<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh      ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911      ; execute command.
    4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647      ; 1st magic value.
    4C19:009D MOV DI,4A4D      ; 2nd magic value.
    4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
    4C19:00A8 JB 0095          ; 6 different commands.
    4C19:00AA JMP 0002         ; Bad_Guy: jmp back.
    4C19:00AD MOV BX,SP        ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h            ; VxD ID of winice
    int 2Fh
    mov ax, es               ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected
___________________________________________________________________________
Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh            ; VxD ID of SIWVID
    int 2Fh
    mov ax, es               ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========
Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; assumes ES = 0 (interrupt vector table segment), as set up in Method 06
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]      ; install our own int 41h handler...
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]      ; ...and restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h           ; a debugger answered despite our dummy handler
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h               ; read the timer counter as an unpredictable value
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al               ; our handler copied al to cl; a debugger did not
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number       ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID       ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name     ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx           ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE Loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-():
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-((
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited, because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004Fh          ; function 4Fh
    push 002A002Ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp ax, 0F386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one!

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-( ).

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

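As an added example (not part of the original text, and not code from any program it names), a static scan of a binary image for the byte encodings of the idioms described in methods 01, 02, 05, 07, 11, 12 and 13, the analyst's complement to the runtime BPX breakpoints given above. The optional 0x66 operand-size prefix is assumed so that 16-bit (DOS) and 32-bit (Win32) encodings both match; the sample image at the end is constructed for the demonstration.

```python
import re

# Optional 0x66 operand-size prefix so one pattern covers the 16-bit (DOS)
# and 32-bit (Win32) encodings of the same instruction (an assumption here).
P66 = rb"\x66?"

# Byte signatures of the idioms described in the text; key = method number.
SIGNATURES = {
    # 01: mov ebp,4243484Bh ('BCHK') ; mov ax,4 ; int 3
    "01": P66 + rb"\xBD\x4B\x48\x43\x42" + P66 + rb"\xB8\x04\x00\xCC",
    # 02: mov si,4647h ; mov di,4A4Dh (either order, short gap), then int 3
    "02": rb"(?:" + P66 + rb"\xBE\x47\x46.{0,8}?" + P66 + rb"\xBF\x4D\x4A|"
          + P66 + rb"\xBF\x4D\x4A.{0,8}?" + P66 + rb"\xBE\x47\x46).{0,8}?\xCC",
    # 05: mov ax,4Fh ; int 41h ; ... ; cmp ax,0F386h
    "05": P66 + rb"\xB8\x4F\x00\xCD\x41.{0,16}?" + P66 + rb"\x3D\x86\xF3",
    # 07: mov ah,43h ; int 68h
    "07": rb"\xB4\x43\xCD\x68",
    # 11: driver names opened by MeltICE-style checks (\\.\SICE etc.)
    "11": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
    # 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch through VxDCall)
    "12": rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00",
    # 13: registry keys #1 and #2 from the text
    "13": rb"(?i)Software\\(?:NuMega\\SoftICE|"
          rb"Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE)",
}
COMPILED = {k: re.compile(p, re.DOTALL) for k, p in SIGNATURES.items()}


def scan(image: bytes) -> list:
    """Return (offset, method) tuples for every hit, ordered by offset.

    Static heuristic only: packed or self-modifying code hides these bytes
    until run time, so a clean scan is not proof of absence; the BPX lines
    given in the text stay the runtime check.
    """
    return sorted((m.start(), k) for k, rx in COMPILED.items()
                  for m in rx.finditer(image))


# Constructed sample image (not from any real program): NOP filler around
# the encodings of methods 01, 02, 05, 12, 11 and 13.
NOP = b"\x90" * 8
SAMPLE = (
    NOP * 2
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"    # 01, 32-bit
    + NOP + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"      # 02, Haspinst-style
    + NOP + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"              # 05, 16-bit
    + NOP + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xFF\x15\x00\x00\x00\x00"  # 12, push/push/call
    + NOP + b"\\\\.\\SICE\x00"                                       # 11, driver name
    + NOP + b"Software\\NuMega\\SoftICE\x00"                         # 13, registry key #2
)
```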
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>