<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

SoftICE recognises the BoundsChecker handshake on int 3 (EBP='BCHK', AX=4)
and clears AL before returning; a plain DOS or Windows int 3 handler leaves
the registers alone. So AL still being 4 after the int 3 means SoftICE is
absent, and anything else means it is loaded.

___________________________________________________________________________
Method 02
=========

Still a very widely used method (perhaps the most frequent one). It reaches
the SoftICE 'back door commands', which give information about breakpoints,
execute SoftICE commands, and so on.
It is also used to crash SoftICE or to force it to execute arbitrary commands
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at DS:DX)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE; without them in SI/DI the
int 3 is treated as an ordinary breakpoint.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is an example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; DS:DX points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at DS:DX, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded:
  without SoftICE the int 3 lands in the program's own handler, which resumes
  at 00ADh instead of returning to the loop.
___________________________________________________________________________


Method 03
=========

Less used method. It asks for the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WINICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

ES:DI is zeroed before the call, so it is only non-zero afterwards if a VxD
with that device ID answered; the check does not care where the entry point
is, only that one exists.

___________________________________________________________________________


Method 04
=========

Identical to the preceding method, except that it asks for the ID of the
SoftICE GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). ES must address the interrupt vector
table (segment 0) for the xchg lines; the two lines that set it up are
added here, as in Method 06:

        xor ax,ax
        mov es,ax               ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler...
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; ...and restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

Temporarily pointing the real-mode vector at an iret-only handler makes sure
that a machine with no debugger returns AX unchanged. SoftICE answers int 41h
from the VMM before the V86 vector is ever consulted, so AX still comes back
as 0F386h when it is loaded.

_________________________________________________________________________


Method 06
=========


2nd method, similar to the preceding one but harder to detect:

int41handler PROC
        mov cl,al
        iret
int41handler ENDP


        xor ax,ax
        mov es,ax               ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our own int 41h handler
        xchg bx, es:[41h*4+2]
        in al, 40h              ; unpredictable byte from the timer port
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

No function number is placed in AX, so a "BPINT 41 if ax==4f" never fires.
If the interrupt really reaches the program's own handler (no SoftICE), CL is
a copy of AL and the compare matches; if SoftICE swallows the int 41h first,
the handler never runs and CL stays 0. The one blind spot is AL happening to
be 0 on that read of port 40h, which gives a false "not detected".

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:
        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client EIP is
   located at [ebp+48h] for 32-bit apps)
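
As an added example (not part of the original text, nor code from any of
the programs quoted in it), here is a small C scanner for the byte sequences
that methods 01 through 07 leave in a binary: the 'BCHK' handshake, the
4647h/4A4Dh magic pair in front of an int 3, the int 2Fh/1684h lookups of
the SICE and SIWVID IDs, the int 41h/4Fh and int 68h/43h calls, and the
"cmp ax,0F386h" that methods 05, 07 and 12 share. The patterns are the
16-bit encodings of the listings above; the signature table, its names and
the sample buffer are this example's own construction.

```c
/* Added example: static scanner for the SoftICE-detection byte sequences
 * shown in methods 01-07 (plus the 0F386h compare shared with method 12).
 * Patterns are 16-bit (DOS / V86) encodings; the sample is hand-built. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    const char    *method;   /* method number in the text */
    const char    *what;
    const uint8_t *bytes;
    size_t         len;
} sig_t;

/* 01: 66 BD 4B 48 43 42 = mov ebp,4243484Bh ('BCHK'); mov ax,4; int 3; cmp al,4 */
static const uint8_t sig_bchk[]        = { 0x66,0xBD,0x4B,0x48,0x43,0x42, 0xB8,0x04,0x00, 0xCC, 0x3C,0x04 };
/* 02: mov si,4647h; mov di,4A4Dh; int 3 (AX=09xxh is set up earlier) */
static const uint8_t sig_magic_si_di[] = { 0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC };
/* 03: mov ax,1684h; mov bx,0202h; int 2Fh (SICE VxD ID) */
static const uint8_t sig_vxd_sice[]    = { 0xB8,0x84,0x16, 0xBB,0x02,0x02, 0xCD,0x2F };
/* 04: mov ax,1684h; mov bx,7A5Fh; int 2Fh (SIWVID VxD ID) */
static const uint8_t sig_vxd_siwvid[]  = { 0xB8,0x84,0x16, 0xBB,0x5F,0x7A, 0xCD,0x2F };
/* 05: mov ax,4Fh; int 41h */
static const uint8_t sig_int41_4f[]    = { 0xB8,0x4F,0x00, 0xCD,0x41 };
/* 07: mov ah,43h; int 68h */
static const uint8_t sig_int68_43[]    = { 0xB4,0x43, 0xCD,0x68 };
/* 05/07/12: cmp ax,0F386h (the 32-bit form 66 3D 86 F3 also contains this) */
static const uint8_t sig_cmp_f386[]    = { 0x3D,0x86,0xF3 };

#define SIG(m, w, a) { m, w, a, sizeof a }
static const sig_t sigs[] = {
    SIG("01",       "BoundsChecker 'BCHK' handshake on int 3",        sig_bchk),
    SIG("02",       "back-door magic SI=4647h DI=4A4Dh before int 3", sig_magic_si_di),
    SIG("03",       "int 2Fh/1684h lookup of VxD ID 0202h (SICE)",    sig_vxd_sice),
    SIG("04",       "int 2Fh/1684h lookup of VxD ID 7A5Fh (SIWVID)",  sig_vxd_siwvid),
    SIG("05",       "int 41h function 4Fh",                           sig_int41_4f),
    SIG("07",       "int 68h function 43h",                           sig_int68_43),
    SIG("05/07/12", "cmp ax,0F386h debugger magic",                   sig_cmp_f386),
};
#define NSIGS (sizeof sigs / sizeof sigs[0])

typedef struct { size_t offset; const sig_t *sig; } hit_t;

/* Scan buf[0..n) for every signature at every offset. Stores up to max hits
 * in offset order and returns the total number of matches. */
size_t scan_softice_tricks(const uint8_t *buf, size_t n, hit_t *hits, size_t max)
{
    size_t found = 0;
    for (size_t off = 0; off < n; off++) {
        for (size_t s = 0; s < NSIGS; s++) {
            const sig_t *sg = &sigs[s];
            if (sg->len > n - off) continue;
            size_t k = 0;
            while (k < sg->len && buf[off + k] == sg->bytes[k]) k++;
            if (k != sg->len) continue;
            if (found < max) { hits[found].offset = off; hits[found].sig = sg; }
            found++;
        }
    }
    return found;
}

/* Constructed sample: method 01, the Haspinst loop body (method 02),
 * method 03 and the simplest method 05 variant, with a little filler. */
static const uint8_t sample_code[] = {
    0x90, 0x90,                                                /* nop; nop */
    0x66,0xBD,0x4B,0x48,0x43,0x42, 0xB8,0x04,0x00, 0xCC,       /* method 01 */
    0x3C,0x04, 0x75,0x10,                                      /* cmp al,4; jnz */
    0xB8,0x11,0x09, 0x8B,0x17, 0xBE,0x47,0x46, 0xBF,0x4D,0x4A, /* method 02 */
    0xCC, 0x83,0xC3,0x02,                                      /* int 3; add bx,2 */
    0x31,0xFF, 0x8E,0xC7, 0xB8,0x84,0x16, 0xBB,0x02,0x02,      /* method 03 */
    0xCD,0x2F,
    0xB8,0x4F,0x00, 0xCD,0x41, 0x3D,0x86,0xF3, 0x74,0x00,      /* method 05 */
    0xC3,                                                      /* ret */
};

/* Number of tricks found in the sample. */
size_t scan_sample(void)
{
    hit_t hits[16];
    return scan_softice_tricks(sample_code, sizeof sample_code, hits, 16);
}

/* Offset of the i-th hit in the sample, or (size_t)-1 if there is none. */
size_t sample_hit_offset(size_t i)
{
    hit_t hits[16];
    size_t n = scan_softice_tricks(sample_code, sizeof sample_code, hits, 16);
    return (i < n && i < 16) ? hits[i].offset : (size_t)-1;
}

int main(void)
{
    hit_t hits[16];
    size_t n = scan_softice_tricks(sample_code, sizeof sample_code, hits, 16);
    for (size_t i = 0; i < n && i < 16; i++)
        printf("offset 0x%04zx: method %s: %s\n",
               hits[i].offset, hits[i].sig->method, hits[i].sig->what);
    return 0;
}
```

On the constructed sample the scanner reports five hits: methods 01, 02, 03
and 05, plus the separate cmp ax,0F386h match inside the method 05 fragment.
For Win32 code the encodings differ (no 66 prefix on the mov ebp, but a 66
prefix on the 16-bit ax/bx moves), so a PE scanner needs a second table.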
__________________________________________________________________________


Method 08
=========

Not a SoftICE detection method, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); DS:DX
points to the new routine to execute (hangs the computer...):

        mov ah, 25h
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine  ; DS:DX -> new handler
        int 21h

Once the trap and breakpoint vectors point at the program's routine, any
single-step or breakpoint the debugger relies on goes there instead.

__________________________________________________________________________

Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring 3 app using a VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns the Device Description Block (in ECX)
for that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
        mov edi, Device_Name    ; only used if there is no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ECX = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear your breakpoints before using this feature. DO NOT trace
   with SoftICE while the option is enabled!!

This trick is very efficient:
by reading the debug registers you can detect whether SoftICE is loaded
(DR7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or whether memory breakpoints are set (DR0 to DR3), simply by reading their
values (ring 0 only: MOV from a debug register faults in ring 3). The values
can be manipulated or changed as well (clearing BPMs, for instance).

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
After the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall function),
and then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how on earth could a shareware program
load/unload a non-dynamically-loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the Carry flag to allow
its handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
 (esp->4 is the first argument, lpFileName; the +4 steps over the "\\.\"
 prefix so the dword compared is the start of the driver name itself)

-The most exotic ones (could be very slooooow :-( ):
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                ; will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job (_lopen returns HFILE_ERROR, -1, on failure,
hence the inc eax):

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected
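
As an added example (not MeltICE's or nmtrans.dll's code), here is the
same device-name probe generalised to the three driver names the text lists,
with the "open" step pluggable so the logic can be exercised where SoftICE
never runs. On Windows the real opener is CreateFileA with the same flags as
the snippet above; elsewhere it falls back to POSIX open(), which is assumed
to fail because no ordinary file is named "\\.\SICE" and so on. The two fake
openers and the platform labels are constructed for this example.

```c
/* Added example: MeltICE-style driver probe with a pluggable opener. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <fcntl.h>
#include <unistd.h>
#endif

/* Driver names MeltICE opens; which one answers tells Win9x from WinNT. */
static const char *const softice_devices[] = {
    "\\\\.\\SICE",    /* Win9x: main SoftICE VxD */
    "\\\\.\\SIWVID",  /* Win9x: SoftICE video VxD */
    "\\\\.\\NTICE",   /* WinNT: SoftICE driver */
};
#define N_DEVICES (sizeof softice_devices / sizeof softice_devices[0])

/* Returns 1 if a handle to devname could be opened (and closed again), else 0. */
typedef int (*open_probe_fn)(const char *devname);

/* Real opener: CreateFileA exactly as in the snippet above on Windows;
 * POSIX open() elsewhere (assumed to fail for these names). */
int open_probe_real(const char *devname)
{
#ifdef _WIN32
    HANDLE h = CreateFileA(devname, GENERIC_READ | GENERIC_WRITE,
                           FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                           OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (h == INVALID_HANDLE_VALUE) return 0;
    CloseHandle(h);
    return 1;
#else
    int fd = open(devname, O_RDONLY);
    if (fd < 0) return 0;
    close(fd);
    return 1;
#endif
}

/* Bitmask of softice_devices[] entries that answered; 0 = none found. */
unsigned probe_softice(open_probe_fn opener)
{
    unsigned mask = 0;
    for (size_t i = 0; i < N_DEVICES; i++)
        if (opener(softice_devices[i]))
            mask |= 1u << i;
    return mask;
}

/* Interpret the mask: NTICE means WinNT, SICE/SIWVID means Win9x. */
const char *softice_platform(unsigned mask)
{
    if (mask & 4u) return "WinNT";
    if (mask & 3u) return "Win9x";
    return "none";
}

/* Constructed fake openers so the logic can be tested without SoftICE. */
int fake_open_win9x(const char *devname)
{
    return strcmp(devname, "\\\\.\\SICE") == 0 ||
           strcmp(devname, "\\\\.\\SIWVID") == 0;
}
int fake_open_winnt(const char *devname)
{
    return strcmp(devname, "\\\\.\\NTICE") == 0;
}

int main(void)
{
    unsigned mask = probe_softice(open_probe_real);
    printf("probe mask 0x%x -> %s\n", mask, softice_platform(mask));
    return 0;
}
```

The BPX CreateFileA condition in the text keys on the four bytes after the
"\\.\" prefix, which every name in this table shares; the 16-bit _lopen
variant shown above never passes through CreateFileA at all, so it needs
its own breakpoint.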


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger-installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall back door. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one
        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========
Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-( )

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(esp->8 is the subkey string; 0x13 and 0x37 are the offsets of "tICE" in
key #2 and key #1 respectively, counted from the start of "Software\...".)

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>