<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

        mov ebp, 04243484Bh ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy jmps back.
4C19:00AD MOV BX,SP     ; Good_Guy goes ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h ; VxD ID of winice
        int 2Fh
        mov ax, es    ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh ; VxD ID of SIWVID
        int 2fh
        mov ax, es    ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; es is assumed to hold 0 (the IVT segment)
        xchg bx, es:[41h*4+2]   ; install our own int 41h handler
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but harder to detect:

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detecting the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:
        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5f
__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
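The two dr7 values quoted for this method (0x700 with the SoftICE loader, 0x400 otherwise) are easier to reason about once DR7 is decoded. The Python below is an added example, not code from the original text: it applies the documented DR7 bit layout (L0/G0..L3/G3 in bits 0-7, LE/GE in bits 8-9, the always-set reserved bit 10, R/W and LEN fields for each slot in bits 16-31) to a set of register values and lists the hardware breakpoints a ring0 reader would find. The register values it runs on are constructed for the example; the function and variable names are the example's own.

```python
"""Decode the x86 debug registers that a Method 10 style check reads."""

RW_TYPES = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}   # 0b10 means 8 bytes only in 64-bit mode


def decode_dr7(dr7):
    """Split DR7 into its enable flags and the per-slot type/length fields."""
    return {
        "local":  [bool(dr7 >> (2 * i) & 1) for i in range(4)],
        "global": [bool(dr7 >> (2 * i + 1) & 1) for i in range(4)],
        "LE": bool(dr7 >> 8 & 1),
        "GE": bool(dr7 >> 9 & 1),
        "GD": bool(dr7 >> 13 & 1),          # general detect: traps MOV to/from DRx
        "rw":  [RW_TYPES[dr7 >> (16 + 4 * i) & 0b11] for i in range(4)],
        "len": [LEN_BYTES[dr7 >> (18 + 4 * i) & 0b11] for i in range(4)],
    }


def active_breakpoints(dr0_3, dr7):
    """Return (slot, address, type, length) for every enabled hardware breakpoint."""
    d = decode_dr7(dr7)
    return [(i, dr0_3[i], d["rw"][i], d["len"][i])
            for i in range(4) if d["local"][i] or d["global"][i]]


def classify(dr0_3, dr7):
    """Reproduce the reasoning of Method 10 on a set of register values.

    0x700 and 0x400 differ exactly by the LE and GE bits (0x300) on top of
    the reserved bit 10 (0x400) that is set in every DR7 value.
    """
    d = decode_dr7(dr7)
    if active_breakpoints(dr0_3, dr7):
        return "hardware breakpoints present (BPM-style)"
    if d["LE"] and d["GE"]:
        return "no breakpoints, LE/GE set (matches the SoftICE loader case, dr7=0x700)"
    return "no breakpoints, plain reset value (dr7=0x400)"


# Constructed sample values (not captured from a real machine):
PLAIN = ([0, 0, 0, 0], 0x400)
LOADER = ([0, 0, 0, 0], 0x700)
# 0x700 plus L0 (bit 0), R/W0 = 01 (write) in bits 16-17 and LEN0 = 11 (4 bytes)
# in bits 18-19: a 4-byte write breakpoint on the constructed address 0x00401000.
BPM_SET = ([0x00401000, 0, 0, 0], 0x700 | 1 | (0b01 << 16) | (0b11 << 18))

if __name__ == "__main__":
    for name, (regs, dr7) in {"plain": PLAIN, "loader": LOADER, "bpm": BPM_SET}.items():
        print(f"{name:7s} dr7={dr7:#07x} -> {classify(regs, dr7)}")
        for slot, addr, kind, length in active_breakpoints(regs, dr7):
            print(f"        slot {slot}: {kind}, {length} byte(s) at {addr:#010x}")
```

Running it shows the third case as a write breakpoint of 4 bytes in slot 0, which is the kind of entry a BPM leaves behind in dr0..dr3 and dr7.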
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and thus it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025       ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( :
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00                ; OF_READ
 mov eax,[00656634]     ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589           ; detected
 push 00                ; OF_READ
 mov eax,[00656638]     ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae            ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh        ; function 4fh
        push 002a002ah        ; high word specifies which VxD (VWIN32)
                              ; low word specifies which service
                              ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001 ; VxdCall
        cmp ax, 0f386h        ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
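Because each of the methods above (01 through 13) is a short, fixed instruction sequence or a fixed string, an analyst can recognise most of them statically instead of waiting for a breakpoint to fire. The Python scanner below is an added example, not code from the original text or from any of the tools it mentions: it encodes the listings shown for Methods 01, 02, 03/04, 05/06, 07, 08, 11, 12 and 13 as byte patterns and reports which occur in a buffer. The encodings assume the operand size of the original listing (16-bit for the DOS-era tricks, 32-bit for the Win32 ones) and the exact register and operand choices shown; a packer that shuffles registers or builds the constants at runtime will not match, so treat a hit as a lead, not a verdict. The sample buffer is constructed for the example, not a real file.

```python
"""Static scan of a binary blob for the SoftICE detection idioms listed above."""
import re

# (method label, description, regex over raw bytes). An optional 0x66 prefix
# covers the other operand size where the instruction's immediate width depends on it.
SIGNATURES = [
    ("01", "BoundsChecker signature: mov ebp,4243484Bh ('BCHK')",
     rb"\x66?\xBD\x4B\x48\x43\x42"),
    ("02", "int 3 backdoor magic values: mov si,4647h ; mov di,4A4Dh",
     rb"\x66?\xBE\x47\x46\x66?\xBF\x4D\x4A"),
    ("03/04", "int 2Fh/1684h entry point of VxD ID 0202h (SICE) or 7A5Fh (SIWVID)",
     rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    ("05/06", "int 41h function 4Fh debugger installation check",
     rb"\x66?\xB8\x4F\x00\xCD\x41"),
    ("05/07/12", "comparison against the system debugger magic 0F386h",
     rb"\x66?\x3D\x86\xF3"),
    ("07", "int 68h function 43h: mov ah,43h ; int 68h",
     rb"\xB4\x43\xCD\x68"),
    ("08", "int 21h/25h re-vectoring int 01h or int 03h",
     rb"\xB4\x25\xB0[\x01\x03]\xBA..\xCD\x21"),
    ("11", "MeltICE device name passed to CreateFileA/_lopen",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    ("12", "VxDCall VWIN32_Int41Dispatch (002A002Ah) with function 4Fh",
     rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
    ("13", "registry key naming the SoftICE installation",
     rb"(?:NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe)"),
]
COMPILED = [(m, desc, re.compile(pat, re.DOTALL)) for m, desc, pat in SIGNATURES]


def scan(blob):
    """Return [(offset, method, description)] for every signature hit, ordered by offset."""
    hits = []
    for method, desc, rx in COMPILED:
        for match in rx.finditer(blob):
            hits.append((match.start(), method, desc))
    return sorted(hits)


def methods_found(blob):
    """Sorted list of method labels whose signature occurs at least once."""
    return sorted({method for _, method, _ in scan(blob)})


# Constructed sample: a few of the listings above assembled into raw bytes and
# separated by NOP padding. It is not a real executable.
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC"   # Method 01 (32-bit): mov ebp,'BCHK' ; mov ax,4 ; int 3
    + b"\x90" * 4
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"   # Method 02 (16-bit): mov ax,0911h ; mov si,4647h ; mov di,4A4Dh ; int 3
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"           # Method 05 (16-bit): mov ax,4Fh ; int 41h ; cmp ax,0F386h
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"                             # Method 11: the device name string
    + b"\x90" * 8
)

if __name__ == "__main__":
    for offset, method, desc in scan(SAMPLE):
        print(f"{offset:#06x}  Method {method:8s} {desc}")
```

To use it on a real sample, read the file as bytes and pass it to scan(); the offsets are file offsets, so they map directly onto a hex editor or disassembler view. The 0F386h comparison is listed separately because the same compare instruction closes Methods 05, 07 and 12, and it is the quickest way to spot a variant whose int 41h/int 68h call was encoded differently from the listings.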


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>