<TABLE width=500>1 y* v- O& n' V
<TBODY>
& m, K, v; J$ J7 q+ e% o<TR>
* m! t9 `$ [5 E) [* @3 N<TD><PRE>Method 01
8 b t+ N5 ?+ T/ Y- j=========' M/ A2 s- j4 S
$ O5 y) i( D3 f4 o% A# Y/ vThis method of detection of SoftICE (as well as the following one) is' a c8 a9 f( i/ E% z$ ~. X
used by the majority of packers/encryptors found on Internet.
8 v+ {4 `3 u- D6 T% o2 x J: v% ~It seeks the signature of BoundsChecker in SoftICE
: k4 X& k$ c) O x) X" j2 C
, @* _/ m* W9 p4 I0 d mov ebp, 04243484Bh ; 'BCHK'
$ V4 |, t5 x& [' D% G/ Y4 N mov ax, 04h: l S4 d% j+ L" S6 B* m! `6 W- Y
int 3
# j: w0 l2 F- @( T cmp al,4
. q' H m. F6 h' I0 D+ j6 f# V jnz SoftICE_Detected0 d5 F: j" t) a2 w( t7 d
8 F! q9 w: y2 k! t( G4 x! V
___________________________________________________________________________
6 k+ ]9 X: ?7 W8 _, y( E% h$ y& z7 b! a" c- H2 ?& Q
Method 02
! p7 d ~. p) W# k* F=========2 p" M% y A6 z" j8 W
8 e- Q. d* c+ @0 b& N4 }. y* HStill a method very much used (perhaps the most frequent one). It is used
9 u, C. z M1 T4 @' pto get SoftICE 'Back Door commands' which gives infos on Breakpoints,
o1 y$ F5 G' ]" B- ^/ ror execute SoftICE commands...
0 X9 ^" j! N' EIt is also used to crash SoftICE and to force it to execute any commands
2 E: g3 s3 T% V% t' G7 {5 L. V(HBOOT...) :-(( 7 H6 ?. Q6 l( l. ^7 x2 ?
3 m+ d2 A8 R2 q# Z' W! ~Here is a quick description:
) c' \% J$ b3 r, b-AX = 0910h (Display string in SIce windows)
' G6 Y. ~( _; A1 G5 L4 [-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)2 A9 C9 `* c- J0 ^- t* E
-AX = 0912h (Get breakpoint infos)
8 `) c- [7 U7 |9 ~2 w8 x1 i-AX = 0913h (Set Sice breakpoints)
/ v) l7 i1 n3 m4 `" f2 J' J* J-AX = 0914h (Remove SIce breakoints), j( V) x- ~# L) K( s% }* y
6 c/ J0 ]; S" b
Each time you'll meet this trick, you'll see:
" u) b# O) A- Y-SI = 4647h; D$ S G1 F/ m# u% I. q3 i9 {+ c
-DI = 4A4Dh8 r/ C6 T7 E. ]& |/ K
Which are the 'magic values' used by SoftIce.
0 X' w8 c9 ]4 g6 GFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.
8 a/ E0 n1 v4 A) T! n0 ?" X6 K. {( n6 f
Here is one example from the file "Haspinst.exe" which is the dongle HASP
* u9 _2 ^& k# i3 G p2 yEnvelope utility use to protect DOS applications:
- V. W( f( g- y* G: N5 ~1 X$ V. k3 |* d! J0 i8 K6 R7 C
: H8 ?9 J/ b3 n( Z0 {6 h
4C19:0095 MOV AX,0911 ; execute command./ v, S4 U R% j8 J4 M
4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
4 d' i4 D5 d! l5 a( P9 v8 t4C19:009A MOV SI,4647 ; 1st magic value.
D. x* Z& d- B( o4C19:009D MOV DI,4A4D ; 2nd magic value.
) p4 [6 P7 t0 m- X8 Z9 a& [4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)- y8 y$ I5 I' M% f( s+ w
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
8 Q2 t/ | {. P) _4C19:00A4 INC CX/ X/ w6 x8 Y6 \7 Y; v& u
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
M) {. B2 @' b4C19:00A8 JB 0095 ; 6 different commands.
3 K9 l. }; s1 p1 r1 h" d4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4 I3 d! g0 i' w3 K& \4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
" d7 H* \& I3 P9 C3 r& I- z. Y T6 B1 s
+ a. b% Z# N- F' t5 [) t/ Q- |7 d5 OThe program will execute 6 different SIce commands located at ds:dx, which
. B" N/ H7 y! G. s; tare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
& H3 d4 R4 M: B& I0 ]& y3 \( I$ }
- o; w3 y- U! |( W9 K2 [* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.3 l# c2 {& O2 _" T: e- r
___________________________________________________________________________) Q! p3 j7 h1 p: X2 {% j5 x9 q9 Q1 G
0 v" i, J+ ]; T, f! p/ E/ r( u, ^2 A) A8 [9 k4 b S3 y
Method 03
4 r, ]$ d( Y* |2 g! h% F# \0 W=========
0 g6 b, ^8 R+ Y1 i7 O- N
3 W3 {- j$ a- }# oLess used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
0 M+ p$ s1 e. B1 _7 X2 ~. @2 f(API Get entry point)
. a! e" \7 W, W, e: h
5 k* s( { ~2 D2 j& u+ K5 p* Y5 C" R. x+ ^* p( p+ a
xor di,di. {$ [ g" M7 c- n3 S- ~. M
mov es,di
; z, ^6 n6 d2 \6 e. Z6 S mov ax, 1684h 9 E" _# h" \4 z* X! V; B
mov bx, 0202h ; VxD ID of winice5 e. n9 K. U4 P; z" }
int 2Fh/ Q# O( ^5 ] M$ }5 H
mov ax, es ; ES:DI -> VxD API entry point. U5 D L. j+ n8 X# V7 O# d9 ?& w, C
add ax, di! ^6 p l9 U h& J& v
test ax,ax
$ B1 Y0 H$ v9 X/ b& h9 f! p jnz SoftICE_Detected d: o! b! |5 X9 s& u
/ K" V9 N- E/ P2 _
___________________________________________________________________________. r! {- J& ~3 e/ A* Y6 ^1 o! h
6 I& S( O! X0 k5 V# P
Method 04
: {" t" s9 C I# V* ]1 M9 K=========5 B3 W' ~# z7 c- Y- O8 s
6 w: u& l' ?' ?( X& oMethod identical to the preceding one except that it seeks the ID of SoftICE- o7 N% q1 N& ?: ?$ [
GFX VxD.
1 i M( N- L* B
& f* s- |5 ] ^/ G; O xor di,di$ N( \0 M4 m- ^: N' s) O! i% f j
mov es,di
$ ?. Q8 }2 g0 M# y' r7 y mov ax, 1684h , m' Z f- N% u: o3 E" h" ]
mov bx, 7a5Fh ; VxD ID of SIWVID/ M( U+ q* e& k8 @3 S2 E3 ^, \
int 2fh
) W3 l2 r8 y% S; O mov ax, es ; ES:DI -> VxD API entry point! j+ i1 I5 W+ [+ ^
add ax, di9 w0 `4 L& o! B6 |2 j( u
test ax,ax
, _. _" l8 Z. X jnz SoftICE_Detected2 ^/ e1 X/ c" R$ s
5 G' Q0 ^8 I# {6 O* y. y: E; U
__________________________________________________________________________
3 c. ]* P& N- i0 d3 V
( n3 {) x- {0 M0 A! c
/ P1 ]0 G" p( c% _( S f6 xMethod 050 a& B* Y; Z7 q& a( D$ M6 O
=========6 R5 S' p. w3 [( k
+ t/ P8 q/ [9 {" Y6 Z' vMethod seeking the 'magic number' 0F386h returned (in ax) by all system
! S( T" R3 f7 h9 Jdebugger. It calls the int 41h, function 4Fh.$ y I! }, S3 C
There are several alternatives.
T( k' P" B$ W# n+ }6 I' D' I
8 }: f; N3 t- t! O$ _6 R2 sThe following one is the simplest:
/ R- u! M/ o* [/ O$ o* j" ]% I) {6 X' {. r
mov ax,4fh
! n9 X* H( U& Y& c int 41h4 X$ N5 f! |7 G9 m" t! V6 r! o
cmp ax, 0F386' M. k: M6 L' V2 B6 w2 H
jz SoftICE_detected
9 g; d( K( `+ ]8 A' Z
; F' Y4 B' z' k- y8 |1 T- L8 ~! p! S3 x' N& _
Next method as well as the following one are 2 examples from Stone's ! R' B* J7 n0 e4 @ n: S* a
"stn-wid.zip" (www.cracking.net):
9 a S; }+ i7 R5 d0 t, g
; a$ j0 l& i8 @! [6 O3 s+ o mov bx, cs9 b, H' T6 p3 O5 n5 N
lea dx, int41handler23 b0 Z5 D7 A) L0 e* b) M
xchg dx, es:[41h*4]
+ g2 ]. v" B$ j4 {& b/ C6 w xchg bx, es:[41h*4+2]
% }* _, d4 }2 c+ C* e mov ax,4fh2 u8 A+ C% i+ A8 p% r: n
int 41h$ |/ q0 B7 x" A! v5 H# z
xchg dx, es:[41h*4]
8 {$ ~! S6 F- T xchg bx, es:[41h*4+2]
: f- a4 _" v2 g( E cmp ax, 0f386h& D( `! |/ X) A: Z) {2 r" b# t8 E
jz SoftICE_detected
+ C. W7 {! R, }: w* X; c
# L, Z2 e' D9 ^int41handler2 PROC9 K4 p# U3 ]! y+ X2 l7 ]$ Q- e: D
iret
6 a& m! c/ E; S) `4 sint41handler2 ENDP
% |9 S x0 Y$ y: s
, k/ Z. p; k: S! f
4 \ `( T0 u6 A3 ~_________________________________________________________________________7 F# K& v- W. E
0 T1 a$ l/ e+ {- `: a8 b1 U
" @" I4 }* Y+ a5 UMethod 06
4 R4 @8 r5 D( b# n5 H+ c9 s=========. F9 x3 @7 c- A8 k5 O4 j
8 |% |! H' L* F
+ M& d$ [* j, z: ^; P- ?6 w% V8 v5 s
2nd method similar to the preceding one but more difficult to detect:) Q2 _3 U/ w* L0 ~
3 A0 k$ \/ C8 W. v+ q; ^' b0 x9 B, E ~0 `
int41handler PROC; @2 X4 L1 e) H# W7 M9 t: u; }
mov cl,al3 h* Z0 S. f/ ?- p6 e. `9 a
iret m; m- p9 c6 R
int41handler ENDP
) Z* }4 I) U6 Z" D3 }$ ^! L
% m" O7 q- j% X/ g1 b- l/ k# ~& E; e0 R8 C J9 i6 [
xor ax,ax
8 y/ o, Z N5 q J5 q( b2 ~ mov es,ax; Z n5 F0 V4 c
mov bx, cs
" O; H: x; z t lea dx, int41handler
" D$ W3 V" n; W+ h8 W xchg dx, es:[41h*4]8 X& c; L, x9 B0 c# _) y
xchg bx, es:[41h*4+2]9 a ]3 U; ^% ^2 U4 h3 @% E
in al, 40h/ C4 ]8 t& e9 V. p6 i7 R, H& p/ H1 X
xor cx,cx
; W2 [) C( n( B) a& Y4 e int 41h1 |: G" u. V' D1 C& z
xchg dx, es:[41h*4]
9 U- ?0 S& X. c5 q0 ^: l8 R xchg bx, es:[41h*4+2] J9 @, ^0 ~, s z
cmp cl,al3 P3 |. t8 a) m; R" m
jnz SoftICE_detected
' p7 H7 [5 C8 ]2 _$ S
9 |( h5 _( t+ {' B. H* T_________________________________________________________________________
) O8 g5 Y7 g7 H7 ]( _ _4 j
* i1 U+ _2 g B* l& m8 dMethod 07
# C9 Q* N& Y/ N2 t=========
4 W: i( O" T6 ^. U& I" _- y" L2 }: ~4 t X& z! j
Method of detection of the WinICE handler in the int68h (V86)
6 m" G$ N ^$ A0 B: k) q% d: w; K4 m# p9 T3 a% W3 L9 S
mov ah,43h/ c& f( O2 E- d7 _- _( A
int 68h
1 z/ ^3 E& s# |* r; e1 c cmp ax,0F386h
3 H3 K: T8 D5 a3 T jz SoftICE_Detected
$ r4 _. {- i7 f7 j; R" o1 I g$ g7 |8 q4 N/ h0 U) \. O, e
: v# S, j' y4 z/ T- m3 ~ k=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit6 ^8 y0 U! l' c% Q: y2 n/ l
app like this:
/ ^ f7 k% Z* g% t: }! L9 w0 B+ d2 I. i+ [! H3 ]) B" v
BPX exec_int if ax==68
8 j5 h$ X9 N/ F; `5 y+ I5 `) b8 ~ (function called is located at byte ptr [ebp+1Dh] and client eip is
: ^+ p' J* ~8 h) x7 E; a located at [ebp+48h] for 32Bit apps). R/ q6 }' U7 S8 h8 U, H
__________________________________________________________________________( i, a" C7 W5 q1 T1 ]- Q! D
. ^2 g3 c+ _# n* R; \
8 R; q1 ~4 ?; U& l% [
Method 08
2 G/ p9 b3 y+ Q========= j B. q- N& G/ L2 }# O9 i
4 X! h- u) \' m( N" L' e6 [; g: N* ?0 B0 |It is not a method of detection of SoftICE but a possibility to crash the
; s. S2 v9 V" Nsystem by intercepting int 01h and int 03h and redirecting them to another9 K# K* W, Z( a, @" y
routine.$ p, d- u3 I* s% M' S/ ^" e1 v
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
! k3 ?9 \5 h% q, I {5 qto the new routine to execute (hangs computer...)8 P- G6 }: a( t5 R
8 g1 M0 e2 @% \4 T3 ?0 Z
mov ah, 25h( ~7 O, D+ W' b- h Q* E
mov al, Int_Number (01h or 03h) D2 ~3 O" K2 h
mov dx, offset New_Int_Routine- ^8 ~$ _9 M' K" [: U
int 21h* s, y, o, _1 h0 L$ V
3 v$ a( m/ `5 ^: ?4 e" {/ o__________________________________________________________________________
4 Y* g: z% V" S; G9 ?
# m) E; I, y( K1 H+ S6 lMethod 093 ^+ h7 Z0 F+ A# l4 s- [
=========* ?% G; ~, ]2 U0 b* @2 ^: J
7 x$ q0 E" e, rThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
+ u3 c1 y& j$ O3 n ^# ?$ Mperformed in ring0 (VxD or a ring3 app using the VxdCall).' N, R I' m8 e8 b" n
The Get_DDB service is used to determine whether or not a VxD is installed3 v: r, U2 Z3 b$ y G& y& c
for the specified device and returns a Device Description Block (in ecx) for
- s7 }9 i) Y1 F1 {: D8 { xthat device if it is installed.
7 \, n# v2 s! m( f
C+ W# }3 ]+ _ V) \- W mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
1 a1 `: [" e: ] mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
7 J+ B+ n7 }. l3 ^9 a VMMCall Get_DDB
3 @) p: Z3 P8 K. B7 } mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed- i f4 k% p6 r6 ~- `- \+ K- T! x# R
8 ^! d* l4 s3 u% R7 D* h; M# wNote as well that you can easily detect this method with SoftICE:5 T$ j6 |) P. U7 P) i3 V/ V6 `
bpx Get_DDB if ax==0202 || ax==7a5fh* X4 I# q0 D! ?- l" y9 U2 q9 c2 l
# I' A5 | G! n$ s
__________________________________________________________________________! e0 n' S* r7 d0 Q
% e8 G9 Z! W! u# o7 w% J! a' T" o! O% HMethod 10. L4 p/ b5 l: o
=========
( y( k: l9 t$ n
4 [* l, ? F8 P U' [=>Disable or clear breakpoints before using this feature. DO NOT trace with' z; `; K# k6 G: I
SoftICE while the option is enable!!9 O2 S: ?; l! p0 o5 I
3 A: l, `' `4 a' z/ {0 C
This trick is very efficient:9 v( ?8 g8 i O
by checking the Debug Registers, you can detect if SoftICE is loaded
8 W+ a$ B- D/ p5 g Z$ B(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
2 o* p' J: y$ k Athere are some memory breakpoints set (dr0 to dr3) simply by reading their- f$ ^9 p3 y" k. ^8 X
value (in ring0 only). Values can be manipulated and or changed as well
8 _9 |# v, k J( s6 c' P(clearing BPMs for instance)' ~2 @+ s! m! |. j1 M- v
4 u# @9 H7 ?; a! n+ n
__________________________________________________________________________+ y% c/ g6 F/ u. j, ]! N) f/ N
( \0 h+ O( M4 V: h! Y/ ^6 R
Method 11
, y0 W8 z) g- w% ?- Z=========5 w8 I8 d6 m3 l6 C2 e
1 q& Z' W; K7 Z. @1 ~9 iThis method is most known as 'MeltICE' because it has been freely distributed* i8 V5 {; D3 L; x) x
via www.winfiles.com. However it was first used by NuMega people to allow
! O, Q7 V! H8 B7 r( X6 xSymbol Loader to check if SoftICE was active or not (the code is located5 h, W7 A: _8 I! H, j* s, x
inside nmtrans.dll).- F3 @% }: s" }( W. i
5 l. \4 k+ ]$ X$ {( E4 ?" Y( [ g3 OThe way it works is very simple:% T8 e6 E5 ?. T: g* r0 {8 b1 l( j. }
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
$ j- G" K+ L( c$ |% y0 oWinNT) with the CreateFileA API.9 P9 y0 w+ z* ]( z
1 O: u! K3 I& d% h0 @2 K
Here is a sample (checking for 'SICE'):9 @% B' A: u* C4 D
; z8 V* p; g3 w6 E
BOOL IsSoftIce95Loaded(). b! G' W& b! g7 b$ y
{& N( e5 W/ I6 Y$ {0 a' ^8 a
HANDLE hFile;
9 A4 \' J' D; J& P4 c5 y% H6 l; `( c hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,# V: W. q e5 y
FILE_SHARE_READ | FILE_SHARE_WRITE,
9 q4 f1 {' S$ G# l- Z2 h NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);; @/ V" n9 M1 V
if( hFile != INVALID_HANDLE_VALUE )+ Z( C% b7 V6 T* ^6 m
{- J7 ]! u8 Z' k$ @/ i+ C# U
CloseHandle(hFile);
+ O3 j7 r, `/ Y+ O" a6 Q" }7 ] return TRUE;
4 {0 J3 B! A' p2 @ }2 {+ U9 L/ l( d* y& R6 |% L1 k
return FALSE;
+ O0 W+ Y' ?7 x0 ?9 ~" d; O) c9 L}
! b! n1 N* ~' ~3 D! B- i& Q- `" S& K- }2 t7 v$ s
Although this trick calls the CreateFileA function, don't even expect to be) r% m6 \; r7 l2 b% [; G5 X
able to intercept it by installing a IFS hook: it will not work, no way!8 ]% h7 n" S8 h1 h$ z/ A+ V0 r
In fact, after the call to CreateFileA it will get through VWIN32 0x001F0 {; g7 v) S& ^7 a7 R
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)& p f" r9 c7 `' ~1 s H; }
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
8 p) o6 E, i5 F) R' yfield.! V* Z6 B6 b9 p3 p/ B
In fact, its purpose is not to load/unload VxDs but only to send a
/ b9 \! J" I @W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
8 v: M% R1 I# U) l1 xto the VxD Control_Dispatch proc (how the hell a shareware soft could try" e2 _" {, U! S1 P% g' S# y
to load/unload a non-dynamically loadable driver such as SoftICE ;-).5 t' @* O Z3 j$ V ]0 k: g
If the VxD is loaded, it will always clear eax and the Carry flag to allow( d4 y4 F& z4 N- L
its handle to be opened and then, will be detected.
: z- Y+ O4 X1 |3 ZYou can check that simply by hooking Winice.exe control proc entry point9 g7 E, N/ y, l
while running MeltICE.
4 b8 A8 ~3 X/ g0 c+ r C2 T7 S K @+ G" h
9 i; A; L8 N% q" }0 n `/ \ 00401067: push 00402025 ; \\.\SICE4 v. P8 k' p1 a
0040106C: call CreateFileA
6 }$ F7 f. U4 c5 o1 o, e3 z) Z 00401071: cmp eax,-001* K) u5 R0 ?& J- p5 B% u1 H
00401074: je 00401091
5 H7 V) Q) a: F- E2 z$ K! R' e
9 {: c5 R& W0 u. O i% B, K! K2 q8 i" c3 N- |3 e& F( v" y
There could be hundreds of BPX you could use to detect this trick.
0 k& ^/ O) ~* ~& O-The most classical one is:% v5 D* I' k2 @( o6 |4 }
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
3 [$ W, I9 A0 d: f* ~ x) E *(esp->4+4)=='NTIC'8 n8 X4 |" Y0 l) |
! j& F6 p3 j$ s3 d5 s-The most exotic ones (could be very slooooow :-(' r# j- k1 o" L2 b/ }2 O
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV') # n4 A a, }& q4 ^
;will break 3 times :-(
8 H6 |$ k! Z/ K" c* p' ]& x- M4 q) _4 R
-or (a bit) faster:
- i+ M4 g7 U2 k9 I% I BPINT 30 if (*edi=='SICE' || *edi=='SIWV')0 E8 }2 c3 M7 i; E# V5 v/ d" q
4 t, e. I! a! s8 h BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV' ' i; R7 k9 i: ?6 j2 J
;will break 3 times :-(5 z. |/ x0 A* X5 r I
7 ^# k5 `/ B+ {- Q9 P
-Much faster:
1 {' u# i- j. W BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'" o) v. G: Y- `4 q( i, h
2 D* v8 Y5 I3 [& l5 g
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
7 X) I! ]5 S' H" j+ n" p5 kfunction to do the same job:
# H! k. q) J: y& H! w, ^0 Q) L2 c& B5 O; t" _- E" b# G
push 00 ; OF_READ
% B, L. x! Z5 E% P0 Z9 H2 _ mov eax,[00656634] ; '\\.\SICE',0! F, G5 g( O, t' Q+ n- F
push eax
! `5 D$ K5 w, F8 g2 s) h- l call KERNEL32!_lopen
* r4 I7 |% ?; S9 D" n9 r3 f1 w2 U7 V% E) X inc eax+ R/ r6 @ g( U) X0 L2 Z0 \' G
jnz 00650589 ; detected- _& d! X8 u/ X: o1 D g. P
push 00 ; OF_READ, H3 G+ f0 R* \) T" y- a( M; }
mov eax,[00656638] ; '\\.\SICE'0 R z+ p4 V2 G6 I
push eax
3 B1 |6 G& U0 r: Q. d- |7 k4 { call KERNEL32!_lopen
3 L! q! m$ B3 F inc eax
3 H' ~: ^! m1 O, @2 h jz 006505ae ; not detected& L+ j: r( Z- j4 }8 n0 Y+ j
2 U e! S" A3 _ \$ q
& s6 U- Z+ @8 `2 J$ [* E2 N2 {__________________________________________________________________________1 n! T. ^5 D5 w i
) \: m3 @$ O+ M0 E: F1 Z, {3 bMethod 12, j+ `5 f2 Y" S6 } A/ |3 N
=========
I0 D* A' c* G a, j
4 L, i8 H& d \) L( d+ aThis trick is similar to int41h/4fh Debugger installation check (code 05( D. v0 e! b) Q3 S
& 06) but very limited because it's only available for Win95/98 (not NT)
( b/ ]' }% }1 {* [8 \as it uses the VxDCall backdoor. This detection was found in Bleem Demo.) @& k* l0 {1 a3 n3 e/ J
1 {4 T+ B4 U7 M- L. h push 0000004fh ; function 4fh
$ N, L c6 u- \9 B push 002a002ah ; high word specifies which VxD (VWIN32); O; T7 ]# N* R+ w" z
; low word specifies which service/ c$ I d% g, e8 B" E2 `+ x
(VWIN32_Int41Dispatch). o" [9 j: |4 ~2 s$ H( ?& E
call Kernel32!ORD_001 ; VxdCall. O/ @: ^# ~$ e: l" _0 T8 r
cmp ax, 0f386h ; magic number returned by system debuggers
/ y9 G9 U* L/ N* R/ X8 C jz SoftICE_detected
1 _8 F( ^; D' H$ j
, G; b) ?& a6 Q) z% F3 UHere again, several ways to detect it:5 ?' P9 h; k/ d4 B2 [$ I
% k% R0 Q1 C3 m" d
BPINT 41 if ax==4f
* v% R: n4 b/ d; m, ~% c8 B0 G" F
5 |4 n& b5 F7 C: p' X BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
& {6 |( f- M8 `1 z4 g
: f! j- i9 A5 u% B# Q# v BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A4 l, I/ p! z( v' v4 o4 L
3 Y. {# V" h( N8 O5 ~! u BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
. v: S$ H- V7 O, T
$ B2 e% k5 ~* e__________________________________________________________________________! `/ a% a, U! ]- h' }5 x
4 r' u7 g H5 c* Z( X
Method 139 J; j7 P! _6 F% w2 z
=========
2 t# u* \1 `) N/ s! ~3 F/ @! w; V: }6 y+ S
Not a real method of detection, but a good way to know if SoftICE is
9 h5 y$ ^, u. u: z1 Finstalled on a computer and to locate its installation directory.
- w$ ?( _* \5 w) W6 oIt is used by few softs which access the following registry keys (usually #2) :# o; [8 _, q+ Y9 F$ R
. I8 h( @3 }) e$ U" ]# h& U
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
9 w4 D6 R r* o( A\Uninstall\SoftICE
0 \2 r- w& g9 z K) {-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
- a" ^7 P' q5 K4 U- ^-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion5 m6 m. ]5 m& X) o4 Y
\App Paths\Loader32.Exe
9 ^9 m# y3 t V4 t) W- s( a# ]$ F, u9 O6 r, [ N6 ?
0 }# y3 s+ l# Y8 n/ s
Note that some nasty apps could then erase all files from SoftICE directory: A4 w8 s5 t. D. _7 q
(I faced that once :-(
, E1 M; u. H. Z0 w/ k
. J1 q( g/ }+ s9 z) wUseful breakpoint to detect it: H5 j/ c: S- |% K8 W
( o* e) G g. {& P) i( d/ k
BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
0 l$ T; f3 C0 @ P* V5 s+ ~! t5 m8 P! U, `$ c) _3 p
__________________________________________________________________________7 f, }, u9 b6 \* m
0 D- b* o# f1 v+ d
7 ?; Y" C7 p$ rMethod 14 8 {( h2 {$ T: _( L
=========
5 [+ P/ n- ^. N: w1 M; Z$ K) z8 j! y! G; {( E$ w. v
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose9 @6 \9 F# [; @
is to determines whether a debugger is running on your system (ring0 only).
! ^$ k! d! L' v0 p! F1 m: S
|. E1 }+ ^( C& [6 f( l1 Q$ z1 c VMMCall Test_Debug_Installed, Z: O: @( l, o4 ^8 g( k
je not_installed
+ y$ D8 _ g: l; `! N+ H C- l- C' I: x. I
This service just checks a flag.
+ i J+ f$ E# ?</PRE></TD></TR></TBODY></TABLE> |