<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911  ; execute command.
4C19:0098 MOV DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647  ; 1st magic value.
4C19:009D MOV DI,4A4D  ; 2nd magic value.
4C19:00A0 INT 3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02    ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06    ; Repeat 6 times to execute
4C19:00A8 JB 0095      ; 6 different commands.
4C19:00AA JMP 0002     ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h       ; VxD ID of winice
    int 2Fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________


Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh       ; VxD ID of SIWVID
    int 2fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; es is assumed to address the IVT (segment 0),
    xchg bx, es:[41h*4+2]   ; as method 06 sets up explicitly
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP


    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
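Added example, not code from the original text: a static scan of a raw code image for the immediates and interrupt opcodes that methods 01 through 07 rely on, so an analyst can flag these checks in a sample without running it. The x86 encodings in the patterns, the allowed gaps between instructions and the hand-assembled sample bytes are assumptions of this example; real programs may encode the same checks with other instruction forms, so a hit is a lead to inspect, not proof.

```python
"""Static scan for the SoftICE-detection sequences of methods 01-07.

Added example, not code from the original text. Immediates appear in x86
code little-endian, so 'BCHK' (4243484Bh) is the byte string 4B 48 43 42,
SI=4647h is 47 46, and the debugger magic 0F386h is 86 F3.
"""
import re

# (method, description, bytes-regex). The lazy gaps ".{0,n}?" tolerate a few
# unrelated instructions between the immediate and the interrupt it feeds.
# An operand-size prefix (66h) in front of an opcode does not disturb a match.
SIGNATURES = [
    ("01", "mov ebp,4243484Bh ('BCHK') for the BoundsChecker int 3 check",
     rb"\xBD\x4B\x48\x43\x42"),
    ("02", "int 3 backdoor: SI=4647h and DI=4A4Dh loaded before int 3",
     rb"(?:\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46).{0,8}?\xCC"),
    ("03", "int 2Fh/1684h with BX=0202h (winice VxD ID)",
     rb"\xBB\x02\x02.{0,8}?\xCD\x2F"),
    ("04", "int 2Fh/1684h with BX=7A5Fh (SIWVID VxD ID)",
     rb"\xBB\x5F\x7A.{0,8}?\xCD\x2F"),
    ("05/06", "int 41h followed by a compare against the 0F386h magic",
     rb"\xCD\x41.{0,16}?\x86\xF3"),
    ("07", "mov ah,43h ; int 68h (V86 WinICE handler probe)",
     rb"\xB4\x43.{0,8}?\xCD\x68"),
]
COMPILED = [(m, d, re.compile(p, re.DOTALL)) for m, d, p in SIGNATURES]


def scan_image(image: bytes) -> list:
    """Return (method, offset, description) for every signature hit, sorted by offset."""
    hits = []
    for method, desc, rx in COMPILED:
        for match in rx.finditer(image):
            hits.append((method, match.start(), desc))
    return sorted(hits, key=lambda h: h[1])


# Constructed sample: hand-assembled 16-bit code for methods 01, 02, 05, 07
# and 03, in that order (not bytes taken from any real program).
SAMPLE = bytes.fromhex(
    "66BD4B484342"  # 00: mov ebp,4243484Bh   (method 01)
    "B80400"        # 06: mov ax,4
    "CC"            # 09: int 3
    "3C04"          # 0A: cmp al,4
    "7502"          # 0C: jnz +2
    "B81109"        # 0E: mov ax,0911h        (method 02, Haspinst style)
    "8B17"          # 11: mov dx,[bx]
    "BE4746"        # 13: mov si,4647h
    "BF4D4A"        # 16: mov di,4A4Dh
    "CC"            # 19: int 3
    "B84F00"        # 1A: mov ax,4Fh          (method 05)
    "CD41"          # 1D: int 41h
    "3D86F3"        # 1F: cmp ax,0F386h
    "7402"          # 22: jz +2
    "B443"          # 24: mov ah,43h          (method 07)
    "CD68"          # 26: int 68h
    "B88416"        # 28: mov ax,1684h        (method 03)
    "BB0202"        # 2B: mov bx,0202h
    "CD2F"          # 2E: int 2Fh
)

# Constructed benign bytes: an ordinary prologue/epilogue plus ASCII text.
CLEAN = bytes.fromhex("558BEC83EC1033C0C9C3") + b"hello, world\r\n"

if __name__ == "__main__":
    for method, off, desc in scan_image(SAMPLE):
        print(f"method {method:>5} at +{off:#04x}: {desc}")
    print("clean image hits:", scan_image(CLEAN))
```

Run it directly to list the hits on the constructed sample; feeding it the raw bytes of a section from a real file works the same way. The method 05/06 pattern deliberately keys on the int 41h call plus the 0F386h compare rather than on the 4Fh function number, because the handler-swapping variants still end in that compare.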
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number          ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________


Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)
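Added example, not code from the original text: a decoder for the DR7 value that a ring0 check like the one above would read, so the two numbers the text quotes (0x700 and 0x400) can be seen as bit fields rather than opaque constants. The bit layout follows the architectural DR7 format; the third value with one enabled breakpoint is constructed for the example, and the function names are the example's own.

```python
"""Decode an x86 DR7 value the way a ring0 check in method 10 would read it.

Added example, not code from the original text. The bit layout is the
architectural DR7 format: L0/G0..L3/G3 enable bits in bits 0-7, LE (bit 8)
and GE (bit 9), reserved bit 10 (reads as 1), GD (bit 13) and, for each
of DR0-DR3, a 2-bit R/W field and a 2-bit LEN field starting at bit 16.
"""

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=10b means 8 bytes (64-bit mode only)


def decode_dr7(dr7: int) -> dict:
    """Split DR7 into its fields; each debug register slot gets (rw, length)."""
    fields = {
        "local_enable":  [bool((dr7 >> (2 * i)) & 1) for i in range(4)],
        "global_enable": [bool((dr7 >> (2 * i + 1)) & 1) for i in range(4)],
        "LE": bool((dr7 >> 8) & 1),
        "GE": bool((dr7 >> 9) & 1),
        "reserved_bit10": bool((dr7 >> 10) & 1),
        "GD": bool((dr7 >> 13) & 1),
        "slots": [],
    }
    for i in range(4):
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        fields["slots"].append((RW_NAMES[rw], LEN_BYTES[ln]))
    return fields


def active_breakpoints(dr7: int) -> list:
    """(slot, condition, length) for every DRn that is locally or globally
    enabled; a non-empty list is what the text calls memory breakpoints set."""
    f = decode_dr7(dr7)
    return [(i, *f["slots"][i]) for i in range(4)
            if f["local_enable"][i] or f["global_enable"][i]]


def loaded_by_softice_loader(dr7: int) -> bool:
    """The text's 0x700 vs 0x400 distinction: 0x400 is only the reserved bit,
    0x700 additionally has LE and GE set while no DRn is enabled."""
    f = decode_dr7(dr7)
    return f["LE"] and f["GE"] and not active_breakpoints(dr7)


# Values from the text plus one constructed value (not captured from a real system):
DR7_PLAIN   = 0x400       # reserved bit only, as the text gives for a normal load
DR7_LOADER  = 0x700       # LE + GE set, as the text gives for the SoftICE loader
DR7_ONE_BPM = 0x000D0703  # constructed: 0x700 plus DR0 enabled (L0,G0), write, 4 bytes

if __name__ == "__main__":
    for name, value in [("plain", DR7_PLAIN), ("loader", DR7_LOADER), ("bpm", DR7_ONE_BPM)]:
        print(f"{name:6} dr7={value:#010x} loader={loaded_by_softice_loader(value)} "
              f"breakpoints={active_breakpoints(value)}")
```

Reading DR7 needs ring0, as the text says, so this decoder is what you would run on a value captured from a driver or a crash dump; the useful part for an analyst is `active_breakpoints`, which is exactly the information a protected program would act on when it clears BPMs.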
__________________________________________________________________________


Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
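Added example, not code from the original text, covering both the CreateFileA breakpoint of method 11 and the _regopenkey breakpoint of method 13: it evaluates those two conditions against a constructed memory image, so the offsets in them (the +4 that skips the `\\.\` prefix, and 0x13 / 0x37 that land on 'tICE' inside the two registry paths) can be checked rather than taken on faith. It models the SoftICE expression syntax as follows: `reg->off` reads the dword at [reg+off], `*ptr` reads memory at ptr, and a quoted 4-character constant compares against the 4 bytes in memory order. The addresses, strings, stack layout and function names are all constructed for this example; the return address is the one from the listing above.

```python
"""Evaluate the CreateFileA and _regopenkey breakpoint conditions of methods
11 and 13 against a constructed memory image.

Added example, not code from the original text. 'reg->off' is modelled as
a dword read at [reg+off], '*ptr' as a read at ptr, and 'ABCD' as the four
bytes in memory order. Addresses and strings below are constructed.
"""


class Memory:
    """A few mapped ranges of little-endian memory (constructed)."""

    def __init__(self):
        self.ranges = []  # list of (base, bytearray)

    def map(self, base: int, size: int) -> None:
        self.ranges.append((base, bytearray(size)))

    def _locate(self, addr: int, n: int):
        for base, buf in self.ranges:
            if base <= addr and addr + n <= base + len(buf):
                return buf, addr - base
        raise ValueError(f"unmapped access at {addr:#010x}")

    def write(self, addr: int, data: bytes) -> None:
        buf, off = self._locate(addr, len(data))
        buf[off:off + len(data)] = data

    def read(self, addr: int, n: int) -> bytes:
        buf, off = self._locate(addr, n)
        return bytes(buf[off:off + n])

    def dword(self, addr: int) -> int:          # SoftICE:  reg->off
        return int.from_bytes(self.read(addr, 4), "little")

    def chars(self, addr: int) -> bytes:         # SoftICE:  *ptr=='ABCD'
        return self.read(addr, 4)


def createfile_opens_softice_device(mem: Memory, esp: int) -> bool:
    """BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
    At API entry [esp] is the return address and [esp+4] is lpFileName;
    +4 skips the four bytes of the '\\\\.\\' prefix."""
    lp_filename = mem.dword(esp + 4)
    return mem.chars(lp_filename + 4) in (b"SICE", b"SIWV", b"NTIC")


def regopenkey_targets_softice(mem: Memory, esp: int) -> bool:
    """BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
    [esp+8] is lpSubKey; 0x13 is the offset of 'tICE' inside
    'Software\\NuMega\\SoftICE' and 0x37 inside the Uninstall\\SoftICE path."""
    lp_subkey = mem.dword(esp + 8)
    return (mem.chars(lp_subkey + 0x13) == b"tICE"
            or mem.chars(lp_subkey + 0x37) == b"tICE")


def push_frame(mem: Memory, esp: int, *dwords: int) -> None:
    """Lay out [esp], [esp+4], ... as the callee sees them on entry."""
    mem.write(esp, b"".join(d.to_bytes(4, "little") for d in dwords))


# Constructed image: string constants at 0x00402000.., a stack page at 0x0012F000.
STRINGS = {
    "SICE":      (0x00402000, b"\\\\.\\SICE\0"),
    "SIWVID":    (0x00402010, b"\\\\.\\SIWVID\0"),
    "NTICE":     (0x00402020, b"\\\\.\\NTICE\0"),
    "readme":    (0x00402030, b"C:\\readme.txt\0"),
    "NuMega":    (0x00402040, b"Software\\NuMega\\SoftICE\0"),
    "Uninstall": (0x00402080,
                  b"Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE\0"),
    "Classes":   (0x00402100, b"Software\\Classes\0"),
}
RETURN_ADDR = 0x00401071   # instruction after the call in the MeltICE listing
HKLM = 0x80000002          # HKEY_LOCAL_MACHINE
ESP = 0x0012FF00           # constructed stack pointer at API entry


def build_memory() -> Memory:
    mem = Memory()
    mem.map(0x00402000, 0x1000)
    mem.map(0x0012F000, 0x1000)
    for addr, data in STRINGS.values():
        mem.write(addr, data)
    return mem


def run_checks() -> dict:
    """Evaluate both conditions for each constructed call; returns {label: bool}."""
    mem = build_memory()
    results = {}
    for name in ("SICE", "SIWVID", "NTICE", "readme"):
        push_frame(mem, ESP, RETURN_ADDR, STRINGS[name][0], 0xC0000000)  # GENERIC_READ|WRITE
        results["CreateFileA " + name] = createfile_opens_softice_device(mem, ESP)
    for name in ("NuMega", "Uninstall", "Classes"):
        push_frame(mem, ESP, RETURN_ADDR, HKLM, STRINGS[name][0])
        results["RegOpenKey " + name] = regopenkey_targets_softice(mem, ESP)
    return results


if __name__ == "__main__":
    for label, hit in run_checks().items():
        print(f"{label:24} -> {'break' if hit else 'pass'}")
```

The two registry offsets are worth tracing by hand once: "Software\NuMega\" is 16 bytes, so 'S','o','f' occupy 16..18 and 'tICE' starts at 19 (0x13); in the Uninstall path "Software\Microsoft\Windows\CurrentVersion\Uninstall\" is 52 bytes, putting 'tICE' at 55 (0x37). Key #3 (App Paths\Loader32.Exe) contains no 'tICE' at all, which is why that breakpoint does not fire for it.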
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>