<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface built into SoftICE: int 3 is
issued with ebp = 'BCHK' and ax = 4, and SoftICE answers by changing al,
so if al is still 4 afterwards SoftICE is not loaded.

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4                ; al unchanged -> nobody answered the BCHK request
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point).

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di              ; ES:DI stays 0:0 if the VxD is not installed
    test ax,ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di              ; ES:DI stays 0:0 if the VxD is not installed
    test ax,ax
    jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax               ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install a dummy int 41h handler, keep the old vector
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h                 ; with a dummy vector only a debugger sitting below can change ax
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect
(no magic number is compared):

int41handler PROC
    mov cl,al               ; our handler just copies al into cl
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, keep the old vector
    xchg bx, es:[41h*4+2]
    in al, 40h              ; an unpredictable value (PIT counter)
    xor cx,cx
    int 41h                 ; reaches our handler only if no debugger swallows it
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; cl still 0 -> our handler never ran
    jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:
    BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...).

    mov ah, 25h                     ; set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; ds:dx -> new handler
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
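To make the register values of Method 10 concrete, here is an added Python decoder (not part of the original text; the function names are my own) for the DR7 bits the trick relies on: why 0x400 is the baseline, why the SoftICE loader leaves 0x700, and how a memory breakpoint held in dr0..dr3 shows up. The register values it runs on are constructed; on a real machine they are only readable from ring 0.

```python
# Constructed register values; on a real machine DR0-DR7 are readable from ring 0 only.
DR7_LE = 1 << 8        # local exact breakpoint enable
DR7_GE = 1 << 9        # global exact breakpoint enable
DR7_BIT10 = 1 << 10    # reserved, always reads as 1: hence the 0x400 baseline

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}  # LEN field; code 2 = 8 bytes (64-bit only)

def decode_dr7(dr7, dr0_3=(0, 0, 0, 0)):
    """Describe which hardware breakpoints DR7 arms, with their addresses."""
    info = {"exact_enable": bool(dr7 & (DR7_LE | DR7_GE)), "breakpoints": []}
    for n in range(4):
        local = bool(dr7 & (1 << (2 * n)))      # Ln
        glob = bool(dr7 & (1 << (2 * n + 1)))   # Gn
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 3          # R/Wn
        ln = (dr7 >> (18 + 4 * n)) & 3          # LENn
        info["breakpoints"].append({
            "reg": n, "addr": dr0_3[n],
            "scope": "global" if glob else "local",
            "type": RW_NAMES[rw], "len": LEN_BYTES[ln],
        })
    return info

def loaded_by_softice_loader(dr7):
    """Method 10's heuristic: LE and GE set (0x700) when started from the
    SoftICE loader, only the reserved bit (0x400) otherwise."""
    return (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE)

def bpm_regs_set(dr7):
    """Slots dr0..dr3 holding an armed BPM: what the trick looks for (and clears)."""
    return [bp["reg"] for bp in decode_dr7(dr7)["breakpoints"]]

def encode_bpm(n, rw, length, glob=True):
    """DR7 bits for one breakpoint in slot n (used here only to build samples)."""
    len_code = {1: 0, 2: 1, 4: 3, 8: 2}[length]
    enable = 1 << (2 * n + 1) if glob else 1 << (2 * n)
    return enable | (rw << (16 + 4 * n)) | (len_code << (18 + 4 * n))

if __name__ == "__main__":
    # plain run, run under the SoftICE loader, and the latter with one
    # 4-byte read/write BPM on 00401000h in dr0 (constructed values)
    for dr7 in (0x400, 0x700, 0x700 | encode_bpm(0, 3, 4)):
        print(hex(dr7), loaded_by_softice_loader(dr7),
              decode_dr7(dr7, (0x401000, 0, 0, 0)))
```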

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

    #include <windows.h>

    BOOL IsSoftIce95Loaded()
    {
        HANDLE hFile;
        /* opening the device name succeeds only if the SICE VxD is loaded */
        hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                            FILE_SHARE_READ | FILE_SHARE_WRITE,
                            NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if( hFile != INVALID_HANDLE_VALUE )
        {
            CloseHandle(hFile);
            return TRUE;
        }
        return FALSE;
    }

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001          ; INVALID_HANDLE_VALUE
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) becomes 0
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
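Since the tricks above leave fixed constants in the protected program (the 'BCHK' immediate of Method 01, the 4647h/4A4Dh magic values of Method 02, the VxD IDs of Methods 03/04, the 0F386h compare of Methods 05/07, the device names of Method 11, the VxDCall arguments of Method 12 and the registry paths of Method 13), an analyst can flag them statically before ever loading the sample. The following scanner is an added Python example, not code from the original text; the rule names, the 32-byte proximity window and the sample buffer are constructed, and the opcode encodings assumed are the standard 16/32-bit x86 ones.

```python
WINDOW = 32  # max byte distance between the parts of a multi-part rule

# name -> groups of alternative byte patterns; a rule fires when an alternative
# of every group lies within WINDOW bytes of a hit on its first group.
# Encodings: B8/BB/BE/BF iw = mov ax/bx/si/di,imm16; B4 ib = mov ah,imm8;
# CD ib = int n; 3D iw = cmp ax,imm16; 68 id = push imm32.
RULES = {
    # Method 01: the 'BCHK' immediate 4243484Bh, little-endian in memory
    "method01_bchk": ((b"\x4b\x48\x43\x42",),),
    # Method 02: mov si,4647h and mov di,4A4Dh (back-door magic values)
    "method02_int3_backdoor": ((b"\xbe\x47\x46",), (b"\xbf\x4d\x4a",)),
    # Methods 03/04: mov ax,1684h, mov bx,0202h|7A5Fh, int 2Fh
    "method03_04_int2f_vxd_id": ((b"\xb8\x84\x16",),
                                 (b"\xbb\x02\x02", b"\xbb\x5f\x7a"), (b"\xcd\x2f",)),
    # Method 05: mov ax,4Fh, int 41h, cmp ax,0F386h
    "method05_int41_magic": ((b"\xb8\x4f\x00",), (b"\xcd\x41",), (b"\x3d\x86\xf3",)),
    # Method 07: mov ah,43h, int 68h, cmp ax,0F386h
    "method07_int68": ((b"\xb4\x43",), (b"\xcd\x68",), (b"\x3d\x86\xf3",)),
    # Method 11 (MeltICE): device names passed to CreateFileA or _lopen
    "method11_meltice_device": ((b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"),),
    # Method 12: push 4Fh and push 002A002Ah before the VxDCall
    "method12_vxdcall_int41": ((b"\x68\x4f\x00\x00\x00",), (b"\x68\x2a\x00\x2a\x00",)),
    # Method 13: registry paths (ANSI strings only; wide strings not covered)
    "method13_registry": ((b"Software\\NuMega\\SoftICE", b"Uninstall\\SoftICE",
                           b"App Paths\\Loader32.Exe"),),
}

def _find_all(buf, pat):
    """Offsets of every occurrence of pat in buf."""
    offs, i = [], buf.find(pat)
    while i != -1:
        offs.append(i)
        i = buf.find(pat, i + 1)
    return offs

def scan(buf):
    """Return (rule name, offset) for every place a rule's parts co-occur."""
    hits = []
    for name, groups in RULES.items():
        for alt in groups[0]:
            for off in _find_all(buf, alt):
                region = buf[max(0, off - WINDOW):off + WINDOW]
                if all(any(a in region for a in g) for g in groups[1:]):
                    hits.append((name, off))
    return sorted(hits, key=lambda h: h[1])

# Constructed sample (not a real binary): the Haspinst-style back-door code of
# Method 02, the int 41h/4Fh check of Method 05 and a MeltICE device name.
SAMPLE = (
    b"\x90" * 8
    + b"\xb8\x11\x09\x8b\x17"          # mov ax,0911h / mov dx,[bx]
    + b"\xbe\x47\x46\xbf\x4d\x4a\xcc"  # mov si,4647h / mov di,4A4Dh / int 3
    + b"\x90" * 40
    + b"\xb8\x4f\x00\xcd\x41"          # mov ax,4Fh / int 41h
    + b"\x3d\x86\xf3\x74\x02"          # cmp ax,0F386h / jz SoftICE_detected
    + b"\x90" * 16
    + b"\\\\.\\SICE\x00"
)
```

Run `scan(open(path, "rb").read())` on a sample; a hit is only a lead, since the constants can be built at run time or split across instructions.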


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>