<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4           ; SoftICE answers the BCHK request by changing al
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very much used method (perhaps the most frequent one). It is used
to get at SoftICE's 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command - ds:dx points to the command string)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SoftICE is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded:
  without SoftICE nothing answers the int 3, so the program needs its own
  handler to land on the Good_Guy path.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h       ; VxD ID of WINICE (SICE)
    int 2Fh
    mov ax, es          ; ES:DI -> VxD API entry point (0:0 if not loaded)
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh       ; VxD ID of SIWVID
    int 2Fh
    mov ax, es          ; ES:DI -> VxD API entry point (0:0 if not loaded)
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_Detected

The next variant, as well as Method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). A dummy iret handler is installed in the
IVT for the duration of the call, so ax can only change if something that
sits below the IVT (a system debugger) answers the interrupt:

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; es must be 0 (real-mode IVT), as in Method 06
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_Detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; PIT counter: an unpredictable value in al
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_Detected

No 4Fh/0F386h magic is involved here, which is why it is harder to catch
with a conditional breakpoint: the installed handler copies al into cl, so
cl differs from al only if int 41h never reached the handler in the IVT,
i.e. if a system debugger intercepted it first.

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:
       BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed:

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise),
or if there are memory breakpoints set (dr0 to dr3), simply by reading their
values (ring 0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).
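
The two DR7 values above decode as follows: bit 10 of DR7 is reserved and
always reads as 1, which is the 0x400 baseline, and the SoftICE loader adds
the LE and GE "exact match" bits (8 and 9), giving 0x700. The decoder below
is an added example, not code from the original text; it shows what a ring 0
check like this one actually inspects (the enable bits, the R/W and LEN
fields per slot) and how the "clearing BPMs" manipulation works. The
register dump it runs on is constructed for the example.

```python
# Added example (not from the original page): decode the DR7 values that
# Method 10 reads in ring 0.  Bit layout follows the Intel SDM debug-register
# description; the page's two reference values are 0x700 (program started
# with the SoftICE loader) and 0x400 (plain process).
SOFTICE_LOADER_DR7 = 0x700   # value quoted by the page
PLAIN_DR7 = 0x400            # only the reserved always-1 bit 10 is set

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}   # LEN=10b is only defined in 64-bit mode


def decode_dr7(dr7):
    """Return the enable/condition state encoded in a DR7 value.

    bits 0-7  L0,G0 .. L3,G3  local/global enable for DR0..DR3
    bits 8,9  LE, GE          exact-match flags (SoftICE's loader sets both)
    bit 10    reserved, reads as 1 (hence the 0x400 baseline)
    bit 13    GD              general detect: MOV to/from DRn raises #DB
    bits 16+  per-slot R/W (2 bits) then LEN (2 bits)
    """
    slots = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)
        glob = bool((dr7 >> (2 * i + 1)) & 1)
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        slots.append({"index": i, "local": local, "global": glob,
                      "kind": RW_NAMES[rw], "len": LEN_BYTES[ln]})
    return {"breakpoints": slots,
            "le": bool(dr7 & (1 << 8)),
            "ge": bool(dr7 & (1 << 9)),
            "gd": bool(dr7 & (1 << 13))}


def looks_like_softice_loader(dr7):
    """Method 10's first test: LE and GE both set, as in 0x700."""
    st = decode_dr7(dr7)
    return st["le"] and st["ge"]


def active_bpms(dr7, dr0_3):
    """Method 10's second test: list (slot, address, kind, len) for every
    enabled hardware breakpoint, pairing DR7 with the DR0..DR3 addresses."""
    return [(bp["index"], dr0_3[bp["index"]], bp["kind"], bp["len"])
            for bp in decode_dr7(dr7)["breakpoints"]]


def clear_bpms(dr7):
    """The 'clearing BPMs' manipulation: drop all enable bits and all R/W
    and LEN fields, keep bits 8-15 (LE, GE, GD and the reserved bit)."""
    return dr7 & 0x0000FF00


if __name__ == "__main__":
    # Constructed register dump (not a real capture): one BPM on a 4-byte
    # read/write of 0x40A000 in slot 0, plus the LE/GE bits the loader sets.
    dr7 = 0x000F0701
    drs = [0x0040A000, 0, 0, 0]
    print("loader signature:", looks_like_softice_loader(dr7))
    print("active BPMs:", active_bpms(dr7, drs))
    print("after clearing: %#x" % clear_bpms(dr7))
```

Reading DR0-DR7 needs ring 0 (a MOV from DRn in ring 3 raises #GP), so the
check itself belongs in a VxD; the decoder only interprets the values such a
VxD would hand back. Note that `clear_bpms` keeps GD (bit 13): with GD set,
the very MOV that reads DR7 would trap into the debugger.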

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega to let the
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

    #include &lt;windows.h&gt;

    BOOL IsSoftIce95Loaded()
    {
        HANDLE hFile;
        hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                           FILE_SHARE_READ | FILE_SHARE_WRITE,
                           NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if (hFile != INVALID_HANDLE_VALUE)
        {
            CloseHandle(hFile);
            return TRUE;
        }
        return FALSE;
    }

Although this trick calls the CreateFileA function, don't expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp  eax,-001      ; INVALID_HANDLE_VALUE
    00401074: je   00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
 (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix)

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                   ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                   ;will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov  eax,[00656634]     ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc  eax                ; HFILE_ERROR (-1) becomes 0
    jnz  00650589           ; detected
    push 00                 ; OF_READ
    mov  eax,[00656638]     ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc  eax
    jz   006505ae           ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo:

    push 0000004Fh          ; function 4Fh
    push 002A002Ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp  ax, 0F386h         ; magic number returned by system debuggers
    jz   SoftICE_Detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386        ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of 'tICE'
in the key names #2 and #1 respectively):
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only):

    VMMCall Test_Debug_Installed
    je not_installed        ; ZF set when no debugger is present

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>