<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of the packers/encryptors found on the Internet.
It looks for the BoundsChecker interface implemented by SoftICE: with
EBP='BCHK' and AX=04h, the INT 3 is answered by SoftICE when it is loaded
and AL no longer holds 4 on return. When SoftICE is not loaded, the INT 3
goes to the normal handler and AX comes back unchanged.

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a widely used method (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on
breakpoints, execute SoftICE commands...
It is also used to crash SoftICE, or to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SoftICE window)
-AX = 0911h (Execute SoftICE command; the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE; without them the INT 3 is
treated as an ordinary breakpoint.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is an example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

A less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API entry point): ES:DI comes back as 0000:0000 when no VxD with
that ID answers.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of WINICE
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

(The packers combine ES and DI with an ADD; an OR would be safer, since
the sum of a non-zero segment and offset can wrap to zero, but the ADD
is what you will meet in the wild.)

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX VxD (SIWVID).

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

This method looks for the 'magic number' 0F386h returned (in AX) by all
system debuggers when int 41h, function 4Fh, is called.
There are several variants.
The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next variant, as well as the one in Method 06, are 2 examples from
Stone's "stn-wid.zip" (www.cracking.net). It temporarily replaces the
int 41h vector with a dummy IRET handler: without a system debugger the
interrupt then does nothing and AX stays 4Fh, whereas SoftICE intercepts
int 41h before the vector is reached and still returns 0F386h:

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; assumes ES = 0 (interrupt vector table)
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

A 2nd method similar to the preceding one but harder to detect, since it
uses neither function 4Fh nor the 0F386h magic number. The handler
installed in the int 41h vector copies AL into CL; before the call AL is
loaded with a changing value (read from timer port 40h) and CX is cleared.
If nothing intercepts int 41h, the handler runs and CL equals AL
afterwards; if SoftICE intercepts the interrupt, the handler never runs
and CL stays 0.


int41handler PROC
 mov cl,al
 iret
int41handler ENDP


 xor ax,ax
 mov es,ax ; ES = 0 (interrupt vector table)
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h ; changing value from the timer
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86): function AH=43h
returns AX=0F386h when a debugger is installed.

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
 32-bit app like this:
 BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client EIP
 is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system
by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...).

 mov ah, 25h ; set interrupt vector
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine ; ds:dx -> new handler
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ECX)
of that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if there is no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear your breakpoints before using this feature. DO NOT
trace with SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(DR7=0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or whether some memory breakpoints are set (DR0 to DR3),
simply by reading their values (ring 0 only: MOV from a debug register is
a privileged instruction). The values can be manipulated or changed as
well (clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega to allow the
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API; the open only succeeds when the
driver is loaded.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
 HANDLE hFile;
 hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile); /* the driver answered: SoftICE is loaded */
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the Carry flag to allow
its handle to be opened, and is then detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001 ; INVALID_HANDLE_VALUE?
 00401074: je 00401091 ; no handle: SoftICE is not loaded

There could be hundreds of BPXs you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'
 (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix)

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job (_lopen returns HFILE_ERROR, i.e. -1, when the
open fails, so INC EAX turns a failure into zero):

 push 00 ; OF_READ
 mov eax,[00656634] ; -> '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; -> '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it is only available on
Win95/98 (not NT), as it uses the VxDCall back door. This detection was
found in the Bleem demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32),
 ; low word specifies which service (VWIN32_Int41Dispatch)
 call Kernel32!ORD_0001 ; VxDCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, there are several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (esp->8 is the lpSubKey argument; 0x13 is
the offset of "tICE" in key #2 and 0x37 its offset in key #1):

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As its name says, its
purpose is to determine whether a debugger is running on the system
(ring 0 only):

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks an internal flag; the answer comes back in the
zero flag, which is set when no debugger is installed.
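
The scanner below is an added example; it is not code from the original text, nor from any of the tools or programs mentioned above. It turns the key instruction sequences and strings of methods 01, 02, 03/04, 05, 07, 11, 12 and 13 into byte signatures and reports where they occur in a buffer (a raw code section or a whole file), which is the static counterpart of the BPX conditions listed with each method. The encodings are the straightforward ones shown in the listings (little-endian immediates, e.g. mov si,4647h = BE 47 46; an optional 66h operand-size prefix for 16-bit moves in 32-bit code; up to 24 bytes of other code allowed between the key instructions). A packer that builds the magic values at run time or uses other instruction forms will not match, so a hit is a lead, not proof, and a miss proves nothing. The sample buffer at the end is constructed here for the demonstration and is not taken from any real binary.

```python
"""Signature scanner for the SoftICE detection tricks listed above.

Added example, not part of the original text: it searches a raw buffer
(a code section, a whole file) for the byte encodings of the key
instructions and strings of methods 01, 02, 03/04, 05, 07, 11, 12 and 13
and reports their offsets.
"""
import re

# Up to 24 arbitrary bytes may separate the key instructions of one trick
# (other register loads, a displacement, ...). The lazy quantifier stops at
# the nearest terminating instruction; DOTALL lets '.' match any byte.
GAP = rb".{0,24}?"


def _seq(*parts):
    """Pattern for 'part1 ... part2 ... partN' in that order."""
    return re.compile(GAP.join(parts), re.DOTALL)


# Immediates are little-endian ('BCHK' = 4243484Bh is stored 4B 48 43 42);
# '\x66?' accepts the operand-size prefix of 16-bit moves in 32-bit code.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ... int 3
    "01 BoundsChecker 'BCHK' int 3":
        _seq(rb"\xBD\x4B\x48\x43\x42", rb"\xCC"),
    # Method 02: mov si,4647h ; mov di,4A4Dh ... int 3 (order as in Haspinst.exe)
    "02 back door int 3 (SI='FG', DI='JM')":
        _seq(rb"\x66?\xBE\x47\x46", rb"\x66?\xBF\x4D\x4A", rb"\xCC"),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h or 7A5Fh ... int 2Fh
    "03/04 int 2Fh/1684h with SICE or SIWVID VxD ID":
        _seq(rb"\x66?\xB8\x84\x16", rb"\x66?\xBB(?:\x02\x02|\x5F\x7A)", rb"\xCD\x2F"),
    # Method 05: mov ax,4Fh ... int 41h
    "05 int 41h/4Fh debugger check":
        _seq(rb"\x66?\xB8\x4F\x00", rb"\xCD\x41"),
    # Method 07: mov ah,43h ... int 68h
    "07 int 68h/43h debugger check":
        _seq(rb"\xB4\x43", rb"\xCD\x68"),
    # Method 11: the device names opened with CreateFileA or _lopen
    "11 MeltICE device name":
        re.compile(re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)"),
    # Method 12: push 4Fh (imm8 or imm32 form) ; push 2A002Ah ; call VxDCall
    "12 VxDCall VWIN32_Int41Dispatch":
        _seq(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)", rb"\x68\x2A\x00\x2A\x00"),
    # Method 13: the three registry keys (registry paths are case-insensitive)
    "13 SoftICE registry key":
        re.compile(
            rb"Software\\(?:NuMega|Microsoft\\Windows\\CurrentVersion\\Uninstall)\\SoftICE"
            rb"|Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32\.Exe",
            re.IGNORECASE),
}


def scan(buf):
    """Return sorted (offset, signature name) pairs for every hit in buf."""
    hits = []
    for name, pat in SIGNATURES.items():
        for m in pat.finditer(buf):
            hits.append((m.start(), name))
    return sorted(hits)


def scan_file(path):
    """Scan a whole file (fine for DOS .EXEs; for PE files prefer the code section)."""
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed sample (not taken from any real binary): hand-assembled
# fragments of the listings above, the device/registry strings, and some
# harmless data that must not trigger anything.
SAMPLE = (
    b"\x90" * 4
    # 01 (32-bit): mov ebp,4243484Bh ; mov ax,4 ; int 3 ; cmp al,4 ; jnz $+2
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x00"
    # 02 (16-bit): mov ax,0911h ; mov si,4647h ; mov di,4A4Dh ; int 3
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"
    # 05: mov ax,4Fh ; int 41h ; cmp ax,0F386h
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"
    # 07: mov ah,43h ; int 68h ; cmp ax,0F386h
    + b"\xB4\x43\xCD\x68\x3D\x86\xF3"
    # 03: xor di,di ; mov es,di ; mov ax,1684h ; mov bx,0202h ; int 2Fh
    + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"
    # 12 (32-bit): push 4Fh ; push 2A002Ah ; call rel32
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00"
    # 11 and 13: two device names and one registry key, NUL-terminated
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00Software\\NuMega\\SoftICE\x00"
    + b"hello world"
)

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
```

Use scan_file(path) on a suspect executable; each reported offset is a file offset, so convert it to a virtual address with the section table before setting a BPX there. Method 06 is deliberately absent from the table: it has no magic constant to look for, only an IRET handler and a port read, which is exactly why the text calls it harder to detect.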
</PRE></TD></TR></TBODY></TABLE>