<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

   mov ebp, 04243484Bh    ; 'BCHK'
   mov ax, 04h
   int 3
   cmp al,4
   jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========
Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

   xor di,di
   mov es,di
   mov ax, 1684h
   mov bx, 0202h      ; VxD ID of winice
   int 2Fh
   mov ax, es         ; ES:DI -> VxD API entry point
   add ax, di
   test ax,ax
   jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

   xor di,di
   mov es,di
   mov ax, 1684h
   mov bx, 7a5Fh      ; VxD ID of SIWVID
   int 2fh
   mov ax, es         ; ES:DI -> VxD API entry point
   add ax, di
   test ax,ax
   jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:
   mov ax,4fh
   int 41h
   cmp ax, 0F386h
   jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

   mov bx, cs
   lea dx, int41handler2
   xchg dx, es:[41h*4]         ; es is assumed to be 0 (interrupt vector table)
   xchg bx, es:[41h*4+2]       ; swap in our own int 41h handler
   mov ax,4fh
   int 41h
   xchg dx, es:[41h*4]         ; restore the original vector
   xchg bx, es:[41h*4+2]
   cmp ax, 0f386h
   jz SoftICE_detected

int41handler2 PROC
   iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
   mov cl,al                   ; our handler echoes al into cl
   iret
int41handler ENDP

   xor ax,ax
   mov es,ax                   ; es = 0 (interrupt vector table)
   mov bx, cs
   lea dx, int41handler
   xchg dx, es:[41h*4]
   xchg bx, es:[41h*4+2]
   in al, 40h                  ; timer port: a value the debugger cannot predict
   xor cx,cx
   int 41h
   xchg dx, es:[41h*4]         ; restore the original vector
   xchg bx, es:[41h*4+2]
   cmp cl,al                   ; cl==al only if our handler really ran
   jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

   mov ah,43h
   int 68h
   cmp ax,0F386h
   jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

   mov ah, 25h
   mov al, Int_Number              ; 01h or 03h
   mov dx, offset New_Int_Routine
   int 21h

__________________________________________________________________________
Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

   00401067: push 00402025        ; \\.\SICE
   0040106C: call CreateFileA
   00401071: cmp eax,-001
   00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
   BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                      *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
   ;will break 3 times :-(
-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
   ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push 00                        ; OF_READ
   mov eax,[00656634]             ; '\\.\SICE',0
   push eax
   call KERNEL32!_lopen
   inc eax
   jnz 00650589                   ; detected
   push 00                        ; OF_READ
   mov eax,[00656638]             ; '\\.\SICE'
   push eax
   call KERNEL32!_lopen
   inc eax
   jz 006505ae                    ; not detected


__________________________________________________________________________
Method 12
=========
This trick is similar to the int 41h/4fh Debugger installation check (Methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push 0000004fh          ; function 4fh
   push 002a002ah          ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call Kernel32!ORD_0001  ; VxDCall
   cmp ax, 0f386h          ; magic number returned by system debuggers
   jz SoftICE_detected

Here again, several ways to detect it:

   BPINT 41 if ax==4f

   BPINT 30 if ax==0xF386             ; SoftICE must be loaded for this one

   BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

   BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

   BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je not_installed

This service just checks a flag.
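The breakpoints given throughout the text find these checks at run time. As an
added example (not code from the text, the packers or the tools it names), here
is a Python triage scanner that looks for the static traces of Methods 01-07, 11,
12 and 13 in a raw binary image: the instruction bytes, the "\\.\SICE"-style
device names and the registry key fragments. The x86 encodings are my own
assumed encodings of the instructions listed above (e.g. "mov ebp, 4243484Bh"
as BDh followed by the little-endian dword, "cmp ax,0F386h" as 3Dh 86h F3h with an
optional 66h prefix in 32-bit code); SIGNATURES, scan_for_softice_checks,
methods_found and the constructed sample blob are all mine.

```python
import re
from typing import List, Tuple

# (method number from the text, byte pattern, description, extra regex flags)
# Assumed x86 encodings of the instructions the text lists; not an exhaustive
# signature set, just the forms written out above.
SIGNATURES: List[Tuple[str, bytes, str, int]] = [
    ("01", rb"\xBD\x4B\x48\x43\x42",               # mov ebp, 4243484Bh ('BCHK')
     "BoundsChecker 'BCHK' signature check via int 3", 0),
    ("02", rb"\xBE\x47\x46\xBF\x4D\x4A",           # mov si,4647h / mov di,4A4Dh (16-bit code)
     "SoftICE back door magic values SI=4647h, DI=4A4Dh", 0),
    ("02", rb"\x66\xBE\x47\x46\x66\xBF\x4D\x4A",   # same with 66h operand-size prefix (32-bit code)
     "SoftICE back door magic values (32-bit code)", 0),
    ("03", rb"\xB8\x84\x16\xBB\x02\x02",           # mov ax,1684h / mov bx,0202h (SICE)
     "int 2Fh/1684h entry-point query for VxD ID 0202h", 0),
    ("04", rb"\xB8\x84\x16\xBB\x5F\x7A",           # mov ax,1684h / mov bx,7A5Fh (SIWVID)
     "int 2Fh/1684h entry-point query for VxD ID 7A5Fh", 0),
    ("05", rb"\xB8\x4F\x00.{0,8}\xCD\x41",         # mov ax,4Fh ... int 41h
     "int 41h function 4Fh debugger installation check", 0),
    ("05/06/07/12", rb"\x66?\x3D\x86\xF3",         # cmp ax,0F386h (optional 66h prefix)
     "compare against the system-debugger magic number 0F386h", 0),
    ("07", rb"\xB4\x43\xCD\x68",                   # mov ah,43h / int 68h
     "int 68h function 43h WinICE handler check", 0),
    ("11", rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",  # "\\.\SICE" etc., NUL-terminated
     "CreateFileA/_lopen on a SoftICE device name", re.IGNORECASE),
    ("12", rb"\x6A\x4F\x68\x2A\x00\x2A\x00",       # push 4Fh / push 002A002Ah
     "VxDCall of VWIN32_Int41Dispatch with function 4Fh", re.IGNORECASE and 0),
    ("13", rb"Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe",
     "registry lookup of the SoftICE installation", re.IGNORECASE),
]


def scan_for_softice_checks(blob: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, method, description) for every signature hit, sorted by offset."""
    hits = []
    for method, pattern, description, flags in SIGNATURES:
        # DOTALL so the '.' gap in the int 41h pattern may cross 0x0A bytes
        for match in re.finditer(pattern, blob, flags | re.DOTALL):
            hits.append((match.start(), method, description))
    return sorted(hits)


def methods_found(blob: bytes) -> List[str]:
    """Distinct method numbers seen in the blob, as a sorted list."""
    return sorted({method for _, method, _ in scan_for_softice_checks(blob)})


def build_sample() -> bytes:
    """Constructed stand-in for a packed executable: NOP filler around a few checks."""
    filler = b"\x90" * 16
    return (
        filler
        # Method 01: mov ebp,'BCHK' / mov ax,4 / int 3 / cmp al,4 / jnz (32-bit code)
        + b"\xBD\x4B\x48\x43\x42" + b"\x66\xB8\x04\x00" + b"\xCC" + b"\x3C\x04" + b"\x75\x00"
        + filler
        # Method 05: mov ax,4Fh / int 41h / cmp ax,0F386h / jz (32-bit code)
        + b"\x66\xB8\x4F\x00" + b"\xCD\x41" + b"\x66\x3D\x86\xF3" + b"\x74\x00"
        + filler
        # Method 11: device names as they would sit in a string table
        + b"\\\\.\\SICE\x00" + b"\\\\.\\NTICE\x00"
        + filler
        # Method 13: registry key #2 from the list above
        + b"Software\\NuMega\\SoftICE\x00"
        + filler
    )


if __name__ == "__main__":
    for offset, method, description in scan_for_softice_checks(build_sample()):
        print(f"0x{offset:06X}  Method {method:<12} {description}")
```

Usage: scan_for_softice_checks(open(path, "rb").read()) over a dumped image.
The three-byte "cmp ax,0F386h" pattern will fire by chance in large binaries,
and packers that build their constants at run time will not show any of these
bytes at all, so treat the hits as leads to confirm in a disassembler, the same
way the BPX/BPINT conditions above confirm a check at run time.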
</PRE></TD></TR></TBODY></TABLE>