<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh   ; 'BCHK'
    mov ax, 04h
    int 3                 ; SoftICE's BoundsChecker interface modifies al
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h         ; VxD ID of winice
    int 2Fh
    mov ax, es            ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax            ; ES:DI stays 0000:0000 if the VxD is absent
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh         ; VxD ID of SIWVID
    int 2fh
    mov ax, es            ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]       ; install our own int 41h handler (es = 0, the IVT)
    xchg bx, es:[41h*4+2]     ; the old vector is kept in bx:dx
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]       ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h            ; our handler leaves ax alone, a debugger does not
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========


2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al                 ; our handler copies al into cl
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax                 ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]       ; install our handler, keep the old vector in bx:dx
    xchg bx, es:[41h*4+2]
    in al, 40h                ; read the timer counter: a value hard to predict
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]       ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl,al                 ; cl is still 0 if SoftICE handled int 41h itself
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========
Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs computer...):

    mov ah, 25h                      ; set interrupt vector
    mov al, Int_Number               ; 01h or 03h
    mov dx, offset New_Int_Routine   ; ds:dx -> new handler
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID    ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name  ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx        ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the device name succeeds only when the SICE VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025       ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
        *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( :
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                   ; OF_READ
    mov eax,[00656634]        ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589              ; detected
    push 00                   ; OF_READ
    mov eax,[00656638]        ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae               ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh            ; function 4fh
    push 002a002ah            ; high word specifies which VxD (VWIN32),
                              ; low word specifies which service
                              ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001     ; VxdCall
    cmp ax, 0f386h            ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

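The tricks above leave fixed byte patterns in a binary, which a static scanner can flag without running the program. The following Python script is an added example, not code from the original text or from any of the programs it mentions: it matches the 'BCHK' signature (method 01), the 4647h/4A4Dh back door magic values (method 02), the int 2Fh/1684h VxD ID query (methods 03/04), the int 41h function 4Fh call and the 0F386h compare (methods 05, 06, 07 and 12), the VxdCall push sequence (method 12) and the \\.\SICE / \\.\SIWVID / \\.\NTICE device names (method 11). The x86 encodings are standard; the sample image is constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Byte-level signatures for the anti-SoftICE tricks above (x86 encodings).
# OPSZ is an optional 66h operand-size prefix, so the 16-bit register moves of
# the real-mode examples are also found when they sit inside 32-bit code.
OPSZ = rb"(?:\x66)?"
SIGNATURES = {
    # method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    "bchk_int3": re.compile(OPSZ + rb"\xBD\x4B\x48\x43\x42.{0,12}?\xCC", re.S),
    # method 02: mov si,4647h ... mov di,4A4Dh (back door magic values)
    "backdoor_magic": re.compile(OPSZ + rb"\xBE\x47\x46.{0,8}?" + OPSZ + rb"\xBF\x4D\x4A", re.S),
    # methods 03/04: mov bx,0202h (SICE) or mov bx,7A5Fh (SIWVID) ... int 2Fh
    "vxd_id_int2f": re.compile(OPSZ + rb"\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F", re.S),
    # methods 05/06: mov ax,4Fh ... int 41h
    "int41_4f": re.compile(OPSZ + rb"\xB8\x4F\x00.{0,16}?\xCD\x41", re.S),
    # methods 05/07/12: cmp ax,0F386h (the system debugger magic number)
    "cmp_f386": re.compile(OPSZ + rb"\x3D\x86\xF3"),
    # method 07: mov ah,43h / int 68h
    "int68_43": re.compile(rb"\xB4\x43\xCD\x68"),
    # method 12: push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch through VxdCall)
    "vxdcall_int41": re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    # method 11: \\.\SICE, \\.\SIWVID or \\.\NTICE device names (MeltICE, _lopen)
    "device_name": re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
}

@dataclass(frozen=True)
class Hit:
    name: str
    offset: int
    length: int

def scan(image: bytes) -> List[Hit]:
    """Return every signature occurrence in the image, ordered by offset."""
    hits = [Hit(name, m.start(), m.end() - m.start())
            for name, pat in SIGNATURES.items() for m in pat.finditer(image)]
    return sorted(hits, key=lambda h: (h.offset, h.name))

def summarize(image: bytes) -> Dict[str, int]:
    """Number of hits per signature name (only names that occurred)."""
    counts: Dict[str, int] = {}
    for h in scan(image):
        counts[h.name] = counts.get(h.name, 0) + 1
    return counts

# Constructed sample image (not taken from any real program): the fragments of
# methods 01, 02, 03, 05, 07 and 12 assembled back to back, then two device names.
SAMPLE = bytes.fromhex(
    "90 90 "                                   # filler
    "BD 4B 48 43 42 B8 04 00 CC 3C 04 75 00 "  # mov ebp,'BCHK'; mov ax,4; int 3; cmp al,4; jnz
    "B8 11 09 BE 47 46 BF 4D 4A CC "           # mov ax,911h; mov si,4647h; mov di,4A4Dh; int 3
    "B8 84 16 BB 02 02 CD 2F "                 # mov ax,1684h; mov bx,202h; int 2Fh
    "B8 4F 00 CD 41 3D 86 F3 74 00 "           # mov ax,4Fh; int 41h; cmp ax,0F386h; jz
    "B4 43 CD 68 "                             # mov ah,43h; int 68h
    "6A 4F 68 2A 00 2A 00 "                    # push 4Fh; push 2A002Ah
) + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"

if __name__ == "__main__":
    for h in scan(SAMPLE):
        print(f"{h.offset:08x}  {h.name:<15} {h.length} bytes")
```

Run it on a raw DOS/Win9x executable image to list the offsets worth looking at in a disassembler; the gaps allowed by `.{0,N}?` tolerate a few instructions between the parts of each pattern.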
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>