<TABLE width=500>, A. u$ y& k) T# H+ V7 Y
<TBODY>" q) A' `, F. _, G# ~
<TR>( Q9 t5 ~( [. c. h% j* H( S% G
<TD><PRE>Method 01
* V2 b/ b! N6 O3 i- \2 _( X=========
. y! P5 o9 R2 Z$ B- z7 b$ ]( D8 k [1 E# h& J5 E
This method of detection of SoftICE (as well as the following one) is
+ c2 V0 c- \: K+ ?+ f' oused by the majority of packers/encryptors found on Internet.3 ~' [+ h- b' O5 Y% c8 p* ?
It seeks the signature of BoundsChecker in SoftICE
Y, N6 w0 j4 [ s+ j7 T1 c8 N1 O) k, @$ T0 G
mov ebp, 04243484Bh ; 'BCHK'2 [' h. V/ M: `, g: B3 o
mov ax, 04h7 ^: d4 |% J" z8 I: P# h- Z
int 3
1 i1 i: h8 Q" Q, ]( r' x+ K cmp al,4! F5 B7 g2 I+ f! P# X/ `
jnz SoftICE_Detected# U; ]4 ]) p' X. j' V" _2 J
# R' [* \, f1 H/ Y) T+ E, ~1 Z! p
___________________________________________________________________________1 T* b1 l+ E4 v; y
2 I E! D& A) ]: s' \- P4 ?
Method 02
: E' A9 V G% ?=========
4 ~7 ^# x4 h$ v1 R* t! r5 U' v6 ~" `$ {: W g
Still a method very much used (perhaps the most frequent one). It is used
' b+ M. t9 b+ T! d3 H* U+ ~to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
! r, z( ~* Q% D8 B* }: \! {5 sor execute SoftICE commands...
5 T$ G% L( d' w1 r* }9 \It is also used to crash SoftICE and to force it to execute any commands: ^2 i2 e( a( z# D
(HBOOT...) :-(( ) k8 `- \$ n& r6 R
% d/ w" Q6 v( p; e0 hHere is a quick description:
5 G5 C; V& J4 A-AX = 0910h (Display string in SIce windows)7 M7 Z) P/ V0 ^+ ~7 M0 o3 x
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)- U" r& H o: Z
-AX = 0912h (Get breakpoint infos)
( Q4 k2 r5 S5 r; Q-AX = 0913h (Set Sice breakpoints)
# _0 V% \: X6 m. T( Z9 Z/ G# G, ^-AX = 0914h (Remove SIce breakoints)
& l7 U' z! l% p# o5 C9 j. g; n1 B+ ^' {. c2 t1 w
Each time you'll meet this trick, you'll see:
' \- H' B( f# }$ a2 c-SI = 4647h
" ?3 G4 c2 `3 N: [* h% B- V" h1 K-DI = 4A4Dh% | K: a1 q0 @8 B, I/ E
Which are the 'magic values' used by SoftIce.& A: T {& u+ [( [9 F: i, ` q, N
For more informations, see "Ralf Brown Interrupt list" chapter int 03h./ e; m; }% z' v/ g2 s4 K
$ K6 J% l7 Z e/ ?$ k& T* }8 [Here is one example from the file "Haspinst.exe" which is the dongle HASP
0 ]1 H. s4 c& h1 x# g5 ]Envelope utility use to protect DOS applications:1 w! @7 W& S4 s* |% y& h0 |+ e- h( {
: S) w# S$ H3 K2 K
+ Y! U4 V/ ]3 a7 D8 U8 ?0 w) R4C19:0095 MOV AX,0911 ; execute command.0 Q- }5 k& U1 |4 {
4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).) C( t/ f7 K" H/ y
4C19:009A MOV SI,4647 ; 1st magic value.
9 I# F: B4 |2 i7 q8 ^4C19:009D MOV DI,4A4D ; 2nd magic value.
& Q( o# F( G1 f' o" `4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*); e6 f' B; a, W; e* i) r# t
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
! o/ {7 T6 {" ?- `* l0 R& J/ x$ m4C19:00A4 INC CX8 H# p$ n' N+ K* m* A0 H7 w
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
" _: U D2 P" x5 X+ z! C( v8 v4C19:00A8 JB 0095 ; 6 different commands.
" j6 S8 ?" r" s5 x2 F$ s# O4C19:00AA JMP 0002 ; Bad_Guy jmp back.3 U& {% F% ?: k+ c) i1 M
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)5 _ L1 m* }$ j4 j
' n3 }& X: R0 r
The program will execute 6 different SIce commands located at ds:dx, which9 L8 l) m+ A' n7 I, ?( [
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.# p" H9 u! U$ Z2 i% W3 g
+ |0 s* h: j& j: p6 `
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.% I5 U2 n* d% J& x4 p' e H( W& Y0 u
___________________________________________________________________________" y$ _9 I% F. \5 Q- q, K) A9 Z, X
7 E; M/ Y1 Y# j5 a
: x$ i$ Z5 d6 b6 f. |
Method 03
& c# s# C' g- ~) y7 Y/ ~! s5 T1 c a=========& \' Y9 a7 }& S5 r: o* ?
0 }% d0 i6 M M" G, S ^. W
Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h3 u& j: Z: C! E: r8 v7 u
(API Get entry point); Z$ x, S+ f( y @( _6 _
% |# \. b( w V4 P H1 R
, z- m$ ^$ x* W s xor di,di
" s, S, O) V, p v/ }9 S mov es,di3 v F- d$ {: L d
mov ax, 1684h , z- j$ \9 a7 a$ D, K" |
mov bx, 0202h ; VxD ID of winice
1 C' N6 ^ ?8 E$ V3 a; K5 p int 2Fh9 e9 r: P* L7 L: [' }' ]$ G
mov ax, es ; ES:DI -> VxD API entry point
I( ^& N5 n- h+ [, [" K& @ add ax, di
, |6 ]: e3 f& r$ P" M1 Y- S+ P* ~ test ax,ax
; ^0 q( i5 i+ G5 i0 {5 p jnz SoftICE_Detected W1 R# g# l! z) J2 d- ~
/ W* H; B7 K+ S# D( V6 ~___________________________________________________________________________4 d. x+ |. K( I. w
9 Z3 J% a. q! O7 } `Method 04' [1 E8 D; p( H( O& @
=========
6 L4 ~! o) ?" T7 k3 N4 I* p1 }8 s' L7 b
Method identical to the preceding one except that it seeks the ID of SoftICE: ^+ B7 i$ v& Y3 r6 P: m( l
GFX VxD.# C6 g) a/ D& y& ~9 o( q9 ^
9 t3 L: A7 s$ [% J0 _7 o9 K" ~8 Q/ Z6 t xor di,di
Y" C2 N/ M2 e- ~' ]6 Y mov es,di4 g! z$ W+ p8 J- ] u4 j9 p3 ^
mov ax, 1684h ( W1 d# B9 z3 [1 F. s6 l
mov bx, 7a5Fh ; VxD ID of SIWVID3 |9 d ?' k: p3 {/ E; @
int 2fh5 ]' d" v4 W9 [7 T* N4 ]
mov ax, es ; ES:DI -> VxD API entry point. K1 }7 f/ \; i, [! Z+ @5 n3 h6 h
add ax, di
) o9 l6 F& s0 c test ax,ax
' {- N( k4 J( r- w! w jnz SoftICE_Detected; K; H8 R) H2 _1 b! p5 W* m
. N" ~0 z1 `$ p+ F; r! [__________________________________________________________________________
$ ^, v( H' p1 g7 b m5 F7 P* r& b. ^& d# D/ u
) D9 D. j J9 M& t; {
Method 05- z. S6 g# J9 u0 n( o% {; _1 L
========= I+ b) V' K* W
0 x( e" O- R: m4 b/ z
Method seeking the 'magic number' 0F386h returned (in ax) by all system6 F% d) [% R7 e6 V1 p% c+ E( A! s% j
debugger. It calls the int 41h, function 4Fh.4 W' |, h8 }" F: u4 x" H' I. \6 B
There are several alternatives. ~6 q7 B6 z1 y
' i, V8 q3 }2 E# }- @( D! N! }
The following one is the simplest:
. r& C! a9 c& k5 S! n# e! I; o/ G! f
mov ax,4fh" s8 {! O" q+ N7 H+ _3 I* j
int 41h
! J" R: e, S- @. L4 | cmp ax, 0F386
/ h: T0 l7 M- t jz SoftICE_detected
/ U# [, W: D) r! z z) s/ K7 v
, P( l8 f N6 F; U n- ^9 T# B- J, j5 \2 }- o% E
Next method as well as the following one are 2 examples from Stone's
4 ~- v* N4 |* W: ~" b"stn-wid.zip" (www.cracking.net):
& R) M8 U0 P' T/ e! S
" k! }' ? b0 D/ w: a9 B3 I mov bx, cs4 k' m2 d! `3 S7 w* j; Y1 y- b
lea dx, int41handler2- h# E& |% q8 J; R3 l, R5 H
xchg dx, es:[41h*4]# J+ C! a0 H: _: }7 }/ S
xchg bx, es:[41h*4+2]; G! y' ^6 T5 \4 y
mov ax,4fh2 [ V9 F+ }0 q) s1 g' T& ~ h
int 41h
& ]: @ w0 q2 a3 P0 v) I) m& I; Q xchg dx, es:[41h*4]) C+ V. i2 C! A0 L) @) O8 e" W q5 B
xchg bx, es:[41h*4+2]: F% r( j- V$ N4 e# q: y! d
cmp ax, 0f386h5 q% o5 R0 b( h
jz SoftICE_detected
& Z Y/ ~( A6 q+ {: e" V, Z: e u4 l+ B: G5 z. \- A
int41handler2 PROC
: X0 E" O% z9 Z" J' B. x$ u iret
, i% y7 Z' N3 p( \6 S8 d; Q0 m" Dint41handler2 ENDP
' O5 r! n4 v# _4 R% l; y; R& \
" ]' S4 h0 c% Z# t0 J+ R4 m: {
# ^3 u: y' i9 B' S$ X2 J_________________________________________________________________________7 ^! U+ b$ N- Y# s# Z/ Q: x# i) b
. Y" q! N, T! Q# G$ f3 V: G% k* T& P, e
+ V9 I+ @: y6 ~1 u+ G" }# w1 u1 p0 SMethod 06
. x1 {! A) u- f& z1 W=========+ f. D6 y1 {' f- K7 C
7 E6 j" A. j) U* c3 P/ m/ q; ^7 D' U! X- Q8 v
2nd method similar to the preceding one but more difficult to detect:
+ }) R2 k: U, j( I
& u" | \$ e; q p6 m
% Q3 l) @$ d' Y. p% C! R6 P, eint41handler PROC, w$ `7 t' u, ^% Z( i
mov cl,al
2 o2 @2 B1 O5 c0 O* r4 O$ O iret0 X$ M3 G8 l3 x9 r' P
int41handler ENDP, b8 D6 f# E* t* `" |' i" Z
- W- c3 X9 U" K* q, r
6 W6 O9 I& m* F# \* o8 s xor ax,ax
& x9 u# a& `. C8 [$ p$ O/ f: c mov es,ax/ x( {1 L- j2 I$ v7 o3 k
mov bx, cs9 I2 E7 _; o% @2 p! V1 |
lea dx, int41handler
) R! u5 i! [/ P xchg dx, es:[41h*4]
6 C: H0 `$ L% g- c' Q3 J/ Y xchg bx, es:[41h*4+2]
; ^& @ t" ?: G7 f, V in al, 40h1 L2 O8 j; L( f9 D$ o% Y) v
xor cx,cx
8 j9 f' W2 T1 f: ~ int 41h4 n% s* V) |" _; u0 H
xchg dx, es:[41h*4]2 S/ H/ u2 D+ ]& m( h
xchg bx, es:[41h*4+2]' M& n+ r1 U1 C; S/ H, j
cmp cl,al
% o2 N( \/ x# p1 x4 j jnz SoftICE_detected# E; d: |* W4 R* o
: j! x9 U8 }) c4 H_________________________________________________________________________
8 f2 e* t0 W' v/ m
?, J% y7 x3 J2 {Method 07
# z- C* E; e4 n) p=========
+ G' I: N) }& Z8 p% O! L1 L" F& y, p* T
Method of detection of the WinICE handler in the int68h (V86)
! r1 m1 [: {5 }6 P4 [9 X) _0 e: M
mov ah,43h
" b! U3 A/ Y! Y3 w7 z& x int 68h
$ w1 f7 B: p! `2 Z cmp ax,0F386h: Z! o5 i8 f# L8 F% H
jz SoftICE_Detected3 I5 ~& A, V2 Y1 k& \
5 D7 k1 Z9 R5 o7 n
9 u3 t/ b2 {: T9 n2 k2 s7 d=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
$ B2 x2 Q4 k3 h E+ c b app like this:
0 |3 u- C4 y' ]& s: L- a0 `7 k1 i
. Q9 v0 g: e; s7 ^. M( j, t BPX exec_int if ax==68. f7 i3 Y8 f( Y( I$ e
(function called is located at byte ptr [ebp+1Dh] and client eip is5 t! m% h4 T1 w d# s% K' M5 [
located at [ebp+48h] for 32Bit apps)
6 }9 D3 @ E- Y+ M3 v, [. M__________________________________________________________________________# E8 S7 r% ~+ ~. T& L4 [$ u
1 c1 c$ i1 H7 M5 e7 ]9 w4 x. l& u* ] ^- W+ V
Method 08
% L" Y9 z8 a/ O* C$ C( ^=========
6 _4 D: S* z( ^( K2 `' G) y' l; Q9 A4 j4 O) e5 }+ u
It is not a method of detection of SoftICE but a possibility to crash the% z! A _. F6 h! ~: B* {
system by intercepting int 01h and int 03h and redirecting them to another: O& S/ a" D8 s
routine.2 H" P: o/ n1 l
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points( v8 f2 @# h" U) j5 ?- `2 s
to the new routine to execute (hangs computer...)
7 ^9 s1 `$ ?# E2 b$ H! l1 n
* k3 _5 Z. ?1 _) O mov ah, 25h* c3 s/ B/ W t6 G
mov al, Int_Number (01h or 03h)
0 Y! U) o; ?, G0 A0 q& F- I9 \7 m S$ ] mov dx, offset New_Int_Routine1 H6 @9 L# J- \* [; D( F9 m
int 21h. ~6 q; m& |# X( F! l$ _1 o, M- W
4 w7 |) _; H1 R* @
__________________________________________________________________________% y* e3 T* [3 Y: n
* x q. D5 d3 b; f ]
Method 09
$ w+ {$ W3 ^8 u9 L' c) X, y+ [3 z=========- d: ]/ `' @. i5 [* t
0 S! M1 K5 v! `0 `( R- I& }
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only! W7 Y1 k: q0 j# b9 B0 E
performed in ring0 (VxD or a ring3 app using the VxdCall).
4 m! ]6 |7 u3 {The Get_DDB service is used to determine whether or not a VxD is installed6 {( ^0 \3 `7 d: I# @8 j
for the specified device and returns a Device Description Block (in ecx) for
9 y q0 z" W! i& Y: rthat device if it is installed.( t2 X( v" w/ g! u
5 j+ l% H# A" O5 e
mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID6 l/ F. y3 e1 l* V9 ~4 A& g% W3 B
mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
, H$ I) p5 Y J- j: v4 @! I VMMCall Get_DDB4 g3 ~. {* |& E0 Z) ]. I. R" N
mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed
. e8 f+ p' B$ Z9 o
2 y/ W- m2 Y% x. ^2 `Note as well that you can easily detect this method with SoftICE:
; L9 L% o- V% u0 l! k& M! d bpx Get_DDB if ax==0202 || ax==7a5fh
* ?4 s9 M: c' d0 G/ A
, X7 G J4 ^4 u0 b% X__________________________________________________________________________
* b1 Z0 v$ M0 d4 K2 l" D/ D3 U4 r5 k' K4 g- W9 H0 t2 s
Method 10
: \+ m$ d& T" a" g7 G8 b=========% |! t1 O, {- c3 j+ U$ f
+ P4 u. ^$ Z$ K, n- q* ?2 G
=>Disable or clear breakpoints before using this feature. DO NOT trace with- y* T; Y. Y- H2 b( ]8 T
SoftICE while the option is enable!!- t2 r& Y4 O0 z3 x
8 U9 P7 E, Q9 R' I+ ^
This trick is very efficient:
( c* B' j( z2 g3 wby checking the Debug Registers, you can detect if SoftICE is loaded9 d& d+ o/ m ^' f
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if; i# j u3 b) F1 `. W6 J& b: @
there are some memory breakpoints set (dr0 to dr3) simply by reading their
) W# `( _( h/ } l# W7 A8 a2 Tvalue (in ring0 only). Values can be manipulated and or changed as well
8 Z! |3 K9 S5 [% j: D(clearing BPMs for instance)4 H9 ~8 p1 a& x
1 l; ?' @' [* J/ l9 h8 B( A- X__________________________________________________________________________
: B0 y/ V7 q& L, e. ?) g
* d. `, A- X7 Y# k5 @Method 11
! ~- m, ~7 }/ R4 b7 V=========1 P) b: w# V6 b: z+ V' S; X
- D. U8 B: h! j0 X0 y
This method is most known as 'MeltICE' because it has been freely distributed
0 f+ O' n' {, t: L* D0 [0 gvia www.winfiles.com. However it was first used by NuMega people to allow
3 q+ _, g5 p# iSymbol Loader to check if SoftICE was active or not (the code is located: I* _! Z9 B Z6 u- @
inside nmtrans.dll).
4 r5 T6 I6 F# C1 }1 E4 Q6 m7 H* p/ Y# A3 O( b9 b
The way it works is very simple:) j" B3 k' Q6 {4 k
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
# }* N3 P2 ~! s) r( `WinNT) with the CreateFileA API.- {9 t+ z6 w/ A* b9 B
7 L) Q+ w# A& c# D/ I7 f! i' RHere is a sample (checking for 'SICE'):
+ H" @; o& a: k/ s7 b
/ L% o# d& z* o3 _' V! G( VBOOL IsSoftIce95Loaded()
8 S/ O7 S, c* S+ g$ d c1 n4 ? X{0 Z" l3 I" s5 {( Y0 x/ B& T
HANDLE hFile;
. m* A+ C; |# I* ^' e# h3 J8 n hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
! y. B i8 f' R0 i5 g FILE_SHARE_READ | FILE_SHARE_WRITE,6 G3 C& ?6 I6 i& v/ _0 x1 M
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
, L9 y* v' I% e. f" [( _ D if( hFile != INVALID_HANDLE_VALUE )# e2 b) q+ r5 k
{4 s0 h" j2 x, X. @- K! m1 F& @" ?
CloseHandle(hFile);6 ?7 c U/ ~6 `0 U; O" ~4 q% O
return TRUE;% S4 N9 B( Z# B W9 z
}
9 }' R8 H c; x) h8 X return FALSE;3 i" r6 F) l3 L/ E; p5 Q
}
. G# `3 v! W1 n9 h7 @0 `7 j" T1 `* r- ?8 S, K- L* P
Although this trick calls the CreateFileA function, don't even expect to be
/ f5 ^, @8 _! V9 M) i& Hable to intercept it by installing a IFS hook: it will not work, no way!
( G3 G% u3 Y& B5 x8 w5 }) bIn fact, after the call to CreateFileA it will get through VWIN32 0x001F! T7 s5 I* V, n& V5 B3 C% g! {
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)& o3 }2 U6 @7 L) l% J( x6 Y5 _
and then browse the DDB list until it find the VxD and its DDB_Control_Proc9 m, ]4 S# e( n( x( p
field.* v. R2 W' f) f7 M. `2 Q' t! p+ p
In fact, its purpose is not to load/unload VxDs but only to send a & k* l9 v& f1 I L7 V
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)6 i. R, S. x& b9 V* [2 o2 H7 v2 |4 k9 ^
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
' |! o7 C6 `4 K$ Hto load/unload a non-dynamically loadable driver such as SoftICE ;-).
# S% w! E' x, Z6 a1 cIf the VxD is loaded, it will always clear eax and the Carry flag to allow# ^8 d9 ?% T( N) [1 d& B5 @! y
its handle to be opened and then, will be detected.* s2 ]* Y4 g y0 h
You can check that simply by hooking Winice.exe control proc entry point# ?6 {3 t0 s. U. }
while running MeltICE.; e9 _% L7 q" e; Z
: h. K: }* q4 Y1 R6 E+ m0 I2 R5 U+ e! }
00401067: push 00402025 ; \\.\SICE' \; i! W( F' S8 K, X
0040106C: call CreateFileA) O$ Y u; f7 ?0 p E V
00401071: cmp eax,-001
2 [ r [1 j' R 00401074: je 00401091
! S5 A5 Z! O' R0 K- f, {/ z) @4 E0 d9 U. Y) k# j( k v
' v+ X6 {# _7 ~There could be hundreds of BPX you could use to detect this trick./ a8 T: d0 l% m
-The most classical one is:
5 D8 [, ^5 } {, M BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||! M3 f+ P" H0 b5 v
*(esp->4+4)=='NTIC'
2 R T/ F7 i* j/ K! G0 M8 D+ D: n; P) c8 L0 g0 c7 _7 l
-The most exotic ones (could be very slooooow :-(5 G9 i" N5 i4 F- h, @; M& s
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
4 d% U) G8 G4 o% g. Y ;will break 3 times :-(
$ m* L- N( e0 j- h+ D2 N* h# e8 m# _ W
-or (a bit) faster:
$ {7 h0 k9 V0 S6 ^2 x& s m- E BPINT 30 if (*edi=='SICE' || *edi=='SIWV')7 i( Q r8 W! [
$ ]( @* g4 H3 J+ k! T" E* f4 P
BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
7 E9 N) d9 n4 U$ } n ;will break 3 times :-(
5 D9 g' h) X, B* P* G# @& w3 ~5 h
+ U# d& [* [) e( _6 {: F1 [-Much faster:
; i9 {* O; {- O$ T( k BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV', p: i |9 u/ F7 p6 D' c$ u. X* c8 o; @. _
9 g: S1 \. E9 f, i9 C1 u9 G8 C: h
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
# @. f1 `7 L, q S/ [. Efunction to do the same job:% g# |1 ~, L9 Y
4 b3 D: ?7 Y3 _. S0 L: ` push 00 ; OF_READ: M) G5 n, _7 X3 h+ Q
mov eax,[00656634] ; '\\.\SICE',0
8 [" ^3 B6 `/ h/ \ push eax
4 f8 j* B5 v! U* d1 q% [5 _1 d1 } call KERNEL32!_lopen
3 d: D0 f b1 t* n% `- V( h" P inc eax$ e- w% m+ I& R2 E2 E! \2 J
jnz 00650589 ; detected1 o: A+ M: `2 P9 x9 h$ N
push 00 ; OF_READ
! m2 `9 Z% h, {7 b) ~+ T mov eax,[00656638] ; '\\.\SICE'7 R" D& B* u3 e9 f4 n
push eax
3 }0 e' `0 ~# A/ `: ] call KERNEL32!_lopen" ]7 w6 Y% [! P
inc eax
& |& k7 c# ~. n( e( d2 @/ d' i jz 006505ae ; not detected
( y7 e- \: y% y1 c6 ] s |: B# a& e" T: W
* w1 c" `4 j* W- w8 O" ~__________________________________________________________________________# f- j0 j+ w8 G& J) w3 ?3 ~
, t2 [" M) I. Z3 _# ?+ PMethod 12
$ M+ `$ w7 G7 t8 Y: B=========" g9 A$ f! _ S5 o. Y# |$ v
^( m) Z; S7 _7 X( xThis trick is similar to int41h/4fh Debugger installation check (code 057 O5 X; C' R! P; I& m
& 06) but very limited because it's only available for Win95/98 (not NT)
! c$ u* V* f2 ~+ [' u; Pas it uses the VxDCall backdoor. This detection was found in Bleem Demo.2 K* T9 i3 V. `9 V
' ~6 _/ O8 y# y. i push 0000004fh ; function 4fh
3 s' l' x7 [+ x" h push 002a002ah ; high word specifies which VxD (VWIN32): T5 M# ]) {8 w' {, ^& Y
; low word specifies which service
/ R! S' g, z o+ S5 _ (VWIN32_Int41Dispatch)# `9 T% H: V) d( g+ w
call Kernel32!ORD_001 ; VxdCall' p7 Y* z3 u L; F& {
cmp ax, 0f386h ; magic number returned by system debuggers: i: m4 G4 K: v
jz SoftICE_detected
! j. C- t% |# Z" F2 }* J: R. ~
% }4 `/ z; V0 K. w' i: I, X7 DHere again, several ways to detect it:& y: k H. X4 A4 ~4 h( Q
0 D' p e9 P* Z5 c9 p
BPINT 41 if ax==4f
$ S" L" e. c7 c1 n7 F3 _( y
; [) R' [$ K, i" r T t- `' D4 s* ? BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one- N- ]& M' i D5 }
5 d( E+ T; z" J) P- t/ V% x
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
4 u) b6 V2 M+ g& t9 N/ @3 f+ j- V3 K& V5 |% o. t6 d1 r
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!# V$ l, {- ^ h0 C
* u. E Y( o. B) J6 f4 z0 w
__________________________________________________________________________+ T1 ^9 u4 i1 ~9 X
! K$ A, e4 t5 O
Method 13
5 T, p8 T' P E9 [* z=========
r: B8 X4 n; D; G0 e6 y5 {; _+ b9 |
& }: k* B" `6 k) m" f5 L9 [Not a real method of detection, but a good way to know if SoftICE is
( }3 P/ [$ {: g+ D2 xinstalled on a computer and to locate its installation directory.* A7 n5 ~# \- n1 Q
It is used by few softs which access the following registry keys (usually #2) :
+ T$ _4 N$ j8 V0 S6 z8 j6 x' _+ s) L9 `/ w9 k4 M+ a: F
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
$ O& z2 [4 ? f\Uninstall\SoftICE
6 K' C/ V4 {; n Z; l' U" w; x8 S-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
& g* x$ ^: L' J' M+ y-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
/ k9 O9 o: h+ a0 v\App Paths\Loader32.Exe
7 ?, P5 V3 |3 k: ~6 R
' {) f% ~0 ~% B1 l
4 ]7 h2 `- A5 J% @Note that some nasty apps could then erase all files from SoftICE directory
9 Q/ Q* M' S8 R! R* A(I faced that once :-(3 Y) _4 v" D: r2 Y
# m2 a p" I# h3 L2 V
Useful breakpoint to detect it:
, U" C, D( m( U S+ ~2 H! o( T- Q1 C& T1 i9 f
BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE' d" A" q: v# v! j- Q) I5 \( i
6 g M9 ?: P! w' { m' Y) ]5 w( c__________________________________________________________________________
" o* Y+ g+ v& i5 ~
& [2 H/ w: R. }/ q2 O. F3 i. b- w3 f Z6 |6 I9 a2 ^0 b- m Z
Method 14
& j$ J+ ~0 v$ u/ i=========; N( U4 ~( h0 F
& ]# Y( R$ Y/ h& o: P
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose, G4 s; o- C' L1 y
is to determines whether a debugger is running on your system (ring0 only).
% O% Z9 p5 e. N5 M
6 f1 g+ J( Y4 b' t# ?' A VMMCall Test_Debug_Installed
. a, @' r- T) S$ z1 ?" G je not_installed7 B8 B& y3 Q% L# ?" ^* r3 _
. ? R3 E$ G7 L" _7 z
This service just checks a flag.
' I2 [! S: R) A$ _/ n</PRE></TD></TR></TBODY></TABLE> |