<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on SoftICE's handling of the BoundsChecker signature: with
ebp='BCHK' and ax=4, an int 3 reaches SoftICE's int 3 handler, which
modifies al. Without SoftICE the int 3 simply returns and al is still 4,
which is all the code relies on.

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4 ; al untouched -> no SoftICE
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses the
SoftICE 'Back Door commands' (int 3 with magic values in SI/DI), which give
infos on breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; ds:dx points to the ASCIZ command string)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE ('FG' and 'JM' in ASCII).
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(API "Get VxD API entry point"): ES:DI is zeroed before the call and is only
non-zero afterwards if a VxD with that ID is loaded and exports an entry point.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di ; (or ax,di would also avoid a false negative on wrap-around)
 test ax,ax ; still 0:0 -> VxD not loaded
 jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE graphics VxD (SIWVID).

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax ; still 0:0 -> VxD not loaded
 jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh ("debugger installation check").
There are several alternatives.
The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one first points the int 41h vector
at its own dummy handler (es must already hold segment 0, the interrupt
vector table, as set explicitly in Method 06), so a plain int 41h would just
return with ax unchanged; only a debugger that intercepts int 41h before the
vector table is consulted still answers with 0F386h:

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; swap in our handler, old vector kept in dx:bx
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect: the
dummy handler copies al into cl, so the program only tests whether its own
int 41h handler ran at all. An unpredictable byte read from the timer port
40h is used so that the expected value cannot be faked. If a debugger
swallowed the interrupt, cl is still 0 and (unless the byte read happened to
be 0) differs from al.

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax ; es = 0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h ; PIT channel 0 count: an unpredictable byte
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler on int 68h (V86 mode): function
43h of int 68h is the same "debugger installation check" as int 41h/4Fh and
returns the 0F386h magic value when a system debugger is installed.

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
 app like this:

 BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)

___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

 mov ah, 25h ; DOS: set interrupt vector
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine ; ds:dx -> new handler
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using the VxDCall backdoor).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
 SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3) simply by reading
their value (in ring 0 only: mov eax,dr7 is a privileged instruction and
faults in ring 3). Values can be manipulated or changed as well (clearing
BPMs for instance).

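As an added example (not part of the original text), here is a C decoder for
DR7 showing what the two values quoted above, 0x400 and 0x700, mean bit by
bit and how a ring-0 check would tell "nothing armed" from "a BPM is set in
dr0..dr3". It does not read DR7 itself (that needs mov eax,dr7 in ring 0);
the sample values are constructed here, and the bit positions are the ones
documented in the Intel SDM. The verdict names follow the text's claim that
0x700 (LE|GE set) is what the SoftICE loader leaves behind.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* DR7 layout (Intel SDM vol. 3, "Debug Registers"):
 *   bits 2n / 2n+1     Ln / Gn : breakpoint n enabled (current task / all tasks)
 *   bits 8 / 9         LE / GE : local / global exact breakpoint enable
 *   bit 10             reserved, always reads as 1 (hence the idle value 0x400)
 *   bit 13             GD      : #DB on any MOV to/from a debug register
 *   bits 16+4n,17+4n   R/Wn    : 0=exec 1=write 2=I/O (needs CR4.DE) 3=read/write
 *   bits 18+4n,19+4n   LENn    : 0=1 byte 1=2 bytes 2=8 bytes (64-bit) 3=4 bytes
 * 0x700 from the text is therefore reserved|LE|GE with no slot armed. */
#define DR7_LE       (1u << 8)
#define DR7_GE       (1u << 9)
#define DR7_RESERVED (1u << 10)
#define DR7_GD       (1u << 13)

enum { DR7_RW_EXEC = 0, DR7_RW_WRITE = 1, DR7_RW_IO = 2, DR7_RW_RDWR = 3 };
enum { DR7_LEN_1 = 0, DR7_LEN_2 = 1, DR7_LEN_8 = 2, DR7_LEN_4 = 3 };

struct dr7_slot  { bool local, global; unsigned rw, len; };
struct dr7_state { struct dr7_slot slot[4]; bool le, ge, gd, reserved; };

/* Fields of breakpoint slot n (dr0..dr3). */
static struct dr7_slot dr7_get_slot(uint32_t dr7, int n)
{
    struct dr7_slot b;
    b.local  = (dr7 >> (2 * n))      & 1u;
    b.global = (dr7 >> (2 * n + 1))  & 1u;
    b.rw     = (dr7 >> (16 + 4 * n)) & 3u;
    b.len    = (dr7 >> (18 + 4 * n)) & 3u;
    return b;
}

/* Split a raw DR7 value into all of its fields. */
static struct dr7_state dr7_decode(uint32_t dr7)
{
    struct dr7_state s;
    for (int n = 0; n < 4; n++)
        s.slot[n] = dr7_get_slot(dr7, n);
    s.le       = (dr7 & DR7_LE) != 0;
    s.ge       = (dr7 & DR7_GE) != 0;
    s.gd       = (dr7 & DR7_GD) != 0;
    s.reserved = (dr7 & DR7_RESERVED) != 0;
    return s;
}

/* DR7 value needed to arm one breakpoint in slot n (the address itself goes
 * into DRn, which is not modelled here). */
static uint32_t dr7_arm(uint32_t dr7, int n, unsigned rw, unsigned len, bool global)
{
    dr7 &= ~(3u << (2 * n));             /* clear Ln/Gn         */
    dr7 &= ~(0xFu << (16 + 4 * n));      /* clear R/Wn and LENn */
    dr7 |= (global ? 2u : 1u) << (2 * n);
    dr7 |= (rw & 3u) << (16 + 4 * n);
    dr7 |= (len & 3u) << (18 + 4 * n);
    return dr7 | DR7_RESERVED;
}

/* How many of dr0..dr3 are live (Ln or Gn set): what a BPM check reads. */
static int dr7_armed_count(uint32_t dr7)
{
    int count = 0;
    for (int n = 0; n < 4; n++)
        if (dr7 & (3u << (2 * n)))
            count++;
    return count;
}

/* The three situations the text distinguishes. */
enum dr7_verdict { DR7_CLEAN, DR7_SICE_LOADER, DR7_BPM_SET };

static enum dr7_verdict dr7_classify(uint32_t dr7)
{
    if (dr7_armed_count(dr7) > 0)
        return DR7_BPM_SET;
    if ((dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE))
        return DR7_SICE_LOADER;          /* 0x700: loaded via the SoftICE loader */
    return DR7_CLEAN;                    /* 0x400: only the reserved bit         */
}

int main(void)
{
    /* Constructed samples: the two values quoted in the text, plus a DR7 with a
     * global 4-byte write breakpoint armed in slot 0 (what a "BPM ... W" sets). */
    static const char *const rw_name[]   = { "exec", "write", "io", "rw" };
    static const unsigned    len_bytes[] = { 1, 2, 8, 4 };
    static const char *const verdict[]   = { "clean", "LE|GE set (SoftICE loader)", "BPM armed" };
    uint32_t samples[3];
    samples[0] = 0x400u;
    samples[1] = 0x700u;
    samples[2] = dr7_arm(0x400u, 0, DR7_RW_WRITE, DR7_LEN_4, true);

    for (int i = 0; i < 3; i++) {
        struct dr7_state s = dr7_decode(samples[i]);
        printf("dr7=%#x -> %s\n", (unsigned)samples[i], verdict[dr7_classify(samples[i])]);
        for (int n = 0; n < 4; n++)
            if (s.slot[n].local || s.slot[n].global)
                printf("  dr%d: %s %s, %u byte(s)\n", n,
                       s.slot[n].global ? "global" : "local",
                       rw_name[s.slot[n].rw], len_bytes[s.slot[n].len]);
    }
    return 0;
}
```

The third sample decodes to 0xD0402: G0 set, R/W0=write, LEN0=4 bytes, on top
of the reserved bit; that is the kind of value the "BPM set" branch of this
trick is looking for, and clearing the Ln/Gn bits is what "clearing BPMs"
amounts to.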
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver devices (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API; the open only succeeds if the driver is
loaded.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
 HANDLE hFile;
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE ) /* device opened: driver is loaded */
 {
 CloseHandle(hFile);
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001 ; INVALID_HANDLE_VALUE
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'
 (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix)

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(
-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax ; HFILE_ERROR (-1) becomes 0
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32)
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_0001 ; VxDCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 (esp->8 is the lpSubKey argument; 0x13 and 0x37 are the offsets of "tICE"
 in key #2 and key #1 respectively, so key #3 is not caught by this one)
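As an added example (not from the original text), here are the breakpoint
conditions of Method 11 (CreateFileA/_lopen) and Method 13 (_regopenkey)
re-implemented in C, so that the constants 4, 0x13 and 0x37 can be checked
against the exact strings those tricks pass and so that the gap (key #3) is
visible. SoftICE's *(p+off)=='XXXX' reads a dword at p+off whatever follows
the terminator; this version stops at the terminator instead. All sample
arguments are constructed here; nothing is read from a real registry or
device namespace.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* SoftICE's *(p+off)=='XXXX' compares one dword at p+off with four
 * characters; in C that is a 4-byte memcmp. A string shorter than off+4
 * cannot match here (SoftICE would compare whatever lies past the NUL). */
static bool dword_at(const char *s, size_t off, const char tag[4])
{
    return strlen(s) >= off + 4 && memcmp(s + off, tag, 4) == 0;
}

/* Method 11: BPX CreateFileA if *(esp->4+4)=='SICE' || ...=='SIWV' || ...=='NTIC'
 * esp->4 is lpFileName; +4 skips the "\\.\" device prefix. The _lopen
 * variant passes the same strings, so the same test covers it. */
static bool meltice_filename(const char *lpFileName)
{
    static const char *const tags[] = { "SICE", "SIWV", "NTIC" };
    for (size_t i = 0; i < sizeof tags / sizeof tags[0]; i++)
        if (dword_at(lpFileName, 4, tags[i]))
            return true;
    return false;
}

/* Method 13: BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 * esp->8 is lpSubKey, the path below HKEY_LOCAL_MACHINE. */
static bool regopenkey_subkey(const char *lpSubKey)
{
    return dword_at(lpSubKey, 0x13, "tICE") || dword_at(lpSubKey, 0x37, "tICE");
}

/* Offset of the first occurrence of a 4-byte tag in s, or -1 if absent:
 * this is how the constants 4, 0x13 and 0x37 above are derived. */
static long tag_offset(const char *s, const char tag[4])
{
    size_t n = strlen(s);
    for (size_t i = 0; i + 4 <= n; i++)
        if (memcmp(s + i, tag, 4) == 0)
            return (long)i;
    return -1;
}

int main(void)
{
    /* Constructed sample arguments: what the tricks pass, plus two innocent ones. */
    static const char *const files[] = {
        "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE",
        "\\\\.\\PhysicalDrive0", "C:\\readme.txt",
    };
    static const char *const keys[] = {
        "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",      /* #1 */
        "Software\\NuMega\\SoftICE",                                              /* #2 */
        "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",  /* #3 */
    };
    for (size_t i = 0; i < sizeof files / sizeof files[0]; i++)
        printf("CreateFileA(\"%s\") -> %s\n", files[i],
               meltice_filename(files[i]) ? "break" : "pass");
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++)
        printf("RegOpenKey(\"%s\") -> %s (\"tICE\" at offset %ld)\n", keys[i],
               regopenkey_subkey(keys[i]) ? "break" : "pass",
               tag_offset(keys[i], "tICE"));
    return 0;
}
```

Run as-is, the three device names break and the two innocent ones pass; keys
#1 and #2 break with "tICE" found at 0x37 and 0x13, while key #3 passes
because it never contains that tag. A program that only reads key #3 (the
Loader32.Exe App Path) therefore slips under the breakpoint quoted above.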
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

 VMMCall Test_Debug_Installed
 je not_installed ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>