<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh       ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints, execute SoftICE commands, and so on.
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is located at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get Entry Point"):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h             ; VxD ID of winice
    int 2Fh
    mov ax, es                ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh             ; VxD ID of SIWVID
    int 2Fh
    mov ax, es                ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE but a way to crash the
system, by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number        ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID        ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name      ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx            ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
whether some memory breakpoints are set (dr0 to dr3), simply by reading their
values (in ring0 only). The values can be manipulated or changed as well
(clearing BPMs, for instance).

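To make the register values quoted above concrete, here is an added Python decoder (not from the original text) that interprets a DR7 value together with the DR0-DR3 address registers according to the Intel debug-register layout: the per-slot L/G enable bits, the R/W and LEN fields, the LE/GE exact-match bits (8 and 9) and the reserved bit 10 that always reads as 1, which is why 0x400 is the baseline and 0x700 means LE and GE are set on top of it. It only decodes values you pass in; reading the registers themselves requires ring0, as the text says. The sample values are the 0x400 and 0x700 mentioned above plus one constructed BPM-style entry (slot 0, local, read/write, 4 bytes, at a made-up address).

```python
# Added example: decode x86 debug-register values (DR7 plus DR0-DR3).
# Bit layout per the Intel manual: L0/G0..L3/G3 in bits 0-7, LE bit 8,
# GE bit 9, reserved bit 10 (reads as 1), GD bit 13, R/Wn and LENn in
# 4-bit groups starting at bit 16.
DR7_LE = 1 << 8           # local exact breakpoint match
DR7_GE = 1 << 9           # global exact breakpoint match
DR7_RESERVED1 = 1 << 10   # always set on a real CPU, hence the 0x400 baseline
DR7_GD = 1 << 13          # general detect: trap on any MOV to/from DRn

RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # 8-byte length only defined in 64-bit mode


def decode_dr7(dr7, dr0_3=(0, 0, 0, 0)):
    """Interpret a DR7 value together with the four address registers.

    Returns the exact-match state, whether the always-one reserved bit is
    present (a sanity check that the value really came from DR7), the GD
    flag, and one entry per breakpoint slot that is enabled or carries a
    non-zero address."""
    slots = []
    for i in range(4):
        local = bool(dr7 & (1 << (2 * i)))
        glob = bool(dr7 & (1 << (2 * i + 1)))
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        if local or glob or dr0_3[i]:
            slots.append({
                "slot": i,
                "addr": dr0_3[i],
                "enabled": local or glob,
                "scope": "global" if glob else ("local" if local else "none"),
                "kind": RW_NAMES[rw],
                "len": LEN_BYTES[ln],
            })
    return {
        "exact": bool(dr7 & (DR7_LE | DR7_GE)),
        "reserved_ok": bool(dr7 & DR7_RESERVED1),
        "gd": bool(dr7 & DR7_GD),
        "breakpoints": slots,
    }


def classify(dr7, dr0_3=(0, 0, 0, 0)):
    """Summarise what a program reading the registers (method 10) would conclude."""
    info = decode_dr7(dr7, dr0_3)
    if any(b["enabled"] for b in info["breakpoints"]):
        return "hardware breakpoints armed"
    if info["exact"]:
        return "LE/GE set (DR7=0x700 style value)"
    return "baseline (DR7=0x400 style value, no breakpoints)"


# Constructed sample values: the two DR7 values quoted in the text and one
# made-up BPM: slot 0 enabled locally, read/write, 4 bytes, at 0x00401000.
SAMPLE_BPM_DR7 = DR7_RESERVED1 | 0x1 | (3 << 16) | (3 << 18)   # 0xF0401
SAMPLE_DR0_3 = (0x00401000, 0, 0, 0)

if __name__ == "__main__":
    for dr7, regs in ((0x400, (0, 0, 0, 0)), (0x700, (0, 0, 0, 0)),
                      (SAMPLE_BPM_DR7, SAMPLE_DR0_3)):
        print(f"DR7={dr7:#x}: {classify(dr7, regs)}")
        for bp in decode_dr7(dr7, regs)["breakpoints"]:
            print(f"  slot {bp['slot']}: {bp['scope']} {bp['kind']} "
                  f"len={bp['len']} addr={bp['addr']:#010x}")
```

The reserved_ok field is worth keeping in a real tool: a value without bit 10 set did not come from DR7 on a physical CPU, which is a quick way to spot a virtualised or spoofed reading.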
___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


    00401067: push 00402025   ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                   ; OF_READ
    mov eax,[00656634]        ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589              ; detected
    push 00                   ; OF_READ
    mov eax,[00656638]        ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae               ; not detected

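As an added example (not part of the original text), here is a Python scanner that looks for the byte patterns of the tricks described in methods 01 through 07, 11 and 12 inside a file image, the way an analyst triages a packed executable before loading it under a debugger. The patterns are the standard x86 encodings of the instructions quoted in those sections (mov si,4647h is BE 47 46, int 2Fh is CD 2F, and so on) plus the \\.\SICE, \\.\SIWVID and \\.\NTICE device names; the short wildcard spans between instructions are my own simplification, since a real stub may interleave junk. The sample buffer is constructed from the page's listings and padded with NOPs, and the magic_text helper shows why the comments read 'BCHK' and why SI/DI spell 'FG' and 'JM'.

```python
# Added example: static triage for the SoftICE-detection idioms in this text.
import re

# (description, compiled byte pattern). Hex in the comments is the encoding.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3      (BD imm32 ... CC)
    ("method 01: BoundsChecker 'BCHK' int 3 check",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC", re.S)),
    # Method 02: mov si,4647h / mov di,4A4Dh / int 3       (BE imm16, BF imm16, CC)
    ("method 02: SoftICE int 3 back door (SI=4647h, DI=4A4Dh)",
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,16}?\xCC", re.S)),
    # Methods 03/04: mov ax,1684h / mov bx,VxD_ID / int 2Fh (B8, BB, CD 2F)
    ("method 03: int 2Fh/1684h query for VxD 0202h (SICE)",
     re.compile(rb"\xB8\x84\x16\xBB\x02\x02\xCD\x2F")),
    ("method 04: int 2Fh/1684h query for VxD 7A5Fh (SIWVID)",
     re.compile(rb"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F")),
    # Methods 05/06: mov ax,4Fh / int 41h                  (B8 4F 00 CD 41)
    ("method 05/06: int 41h function 4Fh debugger check",
     re.compile(rb"\xB8\x4F\x00\xCD\x41")),
    # Method 07: mov ah,43h / int 68h                      (B4 43 CD 68)
    ("method 07: int 68h function 43h V86 check",
     re.compile(rb"\xB4\x43\xCD\x68")),
    # Method 12: push 4Fh / push 2A002Ah / call ...        (6A 4F 68 imm32 E8)
    ("method 12: VxDCall VWIN32_Int41Dispatch(4Fh)",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8")),
    # Method 11: the device names MeltICE-style code hands to CreateFileA/_lopen
    ("method 11: SoftICE device name string",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
]


def magic_text(value):
    """Render a 'magic' immediate as the ASCII it spells when read big-endian:
    0x4243484B -> 'BCHK', 0x4647 -> 'FG', 0x4A4D -> 'JM'."""
    return value.to_bytes((value.bit_length() + 7) // 8, "big").decode("ascii")


def scan(buf):
    """Return a sorted list of (offset, description) for every signature hit."""
    hits = []
    for name, pattern in SIGNATURES:
        for m in pattern.finditer(buf):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample: a fake stub glued together from the listings above and
# padded with NOPs (90h) so the offsets are easy to follow. Not a real binary.
SAMPLE = (
    b"\x90" * 4                                    # 0-3: padding
    + b"\xBD\x4B\x48\x43\x42"                      # 4-8: mov ebp,4243484Bh
    + b"\x66\xB8\x04\x00"                          # 9-12: mov ax,4 (66h prefix in 32-bit code)
    + b"\xCC"                                      # 13: int 3
    + b"\x90" * 3                                  # 14-16
    + b"\xB8\x11\x09"                              # 17-19: mov ax,0911h (16-bit code)
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"              # 20-26: mov si / mov di / int 3
    + b"\x90" * 3                                  # 27-29
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"          # 30-37: int 2Fh/1684h, bx=0202h
    + b"\xB8\x4F\x00\xCD\x41"                      # 38-42: mov ax,4Fh / int 41h
    + b"\xB4\x43\xCD\x68"                          # 43-46: mov ah,43h / int 68h
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00"  # 47-58: push/push/call rel32
    + b"\\\\.\\SICE\x00"                           # 59-67: "\\.\SICE"
    + b"\\\\.\\NTICE\x00"                          # 68-77: "\\.\NTICE"
)

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
    print("magic:", magic_text(0x4243484B), magic_text(0x4647), magic_text(0x4A4D))
```

To run it over a real file, read it with open(path, "rb").read() and pass the bytes to scan(); device-name hits are also cheap to confirm with the BPX on CreateFileA given above, since a string in the image is not proof that it is ever used.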
___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh            ; function 4fh
    push 002a002ah            ; high word specifies which VxD (VWIN32)
                              ; low word specifies which service
                              ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001     ; VxdCall
    cmp ax, 0f386h            ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386    ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f    ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys (usually #2):
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>