<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov ebp, 04243484Bh    ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4              ; AL is no longer 4 if SoftICE answered the request
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-(

Here is a quick description:
-AX = 0910h (Display string in SoftICE window)
-AX = 0911h (Execute SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h          ; VxD ID of WinICE
    int 2Fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax            ; ES:DI stays 0 if no such VxD is loaded
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh          ; VxD ID of SIWVID
    int 2Fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; ES must already be 0 (the IVT segment) here; Method 06 sets it explicitly.
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]    ; install a dummy int 41h handler, saving the old vector
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h                ; through the dummy handler alone, AX would stay 4Fh
    xchg dx, es:[41h*4]    ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect (no
magic number is compared):

int41handler PROC
    mov cl, al             ; record the value AL had when the handler ran
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax             ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]    ; install the handler, saving the old vector
    xchg bx, es:[41h*4+2]
    in al, 40h             ; unpredictable value read from the timer chip
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]    ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al             ; CL == AL only if our own handler was executed
    jnz SoftICE_detected
__________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h                    ; DOS: set interrupt vector
    mov al, Int_Number             ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h
__________________________________________________________________________

Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* "\\\\.\\SICE" is the C spelling of the device name \\.\SICE */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025          ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001           ; INVALID_HANDLE_VALUE?
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                    ; OF_READ
    mov eax,[00656634]         ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                    ; HFILE_ERROR (-1) becomes 0
    jnz 00650589               ; detected
    push 00                    ; OF_READ
    mov eax,[00656638]         ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                ; not detected

__________________________________________________________________________

Method 12
=========
This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh         ; function 4fh
    push 002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001  ; VxdCall
    cmp ax, 0f386h         ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed       ; ZF set: no debugger

This service just checks a flag.
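Most of the checks above leave fixed byte patterns in a binary, which is what an analyst triaging a packed sample wants to flag before stepping into it. The scanner below is an added example, not code from the original text or from NuMega: it encodes the signatures of Methods 01-05, 07, 11 and 12 (assuming 16-bit encodings for the DOS-era methods and 32-bit for the Win32 ones; the "Mxx" labels and the sample blob are constructed here) and reports where each fires.

```python
import re
from typing import Dict, List, Tuple

# Byte signatures of the checks described on this page. Encodings assume 16-bit
# code for the DOS-era methods and 32-bit code for the Win32 ones; a variant
# that reorders the instructions needs extra patterns (heuristic triage, not
# proof). Hypothetical helper written for this example, not NuMega's code.
SIGNATURES: Dict[str, bytes] = {
    "M01 BoundsChecker 'BCHK' magic (mov ebp,4243484Bh)": rb"\xBD\x4B\x48\x43\x42",
    "M02 back door magic (mov si,4647h / mov di,4A4Dh)":  rb"\xBE\x47\x46\xBF\x4D\x4A",
    "M03 int 2Fh/1684h, VxD ID 0202h (SICE)":             rb"\xB8\x84\x16\xBB\x02\x02\xCD\x2F",
    "M04 int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)":           rb"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F",
    "M05 int 41h/4Fh then cmp ax,0F386h":                 rb"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3",
    "M07 int 68h/43h":                                    rb"\xB4\x43\xCD\x68",
    "M11 SoftICE device name":                            rb"\\\\\.\\(SICE|SIWVID|NTICE)",
    "M12 VxDCall VWIN32_Int41Dispatch (push 4Fh / push 2A002Ah)": rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
}


def scan(blob: bytes) -> List[Tuple[int, str]]:
    """Return (offset, description) for every signature hit, sorted by offset."""
    hits: List[Tuple[int, str]] = []
    for name, pattern in SIGNATURES.items():
        for match in re.finditer(pattern, blob):
            hits.append((match.start(), name))
    return sorted(hits)


def methods_found(blob: bytes) -> List[str]:
    """Just the 'Mxx' tags that fired, deduplicated and ordered."""
    return sorted({name.split()[0] for _, name in scan(blob)})


# Constructed sample: NOP padding around a Method 02 back door call, the two
# device names MeltICE opens (Method 11) and the Bleem-style VxDCall (Method 12).
SAMPLE = (
    b"\x90" * 8
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"          # mov si,4647h / mov di,4A4Dh / int 3
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"        # "\\.\SICE", "\\.\NTICE"
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"          # push 4Fh / push 2A002Ah
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, name in scan(data):
        print(f"{offset:08x}  {name}")
```

Run it with a file path to scan that file, or with no argument to scan the embedded sample.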
</PRE></TD></TR></TBODY></TABLE>