<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected
1 o" X9 K$ h3 V9 w
___________________________________________________________________________
0 s9 A* Q/ u1 P5 Q& F$ q7 }- V5 Y3 {# A% o T
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is located at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
+ g! F% C/ h( H8 R
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
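Both INT 3 based checks above leave a distinctive byte sequence in the code, which is what an analyst looks for when triaging a protected binary. As an added example (not part of the original document), here is a small Python scanner for those two opcode patterns; the sample bytes are constructed for the demonstration, and the optional 0x66 operand-size prefix lets both 16-bit and 32-bit encodings match.

```python
import re

# What the INT 3 back-door function numbers from Method 02 mean.
BACKDOOR_FUNCTIONS = {
    0x0910: "display string in SoftICE window",
    0x0911: "execute SoftICE command",
    0x0912: "get breakpoint info",
    0x0913: "set breakpoint",
    0x0914: "remove breakpoint",
}

# Opcode signatures for both INT 3 checks.  Immediates are little-endian and
# the optional 0x66 operand-size prefix lets 16-bit and 32-bit code match.
SIGNATURES = {
    # Method 01: mov ebp,'BCHK' / mov ax,4 / int 3 / cmp al,4
    "bchk_int3": re.compile(
        rb"(?:\x66)?\xBD\x4B\x48\x43\x42"   # mov ebp, 04243484Bh
        rb"(?:\x66)?\xB8\x04\x00"           # mov ax, 04h
        rb"\xCC"                            # int 3
        rb"\x3C\x04", re.DOTALL),           # cmp al, 4
    # Method 02: mov ax,091Xh ... mov si,4647h / mov di,4A4Dh ... int 3
    "backdoor_int3": re.compile(
        rb"(?:\x66)?\xB8(?P<fn>[\x10-\x14])\x09"   # mov ax, 0910h..0914h
        rb".{0,16}?"                               # room for e.g. mov dx,[bx]
        rb"(?:\x66)?\xBE\x47\x46"                  # mov si, 4647h
        rb"(?:\x66)?\xBF\x4D\x4A"                  # mov di, 4A4Dh
        rb".{0,16}?"
        rb"\xCC", re.DOTALL),                      # int 3
}


def scan(code: bytes) -> list:
    """Return (signature, offset, detail) for every match, ordered by offset."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in pattern.finditer(code):
            detail = ""
            if name == "backdoor_int3":
                fn = 0x0900 | m.group("fn")[0]
                detail = BACKDOOR_FUNCTIONS.get(fn, "unknown")
            hits.append((name, m.start(), detail))
    return sorted(hits, key=lambda h: h[1])


# Constructed sample: a 32-bit BCHK check, filler, then the 16-bit
# Haspinst-style back-door call (mov ax,0911h / mov dx,[bx] / ... / int 3).
SAMPLE = (
    b"\x55\x8B\xEC"                  # push ebp / mov ebp,esp (prologue filler)
    b"\xBD\x4B\x48\x43\x42"          # mov ebp, 'BCHK'
    b"\x66\xB8\x04\x00"              # mov ax, 4
    b"\xCC"                          # int 3
    b"\x3C\x04"                      # cmp al, 4
    b"\x75\x10"                      # jnz SoftICE_Detected
    + b"\x90" * 8 +                  # nop filler
    b"\xB8\x11\x09"                  # mov ax, 0911h
    b"\x8B\x17"                      # mov dx, [bx]
    b"\xBE\x47\x46"                  # mov si, 4647h
    b"\xBF\x4D\x4A"                  # mov di, 4A4Dh
    b"\xCC"                          # int 3
)
```

Running scan(SAMPLE) reports the BCHK check at offset 3 and the back-door call (function 0911h) at offset 25.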
___________________________________________________________________________


Method 03
=========
Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========
Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected



The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 xor ax,ax
 mov es,ax ; es = 0 -> interrupt vector table (as in Method 06)
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

___________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:
 BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

___________________________________________________________________________

Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh
___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
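As an added example (not part of the original text), here is a Python decoder for the DR7 layout behind the two values quoted above: bits 0-7 are the L/G enable pairs of dr0-dr3, bits 8-9 are LE/GE, bit 10 is reserved and always reads as 1 (hence the bare 0x400), and bits 16-31 hold each breakpoint's R/W and LEN fields, so 0x700 is simply 0x400 with LE and GE set. The sample DR7 and DR0-3 values are constructed.

```python
RW_TYPES = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}  # 0b10 = 8 bytes in long mode only


def decode_dr7(dr7: int) -> dict:
    """Split a DR7 value into its global flags and the armed breakpoints."""
    armed = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)        # Ln: bits 0,2,4,6
        glob = bool((dr7 >> (2 * n + 1)) & 1)     # Gn: bits 1,3,5,7
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 0b11         # R/Wn: break condition
        ln = (dr7 >> (18 + 4 * n)) & 0b11         # LENn: size of the range
        armed.append({"index": n, "local": local, "global": glob,
                      "type": RW_TYPES[rw], "length": LEN_BYTES[ln]})
    return {
        "le": bool((dr7 >> 8) & 1),               # local exact breakpoint enable
        "ge": bool((dr7 >> 9) & 1),               # global exact breakpoint enable
        "reserved_bit10": bool((dr7 >> 10) & 1),  # always reads as 1
        "gd": bool((dr7 >> 13) & 1),              # general detect (traps MOV DRn)
        "breakpoints": armed,
    }


def softice_hints(dr7: int, dr_addrs=(0, 0, 0, 0)) -> list:
    """Read a DR7 (and DR0..DR3) snapshot the way Method 10 does."""
    d = decode_dr7(dr7)
    hints = []
    if d["le"] and d["ge"]:
        hints.append("LE+GE set (the 0x700 case): started via the SoftICE loader")
    for bp in d["breakpoints"]:
        hints.append(f"BPM on dr{bp['index']} at {dr_addrs[bp['index']]:#010x}: "
                     f"{bp['type']}, {bp['length']} byte(s)")
    if not hints:
        hints.append("no LE/GE and no hardware breakpoints armed (the plain 0x400 case)")
    return hints


# Constructed sample: the 0x700 loader value plus a 4-byte read/write BPM on
# dr0 (global enable) and a 2-byte write BPM on dr2 (local enable).
SAMPLE_DR7 = (0x700
              | 0b10 | (0b11 << 16) | (0b11 << 18)       # G0, R/W0=rw, LEN0=4
              | (1 << 4) | (0b01 << 24) | (0b01 << 26))  # L2, R/W2=w, LEN2=2
SAMPLE_ADDRS = (0x0040106C, 0, 0x00402025, 0)            # constructed dr0..dr3
```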

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE if the SoftICE (Win9x) driver answers to the device name. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);  /* the driver is loaded: release the handle */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected


___________________________________________________________________________

Method 12
=========
This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32)
                ; low word specifies which service (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxDCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
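The conditional breakpoints given for Method 11 (CreateFileA) and Method 13 (_regopenkey) both dereference the callee's stack arguments. As an added example (not from the original document), here is a Python model of those two conditions over a constructed register/memory snapshot, so the +4 and the 0x13/0x37 offsets can be checked against the actual strings: SoftICE's `ptr->n` is modelled as a dword read at ptr+n and `*ptr=='SICE'` as a four-byte compare. The stack address and frame are constructed; 0x00402025 is the string address from the MeltICE listing above.

```python
import struct

# A tiny stand-in for what SoftICE sees at a BPX: registers plus a few mapped
# memory chunks ({base_address: bytes}).  Constructed for this example.
class Snapshot:
    def __init__(self, regs: dict, memory: dict):
        self.regs = regs
        self.memory = memory

    def read(self, addr: int, size: int) -> bytes:
        for base, chunk in self.memory.items():
            if base <= addr and addr + size <= base + len(chunk):
                return chunk[addr - base:addr - base + size]
        return b""                       # unmapped: SoftICE would show '????'

    def dword(self, addr: int) -> int:
        """'ptr->n' in a SoftICE expression: the dword stored at ptr+n."""
        data = self.read(addr, 4)
        return struct.unpack("<I", data)[0] if len(data) == 4 else 0

    def chars(self, addr: int) -> bytes:
        """'*ptr' compared against a four-character constant like 'SICE'."""
        return self.read(addr, 4)


def bpx_createfilea(snap: Snapshot) -> bool:
    """BPX CreateFileA if *(esp->4+4)=='SICE' || ...=='SIWV' || ...=='NTIC'"""
    name = snap.dword(snap.regs["esp"] + 4)    # esp->4: 1st arg, lpFileName
    return snap.chars(name + 4) in (b"SICE", b"SIWV", b"NTIC")  # +4 skips "\\.\"


def bpx_regopenkey(snap: Snapshot) -> bool:
    """BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'"""
    subkey = snap.dword(snap.regs["esp"] + 8)  # esp->8: 2nd arg, lpSubKey
    # 0x13 is where "tICE" sits in "Software\NuMega\SoftICE" (key #2) and
    # 0x37 where it sits in "...\CurrentVersion\Uninstall\SoftICE" (key #1).
    return any(snap.chars(subkey + off) == b"tICE" for off in (0x13, 0x37))


STACK = 0x0012FF00          # constructed esp value
STR_ADDR = 0x00402025       # string address taken from the MeltICE listing


def make_snapshot(arg_string: bytes) -> Snapshot:
    """Fake call frame: [esp]=return address, [esp+4] and [esp+8] -> the string."""
    frame = struct.pack("<III", 0x00401071, STR_ADDR, STR_ADDR)
    return Snapshot({"esp": STACK}, {STACK: frame, STR_ADDR: arg_string})
```

Feeding key #3 (App Paths\Loader32.Exe) through bpx_regopenkey returns False, which is why the breakpoint above only catches keys #1 and #2.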

___________________________________________________________________________

Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>