<TABLE width=500>
/ T4 T& {# q9 }<TBODY>
; L$ s0 `* ~3 Z/ r7 S<TR>
5 d3 Z- o" h' Y<TD><PRE>Method 01 0 V, n0 I( {( s4 Z6 v, N
=========1 B+ p0 d3 B; \ ^+ `* ~7 }1 U
9 m5 j/ w; {- I! ?! f$ T
This method of detection of SoftICE (as well as the following one) is
# ~) d+ e: H; @5 f1 R1 `used by the majority of packers/encryptors found on Internet.; \ G3 Y% r# D! u4 F' l
It seeks the signature of BoundsChecker in SoftICE
# _" V) N5 ^5 Q. J- O. ]; B
9 ^% ?$ \5 E6 O& e mov ebp, 04243484Bh ; 'BCHK'- {: P# n$ P+ ^+ }
mov ax, 04h5 Y9 T2 V7 [/ p ~& [* _
int 3
7 w4 @* x& a- \1 h( ^& _" Y cmp al,4" f! \- ~) z3 l
jnz SoftICE_Detected' ~# m: w, {; B( ]5 e' L1 D
) c! h4 |* z! l/ b% J% @
___________________________________________________________________________
+ d* H0 j! k+ s8 Y6 ~. c* \" q7 a" {: V4 `: {$ i
Method 02
0 M' s: P6 o: x% A=========! F$ V' x% f ^% Y$ h7 t
- L1 t4 m+ z: n) q3 t
Still a method very much used (perhaps the most frequent one). It is used
7 [2 ?, n: Y: [7 C/ B6 U4 B& u# Lto get SoftICE 'Back Door commands' which gives infos on Breakpoints,0 h R/ [4 |/ A$ P- g
or execute SoftICE commands...
/ Y& n; y6 l2 oIt is also used to crash SoftICE and to force it to execute any commands
o: T3 z$ `6 O2 ?1 A; z(HBOOT...) :-(( & g* K; c* N* h9 j: p- ?* J$ X6 M
! S1 I9 @9 x' S& z+ p# y. W& RHere is a quick description:* ~. V& b0 k% R
-AX = 0910h (Display string in SIce windows)
p8 F* X- j5 I- w0 i2 N% @! i-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)
$ h1 R& u- {2 {-AX = 0912h (Get breakpoint infos)6 B& _5 n y% D5 n1 V1 l; y
-AX = 0913h (Set Sice breakpoints)
5 \- n, z! A# g-AX = 0914h (Remove SIce breakoints), k" o/ m& O. y2 P- _, f
, |- G* }: p: L' \+ I5 Q! d' U
Each time you'll meet this trick, you'll see:
7 g X3 Y" Z, S-SI = 4647h5 u, m$ i$ @/ c* w* {
-DI = 4A4Dh
- B6 h. P0 r8 g% XWhich are the 'magic values' used by SoftIce.
& `, g. b3 r8 ? e" WFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.) ?3 E5 f4 Y& O9 K; P2 A2 v( ^4 O
, ^& Q) v' e: O) X; C- M7 H0 eHere is one example from the file "Haspinst.exe" which is the dongle HASP+ A8 o% H; C9 r/ _ z4 O
Envelope utility use to protect DOS applications:
. c" D! e) u0 u \& e9 r3 }- P7 Z+ ?; A! C0 i* \) C
, g& E c3 l& i
4C19:0095 MOV AX,0911 ; execute command.. B: n3 L( Z" s" l) z
4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).8 f1 S0 V0 g4 V
4C19:009A MOV SI,4647 ; 1st magic value.4 O: P3 Y! `6 a+ z, V Q( |
4C19:009D MOV DI,4A4D ; 2nd magic value.
, L" I% h* d T5 ^; b( c- q; m+ [4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)) q; u& G4 a9 X5 b& t& |, }
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute& k& d7 s/ J E# y9 g0 }6 \0 R! @# i: z
4C19:00A4 INC CX# @6 R W# ]3 |. v: J" R
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
' d+ }- p2 V9 b* `1 Z8 k4C19:00A8 JB 0095 ; 6 different commands.5 t) m6 i2 b! R) @
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
. [: q1 ~8 c. K) e, r' `4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
( l" t/ @6 [8 d% ~( A8 \7 V- E. z' F+ A' y8 j+ U+ H2 ~
The program will execute 6 different SIce commands located at ds:dx, which$ O% j- M I+ ]
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
( O- ~! f" K# ]" o# e: X' V" \- l/ r/ _ l7 \6 M; v# j, A
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
y! l# a! U. l2 {& j___________________________________________________________________________. V# n+ u/ v6 f! i2 F4 i0 ^: x
' n$ [! a0 ]6 r9 Q4 F) V, j$ I z6 H. x
Method 03
}- S% ?: u2 D% l- [* f=========; Y) D1 N% Z g0 \9 [3 i4 |/ `
& F) @; o/ Q; F5 R" ^( [
Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h4 S% {4 \8 w P( w$ [
(API Get entry point)" P5 U4 ]5 u8 I9 n' @
6 ]& ~- ]( D$ R$ H2 U4 _/ v
6 z" N* R1 L, k; V; V xor di,di
% g# y- w7 A2 Z+ v; n# h- H7 }; j mov es,di
! ]7 O/ q, s! s. ]0 p mov ax, 1684h
8 ?. X4 t1 X1 T# ?, c8 } mov bx, 0202h ; VxD ID of winice) I0 b0 n$ Y7 C6 ]* T
int 2Fh8 @2 w$ x+ q( J- ?& [. g9 f
mov ax, es ; ES:DI -> VxD API entry point+ y1 _2 z/ a" R! ?" V5 g5 a
add ax, di, |3 D' d- H! T" w3 Z% G5 _$ G
test ax,ax3 G" c+ _: t2 Q6 A9 R0 `
jnz SoftICE_Detected& U+ g1 ]& ^1 P5 X+ }# Z! Q5 Q' e
, A% c$ T9 u* T
___________________________________________________________________________
; K2 F" y; P& g
( V1 l1 g5 H/ Z) ~5 WMethod 04
# h* B9 X% m, R+ \1 Y( c- E& F% ]+ V=========
4 { X' U( m& s0 P. Y- @# q
5 e) c9 y2 H) V) w! d0 o9 VMethod identical to the preceding one except that it seeks the ID of SoftICE4 h# c$ A6 X# Y& J& J( o' v# ~
GFX VxD.5 K! R2 S: f& P9 |1 q$ v
) P' f" n# ?/ B xor di,di
9 O" d7 J! q( o7 M5 l. H mov es,di# k1 R' |- `- f- J* M
mov ax, 1684h
+ J9 s" s0 I$ s mov bx, 7a5Fh ; VxD ID of SIWVID
r$ {0 I& D1 L r3 M int 2fh0 K( D* C+ Z9 Z) [1 m% Z# M0 ^
mov ax, es ; ES:DI -> VxD API entry point" c9 Y7 F+ j7 T( I
add ax, di
9 ] B& N+ x' Q/ d, h* P test ax,ax7 A" E5 _) N, R" R- Z; C$ o
jnz SoftICE_Detected0 q7 x% S# o* L- O) F
- n$ s6 y; K# K
__________________________________________________________________________: ^. ]1 b- `& S- S% W
4 {9 t9 {6 T1 v6 l9 ?- s1 _5 p- i
1 R! I# W3 s) d) yMethod 05( S- [: Z9 }7 d; |. F& B
=========0 d: ?3 {7 d0 p$ c7 v0 Y
8 q( s0 A1 u5 a$ u0 {8 w$ R
Method seeking the 'magic number' 0F386h returned (in ax) by all system
) |( ^7 C( J) G7 N- _8 H. ` ?debugger. It calls the int 41h, function 4Fh.3 e1 K2 F) @& z/ a" S
There are several alternatives. + e+ q* ]- R$ ~4 W# q5 m
+ m t. c" r. {+ G3 o5 w- ^
The following one is the simplest:
4 ]1 c: V& N6 b; D. p$ ?9 g7 D9 A& G/ u) X1 T4 H9 }
mov ax,4fh, m$ K% [! ]: M7 K8 K, a
int 41h
, c3 o$ a- n, w3 D* e2 U$ E cmp ax, 0F386
, b5 Q& Q9 F' Y2 I/ w4 r5 L jz SoftICE_detected
3 J, G1 e% V: [& R! D/ h; R* u F) a$ {7 M4 A
4 S' ~7 Z- J _1 _Next method as well as the following one are 2 examples from Stone's
6 t/ O% A' z1 W C- ]5 k9 |"stn-wid.zip" (www.cracking.net):
# i. w$ N7 v# {5 h' T! ?
! j; m2 E6 `+ I. a$ e K, @. R mov bx, cs" ]% |0 Z' n: Z7 ^
lea dx, int41handler2
8 z' u7 b: M; b m xchg dx, es:[41h*4]
, t9 B K3 `, b T xchg bx, es:[41h*4+2]
2 o: r9 Q9 g7 V mov ax,4fh, Q8 L ?* g7 w3 w
int 41h7 E+ t4 e2 I9 S) B4 d3 e7 f
xchg dx, es:[41h*4]/ i. Y @9 a, G& p6 n) J3 O
xchg bx, es:[41h*4+2]
/ R. s! S% p) x* I cmp ax, 0f386h( F. W. h" l2 e
jz SoftICE_detected( a0 V" w& J& H: g4 Y* r1 e+ P
4 r* z7 J: X2 k9 w0 | Rint41handler2 PROC; O# y/ } L& s4 C' L; f, ]7 ^+ z
iret
! Q4 K/ Z z$ B- _, X; r& W8 ]int41handler2 ENDP
9 B% }( T& U2 w" t2 L& b' d8 Y8 F- S
3 j8 m, ?$ Z2 Y3 ]5 q. C2 h_________________________________________________________________________
8 _1 R3 e6 X! Q ~; Z
: }/ c) L4 z E! Y9 r; N7 j
/ _1 D, @1 N5 i% JMethod 068 s/ U4 G: T2 X" N7 C; o
=========( R- i1 w0 W$ h
, p" j- z5 d$ t$ d/ w' B7 Z
- u; B( {$ G, L6 W/ x2nd method similar to the preceding one but more difficult to detect: U' n X0 k2 L
9 q |9 K; ^2 k/ `0 J. u, T
$ J2 b4 Q( X( {, O: P! u4 }int41handler PROC
8 g$ _: m' Y1 X$ F4 k6 \ mov cl,al& C. {6 y+ {# C7 V1 Y+ I
iret1 J, e5 K2 A9 \2 W4 c
int41handler ENDP' o8 A% z! P0 {8 A/ h. ~6 t$ s
' V7 F# ^+ n# L4 j% g" O
% U6 M2 F+ J# R' S! I* ^
xor ax,ax/ K0 M$ X: n' `) n( E& N
mov es,ax
2 K0 w% t! S3 D B6 a mov bx, cs! }+ r5 u$ ~, B9 R( y$ a! I7 K
lea dx, int41handler
8 ^$ P( ] ~' d xchg dx, es:[41h*4]
- O$ A9 @/ f% [6 ~; n; ] xchg bx, es:[41h*4+2]
2 ^/ M- ^: l q in al, 40h5 B" p* |* e9 {. E
xor cx,cx+ i( a! P! n: t, M( @$ A) \
int 41h# Q! n; u7 s; t. v) A
xchg dx, es:[41h*4]
, f2 `( t! |7 Z y+ [ xchg bx, es:[41h*4+2]
% g( p8 j$ E9 X! [) I* f' |' `+ K cmp cl,al
" J0 P/ s4 j5 m3 n( B jnz SoftICE_detected/ W- U* p8 f3 |/ M9 K5 M4 g% l
# h6 q* e$ _8 a$ I4 K_________________________________________________________________________
! \& l+ @; i5 p% A4 `& @, o' B8 R1 b# e5 Z0 F9 [6 c+ }
Method 07
5 W5 o' p& N4 B6 g5 _5 |=========
" a5 z7 @1 V! K- z9 H
; y5 P) D+ B& u9 r9 ]Method of detection of the WinICE handler in the int68h (V86)" {/ b5 _9 o9 G2 T
' ~. k) i6 M I
mov ah,43h, q/ g5 n. I! B) X& q( u
int 68h. w/ f5 d5 v" i" d4 I
cmp ax,0F386h- M+ E7 @6 x9 b4 @
jz SoftICE_Detected
+ o' }. Z! V- R
5 l; C) i# {* B
h% ^, x G+ l; Q1 \' m. B5 `=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit' V6 C d2 H6 l! R+ c
app like this:# _2 B% w1 I: [1 x
+ Q y+ ^# R9 |/ m6 V1 [& s
BPX exec_int if ax==68
3 p3 J7 f' z+ l! i0 c; F (function called is located at byte ptr [ebp+1Dh] and client eip is
( S( p$ W. i0 Z' _) B5 n# G located at [ebp+48h] for 32Bit apps)
2 F$ c/ E! L D( L& c__________________________________________________________________________; L% d8 f7 ~0 S( W# _ S
' J- v/ b+ ~( ~, w1 c$ h; P: m6 y) f7 V' L0 b$ F! j; }; A$ L0 {8 m
Method 08+ i( b5 `& o5 [9 ]7 M: z* ^, b
=========9 n7 ^. U$ u, {$ i
( \. H3 A' O' h, R5 z9 w
It is not a method of detection of SoftICE but a possibility to crash the
: Z& E; t Q5 t( P d fsystem by intercepting int 01h and int 03h and redirecting them to another
/ t! P/ o& |+ x# e7 D* Croutine.
' j/ ]8 M0 u! a# w. S. bIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points1 M; ?( ?- I2 f) U: h. n% B
to the new routine to execute (hangs computer...)
( S% r2 r7 X! O( c" W+ w: S: E+ L- w, @9 W5 X1 b! C# ]
mov ah, 25h) \. X' e+ m+ F; n. i2 I
mov al, Int_Number (01h or 03h) B, T8 o: b4 T. ?6 u
mov dx, offset New_Int_Routine5 ^: H+ W6 P. U# Z- M2 f, r
int 21h# @( M x+ O x1 T& ]
+ b. J/ X( F( b" I' F: t0 K+ w# c
__________________________________________________________________________' {* y3 R& p1 J
: A @6 C2 V) ?1 s& vMethod 09
+ Z P: x6 K( k: O& ^=========
& _$ I. r% |1 D2 u |
6 C, h; B! J. W' @. TThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only+ Y( \9 s: P) F7 q0 J/ |
performed in ring0 (VxD or a ring3 app using the VxdCall).4 H$ \+ {4 S/ T5 s3 g0 q
The Get_DDB service is used to determine whether or not a VxD is installed" C3 T% K4 J+ Y
for the specified device and returns a Device Description Block (in ecx) for
! R. B8 c3 L+ h$ b. {9 i. F3 Bthat device if it is installed./ m8 d6 Z% ]& V! F5 G V, C( B
$ }4 p6 C9 F- f* q7 a2 I mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID# I$ a* a8 S- V, u% Q
mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
# @8 x! S5 T8 @* o( M* x) \* N VMMCall Get_DDB
; } ~2 E2 b2 N( a( U mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed
: H# \7 W1 h( i) v& [
: C% q- d: Y, W3 j( {Note as well that you can easily detect this method with SoftICE:
5 o( H0 r$ R; I8 ^ bpx Get_DDB if ax==0202 || ax==7a5fh
' I- ?- |% Q; I, b$ j- z1 t- K9 U3 {8 F7 ~
__________________________________________________________________________, {& }; j% ^$ ^6 \0 x+ o
6 r4 e# L& ]4 O$ v! U
Method 10- ^$ |; ~8 ?1 b- z- m" _) R
=========
( S j0 F, t* U8 j! x& Z+ W" D$ R" V- [, \ n. Q$ Q/ i7 G
=>Disable or clear breakpoints before using this feature. DO NOT trace with
; ^! ^8 s. D p, a0 Q+ w SoftICE while the option is enable!!% w0 B) X% i6 X! j6 J6 U; w
; u7 Q1 E" U% O. V( N
This trick is very efficient:
8 x( ~ N) S. X5 u6 G. w: l( Q& x9 mby checking the Debug Registers, you can detect if SoftICE is loaded
/ I6 H: O W$ N% z1 i! F4 t" {# a(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if6 L: n9 |5 }; i8 _
there are some memory breakpoints set (dr0 to dr3) simply by reading their
; A: N6 U# j0 Z% q) ]% u T/ Bvalue (in ring0 only). Values can be manipulated and or changed as well$ ~# `" _/ b/ z% x
(clearing BPMs for instance)
0 \, V- G" J A7 _/ }, c7 v+ X( d z5 y0 b# `, ^- k; `
__________________________________________________________________________
# W9 l! F* Z9 A U9 g% Z
& }5 a) K" d# A, }Method 114 Z" ?; {2 u9 e% x
=========& [9 t/ I, n1 l& ?; V% ^$ _
* Q" B3 b) l+ Z* |0 o4 X# n
This method is most known as 'MeltICE' because it has been freely distributed2 f* y9 d7 U, x4 i9 K8 s
via www.winfiles.com. However it was first used by NuMega people to allow1 ~9 E6 K# E* {& n; {7 y; T3 n- G6 C
Symbol Loader to check if SoftICE was active or not (the code is located
' `7 o/ I7 Z0 i9 b7 a$ Tinside nmtrans.dll).
2 e9 a9 _7 p6 ?
- w8 |9 J, F1 z( K; v/ ZThe way it works is very simple:
; `' C1 c4 K0 E% R F% J% m9 {It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
! Z" d* G- T% l' K( T( aWinNT) with the CreateFileA API." b1 e M, u! w9 r
# o V" I# v. P c
Here is a sample (checking for 'SICE'):
$ x9 k/ I/ T5 b; w' r# C5 }) }' D1 v! q* ^: a/ K
BOOL IsSoftIce95Loaded()
* z; O( ~& y4 S1 ^, B{
) `& u# Q! L$ V$ V' O. H, w9 V$ x HANDLE hFile; 5 j5 B+ v4 b& T
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
2 |- v' X) g$ T; p+ W FILE_SHARE_READ | FILE_SHARE_WRITE,
5 r0 m% X( g; G( _8 } NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);; v' C) t8 i1 A6 t; x- d
if( hFile != INVALID_HANDLE_VALUE )8 f1 E! {# `# S6 z* m5 u
{$ N- }' w, v* j+ Q& g/ q. a
CloseHandle(hFile);
! [6 F/ ]) j. i/ p return TRUE;
+ f& g* k$ K& P8 D3 k* c& c3 F3 ]1 m }
1 R5 m2 a- m* t4 k return FALSE;
' o0 V& N+ p: U1 ~3 ^}+ ^1 E7 w: Y5 d$ L/ X& N0 O" _# x' C
* ]5 h) S% m1 K3 @" \Although this trick calls the CreateFileA function, don't even expect to be5 {* R+ i8 R" g4 m* z2 W% K; c I n
able to intercept it by installing a IFS hook: it will not work, no way!: \; A" e& o6 b6 D- J! P
In fact, after the call to CreateFileA it will get through VWIN32 0x001F6 F! O9 {" z9 W. H; Q. [3 K
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
0 d6 c+ K' v" Y& ~4 [3 C: X; @# ^& gand then browse the DDB list until it find the VxD and its DDB_Control_Proc
! e ^, E, G, g: f# ^field.
, {3 r5 }" J3 R$ K0 @In fact, its purpose is not to load/unload VxDs but only to send a
\0 W+ `. a6 K) r) F. u3 KW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)- r( @" @" Z$ z. i) H( g
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
4 j7 A6 F# F$ M- P. q! a sto load/unload a non-dynamically loadable driver such as SoftICE ;-).3 o7 `2 C, q: i7 ^+ l+ u- H
If the VxD is loaded, it will always clear eax and the Carry flag to allow
) l: [0 ~* v" J7 N- V+ bits handle to be opened and then, will be detected.
5 T! B% L( c; W: v& SYou can check that simply by hooking Winice.exe control proc entry point+ U0 R9 l( }/ p( }' g
while running MeltICE.: j( F9 b. P! {' J) b! |
; z) {, V8 M% C" Z1 z/ V, G# d ^
9 v1 }% c) z2 X7 W- I
00401067: push 00402025 ; \\.\SICE; U' ~( } F' _, q4 R( z) _$ q
0040106C: call CreateFileA
: f" N: z1 l7 e: ?& j 00401071: cmp eax,-001
& V) x$ m; l+ q$ B% S" U6 | 00401074: je 004010914 I, J: h& L. C6 }7 o" g5 Z# N/ L
( _. w2 c% {" F; d& a! n1 s9 R) F
4 x9 N g L* \' N* m
There could be hundreds of BPX you could use to detect this trick.
, V8 m/ t. L/ v/ R-The most classical one is:+ t d3 D$ i6 d! O
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||' M% I; P: O/ s1 ?2 l- [0 [) a
*(esp->4+4)=='NTIC'
& e4 }( o2 x' |- b) h; v% X7 H7 u3 p @
-The most exotic ones (could be very slooooow :-(3 V1 L) {0 [! I; x# |7 ~! Q' N
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
; l4 w H* k4 _8 A# p6 R ;will break 3 times :-(( d, J# _5 p% N, K, {/ m% |8 c- \
! Z# d8 g* {+ j: P. B7 c! m( o
-or (a bit) faster: 9 i2 p& p8 z3 V
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
' {" W4 ^; l; E: [5 G% S
8 t* M' u& ]: w2 W6 `( m BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
1 `! M' A" q( r, C4 L ;will break 3 times :-(
- k _. S7 [: }% n6 N- v
5 i- c6 n, L' r6 q, h* X' W* G-Much faster:4 L% U' ?$ H. b) U. O1 b- s
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'# q$ S) g: `* J' y( {7 i6 @
6 f) [- Q+ R1 N1 p @
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
1 u1 [0 v4 i) H4 afunction to do the same job:( l( A8 B' G! k ?; m, d7 K
! B6 Y5 s( }1 F2 f: Z! r' _) C
push 00 ; OF_READ
5 a6 Y$ \5 B6 h. @- X" p mov eax,[00656634] ; '\\.\SICE',0
5 v* T8 x4 ^' a% h1 n7 J* ~1 l push eax
* l* T) D3 P9 T( M- x, ] call KERNEL32!_lopen
8 Q5 _4 s$ p0 M+ Q! G inc eax
8 f! v9 Q: z1 ^1 [ jnz 00650589 ; detected
+ b2 H- n: `! v6 | }! H' Z- J push 00 ; OF_READ
; w( X$ s6 Q- w) u. f mov eax,[00656638] ; '\\.\SICE'
9 S, v/ u4 n+ k( ]) _& E1 G& I push eax
4 t& w6 [2 L9 A. U5 b call KERNEL32!_lopen+ \, s/ A! C$ B( Y3 j b
inc eax
) K9 l9 B4 G' x! j- u9 ?7 q jz 006505ae ; not detected
' r+ |( f3 v4 h) J1 }
# }6 F6 _9 @: G, c |9 a! ~1 O6 d/ q/ o: N, u
__________________________________________________________________________
! t6 [9 o- O1 B7 ]! X8 N6 r! a5 @0 q# q% u( Y
Method 12
7 M& N+ t/ z* N=========
v S, B B4 r# ]' A, x) V- ^* D6 B. P+ G
This trick is similar to int41h/4fh Debugger installation check (code 05
2 n; `: T8 s, B# x6 z. R+ z& 06) but very limited because it's only available for Win95/98 (not NT)* h* n# o2 T5 y) i) V6 M( _
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
! b! P) |2 W2 Q3 i
# W% ~+ j) I: E( r0 N* ] push 0000004fh ; function 4fh
" ?3 F1 a6 i# m G+ m; I/ E/ H: M+ s1 F push 002a002ah ; high word specifies which VxD (VWIN32)
6 S" T6 c2 A8 t; N ; low word specifies which service3 y1 C4 \ `7 K0 W+ t4 w
(VWIN32_Int41Dispatch)
2 @6 u5 _% \( q; K X" f call Kernel32!ORD_001 ; VxdCall
2 J$ U% Y D! `1 q/ c7 {$ Q$ |5 A cmp ax, 0f386h ; magic number returned by system debuggers
/ v3 f( X0 j- F- i4 v. @: X jz SoftICE_detected
A% A( _# _6 Y9 p+ b9 d5 c8 e" o1 G
Here again, several ways to detect it:/ j! |! \3 j" k! Q+ U
- D& C9 u' b2 d# o* n
BPINT 41 if ax==4f0 }% k3 u9 y, ] D8 G- i) Y# A' B
( S) D ~3 n% B! O/ X1 Y3 g+ \2 H( ~( H2 e
BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
( R# H+ Q5 |4 {; a# n1 T* t
0 C6 d$ ^; w/ e! v( e! A BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A0 E7 u# S' z8 w! |9 ]# z3 Q
5 M/ ~# b3 J! a, Q- m/ x- b
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!7 y0 ~/ i3 r6 l- A ~0 J+ q
( }) I, s* v( _
__________________________________________________________________________, C1 w+ f! Q1 q1 `8 C
/ K% \4 Z3 H, a0 xMethod 13
5 m# |! S8 }2 u3 G=========* ~/ a' m- t8 L! \8 Z+ D8 \
4 U& T, s3 X% aNot a real method of detection, but a good way to know if SoftICE is7 C+ f& [. P! G. z
installed on a computer and to locate its installation directory.
5 J" Q* m5 s( y; ?. |- gIt is used by few softs which access the following registry keys (usually #2) :6 o T1 _: }% Q0 v1 A* j: ]1 ?
7 |+ T7 d. u Q+ z: `# M-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
$ T1 q! M% M; x+ N @\Uninstall\SoftICE1 y4 k4 I8 B i2 r8 b
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
( C/ N. a: g9 G8 ]-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
4 F* C! u) k" p# {\App Paths\Loader32.Exe
% f5 V* h& `" M4 _0 R
% u/ {3 Y& I' `$ k+ n* V$ p/ A; i4 Q4 L6 d, V! M( l1 [
Note that some nasty apps could then erase all files from SoftICE directory
; e$ F9 P) ?6 V(I faced that once :-(
v% w/ U' t' F; E" v7 g5 M2 K4 F5 U' T" i' f, Z0 B0 I
Useful breakpoint to detect it:
. e' V5 G+ t3 Y$ E( T3 w
3 y! Q* E+ n; n9 G! I# D BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
4 D: t# w( r3 |6 R/ O
* Q) A( u; Q) K9 m$ f__________________________________________________________________________
; }$ S" l2 ^3 E! Y! n; ]/ b% K' p7 {- Z1 B! M8 e
7 ?8 R# |3 [8 |" P$ J2 T
Method 14 & U0 F3 Z1 a& r* B+ M
=========6 F; T. I& K1 o8 @, P$ |& Y) a9 L
" P9 k2 p r$ V O4 b1 H
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose4 f* a" Q* r1 W( X# G! [' i6 ]
is to determines whether a debugger is running on your system (ring0 only).
_7 ]( @8 f5 x" c" s+ f2 J3 Y7 w) S
& [: q4 s2 {7 T: B& R VMMCall Test_Debug_Installed8 R& ~7 @- u! G0 B% q' a' x3 v O
je not_installed
3 d. i v2 g0 k
0 d( Z3 h/ p* q. v& z1 d% uThis service just checks a flag.
4 \& t9 @% p. x- h* T) V</PRE></TD></TR></TBODY></TABLE> |