<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface that SoftICE answers to: the
'BCHK' signature is placed in EBP and an int 3 is executed; if SoftICE is
loaded it handles the request and AL no longer holds the value 4.

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to call the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy: jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API: Get Entry Point).

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h       ; VxD ID of WINICE
    int 2Fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax         ; ES:DI stays 0000:0000 if the VxD is not loaded
    jnz SoftICE_Detected

+ N1 c g( y/ t/ p- |. k___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh       ; VxD ID of SIWVID
    int 2Fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; ES must point to segment 0 (the IVT) here,
    xchg bx, es:[41h*4+2]   ; as set up in method 06
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original int 41h vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al              ; only reached if no debugger intercepts int 41h
    iret
int41handler ENDP


    xor ax, ax
    mov es, ax              ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our own int 41h handler
    xchg bx, es:[41h*4+2]
    in al, 40h              ; random-looking value from the timer port
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; CL == AL only if our handler ran
    jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected


=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns the Device Description Block (in ECX) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect if SoftICE is loaded
(DR7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (DR0 to DR3), simply by reading their
value (in ring 0 only). Values can be manipulated and/or changed as well
(clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Opening the device name succeeds only when the SICE VxD is loaded */
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025       ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax, -001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax, [00656634]     ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax, [00656638]     ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
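As an added example (not part of the original text, which shows the tricks only as assembly and SoftICE breakpoints), the Python script below turns the constants quoted in methods 01, 02, 05/07/12, 11 and 13 into byte-level signatures and scans a raw executable image for them, the way an analyst triages a packed sample for anti-debugging code before stepping into it. The opcode encodings are standard x86; the signature names, helper functions and the sample image are this example's own, and the sample bytes are hand-assembled from the instruction sequences shown above rather than taken from any real binary.

```python
import re
import struct

# Byte-level signatures for the constants quoted in the text. Opcode bytes are
# standard x86 encodings (mov r16/r32,imm = B8+reg; cmp ax,imm16 = 3D;
# push imm32 = 68); the optional 66h operand-size prefix covers both 16-bit
# and 32-bit code. Each entry: (signature name, methods it belongs to, regex).
DEVICE_PREFIX = re.escape(b"\\\\.\\")   # the bytes \\.\ as stored in the binary

SIGNATURES = [
    # Method 01: mov ebp, 4243484Bh ('BCHK' as a little-endian immediate)
    ("bchk_signature", (1,),
     re.compile(rb"\x66?\xbd" + re.escape(struct.pack("<I", 0x4243484B)))),
    # Method 02: mov si,4647h immediately followed by mov di,4A4Dh
    ("backdoor_magic", (2,),
     re.compile(rb"\xbe\x47\x46\xbf\x4d\x4a")),
    # Methods 05, 07 and 12: cmp ax, 0F386h on the debugger's reply
    ("magic_f386", (5, 7, 12),
     re.compile(rb"\x66?\x3d\x86\xf3")),
    # Method 12: push 002A002Ah (VWIN32 / VWIN32_Int41Dispatch)
    ("vwin32_int41dispatch", (12,),
     re.compile(rb"\x68\x2a\x00\x2a\x00")),
    # Method 11: driver names handed to CreateFileA or _lopen
    ("driver_name", (11,),
     re.compile(DEVICE_PREFIX + rb"(SICE|SIWVID|NTICE)\x00")),
    # Method 13: registry key revealing the installation directory
    ("registry_key", (13,),
     re.compile(rb"Software\\NuMega\\SoftICE", re.IGNORECASE)),
]


def scan(image):
    """Return every hit as (offset, signature name, matched bytes), by offset."""
    hits = []
    for name, _methods, pattern in SIGNATURES:
        for m in pattern.finditer(image):
            hits.append((m.start(), name, m.group(0)))
    hits.sort()
    return hits


def methods_detected(image):
    """Map the hits back to the method numbers used in the text.

    A constant shared by several methods (0F386h) reports all of them, since
    bytes alone cannot tell an int 41h from an int 68h or a VxDCall check.
    """
    found = set()
    for _name, methods, pattern in SIGNATURES:
        if pattern.search(image):
            found.update(methods)
    return sorted(found)


# Constructed sample image: a fake header followed by the instruction sequences
# and strings shown in the text, assembled by hand. Not a real executable.
SAMPLE_IMAGE = (
    b"MZ" + b"\x00" * 30
    # Method 01 (32-bit): mov ebp,4243484Bh / mov ax,4 / int 3 / cmp al,4 / jnz
    + b"\xbd\x4b\x48\x43\x42" + b"\x66\xb8\x04\x00" + b"\xcc" + b"\x3c\x04" + b"\x75\x10"
    # Method 02 (16-bit): mov ax,0911h / mov dx,[bx] / mov si,4647h / mov di,4A4Dh / int 3
    + b"\xb8\x11\x09" + b"\x8b\x17" + b"\xbe\x47\x46" + b"\xbf\x4d\x4a" + b"\xcc"
    # Method 05 (16-bit): mov ax,4Fh / int 41h / cmp ax,0F386h / jz
    + b"\xb8\x4f\x00" + b"\xcd\x41" + b"\x3d\x86\xf3" + b"\x74\x08"
    # Method 11: device names as MeltICE embeds them
    + b"\\\\.\\SICE\x00" + b"\\\\.\\NTICE\x00"
    # Method 13: registry path
    + b"Software\\NuMega\\SoftICE\x00"
)

# Constructed control image with no anti-debugging code: mov ax,4C00h / int 21h
CLEAN_IMAGE = b"MZ" + b"\x00" * 30 + b"\xb8\x00\x4c\xcd\x21"


def report(image):
    """Human-readable summary, e.g. for a file read with open(path, 'rb')."""
    lines = ["%08x  %-22s %r" % hit for hit in scan(image)]
    lines.append("methods: %s" % (methods_detected(image) or "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_IMAGE))
```

The signatures are deliberately narrow (exact immediates, a fixed pair of consecutive moves for method 02) so that a hit is worth a breakpoint at that offset; a packer that builds the constants at run time, as the text notes for the encrypted loaders, will not be caught this way and still needs the SoftICE BPX/BPINT conditions listed above.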
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>