<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of packers/encryptors found on the Internet.
It uses the BoundsChecker interface built into SoftICE: with EBP='BCHK' and
AX=4, the INT 3 is answered by SoftICE, which alters AL. If AL is still 4
after the INT 3, no SoftICE is loaded.

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses the
SoftICE 'back door' commands on INT 3, which return information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE, or to force it to execute any command
(HBOOT...) :-(
Here is a quick description:
-AX = 0910h (Display string in the SoftICE window)
-AX = 0911h (Execute SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoint)
-AX = 0914h (Remove SoftICE breakpoint)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter INT 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911    ; execute command.
4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647    ; 1st magic value.
4C19:009D MOV DI,4A4D    ; 2nd magic value.
4C19:00A0 INT 3          ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
4C19:00A8 JB 0095        ; 6 different commands.
4C19:00AA JMP 0002       ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT (which reboots the machine).

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It asks for the SoftICE VxD by its ID via INT 2Fh/AX=1684h
(Get Device API Entry Point), which returns ES:DI = 0000:0000 when no VxD
with that ID provides an API. The code zeroes ES:DI beforehand, so a
non-zero ES:DI afterwards means the VxD (and therefore SoftICE) is present.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice (SICE)
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX (video) VxD, SIWVID.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in AX) by system
debuggers. It calls INT 41h, function 4Fh (debugger installation check).
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The idea is to temporarily point the
real-mode INT 41h vector at a do-nothing handler: if AX still comes back as
0F386h, something other than that vector (SoftICE, which intercepts the
interrupt before it reaches the real-mode IVT) answered the call.

    xor ax,ax
    mov es,ax               ; ES = 0: the IVT lives at 0000:0000
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our vector, old offset -> DX
    xchg bx, es:[41h*4+2]   ; old segment -> BX
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect, since
neither 4Fh nor 0F386h appears in the code. The temporary INT 41h handler
copies AL into CL; AL is first loaded with an unpredictable value (the PIT
counter read from port 40h) and CX is zeroed. If the real-mode vector is
reached, CL equals AL afterwards; if SoftICE swallowed the INT 41h (as the
check assumes), the handler never ran and CL is still 0. (Should the byte
read from port 40h happen to be 0, the check is fooled: a false negative,
never a false positive.)

int41handler PROC
    mov cl,al
    iret
int41handler ENDP


    xor ax,ax
    mov es,ax               ; ES = 0: the IVT lives at 0000:0000
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; PIT channel 0 counter: a value nobody can guess
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on INT 68h (V86 mode). Function
43h on INT 68h returns the same 0F386h magic number when a system debugger
is installed.

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system by
intercepting INT 01h and INT 03h and redirecting them to another routine.
It calls INT 21h functions 35h and 25h (get/set interrupt vector) with DS:DX
pointing to the new routine to execute (hangs the computer...). INT 01h is
the single-step/trace exception and INT 03h the breakpoint exception, which
is why a debugger cares about those two vectors.

    mov ah, 25h
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; DS:DX -> new handler
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (INT 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device; it returns the Device Description Block (in ECX)
for that device if it is installed, or 0 otherwise.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or whether memory breakpoints are set (dr0 to dr3), simply by
reading their values (ring 0 only: MOV from a debug register is a privileged
instruction). The values can be manipulated or changed as well (clearing
BPMs, for instance).
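The debug-register check above, worked through as an added example that is not part of the original page: a decoder for DR7 values (bit layout from the Intel manuals) showing why 0x400 is a "clean" DR7, what 0x700 adds (LE and GE), how a BPM shows up as an enabled DR0..DR3 slot, and what "clearing BPMs" amounts to. The sample values are constructed; really reading DR7 needs ring 0 and is not attempted here.

```python
"""DR7 decoder for the debug-register check (Method 10).

Bit layout (Intel SDM, DR7):
  bits 0-7    L0,G0 .. L3,G3   local/global enable for DR0..DR3
  bit  8/9    LE/GE            local/global exact breakpoint enable
  bit  10     reserved, reads as 1
  bit  13     GD               general detect (faults on any DRx access)
  bits 16+4n  R/Wn, bits 18+4n LENn   condition and size of breakpoint n
Values used below are constructed for the example; reading DR7 for real
needs ring 0 (MOV from DRx is privileged).
"""

RESERVED = 1 << 10                    # the 0x400 seen on a "clean" DR7
KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
SIZE = {0: 1, 1: 2, 2: 8, 3: 4}       # 10b means 8 bytes only in 64-bit mode


def decode_dr7(dr7, dr0_3=(0, 0, 0, 0)):
    """Return the global flags and every armed breakpoint slot in DR7."""
    armed = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if not (local or glob):
            continue                       # slot n is disabled
        armed.append({
            "reg": n,
            "addr": dr0_3[n],
            "scope": "global" if glob else "local",
            "kind": KIND[(dr7 >> (16 + 4 * n)) & 3],
            "len": SIZE[(dr7 >> (18 + 4 * n)) & 3],
        })
    return {
        "le": bool(dr7 & (1 << 8)),
        "ge": bool(dr7 & (1 << 9)),
        "gd": bool(dr7 & (1 << 13)),
        "breakpoints": armed,
    }


def classify(dr7):
    """Coarse verdict in the terms the page uses."""
    d = decode_dr7(dr7)
    if d["breakpoints"]:
        return "bpm"            # at least one hardware breakpoint armed
    if d["le"] or d["ge"]:
        return "le_ge"          # the 0x700 case: no BPM, but LE/GE set
    return "clean"              # the 0x400 case: only the reserved bit


def clear_bpms(dr7):
    """What 'clearing BPMs' from ring 0 amounts to: drop every enable bit
    and condition field, keep LE/GE/GD and the always-set reserved bit."""
    keep = (1 << 8) | (1 << 9) | (1 << 10) | (1 << 13)
    return dr7 & keep | RESERVED


if __name__ == "__main__":
    # BPM on DR1: global, write, 4 bytes -> G1 | RW1=01 | LEN1=11 | reserved
    sample = (1 << 3) | (1 << 20) | (3 << 22) | RESERVED      # 0xD00408
    for v in (0x400, 0x700, sample):
        print(hex(v), classify(v), decode_dr7(v, (0, 0x401000, 0, 0)))
```

Note that DR7 from a process under SoftICE may also carry GD (bit 13) if the debugger wants to trap the anti-debug code's own access to the debug registers; the decoder reports it separately for that reason.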

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025    ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
 (esp->4 is the lpFileName argument; the +4 skips the "\\.\" prefix so
  the dword compared is the start of the device name.)

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                               ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                               ;will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) becomes 0 on failure
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the INT 41h/4Fh debugger installation check
(Methods 05 and 06) but very limited because it is only available for
Win95/98 (not NT), as it uses the VxDCall backdoor. This detection was found
in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386         ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
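Because every trick from Method 01 to Method 12 is built around fixed immediates (the magic values quoted above), they can be found statically in a binary before anything is run. The pattern scanner below is an added example, not code from the original page: it carries byte patterns for the 16-bit encodings of Methods 01 to 08, the Win32 push sequence of Method 12, and the device names of Method 11. The buffer it scans is constructed here (the Haspinst loop from Method 02 hand-assembled, a Method 05 check, and one device name); it is not taken from any real binary. The multi-instruction patterns assume 16-bit code, which is where the INT-based checks live; a Win32 variant that uses 16-bit registers gets a 66h prefix on each instruction and would need its own entries.

```python
"""Static signature scan for the SoftICE checks catalogued on this page.

Patterns are lists of bytes, with None as a wildcard byte (a minimal
YARA-style hex pattern). Opcode patterns are 16-bit encodings; the sample
buffer at the bottom is constructed for this example.
"""

SIGNATURES = [
    # Method 01: mov ebp,04243484Bh ('BCHK'), BoundsChecker interface
    ("M01 mov ebp,'BCHK'", [0xBD, 0x4B, 0x48, 0x43, 0x42]),
    # Method 02: mov si,4647h ; mov di,4A4Dh  (INT 3 back-door magic values)
    ("M02 INT 3 back door SI=4647h DI=4A4Dh", [0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A]),
    # Methods 03/04: mov ax,1684h ; mov bx,<VxD ID> ; int 2Fh
    ("M03 INT 2F/1684h VxD 0202h (SICE)", [0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F]),
    ("M04 INT 2F/1684h VxD 7A5Fh (SIWVID)", [0xB8, 0x84, 0x16, 0xBB, 0x5F, 0x7A, 0xCD, 0x2F]),
    # Method 05: mov ax,4Fh ; int 41h
    ("M05 INT 41h/4Fh", [0xB8, 0x4F, 0x00, 0xCD, 0x41]),
    # Methods 05/06/07/12 compare against the magic number: cmp ax,0F386h
    ("cmp ax,0F386h", [0x3D, 0x86, 0xF3]),
    # Method 07: mov ah,43h ; int 68h
    ("M07 INT 68h/43h", [0xB4, 0x43, 0xCD, 0x68]),
    # Method 08: mov ah,25h ; mov al,01h|03h ; mov dx,imm16 ; int 21h
    ("M08 set INT 01h vector", [0xB4, 0x25, 0xB0, 0x01, 0xBA, None, None, 0xCD, 0x21]),
    ("M08 set INT 03h vector", [0xB4, 0x25, 0xB0, 0x03, 0xBA, None, None, 0xCD, 0x21]),
    # Method 12 (Win32): push 4Fh ; push 002A002Ah  (VWIN32_Int41Dispatch)
    ("M12 VxDCall VWIN32_Int41Dispatch", [0x6A, 0x4F, 0x68, 0x2A, 0x00, 0x2A, 0x00]),
]

# Method 11: the device names handed to CreateFileA / _lopen.
STRINGS = [
    ("M11 device \\\\.\\SICE", b"\\\\.\\SICE"),
    ("M11 device \\\\.\\SIWVID", b"\\\\.\\SIWVID"),
    ("M11 device \\\\.\\NTICE", b"\\\\.\\NTICE"),
]


def match_at(data, pos, pattern):
    """True if `pattern` (None = wildcard byte) matches data at pos."""
    if pos + len(pattern) > len(data):
        return False
    return all(b is None or data[pos + i] == b for i, b in enumerate(pattern))


def scan(data):
    """Return sorted (offset, label) pairs for every signature hit."""
    hits = []
    for label, pattern in SIGNATURES:
        for pos in range(len(data) - len(pattern) + 1):
            if match_at(data, pos, pattern):
                hits.append((pos, label))
    for label, needle in STRINGS:
        pos = data.find(needle)
        while pos >= 0:
            hits.append((pos, label))
            pos = data.find(needle, pos + 1)
    return sorted(hits)


# Constructed sample: 8 NOPs, the Haspinst loop from Method 02 hand-assembled,
# 4 NOPs, a Method 05 check, 4 zero bytes, then a MeltICE-style device name.
SAMPLE = (
    b"\x90" * 8
    + bytes([0xB8, 0x11, 0x09,            # mov ax,0911h
             0x8B, 0x17,                  # mov dx,[bx]
             0xBE, 0x47, 0x46,            # mov si,4647h      <- offset 13
             0xBF, 0x4D, 0x4A,            # mov di,4A4Dh
             0xCC,                        # int 3
             0x83, 0xC3, 0x02,            # add bx,2
             0x41,                        # inc cx
             0x83, 0xF9, 0x06,            # cmp cx,6
             0x72, 0xEB])                 # jb back to the loop start
    + b"\x90" * 4
    + bytes([0xB8, 0x4F, 0x00,            # mov ax,4Fh        <- offset 33
             0xCD, 0x41,                  # int 41h
             0x3D, 0x86, 0xF3,            # cmp ax,0F386h     <- offset 38
             0x74, 0x10])                 # jz detected
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00"                   # <- offset 47
)

if __name__ == "__main__":
    for off, label in scan(SAMPLE):
        print(f"{off:#06x}  {label}")
```

A hit only says where the constants sit; whether the surrounding code really reaches an INT 3 / INT 41h / VxDCall is still yours to confirm in the disassembly, and a packer that builds the magic values arithmetically (XOR, ADD) will not show up here at all.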
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 (esp->8 is the lpSubKey argument; 0x13 and 0x37 are the offsets of "tICE"
  in keys #2 and #1. 'tICE' is used rather than 'Soft' because every key
  here starts with "Software", which would match at offset 0.)
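The two conditional breakpoints from Method 11 (`BPX CreateFileA if *(esp->4+4)=='SICE' || ...`) and Method 13 (`BPX _regopenkey if *(esp->8+0x13)=='tICE' || ...`) follow one recipe: the n-th stack argument points at a string, and the condition compares the dword at a fixed offset into it with a 4-character literal. Here is that recipe as code, added as an example that is not part of the original page: it derives the expression from the strings to watch and refuses a 4-byte window that is ambiguous within the string (the reason 'tICE' rather than 'Soft' is used on the registry keys). The API names and argument positions are the page's; the helper names are this example's own.

```python
"""Derive SoftICE conditional breakpoints of the form
    BPX <api> if *(esp-><4*argno>+<offset>)=='<4 chars>' || ...
from the strings an anti-debug check passes to the API.

esp->N is SoftICE syntax for the dword at [esp+N]; at a BPX on the API's
first instruction [esp+4] is the first stack argument, [esp+8] the second.
"""


def window_offset(s, window):
    """Offset of the 4-character `window` in s; ValueError if it is absent
    or occurs more than once (the breakpoint would then be ambiguous)."""
    if len(window) != 4:
        raise ValueError("SoftICE compares exactly one dword: need 4 chars")
    n = s.count(window)
    if n == 0:
        raise ValueError(f"{window!r} not in {s!r}")
    if n > 1:
        raise ValueError(f"{window!r} occurs {n} times in {s!r}")
    return s.index(window)


def fmt_offset(off):
    """Mimic the page's style: small offsets decimal, larger ones hex."""
    return str(off) if off < 10 else f"0x{off:x}"


def bpx_condition(api, argno, watch):
    """api: symbol to break on; argno: 1-based stack argument holding the
    string pointer; watch: list of (string, window) pairs to match."""
    slot = 4 * argno
    terms = [f"*(esp->{slot}+{fmt_offset(window_offset(s, w))})=='{w}'"
             for s, w in watch]
    return f"BPX {api} if " + " || ".join(terms)


# Method 11: device names opened with CreateFileA (lpFileName is argument 1)
MELTICE = bpx_condition("CreateFileA", 1, [
    (r"\\.\SICE", "SICE"),
    (r"\\.\SIWVID", "SIWV"),
    (r"\\.\NTICE", "NTIC"),
])

# Method 13: keys #2 and #1 opened with RegOpenKey (lpSubKey is argument 2)
REGKEYS = bpx_condition("_regopenkey", 2, [
    (r"Software\NuMega\SoftICE", "tICE"),
    (r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE", "tICE"),
])

if __name__ == "__main__":
    print(MELTICE)
    print(REGKEYS)
```

The offsets only hold for the exact strings the program passes; a check that opens "\\.\SIWVID" through a different prefix, or the key through a different root, needs its own pair in the watch list.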

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only). The service returns with the zero flag clear if a debugger
is installed, set otherwise.

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>