<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911      ; execute command.
    4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647      ; 1st magic value.
    4C19:009D MOV DI,4A4D      ; 2nd magic value.
    4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02        ; BX+2 to point to next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
    4C19:00A8 JB 0095          ; 6 different commands.
    4C19:00AA JMP 0002         ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


Next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; ES must point to the IVT (segment 0), as in method 06
    xchg bx, es:[41h*4+2]   ; swap our own handler into the int 41h vector
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al               ; only runs if the int 41h reaches our vector
    iret
int41handler ENDP


    xor ax,ax
    mov es,ax               ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler in the int 41h vector
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read a changing byte (PIT counter) as test value
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; cl stays 0 when a debugger handled int 41h itself
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!


This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
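As an added example (not part of the original text), a decoder for the DR7 value this trick reads: it shows what the two values quoted above mean and which hardware breakpoints (dr0 to dr3) are armed. The bit layout follows the x86 debug-register definition; the sample values are constructed.

```python
# Decoder for DR7, the debug-control register Method 10 reads; bit layout
# per the x86 architecture manuals. The page's two values, 0x700 (started
# under the SoftICE loader) and 0x400 (otherwise), are the worked inputs.
RW_KIND = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}   # LEN encoding; 2 means 8 bytes (64-bit only)


def decode_dr7(dr7, dr=(0, 0, 0, 0)):
    """Return the global DR7 flags and every armed hardware breakpoint.

    dr is the (DR0..DR3) tuple of linear addresses. A slot is reported only
    if its local (L) or global (G) enable bit is set, i.e. it is a live
    memory/exec breakpoint ("BPM") that a debugger armed."""
    info = {
        "LE": bool(dr7 >> 8 & 1),     # local exact-breakpoint enable
        "GE": bool(dr7 >> 9 & 1),     # global exact-breakpoint enable
        "GD": bool(dr7 >> 13 & 1),    # general detect: fault on MOV to/from DRn
        "breakpoints": [],
    }
    for n in range(4):
        local = dr7 >> (2 * n) & 1
        glob = dr7 >> (2 * n + 1) & 1
        if not (local or glob):
            continue
        rw = dr7 >> (16 + 4 * n) & 3      # R/Wn: break condition
        ln = dr7 >> (18 + 4 * n) & 3      # LENn: size of the watched range
        info["breakpoints"].append({
            "slot": n, "addr": dr[n],
            "scope": "global" if glob else "local",
            "kind": RW_KIND[rw], "len": LEN_BYTES[ln],
        })
    return info


def looks_like_softice_loader(dr7):
    """Method 10's heuristic: 0x700 means LE and GE are set on top of the
    always-set reserved bit 10; a plain 0x400 has neither."""
    return (dr7 & 0x300) == 0x300


if __name__ == "__main__":
    # constructed: a 4-byte write breakpoint in slot 0 on top of 0x700
    armed = 0x700 | 0b01 | (0b01 << 16) | (0b11 << 18)
    for v in (0x400, 0x700, armed):
        print(hex(v), looks_like_softice_loader(v),
              decode_dr7(v, (0x401000, 0, 0, 0)))
```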

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
        *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========
This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected


Here again, several ways to detect it:
    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386              ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!


__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
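As an added example (not code from the original text or from any program it names), a small static scanner that encodes the opcode sequences of methods 01, 02, 03, 04, 05, 07 and 12 and the driver/registry strings of methods 11 and 13, so an analyst can flag them in a dumped or unpacked binary. The byte encodings, rule names and sample buffer are my own construction from the listings above.

```python
import re

# Byte encodings built from the page's assembly listings; "??" is a
# wildcard byte (e.g. a jump/call displacement). Comments name the method.
SIGNATURES = {
    # M01 (32-bit): mov ebp,4243484Bh / mov ax,4 / int 3 / cmp al,4
    "M01 BCHK int 3 backdoor": "BD 4B 48 43 42 66 B8 04 00 CC 3C 04",
    # M02 (16-bit): mov si,4647h / mov di,4A4Dh (the SoftICE magic values)
    "M02 magic SI/DI values": "BE 47 46 BF 4D 4A",
    # M03/M04 (16-bit): mov ax,1684h / mov bx,VxD_ID / int 2Fh
    "M03 int 2F/1684 SICE": "B8 84 16 BB 02 02 CD 2F",
    "M04 int 2F/1684 SIWVID": "B8 84 16 BB 5F 7A CD 2F",
    # M05 (16-bit): mov ax,4Fh / int 41h / cmp ax,0F386h
    "M05 int 41/4F magic": "B8 4F 00 CD 41 3D 86 F3",
    # M07 (16-bit): mov ah,43h / int 68h / cmp ax,0F386h
    "M07 int 68/43 magic": "B4 43 CD 68 3D 86 F3",
    # M12 (32-bit): push 4Fh / push 2A002Ah / call rel32 / cmp ax,0F386h
    # (assumes a direct E8 call; an indirect FF 15 call would need a 2nd rule)
    "M12 VxDCall Int41Dispatch": "6A 4F 68 2A 00 2A 00 E8 ?? ?? ?? ?? 66 3D 86 F3",
}
# M11/M13 indicators: driver device names and registry path fragments.
STRINGS = [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE",
           b"Software\\NuMega\\SoftICE", b"Uninstall\\SoftICE",
           b"App Paths\\Loader32.Exe"]


def _to_regex(sig):
    """Turn 'BD 4B ?? 42' into a bytes regex, '??' matching any byte."""
    parts = [b"." if t == "??" else re.escape(bytes([int(t, 16)]))
             for t in sig.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def scan(data):
    """Return sorted (offset, rule_name) hits over a raw code/data buffer."""
    hits = []
    for name, sig in SIGNATURES.items():
        hits += [(m.start(), name) for m in _to_regex(sig).finditer(data)]
    for s in STRINGS:
        pos = data.find(s)
        while pos != -1:
            hits.append((pos, "str " + s.decode()))
            pos = data.find(s, pos + 1)
    return sorted(hits)


# Constructed sample: filler with three of the patterns planted inside.
SAMPLE = (b"\x90" * 16
          + bytes.fromhex("BD4B48434266B80400CC3C047505")   # M01 + jnz
          + b"\x90" * 8
          + bytes.fromhex("B84F00CD413D86F3740A")           # M05 + jz
          + b"\x00" * 8
          + b"\\\\.\\SICE\x00"                              # MeltICE device name
          + b"\x90" * 8)

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
```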

Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>