<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker interface ('BCHK' signature) built into SoftICE:

    mov ebp, 04243484Bh ; 'BCHK': BoundsChecker signature
    mov ax, 04h
    int 3               ; SoftICE's BoundsChecker interface answers this call
    cmp al,4            ; and changes AL; with no SoftICE, AL is still 04h
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary commands
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911  ; execute command.
4C19:0098 MOV DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647  ; 1st magic value.
4C19:009D MOV DI,4A4D  ; 2nd magic value.
4C19:00A0 INT 3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02    ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06    ; Repeat 6 times to execute
4C19:00A8 JB 0095      ; 6 different commands.
4C19:00AA JMP 0002     ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is taken via the program's own exception handler (SEH)
  when the debugger is not loaded: with no debugger the INT 3 reaches that
  handler, which resumes at 00AD.
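
As an added example (not part of the original text, and not from the HASP
or SoftICE code above), here is the control flow shared by methods 01 and 02
on a modern POSIX system: load the magic values, execute INT 3, then decide
by whether the program's own trap handler got to run. The handler plays the
role of the "SEH"/int 3 vector above. Assumptions: Linux or macOS with
gcc/clang; the inline int3 is only used on x86/x86-64, other CPUs fall back
to raise(SIGTRAP); a ptrace-based debugger such as gdb, with its default
SIGTRAP handling, stops on the trap and does not deliver it to the handler,
which is exactly what the trick relies on. Function names are mine.

```c
/* Added example (not from the original text): the INT 3 / trap-handler
 * shape of methods 01 and 02 on a modern POSIX system.
 * Assumptions: Linux or macOS; inline int3 on x86/x86-64, raise(SIGTRAP)
 * elsewhere. The 'BCHK'/AX=4 values are the ones from method 01 and are
 * loaded only for illustration; nothing on a modern OS answers them. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>

static volatile sig_atomic_t trap_seen;

/* The "Good_Guy" path of method 02: it only runs when no debugger
 * consumed the breakpoint trap before it reached the program. */
static void on_sigtrap(int sig)
{
    (void)sig;
    trap_seen = 1;
}

/* Returns 1 if the breakpoint trap never reached our handler (a debugger
 * took it, which is what gdb does by default), 0 if the handler ran,
 * -1 if the handler could not be installed. */
int debugger_present(void)
{
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigtrap;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGTRAP, &sa, &old) != 0)
        return -1;
    trap_seen = 0;
#if defined(__x86_64__)
    __asm__ volatile(
        "push %%rbp\n\t"              /* EBP is the C frame pointer: save it */
        "mov $0x4243484b, %%ebp\n\t"  /* 'BCHK' */
        "mov $4, %%ax\n\t"
        "int3\n\t"                    /* INT 3: goes to the debugger if one is attached */
        "pop %%rbp\n\t"
        : : : "eax", "cc", "memory");
#elif defined(__i386__)
    __asm__ volatile(
        "push %%ebp\n\t"
        "mov $0x4243484b, %%ebp\n\t"  /* 'BCHK' */
        "mov $4, %%ax\n\t"
        "int3\n\t"
        "pop %%ebp\n\t"
        : : : "eax", "cc", "memory");
#else
    raise(SIGTRAP);                   /* no x86 breakpoint instruction here */
#endif
    sigaction(SIGTRAP, &old, NULL);
    return trap_seen ? 0 : 1;
}

int main(void)
{
    int r = debugger_present();
    printf("%s\n", r == 1 ? "debugger detected (trap never reached the handler)"
                 : r == 0 ? "no debugger (handler ran)"
                          : "sigaction failed");
    return 0;
}
```

Under gdb, "run" stops at the int3 and a "continue" leaves trap_seen at 0,
so the function reports the debugger; run normally, the handler fires and it
reports none. The opposite failure mode exists too: a debugger can simply
pass the signal through ("handle SIGTRAP pass" in gdb), so, like the DOS
version, this check only catches tools that keep the default behaviour.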
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor di,di
    mov es,di            ; ES:DI = 0:0 before the call
    mov ax, 1684h        ; int 2Fh function 1684h: get VxD API entry point
    mov bx, 0202h        ; VxD ID of WINICE (SICE)
    int 2Fh
    mov ax, es           ; ES:DI -> VxD API entry point (stays 0:0 if the VxD is absent)
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD (SIWVID):

    xor di,di
    mov es,di            ; ES:DI = 0:0 before the call
    mov ax, 1684h
    mov bx, 7A5Fh        ; VxD ID of SIWVID
    int 2Fh
    mov ax, es           ; ES:DI -> VxD API entry point (stays 0:0 if the VxD is absent)
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method as well as the following one are two examples from Stone's
"stn-wid.zip" (www.cracking.net). This one first swaps a harmless IRET
handler into the int 41h vector, so that the call returns safely (AX
unchanged) when no system debugger intercepts it:

    xor ax,ax
    mov es,ax                 ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]       ; install our handler, keep the old vector in BX:DX
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]       ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

Second method, similar to the preceding one but more difficult to detect.
The dummy int 41h handler copies AL into CL; if a system debugger swallows
the int 41h, the handler never runs, CL stays 0 and differs from AL (unless
the byte read from port 40h happens to be 0, in which case the check is
inconclusive):

int41handler PROC
    mov cl,al
    iret
int41handler ENDP


    xor ax,ax
    mov es,ax                 ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]       ; install our handler, keep the old vector in BX:DX
    xchg bx, es:[41h*4+2]
    in al, 40h                ; AL = low byte of the PIT counter (a changing value)
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]       ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client EIP is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h                     ; DOS: set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; ds:dx -> new handler
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ECX) for
that device if it is installed:

    mov eax, Device_ID   ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!


This trick is very efficient:
by checking the debug registers you can detect if SoftICE is loaded
(DR7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (DR0 to DR3), simply by reading their
value (in ring 0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* The open only succeeds if the SICE VxD is loaded and answers it. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
(_VWIN32_ReleaseWin32Mutex, via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware soft
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and it is thereby detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025   ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-01     ; INVALID_HANDLE_VALUE
00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
   BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                      *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
   ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
   ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00              ; OF_READ
    mov eax,[00656634]   ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax              ; HFILE_ERROR (-1) + 1 == 0 when the open failed
    jnz 00650589         ; detected
    push 00              ; OF_READ
    mov eax,[00656638]   ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae          ; not detected



__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger-installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall back door. This detection was found in the Bleem demo.

    push 0000004fh         ; function 4fh
    push 002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001 ; VxDCall
    cmp ax, 0f386h         ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

   BPINT 41 if ax==4f

   BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

   BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

   BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of 'tICE' in
the subkey strings of #2 and #1 respectively; esp->8 is the lpSubKey argument):

   BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

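The breakpoints of methods 11 and 13 both compare a 4-byte literal with the
bytes at a fixed offset into the string argument of the API. As an added
example (not from the original text), the C program below computes that
offset for any string and needle, prints the condition in the notation used
above, and re-derives the 0x13 and 0x37 quoted for keys #2 and #1; it also
covers key #3 and the \\.\SICE path of method 11, which the breakpoints
above do not spell out. The base expressions esp->8 (lpSubKey of RegOpenKey)
and esp->4 (lpFileName of CreateFileA) and the memory-order match of the
4-char literal are taken from the breakpoints above; the function names and
the sample strings are mine.

```c
/* Added example (not from the original text): derive the offset and the
 * 4-byte literal for a SoftICE conditional breakpoint of the form
 *     *(<arg>+<off>)=='<quad>'
 * Assumptions: the literal matches the 4 bytes in memory order, as the
 * breakpoints in methods 11 and 13 rely on; <arg> is the expression for
 * the string-pointer argument (esp->4 for CreateFileA's lpFileName,
 * esp->8 for RegOpenKey's lpSubKey), taken from those breakpoints. */
#include <stdio.h>
#include <string.h>

/* Offset of the first 4-byte window of s equal to quad, or -1 if none. */
int quad_offset(const char *s, const char *quad)
{
    size_t len = strlen(s);
    if (strlen(quad) != 4 || len < 4)
        return -1;
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(s + i, quad, 4) == 0)
            return (int)i;
    return -1;
}

/* Evaluate the condition the way the breakpoint does: read 4 bytes at
 * arg+off and compare them with the literal. Returns 1 on match, else 0. */
int condition_holds(const char *arg, int off, const char *quad)
{
    if (off < 0 || strlen(quad) != 4 || strlen(arg) < (size_t)off + 4)
        return 0;
    return memcmp(arg + off, quad, 4) == 0;
}

/* Build the SoftICE condition text for (base_expr, s, quad). Returns a
 * pointer to a static buffer, or NULL if quad does not occur in s. */
const char *bpx_condition(const char *base_expr, const char *s, const char *quad)
{
    static char out[160];
    int off = quad_offset(s, quad);
    if (off < 0)
        return NULL;
    snprintf(out, sizeof out, "*(%s+0x%X)=='%.4s'", base_expr, off, quad);
    return out;
}

int main(void)
{
    /* Sample strings constructed from the keys and device path quoted in the text. */
    const char *key1 = "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE";
    const char *key2 = "Software\\NuMega\\SoftICE";
    const char *key3 = "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe";
    const char *dev  = "\\\\.\\SICE";

    puts(bpx_condition("esp->8", key2, "tICE"));  /* method 13, key #2: 0x13 */
    puts(bpx_condition("esp->8", key1, "tICE"));  /* method 13, key #1: 0x37 */
    puts(bpx_condition("esp->8", key3, "Load"));  /* key #3, not covered above */
    puts(bpx_condition("esp->4", dev,  "SICE"));  /* method 11: offset 4 */
    return 0;
}
```

The 'tICE' needle is chosen because a 4-byte window must land inside the
key name, and 'SoftICE' is 7 characters; any other 4-byte window of the key
would do as long as it is unique to the SoftICE keys. The condition for key
#3 is the one the breakpoint in the text does not carry, so the generated
line can simply be OR-ed onto it.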
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only):

    VMMCall Test_Debug_Installed   ; ZF set when no debugger is installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>