<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-(

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095  MOV  AX,0911      ; execute command.
4C19:0098  MOV  DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647      ; 1st magic value.
4C19:009D  MOV  DI,4A4D      ; 2nd magic value.
4C19:00A0  INT  3            ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1  ADD  BX,02        ; BX+2 to point to the next command to execute
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06        ; Repeat 6 times to execute
4C19:00A8  JB   0095         ; 6 different commands.
4C19:00AA  JMP  0002         ; Bad_Guy jmp back.
4C19:00AD  MOV  BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected


___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:
        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed


Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
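
The two DR7 values quoted above differ only in a couple of architectural bits,
and which of dr0-dr3 actually carry a breakpoint is encoded in DR7 as well.
The following decoder is an added example (not code from the original text):
it splits a DR7 value into the fields defined by the Intel architecture
(L0/G0..L3/G3 enable bits, LE/GE, GD, and the R/W and LEN field of each slot).
Reading DR7 itself is the privileged step the text mentions and is not done
here; the values passed in are constructed, with 0xF0401 standing for a
dr0 4-byte read/write breakpoint.

```python
"""Decoder for the x86 DR7 debug control register.

Added example, not from the original text. Field layout follows the Intel
architecture definition of DR7; the value to decode must be supplied by the
caller (reading DR7 requires ring0).
"""
from typing import Dict, List

_RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
_LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # 10b (8 bytes) is defined for 64-bit mode only


def decode_dr7(dr7: int) -> Dict[str, object]:
    """Return the decoded fields; 'breakpoints' lists only enabled dr0-dr3 slots."""
    bps: List[Dict[str, object]] = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)        # Li: enabled for this task
        glob = bool((dr7 >> (2 * i + 1)) & 1)     # Gi: enabled for all tasks
        if local or glob:
            rw = (dr7 >> (16 + 4 * i)) & 3        # R/Wi: condition for slot i
            ln = (dr7 >> (18 + 4 * i)) & 3        # LENi: size watched by slot i
            bps.append({"slot": i, "local": local, "global": glob,
                        "type": _RW_NAMES[rw], "length": _LEN_BYTES[ln]})
    return {
        "breakpoints": bps,
        "LE": bool((dr7 >> 8) & 1),               # local exact breakpoint enable
        "GE": bool((dr7 >> 9) & 1),               # global exact breakpoint enable
        "reserved_bit10": bool((dr7 >> 10) & 1),  # architecturally set to 1
        "GD": bool((dr7 >> 13) & 1),              # general detect: trap on mov DRx
    }


def differing_fields(a: int, b: int) -> List[str]:
    """Names of the decoded fields in which two DR7 values differ."""
    da, db = decode_dr7(a), decode_dr7(b)
    return sorted(k for k in da if da[k] != db[k])


def enabled_slots(dr7: int) -> List[int]:
    """Indices of dr0-dr3 that currently have an enabled breakpoint."""
    return [bp["slot"] for bp in decode_dr7(dr7)["breakpoints"]]


if __name__ == "__main__":
    # 0x400 and 0x700 are the values quoted in the text; 0xF0401 is constructed.
    for v in (0x400, 0x700, 0xF0401):
        print(hex(v), decode_dr7(v))
    print("0x700 vs 0x400 differ in:", differing_fields(0x700, 0x400))
```

Running it shows that 0x700 and 0x400 have no slot enabled at all and differ
only in LE and GE, while a set BPM shows up as an enabled slot with its type
and length; bit 10 reads as 1 in every case because the architecture defines
it so, which is why the "otherwise" value is 0x400 rather than 0.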
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 service
0x001F _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


00401067: push 00402025         ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp  eax,-001
00401074: je   00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========
This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected


Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed


This service just checks a flag.
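
Most of the tricks above boil down to a handful of fixed constants (the 'BCHK'
signature, the 4647h/4A4Dh magic values, the 0202h/7A5Fh VxD IDs, function
4Fh of int 41h, the 0F386h magic number, the "\\.\SICE" device names and the
registry key names). An analyst who has a packed sample on disk can therefore
locate them statically before ever stepping through the code. The scanner
below is an added example, not code from the original text or from any of the
programs it names: every signature is my own hand-assembly of the instruction
sequences shown in the listings (16-bit encodings, with an optional 66h
operand-size prefix accepted so the same mov/cmp forms also match in 32-bit
code), and the short byte windows between the constant load and the int call
are a heuristic tolerance for the register shuffling the listings show. The two
sample buffers are constructed from the Method 01, 05 and 11 fragments and from
the Haspinst.exe loop of Method 02.

```python
"""Signature scanner for the SoftICE detection tricks catalogued in the text.

Added example, not code from the original text. Byte patterns are hand-assembled
from the listings; method numbers refer to the sections of the catalogue.
"""
import re
from typing import List, Tuple

_RAW_SIGNATURES = [
    # (method, what the bytes encode, byte regex)
    ("01", "mov ebp,04243484Bh ('BCHK') ... int 3",
     rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC"),
    ("02", "mov si,4647h / mov di,4A4Dh magic values ... int 3",
     rb"(?:\x66?\xBE\x47\x46.{0,12}?\x66?\xBF\x4D\x4A"
     rb"|\x66?\xBF\x4D\x4A.{0,12}?\x66?\xBE\x47\x46).{0,8}?\xCC"),
    ("03", "mov bx,0202h (SICE VxD ID) ... int 2Fh",
     rb"\x66?\xBB\x02\x02.{0,8}?\xCD\x2F"),
    ("04", "mov bx,7A5Fh (SIWVID VxD ID) ... int 2Fh",
     rb"\x66?\xBB\x5F\x7A.{0,8}?\xCD\x2F"),
    ("05", "mov ax,4Fh ... int 41h",
     rb"\x66?\xB8\x4F\x00.{0,8}?\xCD\x41"),
    ("06", "in al,40h ... int 41h (timer byte echoed by a private handler)",
     rb"\xE4\x40.{0,6}?\xCD\x41"),
    ("07", "mov ah,43h ... int 68h",
     rb"\xB4\x43.{0,8}?\xCD\x68"),
    ("05/07/12", "cmp ax,0F386h (system debugger magic number)",
     rb"\x66?\x3D\x86\xF3"),
    ("08", "int 21h/25h installing a new int 01h or int 03h vector",
     rb"(?:\xB4\x25.{0,6}?\xB0[\x01\x03]|\xB8[\x01\x03]\x25).{0,8}?\xCD\x21"),
    ("11", "\\\\.\\SICE / SIWVID / NTICE device name (CreateFileA or _lopen)",
     re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)"),
    ("12", "push 4Fh / push 002A002Ah before VxDCall (VWIN32_Int41Dispatch)",
     rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
    ("13", "SoftICE registry key names",
     rb"(?:" + re.escape(b"Software\\NuMega\\SoftICE") + rb"|"
     + re.escape(b"Uninstall\\SoftICE") + rb"|Loader32\.Exe)"),
]
# DOTALL so the "." windows also span 0x0A bytes inside machine code.
SIGNATURES = [(m, d, re.compile(p, re.DOTALL)) for m, d, p in _RAW_SIGNATURES]


def scan(buf: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, method, description) for every hit, ordered by offset."""
    hits = []
    for method, desc, rx in SIGNATURES:
        for m in rx.finditer(buf):
            hits.append((m.start(), method, desc))
    return sorted(hits)


def methods_found(buf: bytes) -> List[str]:
    """Distinct method numbers in order of first appearance."""
    seen: List[str] = []
    for _, method, _ in scan(buf):
        if method not in seen:
            seen.append(method)
    return seen


# Constructed sample: Method 01, Method 05 and a Method 11 string, with filler.
SAMPLE_MIXED = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"      # mov ebp,04243484Bh   (Method 01)
    + b"\xB8\x04\x00"              # mov ax,04h
    + b"\xCC"                      # int 3
    + b"\x3C\x04"                  # cmp al,4
    + b"\x75\x10"                  # jnz SoftICE_Detected (displacement arbitrary)
    + b"\x00" * 6
    + b"\xB8\x4F\x00"              # mov ax,4Fh           (Method 05)
    + b"\xCD\x41"                  # int 41h
    + b"\x3D\x86\xF3"              # cmp ax,0F386h
    + b"\x74\x10"                  # jz SoftICE_detected
    + b"\x00" * 3
    + b"\\\\.\\SICE\x00"           # device name string   (Method 11)
)

# Constructed sample: the Haspinst.exe loop of Method 02, hand-assembled:
# MOV AX,0911 / MOV DX,[BX] / MOV SI,4647 / MOV DI,4A4D / INT 3 / ADD BX,02 /
# INC CX / CMP CX,06 / JB back.
SAMPLE_HASP = (
    b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"
    b"\x83\xC3\x02\x41\x83\xF9\x06\x72\xEB"
)

if __name__ == "__main__":
    for name, buf in (("mixed", SAMPLE_MIXED), ("haspinst", SAMPLE_HASP)):
        for off, method, desc in scan(buf):
            print(f"{name}: {off:04x}  Method {method:<9} {desc}")
```

A hit is a lead, not a verdict: the int 3 / int 41h / int 2Fh patterns can
occur in code that has nothing to do with SoftICE, so each offset should be
confirmed in a disassembler (and the breakpoint recipes given under the
methods above are the dynamic counterpart). Extending the table for a new
trick means adding one (method, description, byte regex) entry.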
</PRE></TD></TR></TBODY></TABLE>