<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4               ; al is no longer 4 if SoftICE handled the INT 3
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - ds:dx points to the command)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911           ; execute command.
4C19:0098 MOV DX,[BX]           ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647           ; 1st magic value.
4C19:009D MOV DI,4A4D           ; 2nd magic value.
4C19:00A0 INT 3                 ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02             ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06             ; Repeat 6 times to execute
4C19:00A8 JB 0095               ; 6 different commands.
4C19:00AA JMP 0002              ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP             ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point"):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WinICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di              ; ES:DI stays 0000:0000 if the VxD is absent
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected


__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax, 4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        ; es must point to segment 0 (the interrupt vector table), see Method 06
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; swap our own handler into the int 41h vector
        xchg bx, es:[41h*4+2]
        mov ax, 4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al              ; our handler copies al into cl when it runs
        iret
int41handler ENDP


        xor ax, ax
        mov es, ax              ; es = 0, the interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; al = PIT counter, a value hard to predict
        xor cx, cx              ; cl = 0 before the call
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl, al              ; cl == al only if our handler was really called
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:
        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________
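
The INT-based checks of Methods 01 to 07 share one shape: a few register
loads followed by a software interrupt. The following Python scanner is an
added example, not code from the original page or from any tool it names;
it hand-assembles the page's sequences as 16-bit code into a constructed
sample and flags each INT whose preceding bytes carry the page's constants
(the 'BCHK' dword, SI=4647h/DI=4A4Dh, AX=1684h with BX=0202h/7A5Fh, AX=4Fh,
AH=43h). The 16-byte look-back window and the use of plain byte patterns
instead of a disassembler are assumptions of this example.

```python
"""Static scanner for the interrupt-based SoftICE checks of Methods 01 to 07.

Added example, not code from the original page. For every INT 3, INT 2Fh,
INT 41h or INT 68h it finds, it inspects the bytes just before the interrupt
for the register set-up the page describes and reports the matching method.
Assumptions: 16-bit code as in the page's DOS listings (so 'mov ax,imm' is
B8 lo hi, 'mov bx,imm' BB lo hi, 'mov si,imm' BE, 'mov di,imm' BF,
'mov ah,imm8' B4), and a fixed 16-byte look-back window instead of a real
disassembler, which is enough for the straight-line sequences shown above.
"""
import re

# INT 3 back door functions (AX) as listed under Method 02.
BACKDOOR_FUNCS = {
    0x0910: "display string in SoftICE window",
    0x0911: "execute SoftICE command at ds:dx",
    0x0912: "get breakpoint info",
    0x0913: "set SoftICE breakpoints",
    0x0914: "remove SoftICE breakpoints",
}

WINDOW = 16   # bytes inspected before each INT (assumption of this example)

def _last_mov_ax_imm16(window):
    """Immediate of the last 'mov ax, imm16' (B8 lo hi) in the window, or None."""
    value = None
    for m in re.finditer(rb"\xB8(..)", window, re.DOTALL):
        value = int.from_bytes(m.group(1), "little")
    return value

def scan(code: bytes):
    """Return [(int_offset, method, detail), ...] for every recognised sequence."""
    hits = []
    for m in re.finditer(rb"\xCC|\xCD[\x2F\x41\x68]", code):
        off = m.start()
        win = code[max(0, off - WINDOW):off]
        op = m.group()
        if op == b"\xCC":                                       # int 3
            if b"\x4B\x48\x43\x42" in win:                      # dword 4243484Bh = 'BCHK'
                hits.append((off, "01", "BoundsChecker 'BCHK' signature via INT 3"))
            elif b"\xBE\x47\x46" in win and b"\xBF\x4D\x4A" in win:  # si=4647h, di=4A4Dh
                fn = _last_mov_ax_imm16(win)
                desc = ("AX=%04Xh (%s)" % (fn, BACKDOOR_FUNCS.get(fn, "unknown function"))
                        if fn is not None else "AX not set in window")
                hits.append((off, "02", "SoftICE INT 3 back door, " + desc))
        elif op == b"\xCD\x2F":                                 # int 2Fh
            if b"\xB8\x84\x16" in win:                          # ax=1684h, get VxD entry point
                if b"\xBB\x02\x02" in win:                      # bx=0202h (SICE)
                    hits.append((off, "03", "INT 2Fh/1684h on VxD ID 0202h (SICE)"))
                elif b"\xBB\x5F\x7A" in win:                    # bx=7A5Fh (SIWVID)
                    hits.append((off, "04", "INT 2Fh/1684h on VxD ID 7A5Fh (SIWVID)"))
        elif op == b"\xCD\x41":                                 # int 41h
            if b"\xB8\x4F\x00" in win:                          # ax=4Fh
                hits.append((off, "05", "INT 41h/4Fh debugger installation check"))
        elif op == b"\xCD\x68":                                 # int 68h
            if b"\xB4\x43" in win:                              # ah=43h
                hits.append((off, "07", "INT 68h/43h V86 WinICE handler check"))
    return hits

# Constructed sample: the page's sequences hand-assembled as 16-bit code and
# separated by NOPs so that each INT only sees its own register set-up.
SAMPLE_CODE = bytes.fromhex(
    "66BD4B484342 B80400 CC 3C04"        # 01: mov ebp,'BCHK'; mov ax,4; int 3; cmp al,4
    "90909090"
    "B81109 8B17 BE4746 BF4D4A CC"       # 02: mov ax,911h; mov dx,[bx]; mov si,4647h; mov di,4A4Dh; int 3
    "90909090"
    "33FF 8EC7 B88416 BB0202 CD2F"       # 03: xor di,di; mov es,di; mov ax,1684h; mov bx,202h; int 2Fh
    "90909090"
    "33FF 8EC7 B88416 BB5F7A CD2F"       # 04: same lookup with bx=7A5Fh
    "90909090"
    "B84F00 CD41 3D86F3"                 # 05: mov ax,4Fh; int 41h; cmp ax,0F386h
    "90909090"
    "B443 CD68 3D86F3"                   # 07: mov ah,43h; int 68h; cmp ax,0F386h
)

if __name__ == "__main__":
    for off, method, detail in scan(SAMPLE_CODE):
        print("%04X  Method %s  %s" % (off, method, detail))
```

Run on the constructed sample it reports six hits, one per sequence, in
the order they were assembled; on a buffer of NOPs or of bare INT 3 bytes
with no preceding set-up it reports nothing, which is the point of looking
back at the register loads rather than at the INT alone.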


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

        mov ah, 25h                     ; int 21h/25h: set interrupt vector
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID              ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name            ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx                  ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
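
The Debug Register values quoted above can be checked bit by bit. The
following Python decoder is an added example, not code from the original
page; the register snapshots in it are constructed. It uses the
architectural DR7 layout (L0/G0..L3/G3 in bits 0-7, LE bit 8, GE bit 9,
reserved bit 10 which always reads as 1, GD bit 13, R/Wn and LENn in bits
16-31), which shows why the page's 0x700 and 0x400 differ only in LE and GE,
and it applies the two verdicts of this method to a snapshot of DR0-DR3
and DR7 that a ring0 component has already read.

```python
"""Decoder for the debug register check described in Method 10.

Added example, not code from the original page; the register snapshots below
are constructed. It applies the architectural DR7 layout: bits 0-7 hold the
L0/G0 .. L3/G3 enable bits, bit 8 LE, bit 9 GE, bit 10 is reserved and always
reads as 1, bit 13 GD, and bits 16-31 hold the R/Wn (2 bits) and LENn (2 bits)
fields of the four breakpoints. Reading the registers in the first place
needs ring0, as the page says; this code only interprets values already read.
"""

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN encoding: 00=1, 01=2, 10=8 (64-bit only), 11=4

def decode_dr7(dr7):
    """Return the global flags and the four per-breakpoint fields of DR7."""
    bps = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        bps.append({"local": bool(local), "global": bool(glob),
                    "enabled": bool(local or glob),
                    "type": RW_NAMES[rw], "len": LEN_BYTES[ln]})
    return {"LE": bool(dr7 & (1 << 8)), "GE": bool(dr7 & (1 << 9)),
            "reserved10": bool(dr7 & (1 << 10)), "GD": bool(dr7 & (1 << 13)),
            "breakpoints": bps}

def classify(dr0, dr1, dr2, dr3, dr7):
    """Apply the two verdicts of Method 10 to one snapshot of DR0-DR3 and DR7."""
    info = decode_dr7(dr7)
    findings = []
    # The page quotes dr7=0x700 after a SoftICE loader start and 0x400 otherwise.
    # 0x700 - 0x400 = 0x300, i.e. exactly LE (bit 8) and GE (bit 9).
    if info["LE"] and info["GE"]:
        findings.append("LE and GE set (dr7 0x700 pattern): loaded through SoftICE loader")
    for i, (addr, bp) in enumerate(zip((dr0, dr1, dr2, dr3), info["breakpoints"])):
        if bp["enabled"] or addr:
            state = "enabled" if bp["enabled"] else "address set but disabled"
            findings.append("DR%d: %s breakpoint on %08Xh, %d byte(s), %s"
                            % (i, bp["type"], addr, bp["len"], state))
    return findings

# Constructed snapshots (dr0, dr1, dr2, dr3, dr7).
SNAPSHOTS = {
    "clean":        (0, 0, 0, 0, 0x400),        # only the reserved bit set
    "loader":       (0, 0, 0, 0, 0x700),        # LE|GE, as the page reports for the loader
    # L0 enabled, R/W0=01 (write), LEN0=11 (4 bytes), plus the reserved bit:
    "bpm_on_dr0":   (0x00401000, 0, 0, 0, 0x400 | 0x1 | (0x1 << 16) | (0x3 << 18)),
}

if __name__ == "__main__":
    for name, regs in SNAPSHOTS.items():
        print(name, classify(*regs) or ["nothing found"])
```

The "clean" snapshot yields no finding, the "loader" one yields only the
LE/GE verdict, and the third one reports a 4-byte write breakpoint on DR0
(the shape a BPM leaves behind), so the two tests the page describes are
kept apart instead of collapsed into a single "debugger present" flag.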

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* Opening the \\.\SICE device name only succeeds if the VxD is loaded. */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
            *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                         ; OF_READ
        mov eax,[00656634]              ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                         ; HFILE_ERROR (-1) becomes 0
        jnz 00650589                    ; detected
        push 00                         ; OF_READ
        mov eax,[00656638]              ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae                     ; not detected



__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh                  ; function 4fh
        push 002a002ah                  ; high word specifies which VxD (VWIN32)
                                        ; low word specifies which service
                                        ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001           ; VxDCall
        cmp ax, 0f386h                  ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
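
The device names of Method 11 and the registry paths of Method 13 are plain
strings inside the executable, so an analyst can triage a sample for them
before running it. The following Python scanner is an added example, not
code from the original page; the sample image it scans is constructed. It
matches each indicator case-insensitively in both ASCII and UTF-16LE (the
form a CreateFileW or RegOpenKeyW caller would carry), which goes slightly
beyond the ASCII-only listings above.

```python
"""Triage scanner for the string indicators of Methods 11 and 13.

Added example, not code from the original page. It looks for the SoftICE
device names opened by MeltICE-style checks and the registry paths used to
locate the SoftICE installation, in both ASCII and UTF-16LE, ignoring case.
"""
import re

# (indicator text, method on the page that uses it)
INDICATORS = [
    (r"\\.\SICE",   "11 (CreateFileA on the SICE VxD)"),
    (r"\\.\SIWVID", "11 (CreateFileA on the SIWVID VxD)"),
    (r"\\.\NTICE",  "11 (CreateFileA on the NTICE driver)"),
    (r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE", "13 (registry key #1)"),
    (r"Software\NuMega\SoftICE", "13 (registry key #2)"),
    (r"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe", "13 (registry key #3)"),
]

def _compiled():
    """Build one case-insensitive byte regex per indicator and encoding."""
    pats = []
    for text, method in INDICATORS:
        for label, codec in (("ascii", "ascii"), ("utf-16le", "utf-16-le")):
            rx = re.compile(re.escape(text.encode(codec)), re.IGNORECASE)
            pats.append((rx, label, text, method))
    return pats

PATTERNS = _compiled()

def scan_strings(image: bytes):
    """Return [(offset, encoding, indicator, method), ...] sorted by offset."""
    hits = []
    for rx, label, text, method in PATTERNS:
        for m in rx.finditer(image):
            hits.append((m.start(), label, text, method))
    return sorted(hits)

# Constructed sample image: an ASCII SICE device name, a UTF-16LE NTICE name in
# lower case, and the NuMega registry key in upper case, separated by filler.
SAMPLE_IMAGE = (
    b"\x00" * 8
    + b"\\\\.\\SICE\x00" + b"junk"
    + "\\\\.\\ntice\x00".encode("utf-16-le")
    + b"SOFTWARE\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for off, enc, text, method in scan_strings(SAMPLE_IMAGE):
        print("%08X  %-8s  %-40s  Method %s" % (off, enc, text, method))
```

A hit is only a lead: the strings also occur in legitimate tools that
cooperate with SoftICE, so the offsets are meant to be cross-referenced in a
disassembler against the CreateFileA / _lopen / RegOpenKey calls shown above.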

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>