<TABLE width=500>
+ z0 A. n, K! t6 P<TBODY>1 P! L3 x' a& o7 V
<TR>; W/ s8 u. p, P! @$ \$ O, Y# Z
<TD><PRE>Method 01 " |1 n* Q4 @3 l+ K
=========& G3 C G; A# t2 t0 D: U' M
- ]$ T+ i) X+ o: cThis method of detection of SoftICE (as well as the following one) is6 f) F" B/ W" x
used by the majority of packers/encryptors found on Internet.: k% S8 u9 I( _9 @
It seeks the signature of BoundsChecker in SoftICE b: `' ]) C$ t( m( Y: F
S* b; M% z) ?- U& ? mov ebp, 04243484Bh ; 'BCHK'% R- l5 V+ T' x* F* v
mov ax, 04h
1 I0 f1 k; Y$ {$ E3 d+ T6 _' r int 3
+ \- Z U, y+ k* s2 B cmp al,4
) S" Z4 T9 |5 l( |5 B7 n0 } jnz SoftICE_Detected; P" a0 Y( h- `2 z
. E+ p1 @ \/ I o) c& I# g- a___________________________________________________________________________
, j3 Q% M7 P. X/ o9 ?8 S7 d
* G3 O( G g$ M" D1 H yMethod 022 }% S1 ~6 O& z W1 }: N2 e) E
=========
0 |* T* \ B2 n& b& G# p
" ?9 ~7 J* n5 MStill a method very much used (perhaps the most frequent one). It is used; z4 I6 a, ~# w: o6 C
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,' F# r9 F- q1 o. b" g. N; O" ]
or execute SoftICE commands...* a* S$ \: a: T# W5 |
It is also used to crash SoftICE and to force it to execute any commands9 {& E4 u( P: g: | Z
(HBOOT...) :-((
6 W3 ]+ N {5 Z$ u. H' j* F( q) H, w& s. R( f% S$ u4 \
Here is a quick description:6 |' s! {8 v7 g% I7 |5 }
-AX = 0910h (Display string in SIce windows)
! }" j1 D% Q, `$ Q. f# z: X2 B-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)
9 J2 P. U& Q' O7 n) s( K-AX = 0912h (Get breakpoint infos)
' |/ I/ _# ]6 J0 D, B* t% k-AX = 0913h (Set Sice breakpoints)3 z$ ~. t3 A) g+ V; h3 W
-AX = 0914h (Remove SIce breakoints)
/ r$ k3 ~0 ~$ f+ {
! u6 s- [# t1 |0 V0 g4 U" N9 C: k' rEach time you'll meet this trick, you'll see:5 _2 G! u* k; i/ u4 p* u5 }8 L
-SI = 4647h
: K# f% k6 R* l-DI = 4A4Dh5 B9 Y' R n! k* y
Which are the 'magic values' used by SoftIce.
0 f. n, ^+ x. \' v6 pFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.
6 Z$ H' [0 X4 ?1 Z: G" Y
2 S9 I6 c H0 F% f$ s' c* B- g3 NHere is one example from the file "Haspinst.exe" which is the dongle HASP) B; {1 X. J' j" ?! I4 h
Envelope utility use to protect DOS applications:1 _7 A7 l6 o( w @5 _4 d
: U, R& m9 c+ R0 } d/ l; Y$ `
, A3 Q, } X U+ R# p# W4C19:0095 MOV AX,0911 ; execute command.
$ k N8 X5 f9 w( _" Q! C \% @" U4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).+ n' u4 |( @1 p, p5 H% g+ u! v% o; j
4C19:009A MOV SI,4647 ; 1st magic value.
2 E# G* b. ]' \+ u; w7 b, |4C19:009D MOV DI,4A4D ; 2nd magic value." g4 Z6 m% ]$ C: J
4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)
0 P; V4 R7 W9 Q5 }& L4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute6 T* G( z) u) F" ~! w
4C19:00A4 INC CX
3 F' N- B8 C4 h7 B4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
. @9 [: ^1 R4 G2 W7 ?4C19:00A8 JB 0095 ; 6 different commands.
9 u& @0 c- s1 _& C0 d4C19:00AA JMP 0002 ; Bad_Guy jmp back.
& Z( w; u+ I5 m q2 k6 a, s/ B* {( n4C19:00AD MOV BX,SP ; Good_Guy go ahead :)' D1 a2 N& `9 @- a Y( M5 L
* h$ @ g' K% ^8 T7 b; l; b8 V' |
The program will execute 6 different SIce commands located at ds:dx, which4 X# S+ ^: o2 W6 O& M" {
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
1 Z I( ?; o3 S, I5 I( f8 g% u' [! O J
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.. X0 t7 P: E9 y% Y3 O6 P5 g
___________________________________________________________________________
* y _7 `$ d; \7 h3 n/ r: F* n- T o$ z/ t2 z* u# X
# N2 e* K' V L9 zMethod 03
# E# J2 u S8 ^; D, q) i7 ~+ j=========
5 ^5 z8 f5 D+ Y2 X7 [
/ L- p. @. C* y2 {7 x8 o/ M$ c+ {Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h/ e* H5 A3 x% u0 p
(API Get entry point), p" c0 \) s& Q. g# h3 ?
~0 ]0 z) S; p. O8 g
. O: p( V7 s s) P3 j& e7 b xor di,di
6 r3 ^$ U& E3 f1 l% b+ C1 l- o mov es,di" R2 X# K2 y( U7 `' E+ c' T
mov ax, 1684h 6 Q) u: y" `$ B* X2 g1 W$ f6 w* o
mov bx, 0202h ; VxD ID of winice
! N" p, b! g; D8 |9 x int 2Fh
8 c% X9 e1 f4 S( G" {5 X mov ax, es ; ES:DI -> VxD API entry point% s8 ] v( J7 E2 X
add ax, di+ c, s0 n2 U' h3 ~- n1 [
test ax,ax( t. _) O" e, o
jnz SoftICE_Detected5 |9 M) o N; _ S* ^7 d
$ _% g: ~8 R* W- F$ d: Q
___________________________________________________________________________3 ^% \" O5 c' H/ C Z
9 m, g9 ~ k3 Q8 W1 k* q+ {Method 04. i. }7 J% z0 L) I9 O
=========. R+ x, J$ u1 X: O& r$ }# f- F5 @
- \6 C0 ]/ Z: ]1 c7 C m ?Method identical to the preceding one except that it seeks the ID of SoftICE% T3 k, _/ R$ ?9 Y" I" @4 m
GFX VxD.
8 l7 `9 T, F; i( ?" y( g$ m5 g, [* W& `# }, A$ n6 V
xor di,di6 Z5 }9 T0 D8 z# O' g
mov es,di; L& z! i5 U' J0 B0 Y) i( K
mov ax, 1684h
" K7 x& d/ J+ l; t, S: } mov bx, 7a5Fh ; VxD ID of SIWVID
5 _% [( |8 h' D( B- Z& T( Q+ x int 2fh: g: c/ n/ Y9 o! \) A- _4 u+ w
mov ax, es ; ES:DI -> VxD API entry point3 y @; o% U% Q: S3 l1 \) `3 C
add ax, di
! B% A. u0 }) M* k/ i! l test ax,ax/ B7 n" ?3 F2 \- l9 e
jnz SoftICE_Detected5 B4 h) S0 X, a- c( M$ S( i
* F( j- |+ @" N% ?0 I# @! m
__________________________________________________________________________
* q0 `; d2 F" J3 {& j- m' L) [1 N
1 o+ A# N' Y' I* a2 j g' g+ Y) u5 Y0 T$ w# N/ z4 ?; W
Method 05# R. Z( t4 w) z, q& k
=========! c+ K9 ?2 Q. V9 l0 p7 _
+ W0 g) r; t" ?- r8 u2 `Method seeking the 'magic number' 0F386h returned (in ax) by all system
1 \/ R- V3 _" S2 t( f# m n' idebugger. It calls the int 41h, function 4Fh.$ q& l/ n1 c3 g6 T+ q
There are several alternatives. - i1 n1 r- }# U2 q3 s2 e# X# _
* }- b& s' c) Z9 V2 ]2 S9 eThe following one is the simplest:. N! }+ d. \4 R, a
5 s3 a5 V0 }2 G8 U
mov ax,4fh
0 F! n) i8 U' {1 o int 41h# c* c/ P! @& l
cmp ax, 0F386, n+ ~, @7 M: \! c4 W1 Y
jz SoftICE_detected
+ c: i% n1 U7 ]. ?! V% f/ x% u2 v; K1 Y& d* H
; z, i- x8 q, K1 T4 `1 W8 Q
Next method as well as the following one are 2 examples from Stone's 7 n, z3 I3 h, q6 k0 B8 t
"stn-wid.zip" (www.cracking.net):
! a1 \; f2 Y0 p( J# u
# n* i1 k0 K0 j1 U mov bx, cs
6 D5 `4 y, L, @& I0 r lea dx, int41handler2
. n3 E, o# `- c u6 {' d0 V7 ]$ a xchg dx, es:[41h*4]9 L& [& u8 H w( T. R$ D& G
xchg bx, es:[41h*4+2] B) Q o7 \! Y$ U- t
mov ax,4fh. m* H- k; w; g- G- ?( K) u, J
int 41h
; z8 }$ L6 t* Q7 d/ `) l3 o xchg dx, es:[41h*4]' A7 U- a! x9 u
xchg bx, es:[41h*4+2]6 P% c/ ?$ n9 {
cmp ax, 0f386h
8 V* j. F+ X+ n, `! n4 d$ m jz SoftICE_detected% v, @$ B1 Y! q/ ]3 D* P
9 ]: @, W* \8 ]- J+ h9 Dint41handler2 PROC9 h' }% N% B) J7 R1 M
iret4 ?7 s$ \8 N- E3 L6 m8 x6 K
int41handler2 ENDP/ Y' n8 c- y! l7 i, G
6 x8 _2 Z C1 z" q- _
7 _% P; I9 T b. r
_________________________________________________________________________
! l9 S) j, K! t7 a1 O9 L9 s! S: v8 Q: L
0 |5 K/ H/ E( Y+ ], `$ JMethod 06, [% F8 {) \6 L% M
=========
d- t, T, O$ j7 R+ Q& q8 w/ D6 g% i
. k! h b( ^* |- H/ H9 k$ P P3 f
2nd method similar to the preceding one but more difficult to detect:' n5 g2 Q- l! W0 E
' w0 g8 q, D2 M: u
5 u, d' R" I# R3 W6 e @1 mint41handler PROC# Z( a3 A) p( g1 d
mov cl,al) ]( N9 z$ J; f6 n
iret
) X* r5 l$ n, `# v9 J( X* Iint41handler ENDP
2 G8 J/ T0 j* L9 N: x3 n/ O( Y" \7 W/ ^$ N2 Q4 _
* T. h3 t9 g0 [& K7 t$ v- E
xor ax,ax
$ r. w' m6 |, d' d' t4 Z mov es,ax
6 x% S a7 K" ?/ F* ] mov bx, cs1 b: U- E9 O6 ?( M3 ]. Z& `
lea dx, int41handler' l- u. U$ O O2 z( }5 T+ ^% j
xchg dx, es:[41h*4]
; M; ~/ Y2 l+ Q( n T: v0 Q6 [ xchg bx, es:[41h*4+2]
( l! u9 W3 r: U3 {" x: q) i9 B* k in al, 40h- P, v1 [" N3 @3 U3 B8 _2 x; B
xor cx,cx
# d' I8 ]; R, v# ] int 41h
/ i) U; R/ \. P0 i* B xchg dx, es:[41h*4]$ v* N! p' n4 r6 N* T
xchg bx, es:[41h*4+2]
" v- B; q) }' C5 V$ s+ l& ?+ i5 X cmp cl,al
% J+ P0 g& o; X4 S! ^; h jnz SoftICE_detected
6 g; N ~- G8 j& I R, g/ n+ H
- B! |% ]5 z" S/ u* Q7 Y. t4 }% h2 I0 Z_________________________________________________________________________
, C e( |2 t2 e7 J/ k/ b# G1 Y/ O% O! P3 D8 @ \
Method 07
# g7 l4 ^" p9 K* w% I v$ x=========/ d( F+ j9 k. `# ~; i* m: d
: u" S: _' Y# A! k: Z2 l$ h6 H/ MMethod of detection of the WinICE handler in the int68h (V86)1 _$ ?5 e2 \2 v2 _: l0 m
/ k( y2 S& X0 K: N mov ah,43h6 C# L9 A$ o4 m
int 68h
! ^1 k. H) ]/ ^0 q$ o2 i cmp ax,0F386h
. u# h: h0 s$ m8 { jz SoftICE_Detected
# F2 F5 L: i% F$ U
a+ \! T* T# s0 B( _; v2 _6 Y
`( V9 {- T2 t: m+ S1 t=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
' w) A# M- N( c5 A app like this:
( l2 y9 m# T' {- `
0 o7 b7 u3 N: I. W8 t, U8 ~& @: d BPX exec_int if ax==68. l4 R: k+ F/ Z/ N2 }; y2 j. K. T; k
(function called is located at byte ptr [ebp+1Dh] and client eip is
/ R# c% _ X0 Q2 D" K% U located at [ebp+48h] for 32Bit apps)
. `2 {2 m% i& ?+ W4 Z/ B5 i__________________________________________________________________________3 X3 N* t3 h) `% R) |9 [' Z$ H
3 F' ^; w, i3 }( }& ]- [
) e7 y- F' U7 g6 i1 o6 c( Q0 |Method 08! v5 }, ?) x- N" `
=========
, B* t! |/ K/ h S% A. w2 c; _. y# o. B& n7 \
It is not a method of detection of SoftICE but a possibility to crash the
X( p0 p$ F, asystem by intercepting int 01h and int 03h and redirecting them to another
& k g; _) E9 f9 ^" nroutine.+ ?+ |( D1 Z5 l/ H' f
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
! S! p2 T, N; M3 A* t# W6 ]: Sto the new routine to execute (hangs computer...). x d9 i% B( P: K( S$ Q" P
4 b3 g0 ?; G& U
mov ah, 25h5 W1 d3 s5 Q. j" v" b8 N& {
mov al, Int_Number (01h or 03h)# R7 N5 }. t! ]/ `9 m5 g5 W
mov dx, offset New_Int_Routine$ j. S3 D* N/ s/ p1 q
int 21h7 ~. X2 ?7 F, }: _
$ l+ x; K9 ` y" {. X% g6 a, F__________________________________________________________________________
/ g4 }' @) Y' W$ i- T
# F. S" W2 ~" FMethod 090 d( Q% L' s% O1 k
=========2 c9 G' B8 E9 L. R1 i
' _/ S1 {* v, w6 R# i) p* K
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
1 l( M! k% O9 l0 Zperformed in ring0 (VxD or a ring3 app using the VxdCall).8 M6 A2 V I5 t0 Y. X
The Get_DDB service is used to determine whether or not a VxD is installed
% L @; ` z) s& ^3 x, M* ufor the specified device and returns a Device Description Block (in ecx) for
% G5 G7 p$ R5 n/ q3 [; u5 t; gthat device if it is installed.
4 e' V( K6 _+ n
! _$ t! u! W Y0 s6 K* K5 ]. y mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
9 G1 S+ n6 C4 A- @' } mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-), [8 t3 W% p& F
VMMCall Get_DDB& g0 |1 ~4 B, [8 @. q0 q
mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed+ A1 w: l: Y/ z; N; a* X
; r7 m+ R' ^# j& F( T
Note as well that you can easily detect this method with SoftICE:+ l7 I$ p5 [4 V
bpx Get_DDB if ax==0202 || ax==7a5fh
6 S0 r" Y0 }$ L( D3 O3 J$ k7 H
1 {5 ?* t; n% ]__________________________________________________________________________
5 L: V/ Y3 S2 U% U
+ E. W& u8 t) v& LMethod 10
) \* b3 `5 p" D1 H=========1 z* r8 O+ t- m3 z* S1 O7 r% t
2 E e6 \- i* }* A, L
=>Disable or clear breakpoints before using this feature. DO NOT trace with% Q4 F C5 U3 \: {' A
SoftICE while the option is enable!!
: T; A R2 L! e) D( g) e3 }; m ]' W' [, f* L# r" @) E2 v
This trick is very efficient:
2 I: D+ t1 d z6 I8 h/ Oby checking the Debug Registers, you can detect if SoftICE is loaded
- t' |& _$ j# T/ Q' R, m4 |1 h(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
: F/ Q9 T& M8 @2 @9 t' W- jthere are some memory breakpoints set (dr0 to dr3) simply by reading their1 e5 B* Z" v2 ]2 R
value (in ring0 only). Values can be manipulated and or changed as well
3 a, Q1 b2 O* ](clearing BPMs for instance)1 U: `- M8 P. f5 ^' _
5 e9 Y& C* i, ]( H1 O* o' ^__________________________________________________________________________
7 y, l+ Z: `3 |6 q5 V, C, {( V$ v" V6 @) N, B
Method 115 l6 m4 u" k; W" Q) M: u' w
=========8 w! D4 ^% O; r! [
% |! p5 e+ V) a% v/ s9 ?& [3 _
This method is most known as 'MeltICE' because it has been freely distributed
, M8 |* u6 d( J# i3 \via www.winfiles.com. However it was first used by NuMega people to allow
) Z R; ]2 ] }, t0 wSymbol Loader to check if SoftICE was active or not (the code is located2 w- G" } \- Z6 W3 P, f
inside nmtrans.dll).8 _& |- y/ w' L0 O: Y
( t# g$ ~- C5 i1 a7 A. aThe way it works is very simple:
; v$ l8 y6 p$ y/ `" X' y9 E& x9 pIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
# R' |) y x, v0 }: n- h# F/ s6 d* ]WinNT) with the CreateFileA API.
( c: N, x# G# w9 ^% F9 }& v9 ?
1 m! g2 U, x/ g( y3 l- \Here is a sample (checking for 'SICE'):
1 i& L6 [* U5 N% X- b, n% m h0 n8 N+ h. P
BOOL IsSoftIce95Loaded()
* v1 }% `- r! I9 L2 z{7 w# c% E- S+ [
HANDLE hFile;
. t! R" ` K+ N# M" |1 w$ W; p8 L hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,- p }$ x# u& e0 J- d
FILE_SHARE_READ | FILE_SHARE_WRITE,- ~6 |$ M! e K
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
* P1 p& Z" C- X5 C% a8 b+ E9 a if( hFile != INVALID_HANDLE_VALUE )3 L$ J8 F6 s$ s
{) F4 w9 X2 U) g% L8 G k5 b2 x
CloseHandle(hFile);
# P/ \3 n6 G/ n8 [% b# T return TRUE;
}' m5 N5 ~6 ?# E }8 X" w, b" m3 Z$ [ o# D
return FALSE;7 E7 N$ D# r$ t" O
}
* q }8 x5 ?4 C4 n0 i
; r! _1 g# J7 @; u/ D! [& }Although this trick calls the CreateFileA function, don't even expect to be
7 y, Z, j0 F, S9 Y3 L* Uable to intercept it by installing a IFS hook: it will not work, no way!, O. i% u: z) N9 ^% x% Q8 _2 ?2 ?
In fact, after the call to CreateFileA it will get through VWIN32 0x001F( ?5 Y2 B2 a3 }& H. D+ W
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
: [) C+ {2 b, b7 H; Z& X2 D5 Xand then browse the DDB list until it find the VxD and its DDB_Control_Proc( u4 [, I- r6 a' A5 d' j7 u
field." A L% J- S. H4 P
In fact, its purpose is not to load/unload VxDs but only to send a 7 U8 U: ]8 _% J
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)1 Q3 s" ~" J+ u3 T. T
to the VxD Control_Dispatch proc (how the hell a shareware soft could try8 K* i% M4 B' y s" y8 x
to load/unload a non-dynamically loadable driver such as SoftICE ;-).% C$ `7 v5 z. d1 `1 N+ G: |* X
If the VxD is loaded, it will always clear eax and the Carry flag to allow6 N( V: _- a j# C! K
its handle to be opened and then, will be detected.
/ U6 H: G; l& h& W3 C h ^2 YYou can check that simply by hooking Winice.exe control proc entry point
9 u7 ?1 J$ ]+ Jwhile running MeltICE./ W* f7 x; C# j- Y! N8 l
, B2 y# \# p' m' ]/ ^& f# r0 P; X ] y
00401067: push 00402025 ; \\.\SICE
! u- W. d1 ^+ y" ?6 ^; p 0040106C: call CreateFileA! l9 g7 ]2 I/ Y# j$ H6 x
00401071: cmp eax,-001
4 o' w9 g: S) E8 E: d% w! x3 u 00401074: je 004010918 P; f" H1 U" Y4 \
$ ?* j# s7 Q% }, v7 B4 f. b
( e& e! l: i3 KThere could be hundreds of BPX you could use to detect this trick.
6 F e- _# J( t$ h-The most classical one is:
8 I t; X. m6 w& A- B5 Q5 e BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
" q, @0 O1 F7 i6 S3 U *(esp->4+4)=='NTIC'
; l+ N1 Z- |3 a
/ {; Y) e3 E* [& ^-The most exotic ones (could be very slooooow :-(
9 M9 ]- f+ h' p5 \+ Y BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV') 8 }3 J8 K' S" N4 n7 t
;will break 3 times :-(
& a$ w" l: p- `9 ~/ k: W$ B* L* O+ I# v' ^3 ?. @
-or (a bit) faster:
: A V4 @3 X; k* ` S BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
# R6 A2 A( u) M
1 N# t" r) H' A1 \+ O9 ? BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV' 9 R+ Y3 ]+ z/ n0 v* l8 X
;will break 3 times :-(1 Y" E# Y$ h& E5 q2 N
" t @7 i+ v0 m! T1 t; r) R-Much faster: E0 b) }& E) c3 {4 ?3 {
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'
, t# j6 d# x. X, j
B7 k& J3 M. \2 b s! qNote also that some programs (like AZPR3.00) use de old 16-bit _lopen c2 D- h& @/ g7 h5 ?1 n5 s: X0 m3 y
function to do the same job:
5 W* h' A7 P, ]* V8 L) d
4 i! l4 l" t" s9 j U push 00 ; OF_READ+ h& ]0 J/ x. z Q0 [4 \
mov eax,[00656634] ; '\\.\SICE',07 C6 w' h* J% Y& L3 A$ v7 S& H+ T- ?
push eax# X, S4 W) L: ]$ l
call KERNEL32!_lopen2 ~9 `0 ~1 y# ~" O# ?) I: G6 l
inc eax
6 Y" ^ g3 c" U) @, a jnz 00650589 ; detected% s/ L$ Z9 H+ \! q; A8 Z
push 00 ; OF_READ
% g: U" K, v3 v2 H' N1 ^2 i mov eax,[00656638] ; '\\.\SICE'# G5 w0 E- ^1 V! @* p! Z) m" s
push eax
8 P# v# b& r. ~& i+ a call KERNEL32!_lopen2 ^1 l0 M9 N! `* b% e
inc eax0 T0 G1 a$ I0 N$ z; g7 ]8 V0 L
jz 006505ae ; not detected
! F: q/ K4 J( R- R/ F; V2 r' Q- ?: k
d# K3 a4 \9 }& g1 |9 A, M
__________________________________________________________________________4 ]! ~* u6 ?/ R0 `* f
8 ] E; X" v- |7 Z( kMethod 12
& g- t0 \$ ~3 G5 G8 W=========
6 {2 D: [* a' ~- M) T3 ?, W/ a! u# r# d; X2 x" e
This trick is similar to int41h/4fh Debugger installation check (code 05 e0 m; |. t( p3 |8 n. F! i
& 06) but very limited because it's only available for Win95/98 (not NT)
: @8 {* c3 a& W1 F8 H _2 L9 Eas it uses the VxDCall backdoor. This detection was found in Bleem Demo.5 k* e2 E5 N- ]2 l- b9 G. y% @' Z
. G( z* P& c$ U$ G6 [ push 0000004fh ; function 4fh6 q/ U9 F" R0 h3 U' Z. W
push 002a002ah ; high word specifies which VxD (VWIN32)' O" ?8 k' C1 Z D
; low word specifies which service5 t3 W& B1 J2 O( N+ ~( Z
(VWIN32_Int41Dispatch): W6 P2 g+ C& q/ c, _5 m
call Kernel32!ORD_001 ; VxdCall
7 e; i' ?" a% v( {* R cmp ax, 0f386h ; magic number returned by system debuggers
$ ^: J1 V1 }/ x } v4 q+ s jz SoftICE_detected" _+ S$ i# p6 ? V* M! b
5 x/ a0 }& i* `7 S( W# lHere again, several ways to detect it:, ^- u2 g0 u/ Z/ k) l
: P3 U; p5 l7 o g! b+ K* ] N BPINT 41 if ax==4f$ B! C- D7 z$ b3 a l' l$ a8 E! v
3 m7 u4 v/ B# N$ s9 b% q2 A BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
6 i3 G- f' F% f0 u: q/ H r+ r8 i& C- c5 j+ n" C2 E. {
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
) {, J; E: Y6 z& ~+ G; Y v$ G8 M
1 |! C( \4 }1 a$ y BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!- K' g# j6 s' ~/ E% [; O
- u& q' Z6 f" N( O# e9 d# x& D__________________________________________________________________________4 S5 O5 d6 X9 `5 y
. U8 |2 v* f: f6 R
Method 13
, l7 R Z. u% R& y+ ?, z=========9 A+ ? z& _. K2 O- B. X# k
. \% R/ D7 l# K% ]& p! t" `9 PNot a real method of detection, but a good way to know if SoftICE is2 L- y8 y6 a+ g$ z% H- T
installed on a computer and to locate its installation directory.
1 J. w$ e& f2 M7 ~5 E4 b' |$ ]1 zIt is used by few softs which access the following registry keys (usually #2) :
" ~" y5 U: k3 w. b! |: f% o# i7 n) {9 e9 e1 Z- [9 W$ _) s5 J
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
+ X* V0 u) n1 {1 D\Uninstall\SoftICE n, _* f% C1 n( v
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE* A: K9 V- G- t% x* i! `
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
. G( M j! ^7 W- U\App Paths\Loader32.Exe
: A+ Y+ s* P# p! d; o) ?# J3 t! @
$ A7 {/ X x7 B, [7 z# Z
" z) R7 W) y z- B6 n0 BNote that some nasty apps could then erase all files from SoftICE directory0 {1 Q) [7 c, {$ u6 Y/ ^) {* N
(I faced that once :-(% e( E7 U" p5 d1 k
$ z' r! | X- O* g/ D9 N. b# m
Useful breakpoint to detect it:
0 G/ C7 c! g" M9 a* C/ h, l, _) k1 W! s8 k9 z7 E$ Z
BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'7 F- K8 I- z1 f$ [& H/ I
% s8 |0 n" w( u; n4 N__________________________________________________________________________
2 `0 k/ P8 V* o2 L n0 O5 P+ j& [) e6 i) q6 `% Y' I( ?
. K- `8 H: b# A, A* l/ P+ L! U3 `
Method 14 4 s1 T- Q" Y! ?/ k
=========& Y$ p. z9 Q1 Q: x9 G: v; {- p# p
; P( b6 X4 P) S. F4 p S8 G
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose* a, ?& }4 w' x9 N
is to determines whether a debugger is running on your system (ring0 only).' I' G0 O$ ?' S w+ f- a
0 Z/ X( g1 [& {6 z1 A VMMCall Test_Debug_Installed
( U8 ~# O G) e0 `! {2 Y je not_installed. t$ [% [7 h. z) q; R: ^; N y
: B8 C& T% B1 V+ K( YThis service just checks a flag.
" ^3 J: O! H2 L& R& Y</PRE></TD></TR></TBODY></TABLE> |