<TABLE width=500>7 E' ?1 |$ g( |% o
<TBODY>
2 x' n) `, }$ Q2 z<TR>5 ^1 n1 D3 x4 A3 W ^9 {) s
<TD><PRE>Method 01
& X7 d' l- T' B2 @' ^: ^& Q=========4 T; v7 }$ X1 ^$ K* p& F0 g
& u1 l: T: t$ r- v! ~/ zThis method of detection of SoftICE (as well as the following one) is; Y% ]6 L+ o/ F7 {* n
used by the majority of packers/encryptors found on Internet.$ q3 L R h# H I4 G) T
It seeks the signature of BoundsChecker in SoftICE0 T+ S0 }) z; Y+ w7 f* p* x
. r1 c x8 X: |" U mov ebp, 04243484Bh ; 'BCHK'1 |, f' u+ Z3 W) z8 a
mov ax, 04h
2 ]3 X) f6 l& V2 j+ s( M int 3
( _7 R" Q2 x$ r. A cmp al,4
/ @. S& E: ~" A# m) T( i+ Z jnz SoftICE_Detected/ G0 Q7 K: G$ F) e6 O
" z4 e6 j o) R8 K___________________________________________________________________________7 E' b1 u* N* ]# X8 q; P
M" ~" R i Z' a' w4 A
Method 029 Z# S* j+ {' ]; O: x
=========
5 Y. ]$ K9 ~; F8 [8 P' R$ X5 h2 ^- l
0 g, D# d0 F3 T* l3 d! YStill a method very much used (perhaps the most frequent one). It is used7 v. o2 L$ L J; \" ]
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
) G- V# o+ k( Q8 O7 j8 U4 c9 Ror execute SoftICE commands...
( z G1 q6 d6 }+ @It is also used to crash SoftICE and to force it to execute any commands
5 i- c/ m/ t: y. N! s(HBOOT...) :-(( ' A& G! \! U3 X( X! u2 {
6 q# \9 s8 g; `" Q& y* S6 g* }: HHere is a quick description:
! c. N: S. |, R, D-AX = 0910h (Display string in SIce windows)
8 a- \0 y1 _% D. W- w8 |-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)! t- Y4 D4 d. \8 T
-AX = 0912h (Get breakpoint infos)
* i- A3 J, v* }4 v. Q7 n$ i-AX = 0913h (Set Sice breakpoints)9 p3 h; O& E* [9 y+ K% P; r
-AX = 0914h (Remove SIce breakoints)$ |" D+ f' \* Q2 o8 t, ]/ P
+ ?3 B8 i( d- y! x6 T% L5 b8 s* eEach time you'll meet this trick, you'll see:3 ^8 g* v; |1 S2 X" M# `7 Q
-SI = 4647h
+ P0 l- L. ?- Q5 }, l" y-DI = 4A4Dh4 `6 D/ u/ |) Q' O' _5 P( ~
Which are the 'magic values' used by SoftIce.4 r2 J) e4 g3 F; N9 b2 g/ w0 d
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.6 O4 b) e# G* U$ `
/ q5 N) C. H) T# rHere is one example from the file "Haspinst.exe" which is the dongle HASP
8 c8 ?6 T4 y8 Z: b- HEnvelope utility use to protect DOS applications:
* y! m! m c8 M9 y: ^1 X! O2 `1 n% O: ]; j5 z
$ k; i& }5 g( @8 ?8 i4C19:0095 MOV AX,0911 ; execute command.6 _; B# M5 E$ b# ^( V
4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
+ b% I1 b, `4 W8 @# u4 M d: W6 w4C19:009A MOV SI,4647 ; 1st magic value.
2 ^: p( O# A$ w" O& @3 t4C19:009D MOV DI,4A4D ; 2nd magic value.* W/ J; {/ S+ o: ?" m7 ^4 r4 B
4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)% m; [$ B8 D1 s8 D( X! F
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute3 O9 E7 o6 M$ {" v. j- C
4C19:00A4 INC CX" }5 ]) y+ \. M6 K. H5 g6 a1 l
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
% ?: F- P* x5 O+ ?+ v8 R9 D$ {4C19:00A8 JB 0095 ; 6 different commands.
& U0 t3 V; G+ \. W M) U4C19:00AA JMP 0002 ; Bad_Guy jmp back.8 X; r% y) Z$ r% F/ t' ?
4C19:00AD MOV BX,SP ; Good_Guy go ahead :), Y% R$ r6 y+ {3 f* j1 t V6 @
9 t$ b$ H# l j5 S! Z# U: l/ bThe program will execute 6 different SIce commands located at ds:dx, which
0 k2 m0 l, P' _/ V" Z9 \are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
: W0 S O/ D1 W0 X* m
* n2 H5 R1 l+ P% D* n3 A' |* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.8 I! E! `2 j+ _1 V5 v! g% c" R
___________________________________________________________________________
% Q4 a% M* w/ Q* V: l; |9 j+ n7 L# z) X+ }, ^3 |/ I
( D: A1 e; H* C. yMethod 037 }# M2 S0 {. e
=========7 n3 f# R2 j/ b
0 x( n$ P0 Z: c% n# |Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
( U; O. P4 d# a! Z(API Get entry point)
8 g. j+ D1 h# }/ p! i 2 Q1 J) s! \6 F9 b+ b! o! m$ t
4 C) v& i' B: S5 r% R
xor di,di$ R( E: X+ Z/ G: r7 w
mov es,di! U/ m- g( y# ]' _9 J
mov ax, 1684h 0 u0 E# j' k! q1 f5 L( ]
mov bx, 0202h ; VxD ID of winice
; h {6 J" O; ?9 j2 J int 2Fh
& `0 @4 `8 H" A' R mov ax, es ; ES:DI -> VxD API entry point
4 G2 y4 x7 \7 m* V4 c4 i r; Z8 t add ax, di) o9 r. o/ `% J a5 l
test ax,ax& E7 f# A; W) t& w1 L( _3 @% A9 s' l
jnz SoftICE_Detected
) P+ [) @, m; B% j5 l S( c' y7 _; Q. X2 |( C
___________________________________________________________________________- S5 ]( N8 y* h, P
/ K1 j/ L) s3 F6 ?* N; [( D# U, `Method 043 h6 E7 O! k/ y. m D
=========, A p7 S4 q# A
6 i6 `3 T$ K, G4 }0 c
Method identical to the preceding one except that it seeks the ID of SoftICE
: b7 H$ @& i& L5 c6 q% z! O& W- P! [GFX VxD.
6 S5 E+ l' \8 i6 M8 W. B/ K
3 l# v$ ]4 v+ u9 @/ }$ j) t: q xor di,di
~1 n# D H8 E5 E+ s2 g+ A mov es,di. N5 o$ L8 c: V% h
mov ax, 1684h 3 s0 B7 F& F" T7 f1 ]1 F& P. B+ X
mov bx, 7a5Fh ; VxD ID of SIWVID0 m9 k: u( I" J+ }9 u1 ^
int 2fh
2 Q0 z/ r# _5 i+ A ~) T( f mov ax, es ; ES:DI -> VxD API entry point& l9 S4 Q3 x, c+ y/ C
add ax, di1 J! F; d: X+ v% v
test ax,ax
$ J+ \/ f7 f" ]# r: X3 I0 V8 k- f jnz SoftICE_Detected2 S! U( I. {" W/ e) r2 G
# `4 q/ ?, i! V, M" ?: r2 Q# I y__________________________________________________________________________" _6 R, F$ Z2 Q) z3 v
- t; ?2 `; W: p" ]$ m
6 l9 M& H' P; y. @6 V' ^: hMethod 053 D% Q2 p. e3 H1 t) S3 Z# ~
=========5 X. p# V( o! d0 ^' }) k
% Q6 g* r4 I& ]; yMethod seeking the 'magic number' 0F386h returned (in ax) by all system
3 z+ C/ ?$ T+ r9 D- ^' r$ Wdebugger. It calls the int 41h, function 4Fh.8 E" O4 K( j7 {! R6 ~
There are several alternatives. 1 s- |% S F, w1 T* W5 ~
" p3 \, N- H3 v" R9 y3 qThe following one is the simplest:
- ]4 G8 x% Z7 s. e, X' k; v7 n- H; d+ P
mov ax,4fh
) o2 I. M4 S. [2 u G6 l& y int 41h" E. \ L" O/ k' S
cmp ax, 0F3862 E% [. L9 J+ z0 u0 w, {, Y5 @
jz SoftICE_detected
* D, P4 K+ Y+ z7 K& V
" n6 V$ }- Z2 m2 M
4 e, m b) B- u) n7 s, T- tNext method as well as the following one are 2 examples from Stone's ( A& D& P& h3 m7 W; s3 g# F
"stn-wid.zip" (www.cracking.net):
2 ?, N' d- a/ S" ^- {% O/ p
Z( o; x4 O/ `- d& Y# C mov bx, cs
5 e8 s$ y! a5 W0 B lea dx, int41handler22 ~" N j4 Y% \
xchg dx, es:[41h*4]+ V' f. W6 n* \* x" P4 h8 z9 ~0 r
xchg bx, es:[41h*4+2]' j8 K3 E7 e( t Q4 M" ], b: {
mov ax,4fh+ C0 D" B6 G1 @
int 41h
+ I; p. b {1 i& G2 ]2 N2 f xchg dx, es:[41h*4]
! d; H, F. z" V xchg bx, es:[41h*4+2]! H& ?5 H# E" Z5 u$ b4 i6 y, ~
cmp ax, 0f386h& m( q/ ]& K2 \! b
jz SoftICE_detected
/ y* `7 u9 o% t: \8 S) O6 L5 C& L! F6 ? \
int41handler2 PROC: X+ }$ u) ~4 m5 E* j( P/ s. O
iret
& ~' d( s) j/ s) @5 yint41handler2 ENDP+ I9 |/ W! I$ @* @! i6 S7 M
: m$ Z1 Q- h: z# R/ _
6 {) s* A7 K) ?
_________________________________________________________________________
$ L0 I$ a4 [) q3 b, D6 [
& N! k( I" ^% E; X4 B6 \; X/ v4 i6 C/ n" W9 O, U$ m+ }/ V) c9 Z
Method 06
7 N0 ?+ S9 z1 B, m4 D; W=========
5 M" g# O+ n7 N( k. m' I0 R# r
/ D0 b' k( D( q# z# \/ t
- N1 g5 I0 P) s* g2 ?7 W6 p2nd method similar to the preceding one but more difficult to detect:- ~6 B& P9 j6 k2 j& i
+ D& i( v$ m% ]$ {$ k- V$ F( _$ d2 l: H! b- x3 k
int41handler PROC% b' u8 }/ n9 q1 `5 K% p% T9 i. _0 L
mov cl,al( h l- V' J# Y5 L# K4 X
iret
2 L1 [ [& [: H5 D5 qint41handler ENDP% Q$ H+ O( d; f& B! @# N
! Q( `7 g8 A/ v) T4 p6 p
* k% Z7 l; U3 v; }. V5 a( v xor ax,ax+ ]7 b- n: V# T9 y [
mov es,ax
; x4 `0 x! A9 m- `! b/ \ mov bx, cs
) U4 m# c. i- |3 I' k0 Q lea dx, int41handler
8 }" l7 A' x& w( R xchg dx, es:[41h*4]! F; j& K2 N0 v* ]
xchg bx, es:[41h*4+2]
! d# \2 v" z% ^ in al, 40h I# n' X& j9 t
xor cx,cx
# l/ C1 b# \, t4 i int 41h
7 v( C" j3 F( B) V7 T# u; p4 V xchg dx, es:[41h*4]; m/ D7 R" h+ q! _# O1 W% G
xchg bx, es:[41h*4+2]% I8 [; o: b$ N) t# M: r/ F. O+ l, z
cmp cl,al# d4 Z+ S7 i/ u# p) v/ o
jnz SoftICE_detected# x1 f. I, h- w9 a6 m& B
. i+ l- X9 @3 F6 r% I3 d% T
_________________________________________________________________________& L l: _2 P3 V* u+ d( E& N
% l& `" ~! K' v: Z3 `, Q% c0 O
Method 07
( o, S7 X$ ^1 e( _=========
9 v; z" Z7 I0 @5 p4 a+ l& d
! T* }9 _( x4 ~7 U: M% ^: rMethod of detection of the WinICE handler in the int68h (V86)
; c! u$ X6 b' r: C. h1 m, f8 O; a& n- B3 h
mov ah,43h" ^7 b, D' D# W2 T, s5 ]: a2 ~2 ?
int 68h
' c4 x7 r6 _+ ~' j% D! \ cmp ax,0F386h
2 u2 U. \7 g! o- p/ Z4 u" U jz SoftICE_Detected
5 }! F. ?4 z0 {( ?' f- v' d+ r/ W& S4 Z7 r/ V" U3 H8 G
4 n: y* b7 Z9 g0 R J6 V U$ v8 V
=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit% x$ e& |/ Q6 R3 r
app like this:
# }. ]# a" E g
% J* c2 s( N# F3 v" J BPX exec_int if ax==68
0 E/ [& c6 k9 {" ?( b' e; S( M (function called is located at byte ptr [ebp+1Dh] and client eip is
* v% j" U" J. i0 O% ~: O located at [ebp+48h] for 32Bit apps)
: P$ d2 x; m7 A( I: c' g; _+ H__________________________________________________________________________
, y: K8 C3 }5 F m! r. x+ X3 y" S: @. C
$ E2 W# y' p, t- B) `
Method 08- v: h3 ]$ i( H! K k
=========) R: j4 ?! ^1 P# a& i( U
8 m( O; H" |8 u" PIt is not a method of detection of SoftICE but a possibility to crash the/ E* k A' L6 i
system by intercepting int 01h and int 03h and redirecting them to another4 I5 h" {2 O$ X% I4 w
routine.
3 z5 G' \+ `2 p, l, Z6 o0 P! FIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points" H1 ~- o- z# B [% ]" ~6 L
to the new routine to execute (hangs computer...)2 R$ P) N' m1 d8 b6 t% x
5 |: }: r! c8 o3 H2 S# ~# G/ S0 I( p# M
mov ah, 25h
|0 z; g+ Z: W7 E# L" l4 \ mov al, Int_Number (01h or 03h)
6 m7 L7 }& G ?5 ?1 t8 h mov dx, offset New_Int_Routine
. P* R& x$ v& V3 N- M( Y5 m int 21h/ P5 Z' X2 _6 P2 W
, D; N% E/ G5 a0 v. n__________________________________________________________________________
3 R+ S) ?) C% Q1 k4 q
2 q7 t' @6 x4 {: c7 z" W& C7 TMethod 09% ^9 k4 g0 j `" w/ F- Y9 r
=========
! z) w7 V" A0 F/ B/ @4 B( Y* E. A- `' { z0 V' `
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only [; \& f& X$ R. {9 P! D8 x/ K% O
performed in ring0 (VxD or a ring3 app using the VxdCall).- u6 i( X3 i5 l
The Get_DDB service is used to determine whether or not a VxD is installed
) t+ R" A. i0 Qfor the specified device and returns a Device Description Block (in ecx) for: i& {0 F% \! n5 ~ g& B; m
that device if it is installed.
1 w o% }! J4 ~5 i! H" f, \% A# _9 o* |5 t i
mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID1 z9 Z$ c# D8 Q
mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)8 `: f& G( a( [* y# J! N: s
VMMCall Get_DDB
3 A3 N5 z, |$ X/ n9 ^: l' H: h mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed
0 G4 K- o% I. k% u- p2 I; A7 f9 D& g& X+ g1 M
Note as well that you can easily detect this method with SoftICE:
/ g9 X- A p! K bpx Get_DDB if ax==0202 || ax==7a5fh5 ?( Y. n0 Y9 Y" s) x1 `
! v% A6 _; X8 B! b5 P1 n
__________________________________________________________________________ u7 a& M C p( }
% W2 ]3 V u6 l% |Method 10
3 C% N. t q$ ~1 c=========3 [$ [: p" {1 h8 p: a: e1 _
" V1 Y; J8 ~: y
=>Disable or clear breakpoints before using this feature. DO NOT trace with+ A/ P8 L- Y9 \+ X8 G$ }
SoftICE while the option is enable!!
! L6 ^, i- d" M0 M% X! A# o4 F& |* r5 Z9 Q' y4 S D4 d# [* M* m
This trick is very efficient:7 E8 d p3 o3 N' b i/ N
by checking the Debug Registers, you can detect if SoftICE is loaded0 F' R) p0 `2 t/ f) N
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if" }. O3 _! e& b, D1 t6 R
there are some memory breakpoints set (dr0 to dr3) simply by reading their% A) K' L) l/ |2 S# W- ]' q% X
value (in ring0 only). Values can be manipulated and or changed as well
. j; n5 F6 U: g' T P# }2 M(clearing BPMs for instance)
* o" E) c- Y0 C0 x3 V/ t8 p$ H2 y# w: k- k; _
__________________________________________________________________________2 k4 f2 ^4 P3 Y0 e' _' M8 f
- o. T* ~" W8 D' V+ R
Method 11
+ c4 m2 L6 a* [! [% j=========2 o; S7 G6 z: g- s/ g
/ K4 p' @* _1 F9 Q6 PThis method is most known as 'MeltICE' because it has been freely distributed
& Q5 g6 Q$ Y ^/ x6 ^ }. Dvia www.winfiles.com. However it was first used by NuMega people to allow
3 g, \, N4 N9 | h; @Symbol Loader to check if SoftICE was active or not (the code is located& P! r9 M& O" K6 w' F/ B
inside nmtrans.dll).
2 X% L$ ]4 `) Z9 b
1 @) L" m6 A, F6 |. B; V% nThe way it works is very simple:
G+ E$ n2 R( X' ?' z; E# I6 D- uIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
$ g2 ?6 O* c! a% _! O# iWinNT) with the CreateFileA API.
5 {3 i& n% D5 o+ J8 p6 L' g4 O7 ?8 u/ I1 R8 _; |
Here is a sample (checking for 'SICE'):& w' a4 s* p0 ]# R1 s
+ R# Y: N! [& Q& W
BOOL IsSoftIce95Loaded()
4 |; C/ D% e7 M{
/ ]# t2 {0 _. D. I0 o0 K HANDLE hFile; 3 T+ t( b0 C3 J# M& B* I
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
1 Y% T& t" W) q! G$ |* _; G L FILE_SHARE_READ | FILE_SHARE_WRITE,$ w) [- `" `) T( Z( L- h1 t$ u$ X
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);1 d$ Y( F% \! \2 r- c/ U, _2 F
if( hFile != INVALID_HANDLE_VALUE )
- s/ N. J' Z6 n$ e) e& ` {6 r1 s) D/ l1 c( b; B
CloseHandle(hFile);
( S6 ]% V4 E1 [) a. I) j7 W return TRUE;
. C: U+ C/ g* Q! \& h }( j$ n/ `; s1 S) f- j7 d' q; G4 r q
return FALSE;! X2 j1 L' P5 J6 w
}
. K' W2 v; i6 S
, t6 e5 I2 b# |9 d/ kAlthough this trick calls the CreateFileA function, don't even expect to be
3 T2 v& s! S4 B# q `: D: sable to intercept it by installing a IFS hook: it will not work, no way!
& \% C: D: j2 GIn fact, after the call to CreateFileA it will get through VWIN32 0x001F
( Q1 R4 K1 ~2 _4 m1 D6 i# mservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
7 m0 @" t! i4 X3 A) V9 S& sand then browse the DDB list until it find the VxD and its DDB_Control_Proc5 ]. d9 k y4 o- J4 }
field.! h6 W" q' `5 P- H1 }
In fact, its purpose is not to load/unload VxDs but only to send a
) H) W, L! c4 P3 S4 v. hW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)0 ^0 g. a8 K, v8 c
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
$ ?7 F8 J, O( U2 E- f hto load/unload a non-dynamically loadable driver such as SoftICE ;-).8 A% S) {* P0 S# W# _
If the VxD is loaded, it will always clear eax and the Carry flag to allow
3 U5 o! w2 E7 \& b6 n* y" Z: Vits handle to be opened and then, will be detected.1 \" N3 O4 ]3 G/ u# \9 W
You can check that simply by hooking Winice.exe control proc entry point
7 }) x. c2 A6 F6 Xwhile running MeltICE.
: T) D" m# }( Z& L& d1 ^8 J; H, `* ~( G
2 m6 w: s; m8 H+ y
00401067: push 00402025 ; \\.\SICE& ^/ y$ F3 e5 T8 {/ G) R
0040106C: call CreateFileA
* R8 A2 F3 p. P8 J$ G 00401071: cmp eax,-001' K2 ?( n1 ^& x/ F# s
00401074: je 00401091) g& U. V' f/ K
( a- x& n5 ?9 J7 E. R9 d/ m+ @/ T
J: ]2 n) r3 g2 @% W# O4 o @7 H5 H
There could be hundreds of BPX you could use to detect this trick.8 C, _# p) o9 x' @+ G
-The most classical one is:5 V; i# H8 \* G; n/ M: I/ J+ g3 P
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
" O/ h' ?2 M+ k# j *(esp->4+4)=='NTIC'7 Z, B# I/ e. z D3 C
+ L+ B6 x$ B: J, b G* h-The most exotic ones (could be very slooooow :-(
6 b. G( ]; J6 k! ^# C BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV') 5 D( g9 A5 D( L! v7 M$ }% g
;will break 3 times :-(
2 V7 F$ m/ d4 [3 u8 @. S
1 E2 K! l6 r5 A- D7 i- t4 o-or (a bit) faster: 0 B. @6 d' v2 t2 A& m* l
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')' c9 d) V7 j# P% {
9 t; _% |7 I, g: O8 M
BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV' / H4 D; O* o _' Q) O) ]
;will break 3 times :-(
, [) M( Z0 j( t. u8 d; M& n. L& D v$ Z8 W! `& O8 ]
-Much faster:
9 j& n# s9 y2 I& A: S2 y/ n6 t BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'6 ]* n6 Z) U4 Q
$ a! Y3 _, J; a! wNote also that some programs (like AZPR3.00) use de old 16-bit _lopen
7 {* ^ c5 I y5 R B. I& ~function to do the same job:
. J) {5 O2 S) c" l# j! v' x; u2 j7 K1 o. c, ^
push 00 ; OF_READ I: h7 c) g4 B5 a- I
mov eax,[00656634] ; '\\.\SICE',00 c4 L8 _% R7 [; ?+ B% f
push eax0 F& a' x8 z$ b, U
call KERNEL32!_lopen! B' {/ j3 R# m" X. p" }
inc eax
7 `4 ^9 Q- `9 ?& R jnz 00650589 ; detected
- v8 @8 M& R' j. X. K5 Z9 [ push 00 ; OF_READ+ @- g) \, o+ h7 H" I: i- n
mov eax,[00656638] ; '\\.\SICE'
# t! n6 x5 `: X/ p push eax1 w: C; W) s% O( S, o# f
call KERNEL32!_lopen
7 n; Y: X1 H ^5 ?; L inc eax5 N5 ]2 \4 u. e- }( j( C2 W5 s
jz 006505ae ; not detected
4 u5 A, F" e5 y, [
# P0 y/ X p% z' P( n3 u' T$ ^3 P: [& y+ z7 r$ o: f5 {: d
__________________________________________________________________________
! G O! a( T3 t# ]& p
K0 o1 S$ }* p! ]Method 120 G9 _ T$ B( O3 Q7 b' }
=========/ h' U5 V2 ^+ ^2 Y( r" x
# D6 p/ Q. @1 BThis trick is similar to int41h/4fh Debugger installation check (code 05
+ k8 n+ ^0 c3 [) X' f& 06) but very limited because it's only available for Win95/98 (not NT)! T* N. w9 C3 z0 y' S
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.& M6 }& G9 `# K3 Y9 m8 F7 }* E( w
7 a7 }$ p# Y( B% v6 N$ j8 y3 } push 0000004fh ; function 4fh$ _! m6 P. d/ W) E
push 002a002ah ; high word specifies which VxD (VWIN32)) Y( E$ P# C& @
; low word specifies which service [ P+ W* {! ]+ r! {9 ^) h
(VWIN32_Int41Dispatch)
! x* m7 a- x u* O% x. I7 y* M call Kernel32!ORD_001 ; VxdCall
% M8 a& M: X5 j' N cmp ax, 0f386h ; magic number returned by system debuggers6 W# I3 @0 r7 u w! ]
jz SoftICE_detected
9 X& u' y- g6 x- H. K# V- X% ~$ a2 p& U& y) B; ?
Here again, several ways to detect it:! n6 V$ |3 Z& Y( l5 y
$ z$ ]4 O- j2 M w+ t2 D; l
BPINT 41 if ax==4f
a0 Q; T8 K& X1 }
# l2 f: u8 |# x% p BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
* f, p+ p4 q9 d+ y f8 i3 s
- x1 Y5 {( O" E6 x' ] BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
% l7 v* ?" y: G `8 f" a9 F& w+ I8 e
" a, A* c, y# r$ w/ w6 z8 I BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
6 u( [6 V R8 `/ \
7 u4 n" p6 L. q9 x% s__________________________________________________________________________
( e* b; ^ C% i; l- E+ U, q6 R+ p4 |0 U3 z; q3 F
Method 133 o }2 l% c& s% C" Z
=========9 |3 D- t+ b3 a { D" d( ]4 H
& H# A: T2 p4 M. ^& b* M. N% c5 ~+ Y
Not a real method of detection, but a good way to know if SoftICE is
& P* @1 g/ W, @installed on a computer and to locate its installation directory.
1 K& T0 B- `8 a7 sIt is used by few softs which access the following registry keys (usually #2) :9 a. }" E) O- Q4 k* |. Z0 W
. P( h* a3 g2 {-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
! G8 q& h: K/ W7 b, \\Uninstall\SoftICE2 Z0 W2 q7 C/ c$ { c! o" {
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE5 o/ g9 A7 a6 ]0 e/ ^1 i
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion% a7 ~* x& m4 O4 b
\App Paths\Loader32.Exe% N' y1 f% Z# B! ~
" c0 M* n* J! u% r: K* O7 }7 s
) E( X% I6 L' N/ y! s0 TNote that some nasty apps could then erase all files from SoftICE directory" A% }5 E" ^9 Q- x3 j. l3 O5 B
(I faced that once :-() @8 p) F' v; ], u, t$ b
; @% V5 j& |8 T% C# oUseful breakpoint to detect it:
" d; W" v* g& w" d9 v; J
" H: j. c8 s4 K1 s: c BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
9 Z. T3 q6 V$ D' v7 S2 @- @ e, l4 b
__________________________________________________________________________
1 L( Q+ h, Z! f: e- o% C4 ~; W$ O- p% j+ y4 e
* g+ a, F) h' F8 j* kMethod 14
1 l! G) M. U1 ]# `3 W% z=========
# z* H3 y _" U: ?6 g" g5 w5 m# C8 u; v
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose! ^. M) {, s+ | r( f
is to determines whether a debugger is running on your system (ring0 only).
% ~6 m' |- O9 l; Y7 `5 e5 b. u Z- T! |
VMMCall Test_Debug_Installed. |' ]6 k! }' p% O1 X
je not_installed5 s4 y( Z; t. Q3 X
$ [# D" |. q m4 `2 X! UThis service just checks a flag.* p0 Z' y, O. J8 L# H
</PRE></TD></TR></TBODY></TABLE> |