<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE: the BoundsChecker
probe is an int 3 with ebp = 'BCHK' and ax = 4, which SoftICE's int 3
handler answers by modifying al.

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4 ; al is unchanged if no SoftICE handled the int 3
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

 4C19:0095 MOV AX,0911 ; execute command.
 4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
 4C19:009A MOV SI,4647 ; 1st magic value.
 4C19:009D MOV DI,4A4D ; 2nd magic value.
 4C19:00A0 INT 3 ; Int call (if SIce is not loaded, jmp to 00AD*).
 4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute.
 4C19:00A4 INC CX
 4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
 4C19:00A8 JB 0095 ; 6 different commands.
 4C19:00AA JMP 0002 ; Bad_Guy jmp back.
 4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point): if the VxD is loaded, ES:DI receives its API entry
point, otherwise ES:DI stays 0.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

This method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is swapped with a
dummy handler around the call, so that a debugger hooking int 41h at a
lower level still answers while a plain DOS system returns nothing:

 ; es is assumed to be 0 (the interrupt vector table segment), as in Method 06
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

0 m' Q' E* V+ J* G_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect: the
dummy handler copies al into cl, so cl differs from al only when something
else (a debugger) swallowed the int 41h instead of our handler:

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h ; a (non-zero) timer byte to compare against
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

 BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs, for instance).
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 /* the device name reaches the driver only if the VxD is loaded */
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile);
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax ; _lopen returns -1 (HFILE_ERROR) on failure
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32),
 ; low word specifies which service (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow

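As an added, analyst-side example that is not part of the original text: a small static scanner in C that flags the artifacts the methods above leave behind in a binary (the 'BCHK' constant of Method 01, the 4647h/4A4Dh back door values of Method 02, the 0F386h magic number of Methods 05/06/07/12 and the MeltICE device names of Method 11), so you know which checks to expect before stepping into the code. The byte encodings of the instructions and the sample buffer are assumptions constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* One anti-debug artifact to look for: a label and the raw byte sequence it
 * leaves in a binary. Encodings are assumptions derived from the listings
 * above (32-bit code for Method 01, 16-bit code for the others). */
typedef struct {
    const char *name;
    const char *pat;
    size_t len;
} sice_sig;

static const sice_sig SIGS[] = {
    /* Method 01: mov ebp,4243484Bh ('BCHK') before the int 3 probe */
    { "Method 01: BoundsChecker 'BCHK' int 3 probe", "\xBD\x4B\x48\x43\x42", 5 },
    /* Method 02: mov si,4647h / mov di,4A4Dh, the back door magic values */
    { "Method 02: SoftICE back door magic SI/DI", "\xBE\x47\x46\xBF\x4D\x4A", 6 },
    /* Methods 05/06/07/12: cmp ax,0F386h, the system debugger magic number */
    { "Methods 05/06/07/12: 0F386h debugger magic", "\x3D\x86\xF3", 3 },
    /* Method 11 (MeltICE): device names passed to CreateFileA / _lopen */
    { "Method 11: MeltICE device name \\\\.\\SICE", "\\\\.\\SICE", 8 },
    { "Method 11: MeltICE device name \\\\.\\SIWVID", "\\\\.\\SIWVID", 10 },
    { "Method 11: MeltICE device name \\\\.\\NTICE", "\\\\.\\NTICE", 9 },
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

/* Scan buf[0..n) for every signature; print each first hit and return a
 * bitmask with bit i set when SIGS[i] was found at least once. */
unsigned scan_for_softice_checks(const unsigned char *buf, size_t n)
{
    unsigned found = 0;
    for (size_t i = 0; i < NSIGS; i++) {
        const sice_sig *s = &SIGS[i];
        for (size_t off = 0; off + s->len <= n; off++) {
            if (memcmp(buf + off, s->pat, s->len) == 0) {
                printf("offset 0x%zx: %s\n", off, s->name);
                found |= 1u << i;
                break;
            }
        }
    }
    return found;
}

/* Constructed sample input: fragments of the listings above glued together
 * with filler bytes; this is not a real executable. */
static const unsigned char SAMPLE[] = {
    0x90, 0x90,
    0xBD, 0x4B, 0x48, 0x43, 0x42,                  /* mov ebp,4243484Bh */
    0x66, 0xB8, 0x04, 0x00, 0xCC, 0x3C, 0x04,      /* mov ax,4 ; int 3 ; cmp al,4 */
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0,  /* "\\.\SICE" */
    0xB8, 0x4F, 0x00, 0xCD, 0x41,                  /* mov ax,4Fh ; int 41h */
    0x3D, 0x86, 0xF3, 0x74, 0x05,                  /* cmp ax,0F386h ; jz */
};

int main(void)
{
    unsigned mask = scan_for_softice_checks(SAMPLE, sizeof SAMPLE);
    printf("signature mask: 0x%x\n", mask); /* prints 0xd for this sample */
    return 0;
}
```

A real scan would run this over each section of a PE or DOS executable; a hit only tells you the check is present, not which branch the program takes on it.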
__________________________________________________________________________7 a7 `% N' L; d5 B4 g) A" B7 W

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
% O2 Y h: e8 y6 j/ H</PRE></TD></TR></TBODY></TABLE> |