<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'back door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point).

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:


int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE when the SICE device can be opened, i.e. the Win9x SoftICE
   VxD answered the DIOC_OPEN message (see the explanation below). */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'


Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
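As an added triage example (not part of the original text): a Python scanner for the byte sequences the tricks above leave in an executable, so an analyst can tell which of these checks a sample carries before stepping through it. It assumes 16-bit instruction encodings for the DOS snippets (the 0x66-prefixed 32-bit forms still contain the same bytes) and runs over a constructed sample buffer.

```python
"""Scan raw executable bytes for the SoftICE-detection idioms listed above.

Added example, not the original author's code. Encodings assume 16-bit code
for the DOS snippets; the 0x66-prefixed 32-bit forms contain the same bytes.
"""
from __future__ import annotations

# method -> [(description, byte pattern)]; patterns are constructed here from
# the instruction sequences quoted in the text, not taken from a real sample.
SIGNATURES: dict[str, list[tuple[str, bytes]]] = {
    "01 BoundsChecker": [("mov ebp,4243484Bh ('BCHK')", b"\xbd\x4b\x48\x43\x42")],
    "02 back door":     [("mov si,4647h", b"\xbe\x47\x46"),
                         ("mov di,4A4Dh", b"\xbf\x4d\x4a")],
    "03/04 int 2Fh":    [("mov ax,1684h; mov bx,0202h", b"\xb8\x84\x16\xbb\x02\x02"),
                         ("mov ax,1684h; mov bx,7A5Fh", b"\xb8\x84\x16\xbb\x5f\x7a")],
    "05/07/12 0F386h":  [("mov ax,4Fh; int 41h", b"\xb8\x4f\x00\xcd\x41"),
                         ("mov ah,43h; int 68h", b"\xb4\x43\xcd\x68"),
                         ("cmp ax,0F386h", b"\x3d\x86\xf3")],
    "11 MeltICE":       [(r"\\.\SICE", rb"\\.\SICE"),
                         (r"\\.\SIWVID", rb"\\.\SIWVID"),
                         (r"\\.\NTICE", rb"\\.\NTICE")],
    "12 VxDCall":       [("push 002A002Ah", b"\x68\x2a\x00\x2a\x00")],
    "13 registry":      [(r"Software\NuMega\SoftICE", rb"Software\NuMega\SoftICE")],
}


def scan(data: bytes) -> list[tuple[int, str, str]]:
    """Return (offset, method, description) for every match, sorted by offset."""
    hits: list[tuple[int, str, str]] = []
    for method, patterns in SIGNATURES.items():
        for desc, pat in patterns:
            pos = data.find(pat)
            while pos != -1:
                hits.append((pos, method, desc))
                pos = data.find(pat, pos + 1)
    return sorted(hits)


def methods_found(data: bytes) -> set[str]:
    """Just the method labels, for a quick verdict on a sample."""
    return {method for _, method, _ in scan(data)}


# Constructed sample: NOP filler with three of the idioms embedded at known offsets.
SAMPLE = (
    b"\x90" * 16
    + b"\xb8\x11\x09\xbe\x47\x46\xbf\x4d\x4a\xcc"  # method 02: mov ax,911h; si; di; int 3
    + b"\x00" * 8
    + b"\x66\x3d\x86\xf3\x74\x05"                 # 32-bit cmp ax,0F386h; jz
    + rb"\\.\SICE" + b"\x00"                       # method 11 device name
)

if __name__ == "__main__":
    for off, method, desc in scan(SAMPLE):
        print(f"{off:08x}  {method:18s} {desc}")
```

A hit on "cmp ax,0F386h" alone is weak evidence (three bytes recur by chance in data sections), so treat it as a pointer to the surrounding code rather than a verdict.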
5 A8 M7 ^9 J; e; `+ U* N# y% i* r</PRE></TD></TR></TBODY></TABLE> |