<TABLE width=500>
( _7 M6 ~: I* N% I( r<TBODY>7 {( q6 T6 y+ ]
<TR>
, r& B/ f! }; d' f( N8 s Q% u5 L3 z<TD><PRE>Method 01 3 g( L0 r T& |
=========
" t, i, l, l7 G, m$ B7 Z0 F4 A6 H8 P, `# s
This method of detection of SoftICE (as well as the following one) is$ M7 `" o- q( [( f6 F' N
used by the majority of packers/encryptors found on Internet.+ l/ I2 K) S+ Q* H0 {0 y
It seeks the signature of BoundsChecker in SoftICE+ H) k- G% w% t
! F% x+ l. \5 o: S& U" @ mov ebp, 04243484Bh ; 'BCHK'
$ T" q4 W7 i6 V: c& J" W' {% C mov ax, 04h
9 x/ M' C* H4 M' v. k2 _ int 3
- Z# v6 @% g% X( \5 w cmp al,4
! d) g( k3 ^, o# ~' b' V jnz SoftICE_Detected3 V! R2 c; i4 i' h" H8 }+ V6 Y, W
: k$ r: Q5 O0 U7 _9 ? v1 }___________________________________________________________________________
$ W7 n: j7 r/ O8 b
# _9 ~# p {; }* ]% E( HMethod 02
7 _$ Q8 U* h; W: \. X=========9 o8 ?" d* d6 p& g* c+ [
! d S' O9 r( b3 N! xStill a method very much used (perhaps the most frequent one). It is used
$ w4 Y; h: ~+ |: \9 ^2 T! ?to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
3 C2 S2 v% s Vor execute SoftICE commands...
, \2 p9 s0 ? H, PIt is also used to crash SoftICE and to force it to execute any commands
& S% x& Y9 S/ @' F8 F" P3 ~/ K(HBOOT...) :-((
* A3 F2 [ }. o0 H
8 y1 V8 s7 K/ i* Z6 _+ c' q% U; U) nHere is a quick description:
) j* R& i3 L* {' W# R-AX = 0910h (Display string in SIce windows)- A/ b9 H* M$ w4 F4 y. V8 c
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)
* \5 C) M) D" Y. R: F-AX = 0912h (Get breakpoint infos)% F& [4 H8 P2 p
-AX = 0913h (Set Sice breakpoints)
3 |8 v, q: F& x5 o$ o0 F+ n+ S-AX = 0914h (Remove SIce breakoints)( h# C% T X8 Q4 C
) b7 D, k& C; K$ H1 nEach time you'll meet this trick, you'll see:+ |# r' ~- ]% c5 w8 G: ?
-SI = 4647h; a6 U8 b1 K, X* y% @" R
-DI = 4A4Dh
: Z: L" z% M1 a# b! vWhich are the 'magic values' used by SoftIce.
: I' e$ i& N5 ~ A2 _1 nFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.
9 c' i, B- I: r; [- T' L7 _9 @* |3 B
0 z9 e" f7 [# j* zHere is one example from the file "Haspinst.exe" which is the dongle HASP' v% M! ]' c% s
Envelope utility use to protect DOS applications:
" C7 r# k! P+ S% m) @- Z) g
1 E$ b1 J, D: J9 p6 B# j# E% H e$ q2 I& ~. T. W
4C19:0095 MOV AX,0911 ; execute command.6 Z9 p, `1 A/ b; {: @' Z" C
4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).( Z/ W' q5 n" P$ T5 e3 j
4C19:009A MOV SI,4647 ; 1st magic value.
. Q6 S7 |! a) L" O, a; x& l4C19:009D MOV DI,4A4D ; 2nd magic value.9 Z, N; r) r6 `0 V* }0 f9 L( C
4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)7 d) k$ w6 L9 T9 i
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
9 }! T% r7 |; X2 g4C19:00A4 INC CX5 y& s- @- e3 s2 H/ L
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute5 C# g t% z7 i/ e) \$ ?/ H
4C19:00A8 JB 0095 ; 6 different commands./ r0 p4 D9 ?5 y. Y
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
! [2 L5 a% g0 y0 S# z# W5 V8 O1 T4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
9 j' ]6 b0 q# a u
( k+ h6 o( j( I5 L; D* gThe program will execute 6 different SIce commands located at ds:dx, which2 R# o- B$ F9 P/ n9 ?
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.- c) m$ O/ e2 m- z, d3 I
. w/ ]9 M: |; D8 I5 Q" @# T4 x* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
& Z; H5 j' {$ |$ E: S. I___________________________________________________________________________6 a m- K5 n( C2 `5 G1 X
- k/ O/ f: w5 v& i0 n
. R- A0 K0 M& P# K6 v1 h8 uMethod 03! r+ S Z: ~- k4 Q* D! |
=========
: b2 F$ Z, c9 \9 z& I- P1 k, ]9 {; k3 g
Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h: K$ H1 b& {; C' R
(API Get entry point)
( p6 V% T$ Q: K% Y6 \ " u% p( K# O2 l' ]
* C! a, r$ K- V/ d z; {, |2 O+ C xor di,di r9 c( A7 f3 U7 w4 E
mov es,di
6 _8 g# n7 G+ X% W) k mov ax, 1684h . |3 V" {: a- ?5 v$ K* J8 v2 l
mov bx, 0202h ; VxD ID of winice
6 S/ ^( `0 M9 B& G; Y; A' a, s1 Z int 2Fh L) j* d, v( l* p( W- I
mov ax, es ; ES:DI -> VxD API entry point
8 O' O2 F& a" v9 p& d7 w add ax, di
& G+ g# y0 H/ a3 p; q2 B test ax,ax) y% ?0 s7 {- X
jnz SoftICE_Detected6 q: D' B( N5 U- o, [6 N
2 L) t1 C, ]; H: b, u& o% U8 r___________________________________________________________________________- L( w; E" d& y% p/ n/ B* t9 W6 _9 d
/ j$ U5 z& e; Z. K) L/ A7 J2 J$ Y
Method 04( I1 \% |7 d/ U5 u( o7 G
=========
3 s% u' H$ s$ e: U8 \7 ?2 N9 K+ g2 s3 `! }9 P* ~: o) f
Method identical to the preceding one except that it seeks the ID of SoftICE5 b! F& p! Q4 M+ K6 e+ @7 n
GFX VxD.
( j, k o2 k/ U* ]0 [" ~
; G( N6 @& [* E+ Y+ q9 | xor di,di0 D1 W( y0 l8 M& ]9 z& H
mov es,di
- a1 P! G; Y# R mov ax, 1684h
7 j4 q$ q* d$ \$ l/ P3 X2 B4 } mov bx, 7a5Fh ; VxD ID of SIWVID2 c, B, @" T( N; j
int 2fh
7 v7 `- H1 Y5 r mov ax, es ; ES:DI -> VxD API entry point
! h" g8 {- a; Y- A add ax, di
. A$ `& v! n: r7 N test ax,ax. G, _+ t/ j- ^5 {- K% e) R
jnz SoftICE_Detected9 I4 v1 S# Y" l, o: ~
* P; d8 ~5 B2 U9 h& Y; f__________________________________________________________________________
2 R& g& t2 G" Q% j! ~) ]: s \& h" W7 t: |( j; {1 o4 M+ O9 L
$ I B( w& Y) m& s* fMethod 05
9 ?/ l1 e% X7 X=========/ [/ W! S3 h! t8 d6 C9 Y$ d
; X8 A' ^; |" K; d* v6 DMethod seeking the 'magic number' 0F386h returned (in ax) by all system, L5 o* l6 p$ a }- b1 I, V
debugger. It calls the int 41h, function 4Fh.
/ \7 B5 }# m/ j. G' ]# e9 @% d. fThere are several alternatives. ( z$ \! m% d3 ^
3 Q! t, K8 K( F; J0 YThe following one is the simplest:
; x6 G; J( v' t8 o0 d; I: L% j% n+ V4 }3 H
mov ax,4fh
. D6 A. O1 D7 f+ W/ P* U) [3 ^# z0 h int 41h' A0 N6 S$ [9 {) _7 c9 d4 F
cmp ax, 0F386! E: s# N2 }9 _1 t- o# ^& s l: p
jz SoftICE_detected. \) X# d' M( P# a! C! b6 @- [
9 `( M/ b& S& k- a$ ?1 b& `% D1 r$ U% {1 [8 C
Next method as well as the following one are 2 examples from Stone's
+ t5 V A, K: x3 C% Z"stn-wid.zip" (www.cracking.net):
d* f0 W) ?- o; {# H# k, l9 Q
3 r c1 q) F2 U- t* O) K3 D mov bx, cs) c; _7 R. {( w9 f5 X0 Y& S% ^
lea dx, int41handler2+ _$ ^/ k# g m- Y# U \
xchg dx, es:[41h*4]+ l! I/ @ {1 c, k: _! T
xchg bx, es:[41h*4+2]3 Y( q0 U2 _* T( i" F$ w4 o
mov ax,4fh
% J' m- w* d# N" G int 41h
+ n4 ~. }( {. ?; q6 h4 v xchg dx, es:[41h*4]* L: F' J# H3 A; k: [, \! Y
xchg bx, es:[41h*4+2]7 P; z/ R; A2 O! K
cmp ax, 0f386h
" E. E& [" O% |: Y2 v( g& X. i jz SoftICE_detected$ } K; `1 A0 C6 M2 T5 Q5 R
: F/ {( \( w( e4 e6 P+ w
int41handler2 PROC. l8 O' X+ b- u9 V/ ~
iret5 G: A! s, l) H6 R1 G
int41handler2 ENDP
6 T4 D' @! [% k N D: J3 h' Z- |5 i0 q
' {( n3 F8 E( O$ a. c( ?
_________________________________________________________________________
( k: X2 L! e) F* [" {% E; |
6 J" Z/ ?2 ]2 @; p
8 r0 C9 {0 i H& ?/ F- BMethod 06( P9 c$ n; a" [, B& H
=========' u& d7 c- L/ r& ?5 r
! m% }: ^8 t4 z3 {) e' W; B4 P1 u
6 R: R' Z2 @/ j4 g2 C; Y2nd method similar to the preceding one but more difficult to detect:
) [$ p0 R6 p( o% Q6 E+ b7 {* P0 f O& O$ T
# e% i9 i2 S) ]# O$ [8 y" N
int41handler PROC! c; c0 x- N9 M' l% ^
mov cl,al
" L, f! i4 E3 y: ]9 x, ], e6 N! q q iret
- l1 C3 _* |0 B1 ?4 W4 b& yint41handler ENDP
% b0 |, Y6 h" P. j, Y% V3 p$ S, R; o" c$ W6 L, ~
2 P1 n$ V5 C0 ?% A" h! X
xor ax,ax: i( Q r+ l. P( U% ]8 r
mov es,ax' r r' q2 q& i* s' c! v5 N* L
mov bx, cs6 N/ ~6 C$ O7 e' Z4 p7 @2 Z
lea dx, int41handler! }% T. `8 U# ^2 n% F% a, G
xchg dx, es:[41h*4]& x* g! n8 |* e7 y, i$ g
xchg bx, es:[41h*4+2]
5 g# |' J5 ^8 _' m0 R2 c in al, 40h
3 z, m* e- P% o$ ^8 Q xor cx,cx
, c6 t4 h; w+ Y- P5 }3 v- L int 41h
- c [ x: @( p- F( Z$ b: M xchg dx, es:[41h*4]4 o' L$ l/ Y+ i2 i% Z
xchg bx, es:[41h*4+2]) w/ o. j$ g! V. j a4 j3 {. ]
cmp cl,al4 l3 v, r1 d5 E1 T2 ~
jnz SoftICE_detected
5 {: C. m5 O4 Q$ ]. J
: h1 Q6 y- b9 _; L8 t1 m_________________________________________________________________________
7 P' V+ s" l2 x: {/ }# n. I$ X" g* n/ V& X2 J5 U
Method 070 @ P; ]8 i: y' I# m6 r
=========* k# i' L' @1 D
, d9 _; Z6 u% c3 Q1 L$ I: }. H
Method of detection of the WinICE handler in the int68h (V86)' J# v& T2 c) x' j- N" ^' Z
! _ H7 }( T' G1 n* L. Y mov ah,43h" O- C& n8 J! P! {3 n
int 68h
2 v( i& ?) H! T; U cmp ax,0F386h
5 W2 u3 v* U) p" S* }7 x: k+ @$ @ jz SoftICE_Detected$ o; d# M6 m8 v% \0 w+ j& r
/ ^( o, R3 o* s9 P! B) S. N( S3 I) K1 j& X2 W4 v
=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit9 O( L/ J6 A9 |. T% d3 n% ^& s4 o7 ]
app like this:
- F# B( ?3 M0 f+ j; h+ V8 _5 r6 a) w% }
BPX exec_int if ax==68
; n; U, V% Y2 Z8 t" U' x (function called is located at byte ptr [ebp+1Dh] and client eip is5 j+ N& G7 p9 L8 z; B* e R
located at [ebp+48h] for 32Bit apps)% b, S; }; X9 w, H; D+ P
__________________________________________________________________________
# a6 a; \' q% d4 L* F" x2 z$ o( s) t, ]$ b5 P9 P1 G8 C: G- I5 b( {
8 r7 \9 P) @1 N$ T# \1 VMethod 08
7 P" q- Z% z: ?! {+ C! @=========
' L+ E! z6 h6 A+ `5 i5 X2 }. p" L, H6 Q; Q
It is not a method of detection of SoftICE but a possibility to crash the
8 z: m% U, K: ~( Tsystem by intercepting int 01h and int 03h and redirecting them to another
* H, v9 X7 O4 x2 A* d5 Broutine., p( k8 C1 Y# Q' z
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
% M0 n8 b/ R( H* S- rto the new routine to execute (hangs computer...)
4 g: m. }/ v2 Z; g
3 v: ?$ W+ t% Y: w mov ah, 25h
- H/ R3 g1 }* B9 Z# P( w mov al, Int_Number (01h or 03h)) E. b* |( x& i
mov dx, offset New_Int_Routine9 Q7 f/ n [- N3 ]: j/ N; I0 S& y1 l0 Z
int 21h
1 b) \& x% W. m9 k, N$ W8 F. ]1 X, d. H. ?# S/ W; U/ o5 P
__________________________________________________________________________
3 z6 A$ b) a6 M; ^3 ]2 f
6 U M" |7 ]/ E$ J; K- t2 b! PMethod 09. |. Y. @0 x' {3 Q$ L/ i P7 f
=========: }- o2 O E6 G, Y/ C
- {) ^1 P) y( H1 t- [7 H
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only0 x/ ?, u9 T7 Z* ]7 W) h* a9 [
performed in ring0 (VxD or a ring3 app using the VxdCall).
/ _; M0 [; u- S- P; h' L1 wThe Get_DDB service is used to determine whether or not a VxD is installed- ~8 `* ^6 V+ q @! J
for the specified device and returns a Device Description Block (in ecx) for; o0 t+ [: C m" @6 K+ g
that device if it is installed./ Q! R0 _7 W: e q8 ~ @1 |! A0 y
1 [. h2 b% T& m* T( Y! p: m
mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID& U; _; ]2 p& H) o9 n5 {; p' D
mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
% H: [! G. A9 G0 K! F4 [ VMMCall Get_DDB6 b8 _! I0 G! V c2 k C
mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed
& K% X6 Q ?* U; {
7 r8 ^' U0 C: }6 u. P6 W$ FNote as well that you can easily detect this method with SoftICE:
F3 b" [/ l6 }. Q0 V( J bpx Get_DDB if ax==0202 || ax==7a5fh
- z9 W# L& s1 v( y! W7 l# u6 F. C1 {- }1 l. R0 z
__________________________________________________________________________; H. _; i) ^% U/ t- a7 f$ l! m$ E
& f* y, o8 v5 a j+ B
Method 106 g- p/ j( R7 V$ J4 d
=========
4 a( }+ U5 _9 |) O
# j' l* F; I$ B/ o* c( r=>Disable or clear breakpoints before using this feature. DO NOT trace with
' I. l7 r2 c/ F4 i( s* ]/ @ SoftICE while the option is enable!!
! I0 b1 B( f" M0 s6 M1 ?9 s4 P# O' r- c2 W6 C7 i0 D3 h
This trick is very efficient:
! b6 `6 [2 l0 _( nby checking the Debug Registers, you can detect if SoftICE is loaded# l+ @0 _& u) r8 E
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
/ R- K# v; }4 `. [; Kthere are some memory breakpoints set (dr0 to dr3) simply by reading their3 c- I, L+ _$ r6 O4 n8 K5 [4 Y
value (in ring0 only). Values can be manipulated and or changed as well
6 ?+ F1 a- _; } i4 X(clearing BPMs for instance)) s: A% V: U9 t7 {" s# t
9 T1 G# Q2 J& c' d( q- j__________________________________________________________________________
1 i. {2 {9 z" v, r$ R
! ^( f' f& w* g. n- Z0 e8 ?Method 110 J( d5 [& v0 Y5 V- s
=========
" E% S4 a5 K8 F4 A) `+ e( J
4 T- l5 g* P4 n+ U6 vThis method is most known as 'MeltICE' because it has been freely distributed
- X1 e! |$ ]! g- T! {9 O! uvia www.winfiles.com. However it was first used by NuMega people to allow% E7 X O! J* H
Symbol Loader to check if SoftICE was active or not (the code is located
5 J7 n5 j1 V( j+ K9 D# H# n3 H. rinside nmtrans.dll).( f6 B- w: `) u6 h; K5 W- F
- `7 D8 V& i) u ?1 P& |. p P9 xThe way it works is very simple:+ _+ g) R( l1 n; J" w3 m
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
% @) c5 x$ S, s! r' o9 Q& V- `9 i/ WWinNT) with the CreateFileA API.
5 |7 z2 W I. q: a( d& f4 B* w+ l5 k, I1 W% `: O% ]# C
Here is a sample (checking for 'SICE'):0 Q& l, ~$ y+ n( T5 r4 \
1 ] G. s* f5 t& S% D& r) z2 m$ h
BOOL IsSoftIce95Loaded()* N* b* P4 \9 C- |! G" Z; y
{
, C6 j# \. j& c0 ^ HANDLE hFile; ) a n1 F& D- Q" Y' W3 ^; I- i
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE," B4 t# P, O) a6 O4 w
FILE_SHARE_READ | FILE_SHARE_WRITE,
8 P+ Q4 U0 J7 X NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);5 b, J( w% x9 e* y' e2 K
if( hFile != INVALID_HANDLE_VALUE )* {. ?( `% ]5 O3 p" Y" M( L
{
5 t. @! P( z3 A) y CloseHandle(hFile);& l* C0 d' `$ W3 X, t [7 S8 S
return TRUE;
4 |7 _5 ^; m8 m }
+ e6 z$ m# O, |3 \/ g return FALSE;
, E8 l/ Z, X3 Q}
0 J. n6 M4 z) z, S/ B+ w( {, a7 M8 h/ Z: X' R& @$ q
Although this trick calls the CreateFileA function, don't even expect to be( c4 i/ F& K- N2 D4 L
able to intercept it by installing a IFS hook: it will not work, no way!
$ D) x. z: |7 y! i; t5 lIn fact, after the call to CreateFileA it will get through VWIN32 0x001F
2 f! S. S! e3 H& Fservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)2 p4 U/ x. O5 t: T1 t7 o0 W6 e. U
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
8 ~: E0 Z+ w. ^) S9 u2 Gfield.
, J1 c* A8 u4 I$ }' m& Z$ UIn fact, its purpose is not to load/unload VxDs but only to send a ) p5 B. U: L% `2 M7 c' J
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)9 M1 C: g2 z. \! ^- j; U. E) k; e
to the VxD Control_Dispatch proc (how the hell a shareware soft could try$ k3 k# x! S5 N, x) f: k1 a
to load/unload a non-dynamically loadable driver such as SoftICE ;-).4 J( g0 `7 ^! K% V
If the VxD is loaded, it will always clear eax and the Carry flag to allow
5 m: J! D @- b+ M: T% C3 E0 `its handle to be opened and then, will be detected.
) `- U7 C) i0 y0 P9 T& w& n2 XYou can check that simply by hooking Winice.exe control proc entry point
8 A% q' @0 E5 y+ Zwhile running MeltICE.# c) i( S* I4 `9 G+ p2 O% P
S" i* H- a$ Z& r) M' W7 e, y
: e& F5 G" W j0 z* ~
00401067: push 00402025 ; \\.\SICE/ f- H4 y. n+ x k
0040106C: call CreateFileA5 p L0 N+ z) Z) o0 Q
00401071: cmp eax,-001
% J" I1 P& t3 l9 Z- N 00401074: je 00401091
+ Q+ B5 r- L2 ~9 Y/ c5 @$ {. v& q9 M: N( ?* j
8 P' n& I! l# s( L9 H+ D
There could be hundreds of BPX you could use to detect this trick.- c2 {& A. b; k- e) O- l9 |
-The most classical one is:) V& j$ t: S ]( M0 M% o* p
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
- y% `1 _1 d+ `' l3 U *(esp->4+4)=='NTIC'2 Q* V) G! Y' M
* T7 d$ u5 _' I- p( c
-The most exotic ones (could be very slooooow :-(, ]$ H9 y+ ] q# K- q$ G
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV') - b" R$ f6 v/ K ?6 E! T/ n% h
;will break 3 times :-(
( l5 h" {9 F0 M& W8 M% c% K: g2 |& g9 k, l7 c
-or (a bit) faster:
) R# \ _4 d9 q6 @ BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
9 J; Q8 Q! G: B' g
3 J X4 Q+ b- l4 \7 q BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
. U. g1 B, F8 j1 i, d; B0 A ;will break 3 times :-(* H5 e: y( q" u, X3 N$ }
9 Z& u: o- a+ \( Q; t! W) ?-Much faster:. Q: ~$ O8 l5 J8 _9 I Y. f2 S
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV' L q1 { z: r6 T7 X! }
/ A3 {8 ?9 }& k9 m5 N* }, WNote also that some programs (like AZPR3.00) use de old 16-bit _lopen* z" V) R0 P& W
function to do the same job:& e8 g/ ^3 U9 \, r. B
) l, M4 o P& B4 @
push 00 ; OF_READ7 Z$ S# [ p2 c6 N& t( u
mov eax,[00656634] ; '\\.\SICE',0" g0 k0 e9 J9 I% Y t
push eax6 L6 F9 _# }' S' k1 |1 i: E( }2 Y
call KERNEL32!_lopen# Z8 d7 B$ l$ ?
inc eax
8 C0 t* R4 Z$ y' Q jnz 00650589 ; detected7 _3 V/ s# } o
push 00 ; OF_READ
; _2 O' O0 K0 V/ @$ _ mov eax,[00656638] ; '\\.\SICE'
' ?; m9 n, Z9 \7 H" g push eax
; }, g2 o. k, A# i7 _; c1 O call KERNEL32!_lopen
* k/ w8 }4 q$ u inc eax' u' e# t3 V8 E( m, ]# o
jz 006505ae ; not detected
, U+ M/ \9 N% \0 } z' G# t( t- r* _* A1 [
& P1 X* v$ z! G' ~" f1 d0 s. ~__________________________________________________________________________' N$ [4 X+ A6 |" d6 `$ `4 j
( J1 T1 Q( t9 N/ u- DMethod 12; P* P9 j# W5 B. H
=========
" L, p7 o" U1 r( L% f3 V" t) q' `5 E: f# U7 v
This trick is similar to int41h/4fh Debugger installation check (code 05% y# J0 [" R5 w% V% L; C
& 06) but very limited because it's only available for Win95/98 (not NT)
- y: K! d- ?5 ^/ `# l5 n, i( cas it uses the VxDCall backdoor. This detection was found in Bleem Demo.' I+ W- k% {# \1 N, M m
+ ^, x3 Z2 w, o& B. W; u
push 0000004fh ; function 4fh
' \: l8 W+ H# Z9 g5 f5 _; _ push 002a002ah ; high word specifies which VxD (VWIN32)2 X' S! N" A6 ~# C0 N
; low word specifies which service6 K- `3 w8 D9 N7 r4 |
(VWIN32_Int41Dispatch)* i/ Q( G8 E6 s
call Kernel32!ORD_001 ; VxdCall
: Q" f4 j. ]; s- ?9 f y9 H cmp ax, 0f386h ; magic number returned by system debuggers& g* o* Q) k: Q. J
jz SoftICE_detected7 Y0 J7 o; W, b V+ K8 Y
9 E7 N+ Y2 F+ z; Y
Here again, several ways to detect it:, v9 ~% v: ^3 u3 y& o
* D& H- k" z' l$ u' t3 C9 e
BPINT 41 if ax==4f. Q6 h$ i: m7 C6 ^, x- z
, C5 ~2 C$ ?; j1 C& ~9 m, | BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
: M2 I3 h" E& O& y. ^9 ]# K
M9 D0 L' v1 Q( s( K! b2 l BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A0 E4 r/ Z$ M3 p7 a
3 D$ h. u8 Q( I0 _9 S' u' T
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!* u. ~$ |5 j& U+ d: x; z" X& v
6 G" Y" f0 e7 v/ S C! F K__________________________________________________________________________
. o. C d& R, R$ \ F0 f& {/ d( B
' J4 o q$ Z* N6 h3 w0 U$ {Method 13" Z1 i7 K+ F1 S+ i5 C
=========5 |; z* l" A7 n+ ~0 u4 a
) o* V& P0 S& y# L9 X
Not a real method of detection, but a good way to know if SoftICE is
3 E. v& h5 G5 w+ F6 e" xinstalled on a computer and to locate its installation directory.
6 }; M* B2 m% A* h9 j6 TIt is used by few softs which access the following registry keys (usually #2) :
+ q# c9 _1 h# p' a0 i( J+ r( h) {; O' b: |2 U& o4 y
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion3 p( w% X3 O0 s" h4 d" k
\Uninstall\SoftICE
4 L7 i+ d D9 X+ y-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
2 W% {# X, N& D-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion! L+ J/ A6 X6 ?: B
\App Paths\Loader32.Exe
5 a+ T% ]' k* ?8 c3 ^, Y( ]* Y8 @ w4 f4 U$ p q0 S$ b
2 h4 }! n7 Q, kNote that some nasty apps could then erase all files from SoftICE directory
: K9 z7 H+ C: k# }: N' D- M(I faced that once :-(
) a3 K9 p) i4 v. z* J( h5 n2 o5 h7 ^2 i' e! u
Useful breakpoint to detect it:
+ `6 `( g! V2 q) B' E
* ~0 v3 v& b6 s$ c BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'9 S4 Q9 t, Z* ], U7 n
3 ?2 }9 n7 y1 f$ R5 I
__________________________________________________________________________
Z& Y5 e( J5 O. l9 E! X
* j' n9 {. y& J9 ]: u# P% Z. R- J
Method 14 9 v1 D' U/ a0 E# `) M
=========
! E7 g& U! h+ G
. d6 G# I0 s: C6 K* LA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
) Z+ N3 ]- x b" O9 N% @9 s! Pis to determines whether a debugger is running on your system (ring0 only).+ s' P: W# r1 a/ S- [/ ]5 |6 j
1 i6 h! a* N( f8 c9 V
VMMCall Test_Debug_Installed) C$ V. [7 i N8 A) o; n# m' R
je not_installed8 R; U9 H W1 i: i$ r+ [6 ?
! L9 {9 K+ o. `! l* ^. Y
This service just checks a flag.# `# u- z" {- s# V
</PRE></TD></TR></TBODY></TABLE> |