<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al, 4 ; al is no longer 4 once SoftICE has answered the BoundsChecker request
 jnz SoftICE_Detected
___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3       ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02   ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06   ; Repeat 6 times to execute
4C19:00A8 JB 0095     ; 6 different commands.
4C19:00AA JMP 0002    ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP   ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get Device API Entry Point"):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point (0:0 if the VxD is not loaded)
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point (0:0 if the VxD is not loaded)
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). This one temporarily replaces the int 41h
vector with its own handler (it assumes ES = 0, the interrupt vector table
segment, as set up in method 06):

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]   ; swap in our handler, keep the old vector in bx:dx
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]   ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

Second method, similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al ; our own handler copies al into cl
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]   ; swap in our handler, keep the old vector in bx:dx
 xchg bx, es:[41h*4+2]
 in al, 40h            ; unpredictable value from the timer port
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]   ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp cl,al             ; cl != al means our handler never ran
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

 BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

 mov ah, 25h              ; DOS set interrupt vector
 mov al, Int_Number       ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 /* "\\\\.\\SICE" is the C spelling of the device name \\.\SICE */
 hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 /* the open succeeded only because the VxD answered: SoftICE is loaded */
 CloseHandle(hFile);
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025 ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-((
-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax ; _lopen returns -1 (HFILE_ERROR) when the open fails
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32)
                ; low word specifies which service (VWIN32_Int41Dispatch)
 call Kernel32!ORD_0001 ; VxDCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
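
As an added example (not part of this document), here is a small Python triage
scanner that looks in a raw binary for the byte patterns and strings of the
tricks listed above (methods 01 to 07, 11, 12 and 13), so that a defender can
tell quickly whether a packed sample carries anti-SoftICE checks. The instruction
encodings are the standard 16-bit and 32-bit forms I assume for each snippet, and
the sample buffer at the bottom is constructed, not taken from any real program.

```python
import re
from typing import List, Tuple

# 16-bit encodings: B8=mov ax,imm16  BB=mov bx,imm16  BE=mov si,imm16
# BF=mov di,imm16  B4=mov ah,imm8  CD xx=int xx  3D=cmp ax,imm16
# 32-bit: BD=mov ebp,imm32  68=push imm32.  ".{0,8}?" tolerates a few
# interleaved instructions between the parts of one trick.
SIGNATURES = [
    ("01 BoundsChecker 'BCHK' via int 3",
     re.compile(rb"\x66?\xbd\x4b\x48\x43\x42")),
    ("02 int 3 backdoor magic SI=4647h DI=4A4Dh",
     re.compile(rb"\xbe\x47\x46.{0,8}?\xbf\x4d\x4a", re.DOTALL)),
    ("03 int 2Fh/1684h, VxD ID 0202h (SICE)",
     re.compile(rb"\xb8\x84\x16.{0,8}?\xbb\x02\x02.{0,8}?\xcd\x2f", re.DOTALL)),
    ("04 int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)",
     re.compile(rb"\xb8\x84\x16.{0,8}?\xbb\x5f\x7a.{0,8}?\xcd\x2f", re.DOTALL)),
    ("05/06 int 41h function 4Fh",
     re.compile(rb"\xb8\x4f\x00.{0,8}?\xcd\x41", re.DOTALL)),
    ("05/07/12 compare with magic 0F386h",
     re.compile(rb"\x3d\x86\xf3")),
    ("07 int 68h function 43h",
     re.compile(rb"\xb4\x43.{0,8}?\xcd\x68", re.DOTALL)),
    ("12 VxDCall VWIN32_Int41Dispatch (push 002A002Ah)",
     re.compile(rb"\x68\x2a\x00\x2a\x00")),
    ("11 MeltICE device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    ("13 SoftICE registry key",
     re.compile(rb"Software\\NuMega\\SoftICE", re.IGNORECASE)),
]


def scan(blob: bytes) -> List[Tuple[str, int]]:
    """Return (label, offset) for every signature hit, ordered by offset."""
    hits = []
    for label, pattern in SIGNATURES:
        for m in pattern.finditer(blob):
            hits.append((label, m.start()))
    return sorted(hits, key=lambda h: (h[1], h[0]))


# Constructed sample (not a real file): NOP filler, a method 05 check,
# padding, a method 02 magic-value setup, then a MeltICE device name and
# the method 13 registry key.
SAMPLE = (
    b"\x90" * 16
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3\x74\x10"  # mov ax,4Fh/int 41h/cmp ax,0F386h/je
    + b"\x00" * 4
    + b"\xbe\x47\x46\xbf\x4d\x4a\xcc"              # mov si,4647h/mov di,4A4Dh/int 3
    + b"\\\\.\\SICE\x00"
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for label, offset in scan(SAMPLE):
        print(f"{offset:#06x}  method {label}")
```

A hit is a reason to look at the surrounding code in a disassembler, not proof by itself; the byte-gap tolerance keeps the patterns short, so confirm each finding by hand.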
</PRE></TD></TR></TBODY></TABLE>