<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature interface in SoftICE: if
SoftICE is loaded, its int 3 handler recognises 'BCHK' in EBP and
modifies AL; if nothing answers the int 3, AL is still 4.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is
used to call the SoftICE 'back door' commands, which give information
on breakpoints or execute SoftICE commands...
It is also used to crash SoftICE, by forcing it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; ds:dx points to the command string)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' SoftICE expects.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.
Since the command runs as soon as the INT 3 is taken, break on the magic
values rather than on the command: BPINT 3 if si==4647 && di==4a4d

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911     ; execute command.
4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647     ; 1st magic value.
4C19:009D MOV DI,4A4D     ; 2nd magic value.
4C19:00A0 INT 3           ; Int call. (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
4C19:00A8 JB 0095         ; 6 different commands.
4C19:00AA JMP 0002        ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP       ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point). ES:DI is zeroed beforehand, so if no VxD with
ID 0202h answers, ES:DI stays 0000:0000 and the sum ES+DI is zero.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID
of the SoftICE GFX (video) VxD, SIWVID.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all
system debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next example, as well as the one in Method 06, comes from Stone's
"stn-wid.zip" (www.cracking.net). It first points the int 41h vector at
its own handler (a plain IRET), so that with no debugger present AX comes
back unchanged (4Fh); the check relies on SoftICE intercepting the INT 41h
before the vector table is honoured and answering 0F386h anyway:

        mov bx, cs              ; assumes ES = 0 (interrupt vector table)
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; swap in our handler, keep the old vector
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but harder to detect: it never
compares against 0F386h. It reads an unpredictable byte from the PIT
(port 40h) into AL, clears CX and issues int 41h. If its own handler
(which copies AL into CL) was reached, CL equals AL; if the handler was
not reached, CL is still 0 and the debugger is detected. A
"BPINT 41 if ax==4f" therefore never fires on it.


int41handler PROC
        mov cl,al
        iret
int41handler ENDP


        xor ax,ax
        mov es,ax               ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; swap in our handler, keep the old vector
        xchg bx, es:[41h*4+2]
        in al, 40h              ; PIT counter: unpredictable value
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client
   EIP is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detecting SoftICE but a way to crash the system
by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with
ds:dx pointing to the new routine to execute (hangs the computer...):

        mov ah, 25h             ; set interrupt vector
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using the VxDCall backdoor).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ECX)
of that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if there is no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear your breakpoints before using this feature. DO NOT
   trace with SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect whether SoftICE is loaded
(DR7=0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or whether memory breakpoints are set (DR0 to DR3), simply by
reading their value (in ring 0 only). The values can be manipulated or
changed as well (clearing BPMs, for instance).
Why those two constants: bit 10 of DR7 is reserved and always reads as 1,
so an idle DR7 is 0x400 rather than 0; 0x700 additionally has the LE and
GE bits (8 and 9) set, while the breakpoint enable bits 0-7 and the
R/W and LEN fields in bits 16-31 are still clear.

__________________________________________________________________________
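The DR7 values quoted in Method 10 above (0x400 when idle, 0x700 after the SoftICE loader) decode as follows. This block is an added example, not code from the original text or from SoftICE: it models the DR7 bit layout documented in the Intel manual in portable C so the arithmetic can be checked without ring 0 access. Nothing here touches a real debug register, and the function names (dr7_decode, dr7_arm_bp, dr7_disarm_all and so on) are this example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* DR7 bit layout (Intel SDM vol. 3, "Debug Registers"):
 *   bits 0,2,4,6  L0..L3  local enable of DR0..DR3
 *   bits 1,3,5,7  G0..G3  global enable of DR0..DR3
 *   bit 8   LE    local exact breakpoint enable   } both set by the SoftICE
 *   bit 9   GE    global exact breakpoint enable  } loader: 0x700, not 0x400
 *   bit 10        reserved, always reads as 1 (an idle DR7 is 0x400, not 0)
 *   bit 13  GD    general detect: traps any MOV to/from DR0..DR7
 *   bits 16+4n    R/Wn (2 bits);  bits 18+4n  LENn (2 bits);  n = 0..3    */
enum { DR7_LE = 1u << 8, DR7_GE = 1u << 9, DR7_RESERVED = 1u << 10, DR7_GD = 1u << 13 };
enum { BP_EXEC = 0, BP_WRITE = 1, BP_IO = 2, BP_RW = 3 };   /* R/Wn field */
enum { LEN_1 = 0, LEN_2 = 1, LEN_8 = 2, LEN_4 = 3 };        /* LENn field */

typedef struct {
    bool enabled[4];   /* DRn armed (local or global enable bit set) */
    unsigned rw[4];    /* BP_*  */
    unsigned len[4];   /* LEN_* */
    bool le, ge, gd;
} dr7_fields;

/* Split a raw DR7 value into its fields. */
dr7_fields dr7_decode(uint32_t dr7)
{
    dr7_fields f = {{0}};
    for (int n = 0; n < 4; n++) {
        f.enabled[n] = ((dr7 >> (2 * n)) & 3u) != 0;   /* Ln | Gn */
        f.rw[n]      = (dr7 >> (16 + 4 * n)) & 3u;
        f.len[n]     = (dr7 >> (18 + 4 * n)) & 3u;
    }
    f.le = (dr7 & DR7_LE) != 0;
    f.ge = (dr7 & DR7_GE) != 0;
    f.gd = (dr7 & DR7_GD) != 0;
    return f;
}

/* How many of DR0..DR3 are armed, i.e. how many BPM-style breakpoints exist. */
int dr7_active_bps(uint32_t dr7)
{
    dr7_fields f = dr7_decode(dr7);
    int count = 0;
    for (int n = 0; n < 4; n++)
        count += f.enabled[n];
    return count;
}

/* The loader signature the text describes: LE and GE both set. */
bool dr7_has_softice_loader_signature(uint32_t dr7)
{
    return (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE);
}

/* Arm slot n (0..3) with a global enable and the given type and length:
 * what one memory breakpoint on DRn looks like once the debugger sets it. */
uint32_t dr7_arm_bp(uint32_t dr7, int n, unsigned rw, unsigned len)
{
    dr7 &= ~(0xFu << (16 + 4 * n));          /* clear old R/Wn and LENn */
    dr7 |= 1u << (2 * n + 1);                /* Gn */
    dr7 |= (rw & 3u) << (16 + 4 * n);
    dr7 |= (len & 3u) << (18 + 4 * n);
    return dr7;
}

/* What a protector that "clears BPMs" writes back: every enable bit and every
 * R/W-LEN field zeroed, control bits 8..15 left alone, bit 10 kept at 1. */
uint32_t dr7_disarm_all(uint32_t dr7)
{
    return (dr7 & 0x0000FF00u) | DR7_RESERVED;
}

int main(void)
{
    uint32_t samples[] = { 0x400u, 0x700u, dr7_arm_bp(0x700u, 0, BP_RW, LEN_4) };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        dr7_fields f = dr7_decode(samples[i]);
        printf("DR7=%08X  LE=%d GE=%d  active BPs=%d  loader signature=%s\n",
               (unsigned)samples[i], f.le, f.ge, dr7_active_bps(samples[i]),
               dr7_has_softice_loader_signature(samples[i]) ? "yes" : "no");
    }
    return 0;
}
```

dr7_arm_bp shows what a single BPM on DR0 (type RW, length 4) turns 0x700 into, namely 0x000F0702, and dr7_disarm_all shows what a protector that clears BPMs writes back. Note that a protector comparing DR7 against exactly 0x400 or 0x700 also misfires on any machine where some other driver has set LE/GE or a hardware breakpoint of its own.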

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However, it was first used by NuMega
to let Symbol Loader check whether SoftICE was active or not (the code
is located inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE if the Win9x SoftICE driver answers to \\.\SICE */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);     /* the driver is loaded: release the handle */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA, it goes through VWIN32 service
0x001F, _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall
function), and then walks the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the carry flag to allow its
handle to be opened, and is thereby detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001          ; INVALID_HANDLE_VALUE
        00401074: je 00401091


There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
   BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                      *(esp->4+4)=='NTIC'
   (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix, so
   the four bytes that follow it are compared)

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited, because it's only available on
Win95/98 (not NT) as it uses the VxDCall backdoor. This detection was
found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

   BPINT 41 if ax==4f
   BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one
   BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
   BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE
is installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                       \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                       \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

   BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
   (esp->8 is the lpSubKey argument; offsets 0x13 and 0x37 are where
   "tICE" sits in key #2 and key #1 respectively)
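The two conditional breakpoints on this page that match driver and key names (BPX CreateFileA ... in Method 11 and BPX _regopenkey ... just above) work the same way: read four raw bytes at a fixed offset into a string argument and compare them with a four-character constant. The block below is an added example, not part of the original text or of MeltICE; it reimplements both predicates in portable C with the offset arithmetic spelled out, so you can confirm why 0x13 and 0x37 land on "tICE" and what a byte-exact prefix test does and does not catch. The function names (dword_at, is_softice_device_path, is_softice_regkey, tice_offset) and the sample arguments are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* *(ptr+off) in a SoftICE expression reads a 32-bit word of raw memory.
 * Here the string is the only memory we have, so the read returns 0 when it
 * would run past the terminator instead of reading garbage. Little-endian,
 * as on x86. */
uint32_t dword_at(const char *s, size_t off)
{
    if (off + 4 > strlen(s))
        return 0;
    const unsigned char *p = (const unsigned char *)s + off;
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* 'SICE' in SoftICE syntax: a constant equal to the bytes S,I,C,E in memory order. */
uint32_t tag(const char *four_chars)
{
    return dword_at(four_chars, 0);
}

/* BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
 * esp->4 is lpFileName (first stack argument); +4 skips the "\\.\" prefix. */
bool is_softice_device_path(const char *lpFileName)
{
    static const char *const tags[] = { "SICE", "SIWV", "NTIC" };
    uint32_t v = dword_at(lpFileName, 4);
    for (size_t i = 0; i < sizeof tags / sizeof tags[0]; i++)
        if (v == tag(tags[i]))
            return true;
    return false;
}

/* BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 * esp->8 is lpSubKey (second stack argument). The offsets are not magic:
 * they are where "tICE" sits in key #2 and key #1 from the list above. */
bool is_softice_regkey(const char *lpSubKey)
{
    uint32_t t = tag("tICE");
    return dword_at(lpSubKey, 0x13) == t || dword_at(lpSubKey, 0x37) == t;
}

/* Where does "tICE" actually occur in a key name? Returns the byte offset
 * or -1; use it to derive the constant for a key the breakpoint above misses. */
long tice_offset(const char *subkey)
{
    const char *p = strstr(subkey, "tICE");
    return p ? (long)(p - subkey) : -1;
}

int main(void)
{
    /* Constructed sample arguments, as the hooked APIs would receive them. */
    const char *paths[] = { "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE",
                            "\\\\.\\PhysicalDrive0", "\\\\.\\sice" };
    const char *keys[]  = { "Software\\NuMega\\SoftICE",
                            "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
                            "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe" };
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++)
        printf("%-24s -> %s\n", paths[i], is_softice_device_path(paths[i]) ? "break" : "pass");
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++)
        printf("%-70s -> %s (\"tICE\" at %ld)\n", keys[i],
               is_softice_regkey(keys[i]) ? "break" : "pass", tice_offset(keys[i]));
    return 0;
}
```

Two things the reimplementation makes visible: the CreateFileA predicate is a prefix match on four bytes, so \\.\SIWVID and any other name beginning with SIWV hit it, while the predicate itself is case-sensitive and a lowercase \\.\sice slips past it; and the registry predicate only fires on the two key layouts whose offsets were precomputed, so for key #3 or any other spelling you need tice_offset (or a hex dump) to derive a new constant.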
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>