<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4               ; SoftICE answers int 3 and changes AL
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very much used method (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call. (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get API entry point).

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax             ; ES:DI stays 0:0 if the VxD is not loaded
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs                  ; (ES is assumed to be 0 here, as set explicitly in method 06)
    lea dx, int41handler2
    xchg dx, es:[41h*4]         ; install our own int 41h handler...
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]         ; ...and restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al              ; only runs if our handler (not SoftICE) got int 41h
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; timer value: an unpredictable AL
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; CL != AL means SoftICE swallowed the int 41h
    jnz SoftICE_detected

___________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number      ; (01h or 03h)
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
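The two DR7 values quoted above decode as follows. This is an added example (Python, not code from the original text): the bit layout is the documented x86 DR7 layout, and the third sample value with one memory breakpoint is constructed.

```python
"""DR7 decoder for the values quoted in Method 10 (added example, not from the original text).

0x400 is only the reserved bit 10, which always reads as 1; 0x700 adds LE and GE,
the 'exact breakpoint' bits a debugger turns on.  A BPM shows up as an L/G enable
bit plus its R/W and LEN fields in the high word.  Sample values are constructed.
"""

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_NAMES = {0: 1, 1: 2, 2: 8, 3: 4}     # 2 = 8 bytes in 64-bit mode only, undefined here


def decode_dr7(dr7: int) -> dict:
    """Split a DR7 value into its enable flags and per-breakpoint settings."""
    bps = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)        # L0..L3: bits 0,2,4,6
        glob = bool((dr7 >> (2 * n + 1)) & 1)     # G0..G3: bits 1,3,5,7
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 3            # R/Wn: 2 bits starting at bit 16
        ln = (dr7 >> (18 + 4 * n)) & 3            # LENn: 2 bits starting at bit 18
        bps.append({"index": n, "local": local, "global": glob,
                    "type": RW_NAMES[rw], "length": LEN_NAMES[ln]})
    return {
        "LE": bool((dr7 >> 8) & 1),               # local exact breakpoint enable
        "GE": bool((dr7 >> 9) & 1),               # global exact breakpoint enable
        "reserved_bit10": bool((dr7 >> 10) & 1),  # architecturally always 1
        "GD": bool((dr7 >> 13) & 1),              # general detect: traps MOV to/from DRn
        "breakpoints": bps,
    }


def softice_loader_signature(dr7: int) -> bool:
    """True when DR7 matches the 'started through the SoftICE loader' state the text describes."""
    d = decode_dr7(dr7)
    return d["LE"] and d["GE"] and not d["breakpoints"]


# Constructed values: the two quoted in the text, plus one 4-byte read/write BPM on DR0.
DR7_LOADER = 0x700
DR7_PLAIN = 0x400
DR7_ONE_BPM = 0x400 | 0x1 | (0x3 << 16) | (0x3 << 18)   # L0, R/W0=11, LEN0=11 -> 0xF0401

if __name__ == "__main__":
    for v in (DR7_LOADER, DR7_PLAIN, DR7_ONE_BPM):
        print(hex(v), decode_dr7(v))
```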
___________________________________________________________________________

Method 11
=========

This method is mostly known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025    ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) becomes 0
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected


___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f     ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
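From the analyst's side, the idioms listed in methods 01, 02, 03/04, 05, 07, 11 and 13 can be recognised statically in a sample before it is ever run, which tells you which of these tricks to expect once you start debugging. The scanner below is an added example (not code from the original text): its signatures are the standard x86 encodings of the instruction sequences and strings quoted above, and the SAMPLE image it scans is constructed for the demo.

```python
"""Static triage scanner for the SoftICE-detection idioms on this page.

Added example, not code from the original document.  Encodings used: B8+r =
mov r16/32,imm (BB/BE/BF = bx/si/di, BD = ebp); B4 = mov ah,imm8; CC = int 3;
CD xx = int xx; 3D = cmp ax,imm16; 66 = operand-size prefix.  Immediates are
little-endian.  SAMPLE is a constructed byte image, not taken from a real file.
"""
import re

SIGNATURES = [
    # Method 01: mov ebp,'BCHK' ; mov ax,4 ; int 3  (32-bit encoding, then the 16-bit one)
    (rb"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC", "M01 BoundsChecker 'BCHK' int 3 (32-bit)"),
    (rb"\x66\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC", "M01 BoundsChecker 'BCHK' int 3 (16-bit)"),
    # Method 02: mov si,4647h ; mov di,4A4Dh (either order), then int 3 within a few bytes
    (rb"(?:\xBE\x47\x46\xBF\x4D\x4A|\xBF\x4D\x4A\xBE\x47\x46).{0,8}?\xCC", "M02 back door magic SI/DI + int 3"),
    # Method 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    (rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F", "M03/04 int 2Fh/1684h VxD entry point"),
    # Method 05: mov ax,4Fh ; int 41h ... cmp ax,0F386h (optional 66 prefix in 32-bit code)
    (rb"\x66?\xB8\x4F\x00\xCD\x41.{0,16}?\x66?\x3D\x86\xF3", "M05 int 41h/4Fh magic 0F386h"),
    # Method 07: mov ah,43h ; int 68h ; cmp ax,0F386h
    (rb"\xB4\x43\xCD\x68\x66?\x3D\x86\xF3", "M07 int 68h/43h magic 0F386h"),
    # Method 11 (MeltICE): driver device names handed to CreateFileA / _lopen
    (rb"\\\\\.\\(?:SICE|SIWVID|NTICE)", "M11 MeltICE device name"),
    # Method 13: the three SoftICE registry keys
    (rb"(?:NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe)", "M13 SoftICE registry key"),
]


def scan(image: bytes) -> list:
    """Return sorted (offset, label) pairs for every idiom found in the image."""
    hits = []
    for pattern, label in SIGNATURES:
        for m in re.finditer(pattern, image, re.DOTALL):
            hits.append((m.start(), label))
    return sorted(hits)


# Constructed sample: NOP filler around a Method 01 stub (with its cmp al,4 / jnz),
# a Method 03 probe, the MeltICE device name and the #2 registry key from Method 13.
SAMPLE = (
    b"\x90" * 16
    + bytes.fromhex("BD 4B 48 43 42 66 B8 04 00 CC 3C 04 75 05")   # offset 16
    + b"\x90" * 8
    + bytes.fromhex("B8 84 16 BB 02 02 CD 2F")                     # offset 38
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"                                           # offset 54
    + b"Software\\NuMega\\SoftICE\x00"                             # key name at offset 72
)

if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print(f"{offset:#08x}  {label}")
```

A hit only says the idiom is present; the analyst still confirms at the offset that the bytes are code (or a referenced string) and not a coincidence in data.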

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>