<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of packers/encryptors found on the Internet. It relies on the
BoundsChecker interface built into SoftICE: INT 3 is executed with EBP
holding the signature 'BCHK' and AX = 4. If SoftICE is loaded it answers
the call and AL no longer holds 4 afterwards; without SoftICE the INT 3
leaves AL untouched.

        mov     ebp, 04243484Bh         ; 'BCHK' signature
        mov     ax, 04h
        int     3
        cmp     al, 4                   ; still 4 -> no SoftICE
        jnz     SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a very common method (perhaps the most frequent one). It uses the
SoftICE 'back door' commands on INT 3, which give information on
breakpoints, execute SoftICE commands, and so on. It is also used to crash
SoftICE or to force it to execute arbitrary commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (display a string in the SoftICE window)
-AX = 0911h (execute a SoftICE command; DS:DX points to the command string)
-AX = 0912h (get breakpoint information)
-AX = 0913h (set SoftICE breakpoints)
-AX = 0914h (remove SoftICE breakpoints)

Each time you meet this trick you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' SoftICE checks before honouring the call.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is an example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095  MOV  AX,0911      ; execute command
4C19:0098  MOV  DX,[BX]      ; DS:DX points to the command (see below)
4C19:009A  MOV  SI,4647      ; 1st magic value
4C19:009D  MOV  DI,4A4D      ; 2nd magic value
4C19:00A0  INT  3            ; back-door call (if SoftICE is not loaded, jumps to 00AD *)
4C19:00A1  ADD  BX,02        ; BX+2 to point to the next command to execute
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06        ; repeat 6 times to execute
4C19:00A8  JB   0095         ; 6 different commands
4C19:00AA  JMP  0002         ; Bad_Guy: jump back
4C19:00AD  MOV  BX,SP        ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at DS:DX, which
are: LDT, IDT, GDT, TSS, RS and... HBOOT.

* The jump to 00ADh is performed via an exception handler (SEH) when no
  debugger is loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID through INT 2Fh/AX=1684h
(Get VxD API entry point): if the VxD is present, ES:DI receives its API
entry point; otherwise ES:DI is left at the 0:0 the code put there.

        xor     di, di
        mov     es, di                  ; ES:DI = 0:0 before the call
        mov     ax, 1684h
        mov     bx, 0202h               ; VxD ID of WINICE (SICE)
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax                  ; still 0 -> VxD not present
        jnz     SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Identical to the preceding one, except that it looks for the ID of the
SoftICE graphics (video) VxD, SIWVID.

        xor     di, di
        mov     es, di                  ; ES:DI = 0:0 before the call
        mov     ax, 1684h
        mov     bx, 7A5Fh               ; VxD ID of SIWVID
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax                  ; still 0 -> VxD not present
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

A method looking for the 'magic number' 0F386h returned (in AX) by any
system debugger when INT 41h, function 4Fh (debugger installation check),
is called. There are several variants.

The following one is the simplest:

        mov     ax, 4Fh
        int     41h
        cmp     ax, 0F386h
        jz      SoftICE_Detected


This variant and the following method are two examples from Stone's
"stn-wid.zip" (www.cracking.net). Here the INT 41h vector is first pointed
at the program's own IRET handler, so that without a debugger AX is
guaranteed to come back unchanged; SoftICE still answers 0F386h:

        xor     ax, ax
        mov     es, ax                  ; ES = 0 (interrupt vector table)
        mov     bx, cs
        lea     dx, int41handler2
        xchg    dx, es:[41h*4]          ; install own INT 41h handler,
        xchg    bx, es:[41h*4+2]        ; saving the old vector in BX:DX
        mov     ax, 4Fh
        int     41h
        xchg    dx, es:[41h*4]          ; restore the old vector
        xchg    bx, es:[41h*4+2]
        cmp     ax, 0F386h
        jz      SoftICE_Detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

A second method similar to the preceding one, but more difficult to detect
because AX is never set to 4Fh: the program installs an INT 41h handler
that copies AL into CL. If the handler runs, CL equals AL afterwards; if
SoftICE takes the INT 41h instead, CL stays 0 and the comparison fails.

int41handler PROC
        mov     cl, al
        iret
int41handler ENDP


        xor     ax, ax
        mov     es, ax                  ; ES = 0 (interrupt vector table)
        mov     bx, cs
        lea     dx, int41handler
        xchg    dx, es:[41h*4]          ; install own INT 41h handler,
        xchg    bx, es:[41h*4+2]        ; saving the old vector in BX:DX
        in      al, 40h                 ; AL = timer byte (not a function number)
        xor     cx, cx
        int     41h
        xchg    dx, es:[41h*4]          ; restore the old vector
        xchg    bx, es:[41h*4+2]
        cmp     cl, al
        jnz     SoftICE_Detected


_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on INT 68h (V86 mode): function 43h is the
installation check and returns 0F386h in AX when the debugger is present.

        mov     ah, 43h
        int     68h
        cmp     ax, 0F386h
        jz      SoftICE_Detected


=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68

(The function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps.)
__________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting INT 01h and INT 03h and redirecting them to another routine.
It uses INT 21h functions 25h and 35h (set/get interrupt vector); DS:DX
points to the new routine to execute (which hangs the computer...).

        mov     ah, 25h                 ; DOS: set interrupt vector
        mov     al, Int_Number          ; 01h or 03h
        mov     dx, offset New_Int_Routine
        int     21h                     ; DS:DX -> new handler

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (INT 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring-3 app via VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device; it returns that device's Device Description Block
(in ECX) if it is installed.

        mov     eax, Device_ID          ; 202h for SICE or 7A5Fh for SIWVID
        mov     edi, Device_Name        ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov     [DDB], ecx              ; ECX = DDB, or 0 if the VxD is not installed


Note as well that you can easily catch this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________
Method 10
=========

=> Disable or clear your breakpoints before using this feature, and DO NOT
trace with SoftICE while the option is enabled!!

This trick is very efficient: by checking the debug registers you can detect
whether SoftICE is loaded (DR7 = 0x700 if the program was loaded with the
SoftICE loader, 0x400 otherwise) or whether memory breakpoints are set
(DR0 to DR3), simply by reading their values (ring 0 only). The values can
also be manipulated or changed (clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However, it was first used by NuMega to
let Symbol Loader check whether SoftICE was active or not (the code is
located inside nmtrans.dll).

The way it works is very simple: it tries to open handles to the SoftICE
drivers (SICE and SIWVID for Win9x, NTICE for WinNT) with the CreateFileA
API; the open only succeeds when the driver is loaded.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;

    /* Open the SICE device; this succeeds only when the SoftICE VxD is loaded. */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;                    /* SoftICE detected */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall
function) and then walks the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the carry flag to allow
its handle to be opened, and will thus be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


        00401067:  push  00402025          ; "\\.\SICE"
        0040106C:  call  CreateFileA
        00401071:  cmp   eax, -1           ; INVALID_HANDLE_VALUE?
        00401074:  je    00401091          ; not loaded


There are hundreds of BPX you could use to catch this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
        ; esp->4 is lpFileName; +4 skips the "\\.\" prefix

-The most exotic ones (can be very slooooow :-( ):
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push    00                      ; OF_READ
        mov     eax, [00656634]         ; '\\.\SICE',0
        push    eax
        call    KERNEL32!_lopen
        inc     eax                     ; HFILE_ERROR (-1) becomes 0
        jnz     00650589                ; detected
        push    00                      ; OF_READ
        mov     eax, [00656638]         ; '\\.\SICE'
        push    eax
        call    KERNEL32!_lopen
        inc     eax
        jz      006505ae                ; not detected



__________________________________________________________________________

Method 12
=========

This trick is similar to the INT 41h/4Fh debugger installation check
(methods 05 & 06) but very limited, because it is only available on
Win95/98 (not NT) as it uses the VxDCall back door. This detection was
found in the Bleem demo.

        push    0000004Fh               ; function 4Fh (installation check)
        push    002A002Ah               ; high word: which VxD (VWIN32)
                                        ; low word: which service (VWIN32_Int41Dispatch)
        call    Kernel32!ORD_0001       ; VxDCall
        cmp     ax, 0F386h              ; magic number returned by system debuggers
        jz      SoftICE_Detected

Here again, several ways to catch it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to find out whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which read the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-( ).

Useful breakpoint to catch it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
        ; esp->8 is lpSubKey; 0x13 and 0x37 are the offsets of "tICE"
        ; in key #2 and key #1 respectively (key #3 is not covered)
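
The two conditional breakpoints quoted for Method 11 (CreateFileA) and
Method 13 (RegOpenKey) both work by comparing four bytes at a fixed offset
into a string argument. The following C program is an added example, not
code from the original text or from SoftICE: it re-implements those
conditions as plain predicates over constructed argument strings, so the
offset arithmetic (+4 past "\\.\", 0x13 and 0x37 into the registry paths)
can be verified without SoftICE. The function names are this example's own,
and the "observed" arguments are made up for the demonstration.

```c
/*
 * Added example: the SoftICE breakpoint conditions from Method 11 and
 * Method 13 as C predicates.
 *
 *   BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
 *   BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 *
 * esp->4 is CreateFileA's lpFileName; +4 skips the "\\.\" prefix.
 * esp->8 is RegOpenKey's lpSubKey (esp->4 is hKey); 0x13 and 0x37 are the
 * offsets of "tICE" in "Software\NuMega\SoftICE" and in
 * "Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE".
 * Nothing here touches Windows; all inputs are constructed sample strings.
 */
#include <stdio.h>
#include <string.h>

/* Compare the 4 bytes at s+off with a 4-character tag, as *(ptr+off)=='XXXX'
   does in SoftICE. A string that ends before off+4 never matches. */
static int tag_at(const char *s, size_t off, const char *tag)
{
    if (strlen(s) < off + 4)
        return 0;
    return memcmp(s + off, tag, 4) == 0;
}

/* Method 11: lpFileName as passed to CreateFileA (or _lopen). */
int softice_device_open(const char *lpFileName)
{
    return tag_at(lpFileName, 4, "SICE")     /* \\.\SICE   (Win9x) */
        || tag_at(lpFileName, 4, "SIWV")     /* \\.\SIWVID (Win9x) */
        || tag_at(lpFileName, 4, "NTIC");    /* \\.\NTICE  (WinNT) */
}

/* Method 13: lpSubKey as passed to RegOpenKey, exactly as the breakpoint
   condition checks it: "tICE" at 0x13 (key #2) or at 0x37 (key #1). */
int softice_regkey_open(const char *lpSubKey)
{
    return tag_at(lpSubKey, 0x13, "tICE") || tag_at(lpSubKey, 0x37, "tICE");
}

/* The fixed offsets miss key #3 (App Paths\Loader32.Exe) and any path that
   is not an exact prefix match. A hook written in C rather than in SoftICE's
   expression syntax can simply search for the SoftICE key names. */
int softice_regkey_open_loose(const char *lpSubKey)
{
    return strstr(lpSubKey, "NuMega\\SoftICE") != NULL
        || strstr(lpSubKey, "Uninstall\\SoftICE") != NULL
        || strstr(lpSubKey, "App Paths\\Loader32.Exe") != NULL;
}

int main(void)
{
    /* Constructed sample arguments, as a hook on the two APIs might see them. */
    static const char *const files[] = {
        "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE", "\\\\.\\COM1", "C:\\readme.txt"
    };
    static const char *const keys[] = {
        "Software\\NuMega\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",
        "Software\\Microsoft\\Windows\\CurrentVersion\\Run"
    };
    size_t i;

    for (i = 0; i < sizeof files / sizeof files[0]; i++)
        printf("CreateFileA(\"%s\") -> %s\n", files[i],
               softice_device_open(files[i]) ? "BREAK" : "pass");
    for (i = 0; i < sizeof keys / sizeof keys[0]; i++)
        printf("RegOpenKey(HKLM, \"%s\") -> bpx:%s loose:%s\n", keys[i],
               softice_regkey_open(keys[i]) ? "BREAK" : "pass",
               softice_regkey_open_loose(keys[i]) ? "BREAK" : "pass");
    return 0;
}
```

Running it shows the three device names and keys #1 and #2 hitting the
breakpoint conditions, key #3 only hitting the loose check, and unrelated
paths passing; the same reasoning applies when writing the condition for any
other string argument, count the offset from the start of the string the
stack slot points to, not from the HKEY_LOCAL_MACHINE root.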
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system
(ring 0 only). The service just checks a flag: on return the zero flag is
set when no debugger is installed.

        VMMCall Test_Debug_Installed
        je      not_installed           ; ZF set -> no debugger

</PRE></TD></TR></TBODY></TABLE>