<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE: if SoftICE is
present it services the int 3 itself and changes al, so the jnz fires.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected
___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911           ; execute command.
4C19:0098 MOV DX,[BX]           ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647           ; 1st magic value.
4C19:009D MOV DI,4A4D           ; 2nd magic value.
4C19:00A0 INT 3                 ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02             ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06             ; Repeat 6 times to execute
4C19:00A8 JB 0095               ; 6 different commands.
4C19:00AA JMP 0002              ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP             ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________
Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(API Get Entry Point); a non-zero ES:DI means the VxD answered:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected
___________________________________________________________________________
Method 04
=========

Method identical to the preceding one, except that it looks for the ID of the
SoftICE GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected
__________________________________________________________________________
Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). A dummy int 41h handler is swapped into the
interrupt vector table around the call, so that without a system debugger the
int 41h simply returns and ax keeps its value:

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP
_________________________________________________________________________
Method 06
=========

2nd method, similar to the preceding one but more difficult to detect: no
function 4Fh and no 0F386h constant appear. The program reads a changing
value from the timer port into al, clears cx and calls int 41h. If its own
handler runs, cl becomes a copy of al; if a system debugger took the int 41h
instead, cl stays 0 and the comparison fails.

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected
_________________________________________________________________________
Method 07
=========

Method of detecting the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________
Method 08
=========

This is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h
__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring 0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________
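The two dr7 values quoted above are opaque constants unless you split them into the architectural fields. The following Python decoder is an added example, not code from the original text: it decodes any DR7 value into the L0-L3/G0-G3 enable bits, LE/GE, GD and the R/Wn and LENn condition fields (the layout is the x86 architectural one, where bit 10 is reserved and reads as 1), so it goes a little beyond the text by also showing which slot a memory breakpoint occupies and what kind it is. The function names and the third sample value are my own.

```python
"""Decode DR7 so that the values Method 10 reads can be interpreted.

Added example, not part of the original text. Field layout is the x86
architectural definition of DR7:
  bits 0..7   L0,G0,L1,G1,L2,G2,L3,G3  (local/global enable per slot)
  bit 8,9     LE, GE                   (exact breakpoint enables)
  bit 10      reserved, reads as 1
  bit 13      GD                       (general detect)
  bits 16..31 R/W0,LEN0 ... R/W3,LEN3  (condition and size per slot)
"""

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7: int) -> dict:
    """Split a DR7 value into its architectural fields."""
    slots = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        slots.append({
            "slot": n,
            "local": local,
            "global": glob,
            "enabled": local or glob,
            "kind": RW_KIND[rw],
            "length": LEN_BYTES[ln],
        })
    return {
        "slots": slots,
        "le": bool((dr7 >> 8) & 1),
        "ge": bool((dr7 >> 9) & 1),
        "reserved_bit10": bool((dr7 >> 10) & 1),
        "gd": bool((dr7 >> 13) & 1),
    }


def armed_breakpoints(dr7: int) -> list:
    """Return the slots that a BPM-style hardware breakpoint occupies."""
    return [s for s in decode_dr7(dr7)["slots"] if s["enabled"]]


def classify(dr7: int) -> str:
    """Apply the rule of thumb from the text: 0x700 with the SoftICE
    loader, 0x400 otherwise, anything with enable bits means a BPM."""
    fields = decode_dr7(dr7)
    if armed_breakpoints(dr7):
        return "hardware breakpoints armed (BPM set)"
    if fields["le"] and fields["ge"]:
        return "LE/GE set, no breakpoints (0x700: loaded via SoftICE loader)"
    return "only the reserved bit set (0x400: plain environment)"


# Constructed sample values: the two quoted in the text plus one with a
# local, read/write, 4-byte breakpoint in slot 0 (L0=1, R/W0=11b, LEN0=11b).
SAMPLES = {"plain": 0x400, "loader": 0x700, "bpm": 0x000F0401}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"{label:7s} dr7=0x{value:08X}: {classify(value)}")
        for s in armed_breakpoints(value):
            print(f"        slot {s['slot']}: {s['kind']}, {s['length']} byte(s)")
```

Reading the registers this way needs ring 0, exactly as the text says; the decoder only interprets values you already obtained.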
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE when the \\.\SICE device can be opened, i.e. the driver is loaded. */
BOOL IsSoftIce95Loaded(void)
{
        HANDLE hFile;
        hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                            FILE_SHARE_READ | FILE_SHARE_WRITE,
                            NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if( hFile != INVALID_HANDLE_VALUE )
        {
                CloseHandle(hFile);
                return TRUE;
        }
        return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
*(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
;will break 3 times :-(

-or (a bit) faster:
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
;will break 3 times :-(

-Much faster:
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',00
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected
__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods 05
& 06) but very limited, because it is only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

BPINT 41 if ax==4f

BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
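Most of the tricks above leave fixed byte patterns in the file: the 'BCHK' immediate of method 01, the 4647h/4A4Dh magic values of method 02, the int 41h/4Fh call and the 0F386h comparison of methods 05 and 12, the \\.\SICE, \\.\SIWVID and \\.\NTICE device names of method 11, and the NuMega registry key of method 13. The following Python scanner is an added example (not code from the original text) that searches a raw image for those patterns so an analyst can triage a packed program before running it. The opcode bytes are the standard x86 encodings (B8+r for mov r16,imm16, BD for mov ebp,imm32, CD for int, 3D for cmp ax,imm16); the 16-bit encoding is assumed for the DOS idioms and the 32-bit one for the BCHK idiom, and the sample image is constructed by hand.

```python
"""Static triage scanner for the SoftICE-detection idioms described above.

Added example, not code from the original text. Every pattern is derived
from an instruction or string quoted in the text; opcode bytes are the
standard x86 encodings. DOS idioms are assumed in 16-bit code, the
BoundsChecker idiom in 32-bit code.
"""
import re
import struct

SIGNATURES = [
    # Method 01: mov ebp, 04243484Bh ('BCHK'), followed within 16 bytes by int 3
    ("method01 BoundsChecker 'BCHK' signature",
     re.compile(rb"\xBD" + re.escape(struct.pack("<I", 0x4243484B))
                + rb".{0,16}?\xCC", re.S)),
    # Method 02: mov si,4647h / mov di,4A4Dh (SoftICE back door magic values)
    ("method02 SoftICE back door magic SI/DI",
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A", re.S)),
    # Method 05: mov ax,4Fh / int 41h
    ("method05 int 41h/4Fh debugger check",
     re.compile(rb"\xB8\x4F\x00\xCD\x41", re.S)),
    # Methods 05/12: cmp ax,0F386h (magic number returned by system debuggers)
    ("method05/12 cmp ax,0F386h magic number",
     re.compile(rb"\x3D\x86\xF3", re.S)),
    # Method 11: MeltICE device names handed to CreateFileA / _lopen
    ("method11 MeltICE device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00", re.S)),
    # Method 13: registry probe for the installation directory
    ("method13 SoftICE registry key",
     re.compile(rb"Software\\NuMega\\SoftICE", re.I)),
]


def scan(image: bytes) -> list:
    """Return (offset, description) pairs for every signature hit, by offset."""
    hits = []
    for name, pattern in SIGNATURES:
        for m in pattern.finditer(image):
            hits.append((m.start(), name))
    return sorted(hits)


def summarize(image: bytes) -> dict:
    """Count hits per signature, a convenient triage verdict per file."""
    counts = {}
    for _, name in scan(image):
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample image (not taken from any real binary): NOP filler
# around hand-assembled fragments of the tricks.
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42"            # mov ebp, 04243484Bh   (method 01)
    + b"\x66\xB8\x04\x00"                # mov ax, 4
    + b"\xCC"                            # int 3
    + b"\x3C\x04"                        # cmp al, 4
    + b"\x90" * 8
    + b"\xB8\x11\x09"                    # mov ax, 0911h         (method 02)
    + b"\xBE\x47\x46"                    # mov si, 4647h
    + b"\xBF\x4D\x4A"                    # mov di, 4A4Dh
    + b"\xCC"                            # int 3
    + b"\x90" * 8
    + b"\xB8\x4F\x00\xCD\x41"            # mov ax,4Fh / int 41h  (method 05)
    + b"\x3D\x86\xF3"                    # cmp ax, 0F386h
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"                  # device name           (method 11)
    + b"Software\\NuMega\\SoftICE\x00"   # registry key          (method 13)
)

if __name__ == "__main__":
    for offset, what in scan(SAMPLE):
        print(f"0x{offset:04X}  {what}")
```

Run it on a real file with `scan(open(path, "rb").read())`; a hit only says the idiom's bytes are present, so confirm each one in a disassembler, exactly as the BPX conditions above confirm the trick at run time.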