<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3 ; SoftICE answers the BoundsChecker probe by modifying AL
 cmp al,4 ; AL still 4 -> nobody answered
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

 xor di,di
 mov es,di ; ES:DI = 0 before the call
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point (still 0 if the VxD is absent)
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID):

 xor di,di
 mov es,di ; ES:DI = 0 before the call
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point (still 0 if the VxD is absent)
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; install a dummy int 41h handler (es must address
 xchg bx, es:[41h*4+2] ; the interrupt vector table); old vector kept in bx:dx
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h ; only a debugger sitting above the IVT changes ax
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al ; our handler just copies al into cl
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax ; es = 0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4] ; swap in our handler, old vector kept in bx:dx
 xchg bx, es:[41h*4+2]
 in al, 40h ; al = a varying value from the timer port
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp cl,al ; cl == al only if our own handler really ran
 jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
app like this:
 BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

 mov ah, 25h ; DOS: set interrupt vector
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine ; ds:dx -> the new handler
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed:

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

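Reading DR7 by hand is error-prone, so here is an added example (not part of the original text) that decodes a DR7 value into the pieces this trick looks at: the local/global enable bits, the R/W and LEN fields of dr0 to dr3 (the registers SoftICE's BPMs occupy), and the LE/GE bits that account for the 0x700 versus 0x400 values quoted above. The bit layout is the standard x86 one; the classify() labels are this example's own reading of the text, not SoftICE's.

```python
"""Decode an x86 DR7 value the way the Method 10 check has to read it.

Added example, not from the original text. Bit layout per the Intel manual:
  bits 0-7   L0,G0,L1,G1,L2,G2,L3,G3  (local/global enable for dr0..dr3)
  bit 8 LE, bit 9 GE                  (exact breakpoint enables)
  bit 10     reserved, reads as 1     (this is where the 0x400 comes from)
  bit 13     GD                       (general detect: trap on DRn access)
  bits 16+4n R/Wn, bits 18+4n LENn    (condition and size for dr n)
"""

RW_KIND = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}


def decode_dr7(dr7: int) -> dict:
    """Return the armed debug registers plus the LE/GE/GD flags."""
    armed = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if not (local or glob):
            continue  # dr n is not armed, its R/W and LEN fields are irrelevant
        rw = (dr7 >> (16 + 4 * n)) & 0b11
        ln = (dr7 >> (18 + 4 * n)) & 0b11
        armed.append({
            "reg": f"dr{n}",
            "local": bool(local),
            "global": bool(glob),
            "kind": RW_KIND[rw],
            "length": LEN_BYTES[ln],
        })
    return {
        "breakpoints": armed,
        "le": bool((dr7 >> 8) & 1),
        "ge": bool((dr7 >> 9) & 1),
        "gd": bool((dr7 >> 13) & 1),
    }


def classify(dr7: int) -> str:
    """Label a DR7 value the way the text reads it (labels are this example's)."""
    info = decode_dr7(dr7)
    if info["breakpoints"]:
        return "bpm-armed"        # dr0..dr3 in use: memory breakpoints are set
    if info["le"] and info["ge"]:
        return "softice-loader"   # 0x700: LE and GE set, per the text
    if (dr7 & ~(1 << 10)) == 0:
        return "idle"             # 0x400: only the reserved bit reads as 1
    return "other"


if __name__ == "__main__":
    # 0xD0003 is a constructed value: dr0 armed (L0+G0), write, 4 bytes.
    for value in (0x400, 0x700, 0x000D0003):
        print(f"dr7={value:#010x}: {classify(value)} {decode_dr7(value)}")
```

The decoder ignores R/W and LEN for registers whose enable bits are clear, which is how a check for "are there BPMs set" should behave: stale fields in a disarmed slot are not a breakpoint.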
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the device name succeeds only if the SICE VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001 ; INVALID_HANDLE_VALUE
 00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax ; HFILE_ERROR (-1) becomes 0
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32),
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected


Here again, several ways to detect it:

 BPINT 41 if ax==4f
 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

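The breakpoints listed under Methods 11, 12 and 13 catch these tricks at run time inside SoftICE. As an added example (not from the original text, nor from any of the programs it names), here is a small static triage script that does the complementary job on a file: it searches for the fixed immediates, interrupt sequences and driver/registry strings that Methods 01, 02, 03, 04, 05, 07, 08, 11, 12 and 13 need. The byte encodings are the standard 16-bit ones (in 32-bit code a 66h prefix precedes the same bytes and does not break the match); the sample buffer is constructed here, not taken from any real binary.

```python
"""Static triage of a binary for the SoftICE detection tricks above.

Added example; not from the original text. Each signature is the byte
encoding of an instruction or string the corresponding method needs.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    method: str     # section number in the text above
    note: str
    pattern: bytes  # literal byte sequence


# Immediates are little-endian, so 'BCHK' (4243484Bh) is stored as "KHCB".
SIGNATURES = [
    Signature("01", "mov ebp,4243484Bh ('BCHK') BoundsChecker probe", b"\xbd\x4b\x48\x43\x42"),
    Signature("02", "mov si,4647h backdoor magic", b"\xbe\x47\x46"),
    Signature("02", "mov di,4A4Dh backdoor magic", b"\xbf\x4d\x4a"),
    Signature("03", "mov bx,0202h ; int 2Fh (SICE VxD ID)", b"\xbb\x02\x02\xcd\x2f"),
    Signature("04", "mov bx,7A5Fh ; int 2Fh (SIWVID VxD ID)", b"\xbb\x5f\x7a\xcd\x2f"),
    Signature("05", "mov ax,4Fh ; int 41h", b"\xb8\x4f\x00\xcd\x41"),
    Signature("05", "cmp ax,0F386h debugger magic", b"\x3d\x86\xf3"),
    Signature("07", "mov ah,43h ; int 68h", b"\xb4\x43\xcd\x68"),
    Signature("08", "mov ah,25h ; mov al,01h (hook int 1)", b"\xb4\x25\xb0\x01"),
    Signature("08", "mov ah,25h ; mov al,03h (hook int 3)", b"\xb4\x25\xb0\x03"),
    Signature("11", "MeltICE device name \\\\.\\SICE", b"\\\\.\\SICE"),
    Signature("11", "MeltICE device name \\\\.\\SIWVID", b"\\\\.\\SIWVID"),
    Signature("11", "MeltICE device name \\\\.\\NTICE", b"\\\\.\\NTICE"),
    Signature("12", "push 4Fh ; push 2A002Ah (VWIN32_Int41Dispatch)", b"\x6a\x4f\x68\x2a\x00\x2a\x00"),
    Signature("13", "registry key Software\\NuMega\\SoftICE", b"Software\\NuMega\\SoftICE"),
    Signature("13", "registry key Uninstall\\SoftICE", b"Uninstall\\SoftICE"),
]

# Three-byte patterns are weak on their own; treat them as corroboration only.
WEAK = {"mov si,4647h backdoor magic", "mov di,4A4Dh backdoor magic",
        "cmp ax,0F386h debugger magic"}


def scan(data: bytes) -> list[tuple[int, str, str]]:
    """Return (offset, method, note) for every signature hit, sorted by offset."""
    hits = []
    for sig in SIGNATURES:
        for m in re.finditer(re.escape(sig.pattern), data):
            hits.append((m.start(), sig.method, sig.note))
    return sorted(hits)


def methods_found(data: bytes) -> set[str]:
    """Methods with at least one strong hit, or two weak hits (e.g. SI and DI magic)."""
    strong, weak = set(), {}
    for _, method, note in scan(data):
        if note in WEAK:
            weak[method] = weak.get(method, 0) + 1
        else:
            strong.add(method)
    return strong | {m for m, n in weak.items() if n >= 2}


# Constructed sample: filler plus four of the sequences quoted in the text.
SAMPLE = (
    b"\x90" * 4
    + b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc"  # Method 01: mov ebp,'BCHK' / mov ax,4 / int 3
    + b"\x00" * 3
    + b"\xbe\x47\x46\xbf\x4d\x4a\xcc"              # Method 02: mov si,4647h / mov di,4A4Dh / int 3
    + b"\\\\.\\SICE\x00"                           # Method 11: device name string
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3"          # Method 05: mov ax,4Fh / int 41h / cmp ax,0F386h
)

if __name__ == "__main__":
    for off, method, note in scan(SAMPLE):
        print(f"{off:#06x}  method {method}  {note}")
    print("methods:", sorted(methods_found(SAMPLE)))
```

Run it on a file with scan(open(path, "rb").read()). Matching raw bytes finds the textbook forms only: Method 06 separates the int 41h from its mov, and a packer can move the magic values through other registers, so a miss means nothing while a hit is a good reason to set the corresponding BPX before tracing.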
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only):

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>