<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface of SoftICE: when int 3 is executed
with the 'BCHK' signature in EBP and AX=4, a loaded SoftICE changes AL.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

        4C19:0095 MOV AX,0911      ; execute command.
        4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
        4C19:009A MOV SI,4647      ; 1st magic value.
        4C19:009D MOV DI,4A4D      ; 2nd magic value.
        4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*).
        4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute.
        4C19:00A4 INC CX
        4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
        4C19:00A8 JB 0095          ; 6 different commands.
        4C19:00AA JMP 0002         ; Bad_Guy jmp back.
        4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========
Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h        ; VxD ID of winice
        int 2Fh
        mov ax, es           ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh        ; VxD ID of SIWVID
        int 2fh
        mov ax, es           ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]      ; es:[41h*4] is the int 41h vector, so ES must be 0 here
        xchg bx, es:[41h*4+2]    ; the old vector is saved in DX:BX
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]      ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax                ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]      ; install our handler, save the old vector in DX:BX
        xchg bx, es:[41h*4+2]
        in al, 40h               ; read the PIT counter: a hard-to-predict value
        xor cx,cx
        int 41h                  ; our handler copies AL to CL; if a debugger
                                 ; intercepts int 41h before the IVT, it never runs
        xchg dx, es:[41h*4]      ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:
        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========
It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
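As an added example (not part of the original document), here is a C decoder for the DR7 layout that makes the 0x400 / 0x700 values quoted above concrete. The bit positions are from the Intel SDM; the helper names are my own.

```c
#include <stdint.h>

/* Decoded view of DR7 (Intel SDM layout): L0/G0..L3/G3 in bits 0-7, LE bit 8,
 * GE bit 9, bit 10 always reads as 1, GD bit 13, and per-breakpoint R/W (2 bits)
 * and LEN (2 bits) fields starting at bit 16. */
struct dr7_info {
    int enabled[4];   /* DRn armed: local or global enable bit set */
    int rw[4];        /* 0 = execute, 1 = write, 2 = I/O (with CR4.DE), 3 = read/write */
    int len[4];       /* 0 = 1 byte, 1 = 2 bytes, 2 = 8 bytes (undefined on 32-bit), 3 = 4 bytes */
    int le, ge, gd;   /* local exact, global exact, general detect */
    int n_enabled;    /* how many of DR0..DR3 are armed */
};

struct dr7_info decode_dr7(uint32_t dr7)
{
    struct dr7_info d = {{0}};
    int i;
    for (i = 0; i < 4; i++) {
        d.enabled[i] = ((dr7 >> (2 * i)) & 3) ? 1 : 0;   /* Ln | Gn */
        d.rw[i]  = (dr7 >> (16 + 4 * i)) & 3;
        d.len[i] = (dr7 >> (18 + 4 * i)) & 3;
        d.n_enabled += d.enabled[i];
    }
    d.le = (dr7 >> 8) & 1;
    d.ge = (dr7 >> 9) & 1;
    d.gd = (dr7 >> 13) & 1;
    return d;
}

/* The page's two reference values: 0x400 is the reset value (only the always-one
 * bit 10), 0x700 adds LE and GE. Returns 1 when both exact-match bits are set,
 * the state the text attributes to a program started through the SoftICE loader. */
int dr7_shows_softice_loader(uint32_t dr7)
{
    struct dr7_info d = decode_dr7(dr7);
    return d.le && d.ge;
}

/* Returns 1 when any hardware breakpoint (a BPM in SoftICE terms) is armed. */
int dr7_has_memory_breakpoint(uint32_t dr7)
{
    return decode_dr7(dr7).n_enabled > 0;
}
```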

___________________________________________________________________________

Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE if the SICE device (SoftICE for Win9x) can be opened. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* "\\\\.\\SICE" is the device name \\.\SICE once the C escapes are resolved. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        /* The open only succeeds when the driver is loaded and answers DIOC_OPEN. */
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025        ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(
-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                    ; OF_READ
        mov eax,[00656634]         ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589               ; detected
        push 00                    ; OF_READ
        mov eax,[00656638]         ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae                ; not detected

__________________________________________________________________________

Method 12
=========
This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh        ; function 4fh
        push 002a002ah        ; high word specifies which VxD (VWIN32),
                              ; low word specifies which service
                              ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001 ; VxDCall
        cmp ax, 0f386h        ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:
        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386                 ; SoftICE must be loaded for this one
        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
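The checks in Methods 01 to 12 leave recognisable byte sequences in a binary; as an added example (not part of the original document), this C scanner looks for those encodings in a buffer, which is how an analyst would flag a sample that carries them. The opcode bytes are derived from the instructions quoted above (16-bit real-mode encodings, 32-bit for Method 12); the signature names, the wildcard handling and the constructed test input are my own.

```c
#include <stddef.h>
#include <string.h>

#define ANY 0x100   /* wildcard: matches any single byte */

struct sig { const char *method; const unsigned short *pat; size_t len; };

/* Method 01: mov ebp,4243484Bh ('BCHK') ; mov ax,4  -> BD 4B 48 43 42 B8 04 00 (16- or 32-bit) */
static const unsigned short m01[] = {0xBD,0x4B,0x48,0x43,0x42, 0xB8,0x04,0x00};
/* Method 02: mov si,4647h ; mov di,4A4Dh ; int 3      -> BE 47 46 BF 4D 4A CC */
static const unsigned short m02[] = {0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC};
/* Method 03/04: mov ax,1684h ; mov bx,<VxD ID> ; int 2Fh -> B8 84 16 BB ?? ?? CD 2F */
static const unsigned short m03[] = {0xB8,0x84,0x16, 0xBB,ANY,ANY, 0xCD,0x2F};
/* Method 05: mov ax,4Fh ; int 41h ; cmp ax,0F386h    -> B8 4F 00 CD 41 3D 86 F3 */
static const unsigned short m05[] = {0xB8,0x4F,0x00, 0xCD,0x41, 0x3D,0x86,0xF3};
/* Method 07: mov ah,43h ; int 68h ; cmp ax,0F386h    -> B4 43 CD 68 3D 86 F3 */
static const unsigned short m07[] = {0xB4,0x43, 0xCD,0x68, 0x3D,0x86,0xF3};
/* Method 11 (MeltICE): the device name \\.\SICE as raw bytes */
static const unsigned short m11[] = {'\\','\\','.','\\','S','I','C','E'};
/* Method 12 (32-bit): push 4Fh ; push 002A002Ah      -> 6A 4F 68 2A 00 2A 00 */
static const unsigned short m12[] = {0x6A,0x4F, 0x68,0x2A,0x00,0x2A,0x00};

#define SIG(name, arr) { name, arr, sizeof(arr) / sizeof((arr)[0]) }
static const struct sig sigs[] = {
    SIG("Method 01 (BCHK / int 3)", m01),        SIG("Method 02 (int 3 backdoor)", m02),
    SIG("Method 03/04 (int 2Fh/1684h)", m03),    SIG("Method 05 (int 41h/4Fh)", m05),
    SIG("Method 07 (int 68h/43h)", m07),         SIG("Method 11 (MeltICE)", m11),
    SIG("Method 12 (VxDCall Int41Dispatch)", m12),
};

/* Does pattern pat match the bytes at buf (avail bytes remaining)? */
static int match_at(const unsigned char *buf, size_t avail,
                    const unsigned short *pat, size_t len)
{
    size_t i;
    if (avail < len) return 0;
    for (i = 0; i < len; i++)
        if (pat[i] != ANY && buf[i] != pat[i]) return 0;
    return 1;
}

/* Scan buf[0..n) and store the name of each signature found (once each) in hits,
 * up to max entries, in table order. Returns the number of signatures found. */
int scan_softice_checks(const unsigned char *buf, size_t n, const char **hits, int max)
{
    int found = 0;
    size_t s, off;
    for (s = 0; s < sizeof(sigs) / sizeof(sigs[0]) && found < max; s++)
        for (off = 0; off < n; off++)
            if (match_at(buf + off, n - off, sigs[s].pat, sigs[s].len)) {
                hits[found++] = sigs[s].method;
                break;
            }
    return found;
}
```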

__________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-( )

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>