<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:

-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:

-SI = 4647h
-DI = 4A4Dh

Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911 ; execute command.
    4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647 ; 1st magic value.
    4C19:009D MOV DI,4A4D ; 2nd magic value.
    4C19:00A0 INT 3       ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02   ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06   ; Repeat 6 times to execute
    4C19:00A8 JB 0095     ; 6 different commands.
    4C19:00AA JMP 0002    ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP   ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h ; VxD ID of winice
    int 2Fh
    mov ax, es    ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh ; VxD ID of SIWVID
    int 2fh
    mov ax, es    ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax             ; es = 0 (interrupt vector table)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]   ; install our own int 41h handler
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]   ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h            ; random-ish value from the timer
    xor cx,cx
    int 41h               ; our handler copies al into cl, SoftICE's does not
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method detecting the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), and ds:dx
points to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number            ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring 0 (a VxD, or a ring-3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns the Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring 0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

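To make the two dr7 values quoted above concrete, here is an added Python decoder of the DR7 bit layout; it is not part of the original text. The bit positions (L0..G3, LE, GE, GD, R/Wn, LENn, reserved bit 10) are the documented IA-32 ones, and the sample register values it is run on are constructed, not taken from a real machine.

```python
# Added example, not part of the original text: decode the IA-32 DR7 debug
# control register into its named fields so that values such as 0x700 (loaded
# through the SoftICE loader) and 0x400 (otherwise) can be read off directly.
# Bit positions follow the architecture manual; the sample values are constructed.

from dataclasses import dataclass, field
from typing import Dict, List, Sequence

# R/W encodings per breakpoint (bits 16-17, 20-21, 24-25, 28-29)
RW_TYPES = {0: "execute", 1: "write", 2: "io (needs CR4.DE)", 3: "read/write"}
# LEN encodings per breakpoint (bits 18-19, 22-23, 26-27, 30-31); 8 bytes is 64-bit only
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}

RESERVED_BIT10 = 1 << 10   # always reads as 1; on its own it gives the 0x400 value


@dataclass
class Dr7:
    raw: int
    local_exact: bool                      # LE, bit 8
    global_exact: bool                     # GE, bit 9
    general_detect: bool                   # GD, bit 13
    breakpoints: List[Dict] = field(default_factory=list)


def decode_dr7(value: int) -> Dr7:
    """Split a DR7 value into control flags and the enabled breakpoint slots."""
    dr7 = Dr7(
        raw=value,
        local_exact=bool(value & (1 << 8)),
        global_exact=bool(value & (1 << 9)),
        general_detect=bool(value & (1 << 13)),
    )
    for n in range(4):
        local_en = bool(value & (1 << (2 * n)))       # L0..L3
        global_en = bool(value & (1 << (2 * n + 1)))  # G0..G3
        if not (local_en or global_en):
            continue
        rw = (value >> (16 + 4 * n)) & 0b11
        ln = (value >> (18 + 4 * n)) & 0b11
        dr7.breakpoints.append({
            "index": n,
            "scope": "global" if global_en else "local",
            "type": RW_TYPES[rw],
            "length": LEN_BYTES[ln],
        })
    return dr7


def classify(dr7_value: int, dr0_to_dr3: Sequence[int] = (0, 0, 0, 0)) -> List[str]:
    """Describe what a ring-0 reader of the debug registers would conclude."""
    d = decode_dr7(dr7_value)
    findings: List[str] = []
    if d.local_exact and d.global_exact and not d.breakpoints:
        findings.append("LE and GE set, no breakpoint enabled: the 0x700 case (loaded via SoftICE loader)")
    for bp in d.breakpoints:
        findings.append(
            f"DR{bp['index']} {bp['scope']} {bp['type']} breakpoint, "
            f"{bp['length']} byte(s) at {dr0_to_dr3[bp['index']]:#010x}"
        )
    if d.general_detect:
        findings.append("GD set: any MOV to/from a debug register raises #DB")
    if not findings:
        findings.append("no debugger state visible (0x400 reads as just the reserved bit 10)")
    return findings


if __name__ == "__main__":
    # constructed values: plain, SoftICE-loader, and one 4-byte write BPM in DR0
    for v in (0x400, 0x700, RESERVED_BIT10 | 1 | (1 << 16) | (3 << 18)):
        print(f"dr7={v:#x}: " + "; ".join(classify(v, (0x401000, 0, 0, 0))))
```

The decoder only interprets a value; obtaining the registers still requires ring 0, as the text says. Note that a protected program reading dr0..dr3 sees exactly the fields decoded here, which is why clearing BPMs before stepping through such a check matters.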
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025 ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00              ; OF_READ
    mov eax,[00656634]   ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589         ; detected
    push 00              ; OF_READ
    mov eax,[00656638]   ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae          ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06), but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh         ; function 4fh
    push 002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001 ; VxdCall
    cmp ax, 0f386h         ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
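As an added example that is not part of the original text, here is a small Python scanner that flags the detection patterns from methods 01 to 13 in a raw binary image, the sort of static triage a defender or analyst does before stepping through a protected program. The byte patterns are the standard x86 encodings of the instructions and constants quoted in the text ('BCHK', 4647h/4A4Dh, int 2Fh/1684h with VxD IDs 0202h and 7A5Fh, int 41h/4Fh, the 0F386h magic answer, int 68h/43h, the 002A002Ah VxDCall pair, the \\.\SICE, \\.\SIWVID and \\.\NTICE device names and the NuMega registry key); the sample buffer at the bottom is constructed here and is not a real file.

```python
# Added example, not from the original text: static scanner for the SoftICE
# detection patterns described in methods 01-13. Patterns are the standard
# x86 encodings of the quoted instructions; the sample buffer is constructed.

import re
from typing import List, Tuple

# name -> regex over raw bytes. The optional \x66 is the operand-size prefix
# a 16-bit form carries when it appears inside 32-bit code.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    "method01_boundschecker": re.compile(rb"\xbd\x4b\x48\x43\x42.{0,16}?\xcc", re.S),
    # Method 02: mov si,4647h / mov di,4A4Dh magic values before int 3
    "method02_backdoor_magic": re.compile(rb"\xbe\x47\x46.{0,8}?\xbf\x4d\x4a.{0,8}?\xcc", re.S),
    # Methods 03/04: mov ax,1684h ... mov bx,0202h|7A5Fh ... int 2Fh
    "method03_04_int2f_1684": re.compile(
        rb"\x66?\xb8\x84\x16.{0,8}?\xbb(?:\x02\x02|\x5f\x7a).{0,8}?\xcd\x2f", re.S),
    # Methods 05/06: mov ax,4Fh ... int 41h
    "method05_int41_4f": re.compile(rb"\x66?\xb8\x4f\x00.{0,8}?\xcd\x41", re.S),
    # Methods 05/07/12: cmp ax,0F386h (magic answer of system debuggers)
    "magic_f386_compare": re.compile(rb"\x66?\x3d\x86\xf3"),
    # Method 07: mov ah,43h ... int 68h
    "method07_int68": re.compile(rb"\xb4\x43.{0,8}?\xcd\x68", re.S),
    # Method 12: push 4Fh / push 002A002Ah right before VxDCall
    "method12_vxdcall_int41dispatch": re.compile(rb"\x6a\x4f\x68\x2a\x00\x2a\x00"),
    # Methods 11/13: device names and registry key used by MeltICE-style checks
    "method11_device_name": re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    "method13_registry_key": re.compile(rb"Software\\NuMega\\SoftICE", re.I),
}


def scan(data: bytes) -> List[Tuple[str, int]]:
    """Return (signature name, offset) for every match, sorted by offset."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in pattern.finditer(data):
            hits.append((name, m.start()))
    return sorted(hits, key=lambda h: (h[1], h[0]))


def build_sample() -> bytes:
    """Constructed buffer mixing a few of the patterns with NOP filler."""
    filler = b"\x90" * 8
    # mov ebp,4243484Bh / mov ax,4 / int 3 / cmp al,4 / jnz (32-bit code)
    m01 = bytes.fromhex("bd4b484342" "66b80400" "cc" "3c04" "7500")
    # mov ah,43h / int 68h / cmp ax,0F386h / jz (16-bit code)
    m07 = bytes.fromhex("b443" "cd68" "3d86f3" "7400")
    # push 4Fh / push 002A002Ah / call rel32 / cmp ax,0F386h / jz (32-bit code)
    m12 = bytes.fromhex("6a4f" "682a002a00" "e800000000" "663d86f3" "7400")
    strings = b"\\\\.\\SICE\x00" + b"\\\\.\\NTICE\x00" + b"Software\\NuMega\\SoftICE\x00"
    return filler + m01 + filler + m07 + filler + m12 + filler + strings


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for name, off in scan(data):
        print(f"{off:#010x}  {name}")
```

Run it with a file path to scan a real image, or without arguments to scan the constructed sample. The instruction signatures chain two or three encodings on purpose: a lone `int 41h` or `cmp ax,0F386h` is too short to be meaningful on its own, so the scanner asks for the set-up instruction within a few bytes, and a hit is a lead to examine in the debugger, not a verdict. Strings stored as UTF-16 or built at run time (as the _lopen variant above loads its pointer from memory) are not caught by the ASCII patterns.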