<TABLE width=500>; d& s/ Y' Y3 W; g7 b
<TBODY>
7 N3 X% O# A5 b6 {0 W6 w1 `<TR>% M0 b# o& A* P4 f* j# ~3 R5 a
<TD><PRE>Method 01 9 `0 K! Y7 H$ ^& ^9 M
=========& O$ O* ~4 w& J+ y( M
! T% G8 s- X/ [0 VThis method of detection of SoftICE (as well as the following one) is* o! {) G6 Q( S& n
used by the majority of packers/encryptors found on Internet./ T. b( \2 d9 d( t% L* g
It seeks the signature of BoundsChecker in SoftICE8 N; J/ X# |: n. f
& `$ C" F' l2 d4 O4 q4 ?+ C; K
mov ebp, 04243484Bh ; 'BCHK'
% a+ \7 @; s& ^" H$ M mov ax, 04h
; g* T6 o w. U8 A: A0 n0 G int 3
* i) m5 ~- B# V9 X4 ~. @ cmp al,4* k* A7 X/ Q- ]9 B* P5 v9 N+ E
jnz SoftICE_Detected
$ s% m0 m9 ]% u2 |$ }6 M$ n
* K1 ^: I& j) S Z( o; K& t! }___________________________________________________________________________
% Y0 D! p# b2 ?; `. Z1 e2 {1 j7 T% @; _2 e0 C P
Method 029 _7 n; y7 C: Q& B: B9 V/ Y# n+ }# Y8 y8 f
=========
" D/ N$ I. V) g
) I3 D0 F5 B/ ]8 i9 {Still a method very much used (perhaps the most frequent one). It is used2 p$ o' M2 C9 ]4 ^
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,; h. ^6 _5 Y6 T. J4 L! V" l% J# N
or execute SoftICE commands...- t4 Q0 E$ W; e* j
It is also used to crash SoftICE and to force it to execute any commands2 e' i$ S8 F# @: T9 `. B
(HBOOT...) :-(( 5 f5 b# D3 K3 C* z. L
9 E$ `) b* K4 j& T
Here is a quick description:. f3 x# K* Z9 l/ h
-AX = 0910h (Display string in SIce windows), ~3 R* P4 [# I6 ]& o) C+ f
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)3 }9 m) v9 I9 d+ S
-AX = 0912h (Get breakpoint infos), A1 H8 v W |1 d- r9 |
-AX = 0913h (Set Sice breakpoints)0 e" c% T% i% u; `
-AX = 0914h (Remove SIce breakoints): D! }. X' j4 O! L$ ~
3 E& p6 g5 [# \7 i! z
Each time you'll meet this trick, you'll see:
1 ]0 A7 `* e/ y; S# d-SI = 4647h' |; G. H/ N1 g1 k* C
-DI = 4A4Dh
! C8 d; s/ k9 t3 \4 [Which are the 'magic values' used by SoftIce.
+ B2 J! q, }9 ]2 ~) qFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.
; R. V0 K9 m* F4 E
2 E$ `: [: N* D; q/ ~% ]Here is one example from the file "Haspinst.exe" which is the dongle HASP; U7 D& t* r' G' j. i
Envelope utility use to protect DOS applications:, O" r4 U# @' Q D- {6 b6 @* M
5 @$ z9 ^. ^! y' L5 N
: o6 y% }% h8 p% j
4C19:0095 MOV AX,0911 ; execute command.
( w" O) R7 e x4 N4 I8 w; L I4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
5 v/ ?9 C8 L! N9 j4 o ?! _4C19:009A MOV SI,4647 ; 1st magic value.
4 u/ Z5 x j, f5 r' i" w4C19:009D MOV DI,4A4D ; 2nd magic value./ t* @3 t9 G9 h# g9 `2 x: |1 t
4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)
+ D) C/ t' b$ r' M' d4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute& y4 H: W# g) n4 G4 |6 G6 r
4C19:00A4 INC CX
2 p s. z4 z: R, p% O) \ M/ J8 {4C19:00A5 CMP CX,06 ; Repeat 6 times to execute* I+ g; U, M" A3 m1 k8 u! d1 b
4C19:00A8 JB 0095 ; 6 different commands.
- K1 Y, N: m; a4C19:00AA JMP 0002 ; Bad_Guy jmp back.
0 D6 }7 S( H) F* T1 G. t5 u* `4C19:00AD MOV BX,SP ; Good_Guy go ahead :): W3 G3 [; j, y7 W/ r
1 E( M+ P$ t7 `: n$ w6 NThe program will execute 6 different SIce commands located at ds:dx, which
; ~5 i% J% `/ j' a* h2 Yare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
" @% q/ m% c0 a+ j, y4 f+ l1 n# q1 o! t, M0 `: i u( b( {
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
6 e: t$ u. F! A! @. @6 b4 t& h___________________________________________________________________________
3 [' y9 ]2 L# l# W& X0 d0 O. q# M$ Z" J0 ^2 G
, E% {" ~, a, D
Method 03
7 B- J" h/ N9 l5 Z=========
0 n2 @% p9 Q/ K5 g6 z. j) e: I; u( z
Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h& X3 q, Z' Q4 H/ {1 ]) t Z( V' k' t
(API Get entry point)
o! J! l7 c8 A% H# h
# f7 b- e# Z; {' o1 g% G! c2 \6 y: j+ Y7 x! I- c4 y# [/ J0 w; h* |. Y
xor di,di9 B" r+ J7 z0 I f) o
mov es,di0 L3 w' {+ I7 ]: J; d% q
mov ax, 1684h : t2 m, Y+ Y' r/ x1 L
mov bx, 0202h ; VxD ID of winice
4 D: F4 [4 G7 M8 q+ P1 z7 m. _2 O1 x) I int 2Fh
9 F+ Q9 x/ r6 Q. x/ L* m$ l mov ax, es ; ES:DI -> VxD API entry point( {2 B: q$ M. }0 Y& `) _$ g
add ax, di
* o# K4 C; p7 z+ U# u8 k3 Q, { test ax,ax4 b P' h) l( n/ J) m6 \
jnz SoftICE_Detected3 N1 H% S. i8 o1 Q N3 F
0 x, O/ ~/ e' K1 R2 E7 C, r0 \; {___________________________________________________________________________
4 r! o, S) w8 N4 x. p# |6 ^9 V1 n0 @ R0 N. O+ s9 f
Method 04: j/ }; t8 b8 V) V) U4 ?
=========
! }+ |3 w& J# w
9 h8 D: a$ l2 i% P8 q5 H- [3 e4 g9 ^0 c/ xMethod identical to the preceding one except that it seeks the ID of SoftICE h) ?( H; [! S8 s6 l8 A
GFX VxD.
5 b/ m6 P7 E4 d
+ {( S3 [1 J, r6 Y xor di,di5 {+ n4 q: H" ^ }) x2 j: C
mov es,di4 R3 F( Z1 i0 @6 s1 c0 f
mov ax, 1684h
0 Q3 d# w- l6 O+ b: J0 H mov bx, 7a5Fh ; VxD ID of SIWVID% R4 M. }% S: [5 ?6 c1 @
int 2fh
1 } {' v5 M T( b2 n& f' r/ ?; f mov ax, es ; ES:DI -> VxD API entry point
% {* p( m. P' R, V' H0 s* l add ax, di8 u( r0 P4 l5 Y; d% B* T2 P
test ax,ax& v @: X% w) t8 t8 F' H% m
jnz SoftICE_Detected2 ~" I' w/ k4 m8 I; `% m
5 I1 {. l: M3 t
__________________________________________________________________________0 P6 n% \. Q& W3 x
8 ]4 u# A" B9 t3 Q3 k0 d
: v7 Y0 e( u5 P/ j" ?* N3 ~5 eMethod 05
2 [$ R/ A0 S$ e5 X1 V; r( D H5 {' a=========- P% `/ [" S, m& z+ w
/ p+ z7 A- Q' ]7 k! i. a! V
Method seeking the 'magic number' 0F386h returned (in ax) by all system
$ T, p) G$ @- ^: {6 B2 udebugger. It calls the int 41h, function 4Fh.
' q! A* f g Y. h# _There are several alternatives. * `- g( q. F% t% h( U
! f! V* f) ?% oThe following one is the simplest:
8 I v$ U. f4 ?1 ]. y; N1 f0 {2 r8 K* w
mov ax,4fh
; q! v! N* i; o9 ? int 41h8 `8 I) ?! n) c |4 ]
cmp ax, 0F386$ ~- G1 S+ V% D
jz SoftICE_detected, k. ]! L- L3 }& C/ W* J
) ]; P. J$ V9 y( b
% Y2 x* d% J6 P3 KNext method as well as the following one are 2 examples from Stone's / _) }; G3 F- v7 k+ p$ ^; Q6 |( }
"stn-wid.zip" (www.cracking.net):# d: B6 U+ t, d4 J! d
z3 g6 j& Y/ C( j1 U, m* ^" Q) ` mov bx, cs: H0 L' ?$ A/ D
lea dx, int41handler2* ^' e8 ^& ]1 m) n( S( y
xchg dx, es:[41h*4]
. d2 }" f# N8 i" q; } xchg bx, es:[41h*4+2]
" g) x( B m1 x/ N2 Y) c7 ^ mov ax,4fh
' m. d5 W" S/ f' g5 _ f t int 41h
' a1 o) H- p* G } xchg dx, es:[41h*4]
+ a2 S9 d6 ?+ n2 V# W$ R xchg bx, es:[41h*4+2]
+ _# m) E! A+ {2 ]. e cmp ax, 0f386h4 z( p8 z8 i7 y, I; O) C
jz SoftICE_detected- Q+ m! R" A3 W5 ~! H! Q* X1 \* b; |
7 z6 L6 U/ D0 g. l1 i
int41handler2 PROC, F; r! M# `; w) _1 x4 V, q
iret
3 _* u2 u' R, I: ]% j% N- Iint41handler2 ENDP
6 |8 |* w ~0 H a! A
6 {& i5 p3 F% o! _7 V( ?
! e3 K, }& Z* }1 G_________________________________________________________________________3 o4 n c( a% V! _
5 t/ I# \3 N( p0 O
) x; ?2 B3 z7 S" O- wMethod 06# }3 ?( z; B! L; `: \* C* s+ j. u6 M
=========; \* ~# Y: Y1 m- G" C) t5 G
2 ~8 z8 z( [7 A8 \
1 Z( x- B+ D& c' n$ ^6 Q- [2nd method similar to the preceding one but more difficult to detect:
) J+ r* o6 X( I1 {+ A( q; o3 [( u9 m! _: I6 J# W* A
4 {) f# S& X1 }; V& Z4 P# z& v4 f
int41handler PROC
7 n" r2 w6 r) M mov cl,al
) f# | a0 C i3 X- n- A5 ? iret
% c. w- i* v, C" t2 Kint41handler ENDP
+ P/ F3 ?" f, _& b
0 w' k- _' k# v+ |/ x; ^8 Y
" M4 n: }! e6 z: u D* x, y xor ax,ax3 K% w" w( k j9 |
mov es,ax
- w( D1 E1 Z @6 n8 x h. H4 d5 @ mov bx, cs0 q4 ]$ Q6 _* l, M9 e
lea dx, int41handler- N& e) |* ] D
xchg dx, es:[41h*4]
& ~' ^/ z: _6 ?% z( p, ? xchg bx, es:[41h*4+2] E9 G; g, h8 I! i
in al, 40h
( v3 o9 J+ U3 f0 y1 b6 t3 N xor cx,cx
- _# X/ n8 E( Z int 41h
8 f* K% G# g4 E xchg dx, es:[41h*4]
- U! T1 c- X2 b* y xchg bx, es:[41h*4+2]
8 T9 `" H: t, _ cmp cl,al
" D R- O7 S, R, H jnz SoftICE_detected
6 V& ^& Z/ Y4 y& q P5 x" B0 p) g9 R8 {, y
_________________________________________________________________________
* j# q' T% z$ f# s; o% R5 w5 j/ ?. R0 ]( K- h) d
Method 07: s3 t6 P) e C# _+ X
=========# ~0 p5 u4 Y4 Z
! M9 _4 z' r8 @Method of detection of the WinICE handler in the int68h (V86)5 D9 j" U3 P. D3 g* q
+ U* U9 _2 n- R( }. K
mov ah,43h
1 _/ j8 n$ W; ^$ S1 q T int 68h! I4 ~7 o- `* a, F
cmp ax,0F386h# N { {( f/ O f* o0 O( d6 `8 @
jz SoftICE_Detected' N6 [: r. s0 V) X4 S8 s
' j) V) P* {3 k8 l# H. c- i. v
- i# K4 ^5 o# k6 ~) C; A
=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit: G* n4 T6 L0 l: o3 c3 t& _% U! i* A
app like this:
( @' X$ O2 [4 l( K# i2 y2 z. z3 \9 n
BPX exec_int if ax==68
: U: i: P( K8 E6 y" l7 \6 p+ s (function called is located at byte ptr [ebp+1Dh] and client eip is
& X% ]9 e3 j# P1 y" \0 u% y located at [ebp+48h] for 32Bit apps)) S1 Q2 K! e$ u
__________________________________________________________________________
$ x. d2 G: v, s1 p9 L* W! h3 v( m- Y6 D% w
$ U5 S* d4 g" t
Method 087 P! y6 Y& u* i1 g- u0 I. c/ `
=========
0 m# A8 W2 } g/ `" }" m; l
* r5 I$ V! I3 N* \& eIt is not a method of detection of SoftICE but a possibility to crash the- g7 q1 ~' U2 Y3 z; t, o) L, g
system by intercepting int 01h and int 03h and redirecting them to another# ], H7 z7 m" z1 @1 r
routine.& w0 Q* ?3 k- S# p( u7 S
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points9 p Z5 J$ ]: J" K# m
to the new routine to execute (hangs computer...)& ~) q4 G% |4 |! S9 b, Z
o. B" c# G" [& x/ @, e
mov ah, 25h
8 {3 s1 R0 X! f( S mov al, Int_Number (01h or 03h)
4 q R8 m$ N5 f3 Z7 n mov dx, offset New_Int_Routine9 s( {4 W7 ]6 I/ _: X3 J7 n7 Z
int 21h
* ^- p9 L( t8 M6 u( m
: @4 O, t7 f# k; }% ~4 Y__________________________________________________________________________4 K) H5 z" ?( r+ m8 u, Z/ h
+ D/ N: K* q7 @5 c' j) bMethod 09
1 Q, ~4 Z+ t( Y' X* G=========
d& |9 H" D6 w) A% d* x9 Q
- r1 k2 F# @& V& [This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
# s, T' M" n( `9 S) a1 I: G* |performed in ring0 (VxD or a ring3 app using the VxdCall).% S! n/ G2 v+ g: b
The Get_DDB service is used to determine whether or not a VxD is installed4 e } u& w9 v4 G u
for the specified device and returns a Device Description Block (in ecx) for
5 h7 S5 v& V7 _1 \" R9 \) v2 hthat device if it is installed.6 E" g% F: D+ z$ G& |
}; g4 @) C( N( @1 P" D* D; ~5 v
mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID$ H4 v" ^- ]) o3 R. Y3 m
mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
$ A6 V6 l- m! v Z" W$ M VMMCall Get_DDB
$ \- ~8 Y! U7 q5 ~8 E mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed+ Z) l, S+ |4 O* D6 A1 l* J7 {) d
, w. x' @6 b! |6 vNote as well that you can easily detect this method with SoftICE:6 O, u1 |( A# J" c0 j/ c8 U; R% i
bpx Get_DDB if ax==0202 || ax==7a5fh8 b0 P8 n! p7 g5 V6 \2 J3 F S
t; G/ @8 Y" v__________________________________________________________________________
3 z5 i) B+ D) H+ q% ~
]. M Q( j' O7 `& yMethod 10
, s0 s: B$ ~! I( e- {3 k3 ^=========8 X6 ^5 v7 j* r4 \, c
& x- Z+ d5 u; U=>Disable or clear breakpoints before using this feature. DO NOT trace with
( N" z. S8 ?$ G) ` Q! t" n SoftICE while the option is enable!!
! S7 o, A4 a N# `: v# s& Z* l' h6 ~+ z; l/ n; b# |4 A& c' o
This trick is very efficient:/ z3 `; Q, F+ ?/ ?* p
by checking the Debug Registers, you can detect if SoftICE is loaded
8 w6 {9 m& O4 X3 d0 \: s(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if% X! S' U' E) p) W% h5 T1 p# k+ m
there are some memory breakpoints set (dr0 to dr3) simply by reading their
6 I0 I/ T( k. a" z. h1 X2 rvalue (in ring0 only). Values can be manipulated and or changed as well; e; x( h7 N3 o7 }6 Q$ h
(clearing BPMs for instance)2 T- w" H; v8 u* Y
( J6 p" M5 ]1 t- x( Y& [
__________________________________________________________________________5 Z. W/ s2 a' j' ^+ K$ I8 C( Y
0 {, o, f: J1 c: Z1 nMethod 119 ~: W2 e# U! d2 E8 c1 z: M: a
=========/ E: | \0 X8 M: I
+ D) c$ M% b, S, d- ^
This method is most known as 'MeltICE' because it has been freely distributed
- j% a& B- V4 gvia www.winfiles.com. However it was first used by NuMega people to allow
5 _& y' N( T) kSymbol Loader to check if SoftICE was active or not (the code is located
4 o: p1 s: x1 x! G( Einside nmtrans.dll).
2 ] a( o$ b6 S4 V6 J2 J. h$ H# R, ?2 b: v9 d, a& w* x4 ?
The way it works is very simple:
; L& C7 b: x9 Z5 k* HIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for/ w+ x& F. b0 ?2 T
WinNT) with the CreateFileA API.% Y. J, l: x, P @$ l; m" d! S1 `3 X
0 T7 q4 H) h8 i8 S) w) |
Here is a sample (checking for 'SICE'):8 ^2 p0 b' {; g. g: B( D5 K9 O: r- l
3 O8 l0 ~4 l4 F+ J3 c% c
BOOL IsSoftIce95Loaded()6 {. Y5 d% Z/ q% h9 k9 c
{
/ E7 P7 ]/ k7 R% M5 w- J HANDLE hFile;
& C4 H! x3 V' m& ^ hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
" e* p: [( s* P, ]0 n FILE_SHARE_READ | FILE_SHARE_WRITE,
- J8 D" S0 ~* b; u6 Z# v! f NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);( x- z# n5 l; k) V& y8 y6 d# C% @
if( hFile != INVALID_HANDLE_VALUE )
7 u& L. O( q: U1 M) P {" m2 _& s, |0 p$ G/ d2 l: G5 b( d# P
CloseHandle(hFile);/ W7 f( J* z! M. {# ~3 S/ G
return TRUE;) h. { a' g) ]
}
?" K: R' {& f% e! T/ V6 F return FALSE;) U" y( A% F/ M7 J
}
4 A) H) ^! O, O* m+ w1 _7 R Z
+ ~1 B3 a- D2 O/ l RAlthough this trick calls the CreateFileA function, don't even expect to be- W8 d7 m* V/ Y4 m) s
able to intercept it by installing a IFS hook: it will not work, no way!- Z8 O1 v! e, `/ @% L* y
In fact, after the call to CreateFileA it will get through VWIN32 0x001F% R7 G8 V6 V6 o6 J2 r' a1 s0 f) B: r
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)" R" b: l" C3 [3 v$ D
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
% a1 V( w, Q8 R2 E! c: sfield.
) G6 h( d* D$ JIn fact, its purpose is not to load/unload VxDs but only to send a
' l% l! I2 ?5 K& p9 GW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE): i; Z# q }: A: Q5 g+ m
to the VxD Control_Dispatch proc (how the hell a shareware soft could try0 } b5 ]. _, k1 h
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
( S) P- m `* L2 I6 R. @* P* u2 rIf the VxD is loaded, it will always clear eax and the Carry flag to allow8 A3 x; ]% O) r# K& p9 t& R
its handle to be opened and then, will be detected.! U* ?/ s' @! c/ _
You can check that simply by hooking Winice.exe control proc entry point
3 w+ I+ V: j& Z; _1 G) mwhile running MeltICE.
! ^ f/ @# t3 @+ |( q# o$ m, N# x1 d$ s$ ]3 z
! F) q. V* g( m% t$ g9 i' T1 I& X5 L
00401067: push 00402025 ; \\.\SICE
; W+ s2 e$ r! _* p 0040106C: call CreateFileA
. B. g8 i8 X+ X4 k# k2 n& S 00401071: cmp eax,-001. k3 n1 P" S/ d: {
00401074: je 00401091) t' \+ U" [( S8 Q" p# l5 X2 B) Q
) L+ ^3 R) o! Y( v) |. H
* B% P5 j8 Z3 Z/ g9 B9 l$ GThere could be hundreds of BPX you could use to detect this trick.
c" ~3 h3 x# k0 E! N" P+ h-The most classical one is:) [. p& r" k' g/ `: h) k1 G9 S3 ?
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
( c" ]# b. r8 P0 e, z9 M *(esp->4+4)=='NTIC'
$ e! J1 [4 O p' m0 S3 V$ N4 V
( \2 O$ \ F$ g+ Z7 q G) H: H-The most exotic ones (could be very slooooow :-(
3 _! ?* n6 a2 J% k BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV') ; z4 Y+ r+ m+ u, |& v5 A3 Y
;will break 3 times :-(6 `; f+ I0 y) ^/ d( Z
( A: ~: j" y, Z; i7 n( v
-or (a bit) faster: , y3 o* [* b2 `* ?" U
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')& v! [* i( w0 k
- Y# q+ Y* \6 y t o! I7 g
BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV' ) T8 n9 [0 r7 S) o2 W( Y( N' T* I
;will break 3 times :-(
- ?+ K+ y# j5 J* f8 k0 u
2 O* P. Z. R3 T# i-Much faster:8 q$ j# f! W9 P6 R
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV') Y% Z; k( l/ O$ S
- Y3 c% K: G0 y) G1 H8 l
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen& x/ m1 C1 f% `" U
function to do the same job:" A* n3 |5 \+ z( u8 y( j
& v* P( Y6 Z: K* H
push 00 ; OF_READ
9 u* b2 O9 e: o. |" j8 y mov eax,[00656634] ; '\\.\SICE',0# k* z4 h. W) D- K- l
push eax
! s4 F) s9 o3 h: m# w6 C& T- n call KERNEL32!_lopen# x* }6 {% L' O
inc eax
8 C2 {* i0 K4 N. \! e0 { jnz 00650589 ; detected
6 r% l- {% h# J& {. _# L push 00 ; OF_READ6 n" u9 w) o1 o4 m- H5 j; B3 `
mov eax,[00656638] ; '\\.\SICE'
$ L& L! N- e( m1 p5 @ push eax+ Z, G( c* s2 i
call KERNEL32!_lopen
' C2 A( p/ U8 [2 Q8 |5 n3 r+ U3 [ inc eax& s* [% O0 U8 u0 U) c
jz 006505ae ; not detected4 T- g2 ?0 i8 u% \; m
! {5 C2 J! e! {+ T* w
' Q1 S6 F7 j' J3 w* O" B
__________________________________________________________________________+ O/ t( }# j. n, e
# D: M& L$ I! _3 i6 b% ]4 AMethod 12% e& l8 N8 L( A( k+ w
=========; N5 ^' i% x4 g2 p7 J* G+ k
$ R! B% s8 n* ?% A$ rThis trick is similar to int41h/4fh Debugger installation check (code 05
5 a$ x2 {2 ]! `! n4 j, L& 06) but very limited because it's only available for Win95/98 (not NT)+ j, a5 s7 @+ `: I$ o$ w
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.* j( w& F* }$ f& ]
% ]5 _; P7 `; `% I l) U' ^: G0 I; r0 k push 0000004fh ; function 4fh
0 l& b+ o& E' D push 002a002ah ; high word specifies which VxD (VWIN32)8 A) I! x. k1 ^" F* D; `# W
; low word specifies which service
' Z2 U: Z1 \0 ~1 T2 A5 q6 a3 I* \1 R (VWIN32_Int41Dispatch)1 H7 d& j" w8 t3 {2 h$ g) V
call Kernel32!ORD_001 ; VxdCall
/ u! h6 }0 b8 ?9 c cmp ax, 0f386h ; magic number returned by system debuggers y# _1 v7 Q3 A
jz SoftICE_detected
; m6 T: @( K- |$ ~& o' u
5 O/ \' j* J2 U/ l1 d7 \Here again, several ways to detect it:
% B/ x0 W( Q/ r2 X: M( x
9 s, c# U5 {" l, f; I BPINT 41 if ax==4f9 Y6 G( Z5 f1 ^( i2 f
( f7 z& d8 _) W% a
BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
1 ]* l. z& U+ U& q" e! ?- k% Y4 |; {( v* b
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A2 R$ a6 ?8 T; N' ]# D. l0 h' t2 J# c) T* b
9 m5 T- V% O8 ]! K, d4 `% f& q
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!/ {, ?5 l* _* j2 g# ?& J
2 H1 ^' L7 `+ f6 Z; ]__________________________________________________________________________
# I% Z; }& Q8 h% l8 E4 U. d) i
6 K( c7 L, M6 |8 m7 O1 lMethod 13+ l0 R3 N3 ~7 A& c" U& m; Q) J% E
=========) J# I1 L: T7 A1 T
E4 U) W( S/ F- N. U0 D+ u X
Not a real method of detection, but a good way to know if SoftICE is
3 _8 ?$ I. y3 }) u# \! _( l' D8 Qinstalled on a computer and to locate its installation directory.: O. _5 L$ ` {9 B" O0 ]
It is used by few softs which access the following registry keys (usually #2) :7 x5 o9 F P& A$ j9 z
7 x# p- q; { f1 W
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion g9 Q- D0 M0 N9 e4 J. Q
\Uninstall\SoftICE
6 R; P* O1 K! M: u-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
% ~ T1 @/ P) C) T) s9 h9 [ E" S-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion. O8 C* [" F i9 ~
\App Paths\Loader32.Exe
# i6 S/ ]/ C& \ P0 w5 ~
; ]* A, X" v4 W
6 I/ [6 _ U; {' }. T$ ?Note that some nasty apps could then erase all files from SoftICE directory3 K' S, ?0 ~4 E* G7 C' X! ^$ T
(I faced that once :-(
* K$ U4 q* G* Q3 r# T5 j
9 o; u# S& a* z7 }/ R8 hUseful breakpoint to detect it:
, G. e* P* \1 f7 L
6 }$ @6 r) i& ]/ w3 O BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'4 d( L( U5 r8 ^8 x
. m( T2 Z% O l5 u9 `0 k" @__________________________________________________________________________
- e+ w8 c* N* r3 Z* I" B$ ~3 |
* A2 P- i, D6 p6 |# h0 s
- n- w8 }9 ^: b9 @& c& L9 ~; ~0 sMethod 14
$ K) R: Z! Q- \9 d=========
& Z( B9 b* t9 [3 {/ W5 s; c$ ^! L$ F* ]2 _
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose# _# N' q2 `' H$ m8 @ ~4 M
is to determines whether a debugger is running on your system (ring0 only).% o9 H) L& P- v9 e/ R9 C+ J& c
3 c% A. f- W- G/ u8 P& q5 d VMMCall Test_Debug_Installed
5 ?) J! c" l! o% D a$ Z% @ je not_installed
7 v) Z) G" b) ?( |1 z% x+ b9 l/ i- F3 F& I g$ e" X+ ^
This service just checks a flag.; f- t+ z' h- `# e* S9 m
</PRE></TD></TR></TBODY></TABLE> |