<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface inside SoftICE: with ebp='BCHK'
and ax=4, the int 3 is serviced by SoftICE, which answers by changing al;
without SoftICE the int 3 returns with ax untouched (al still 4).
When no debugger is loaded the int 3 must not fault: DOS programs rely on
the default int 3 vector (an iret), Win32 programs wrap it in their own
exception handler.

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description (function number in AX):
-AX = 0910h (Display string in SoftICE window)
-AX = 0911h (Execute SoftICE command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' (ASCII 'FG' and 'JM') SoftICE checks before
it honours the request; an int 3 with any other SI/DI is treated as an
ordinary breakpoint.

For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH (the program's own int 3
handler) if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It asks for the SoftICE VxD's API entry point via
int 2Fh/1684h (Get Device API Entry Point): a non-zero ES:DI means the VxD
with that ID is loaded. ES:DI is zeroed first so that a service which leaves
them untouched still yields zero.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it asks for the ID of the
SoftICE GFX VxD (SIWVID).

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh (debugger installation check).
There are several variants.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected


The next snippet, as well as the one under Method 06, are 2 examples from
Stone's "stn-wid.zip" (www.cracking.net). It installs a dummy int 41h
handler in the interrupt vector table for the duration of the call: if ax
still comes back as 0F386h, the answer came from something sitting in front
of the vector table (SoftICE), not from the dummy handler.

 xor ax,ax
 mov es,ax ; es = 0 -> the real-mode IVT (needed for es:[41h*4])
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; swap in our handler (old offset -> dx,
 xchg bx, es:[41h*4+2] ; old segment -> bx)
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect: the
temporary handler copies the (pseudo-random) value of al into cl. If SoftICE
intercepts int 41h the handler never runs, cl stays at zero and cl!=al.
There is no fixed function number (ax=4Fh) to put a conditional breakpoint
on, hence "more difficult to detect". Note that cl and al are trivially
equal when the byte read from the timer is zero, so the check can miss.

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax ; es = 0 -> IVT
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h ; pseudo-random byte from the PIT channel 0 counter
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86 mode):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

 BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a method of detection of SoftICE but a way to crash the system
by intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...).

 mov ah, 25h ; set interrupt vector
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine ; ds must hold the routine's segment
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it can only
be performed in ring 0 (from a VxD, or from a ring 3 app through VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
 SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE Loader, 0x400 otherwise;
bit 10 of dr7 is reserved and always reads as 1, which is where the 0x400
comes from) or if there are some memory breakpoints set (dr0 to dr3),
simply by reading their values (ring 0 only: mov from a debug register is
a privileged instruction). Values can be manipulated and changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
 HANDLE hFile;
 /* "\\\\.\\SICE" in C source is the device path \\.\SICE at run time */
 hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile);
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 service
0x001F, _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall), and then
browse the DDB list until it finds the VxD and its DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001 ; INVALID_HANDLE_VALUE
 00401074: je 00401091 ; not loaded


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'
 (esp->4 is the lpFileName argument; +4 skips the 4-character "\\.\"
 prefix so the dword compare lands on the device name)

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax ; HFILE_ERROR (-1) becomes 0
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it is only available on Win95/98
(not NT), as it uses the VxDCall back door. This detection was found in the
Bleem demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32),
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_0001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f
 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(esp->8 is the lpSubKey argument; offset 0x13 is where "tICE" sits in
"Software\NuMega\SoftICE" and 0x37 where it sits in
"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE")

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag (the zero flag is set on return when no
debugger is installed).
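
Most of the methods above leave a fixed byte sequence or string in the
protected file, so an analyst can triage a packer for them before stepping
through it. The following Python scanner is an added example written for
this page; it is not code from the original document, from FrogsICE,
MeltICE or any tool mentioned here. It encodes the instruction sequences of
methods 01-05, 07 and 12 and the device/registry strings of methods 11 and
13 as byte signatures and reports every hit in a binary image. The opcode
bytes are the standard x86 encodings of the listings in the text (assumed,
not taken from the page); the SAMPLE buffer is constructed for the demo and
is not a real executable. Method 06 (random function number) and the ring 0
methods 08, 09, 10 and 14 have no fixed user-mode byte pattern and are
left out.

```python
"""Byte-signature scanner for the SoftICE-detection idioms above.

Added example, not code from the original page.  Encodings assumed:
B8/BB/BE/BF = mov ax/bx/si/di,imm16; BD = mov ebp,imm32; B4 = mov ah,imm8;
CC = int 3; CD ib = int ib; 6A ib / 68 id = push imm; 66 = operand-size
prefix in 32-bit code.  Run with a file path to scan a real DOS/Win9x
executable; without arguments it scans the constructed SAMPLE buffer.
"""
import sys
from typing import List, Tuple

# (method id in the text, description, byte-pattern variants)
SIGNATURES = [
    ("M01", "BoundsChecker 'BCHK' probe: mov ebp,4243484Bh before int 3",
     [b"\xBD\x4B\x48\x43\x42"]),
    ("M02", "back-door magic: mov si,4647h / mov di,4A4Dh (16- and 32-bit forms)",
     [b"\xBE\x47\x46\xBF\x4D\x4A", b"\xBE\x47\x46\x66\xBF\x4D\x4A"]),
    ("M03", "int 2Fh/1684h with bx=0202h (SICE VxD ID)",
     [b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"]),
    ("M04", "int 2Fh/1684h with bx=7A5Fh (SIWVID VxD ID)",
     [b"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"]),
    ("M05", "int 41h function 4Fh: mov ax,4Fh / int 41h",
     [b"\xB8\x4F\x00\xCD\x41"]),
    ("M07", "int 68h function 43h: mov ah,43h / int 68h",
     [b"\xB4\x43\xCD\x68"]),
    ("M11", "MeltICE device name passed to CreateFileA/_lopen",
     [b"\\\\.\\SICE\x00", b"\\\\.\\SIWVID\x00", b"\\\\.\\NTICE\x00"]),
    ("M12", "VxDCall to VWIN32_Int41Dispatch: push 4Fh / push 002A002Ah",
     [b"\x6A\x4F\x68\x2A\x00\x2A\x00"]),
    ("M13", "registry key naming the SoftICE installation",
     [b"NuMega\\SoftICE", b"Uninstall\\SoftICE", b"App Paths\\Loader32.Exe"]),
]


def scan(image: bytes) -> List[Tuple[int, str]]:
    """Return (offset, method id) for every signature hit, sorted by offset."""
    hits = []
    for method, _desc, variants in SIGNATURES:
        for pat in variants:
            start = 0
            while True:
                pos = image.find(pat, start)
                if pos == -1:
                    break
                hits.append((pos, method))
                start = pos + 1          # keep going: a file may use a trick twice
    return sorted(hits)


def describe(method: str) -> str:
    """One-line description for a method id from SIGNATURES."""
    for mid, desc, _ in SIGNATURES:
        if mid == method:
            return desc
    raise KeyError(method)


# Constructed test image (not a real program): a fake header, a Haspinst-style
# back-door loop (Method 02), an int 41h/4Fh check (Method 05), then the strings
# a MeltICE-style check (Method 11) and a registry prober (Method 13) carry.
SAMPLE = (
    b"MZ" + bytes(30)
    + b"\xB8\x11\x09"             # mov ax,0911h  (execute command)
    + b"\x8B\x17"                 # mov dx,[bx]
    + b"\xBE\x47\x46"             # mov si,4647h  <- M02 hit at offset 37
    + b"\xBF\x4D\x4A"             # mov di,4A4Dh
    + b"\xCC"                     # int 3
    + b"\x83\xC3\x02\x41"         # add bx,2 / inc cx
    + b"\x83\xF9\x06\x72\xEB"     # cmp cx,6 / jb back
    + b"\xB8\x4F\x00\xCD\x41"     # mov ax,4Fh / int 41h  <- M05 hit at offset 53
    + b"\x3D\x86\xF3\x74\x10"     # cmp ax,0F386h / jz detected
    + bytes(8)
    + b"\\\\.\\SICE\x00"           # <- M11 hit at offset 71
    + b"\\\\.\\NTICE\x00"          # <- M11 hit at offset 80
    + b"Software\\NuMega\\SoftICE\x00"   # <- M13 hit at offset 99
)


def main(argv: List[str]) -> int:
    image = open(argv[1], "rb").read() if len(argv) > 1 else SAMPLE
    hits = scan(image)
    for off, method in hits:
        print(f"{off:08x}  {method}  {describe(method)}")
    return 1 if hits else 0       # non-zero exit = anti-SoftICE tricks present


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Treat the output as a triage aid only: the signatures match the literal
register choices shown on this page, and a packer that loads the same
immediates through different registers, or builds the device name at run
time, slips past them; the SoftICE breakpoints listed under each method
remain the reliable way to catch the trick as it executes.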
: e$ ~( g1 z. _- m! r</PRE></TD></TR></TBODY></TABLE> |