<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
  -AX = 0910h (Display string in SIce windows)
  -AX = 0911h (Execute SIce commands - the command is pointed to by ds:dx)
  -AX = 0912h (Get breakpoint info)
  -AX = 0913h (Set SIce breakpoints)
  -AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
  -SI = 4647h
  -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095  MOV AX,0911      ; execute command.
4C19:0098  MOV DX,[BX]      ; ds:dx point to the command (see below).
4C19:009A  MOV SI,4647      ; 1st magic value.
4C19:009D  MOV DI,4A4D      ; 2nd magic value.
4C19:00A0  INT 3            ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1  ADD BX,02        ; BX+2 to point to next command to execute
4C19:00A4  INC CX
4C19:00A5  CMP CX,06        ; Repeat 6 times to execute
4C19:00A8  JB 0095          ; 6 different commands.
4C19:00AA  JMP 0002         ; Bad_Guy jmp back.
4C19:00AD  MOV BX,SP        ; Good_Guy go ahead :))

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via the int 2Fh/1684h
(API Get entry point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected
___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax,ax
        mov es,ax               ; ES -> interrupt vector table (segment 0)
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler...
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; ...and restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in the int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:
        BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________
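An analyst triaging a packed sample usually meets methods 01, 02, 05 and 07 as fixed immediate operands in the code, so they can be flagged statically. The following Python is an added example and not part of the original text: it scans a byte buffer for the 'BCHK' constant, the 4647h/4A4Dh magic pair, the int 41h/4Fh and 0F386h check, and the int 68h/43h check, using the standard 16-bit real-mode x86 encodings of those instructions (the 32-bit form of `mov ebp, imm32` matches the same bytes). The sample buffer is constructed by hand; no real file is read.

```python
"""Static triage for the SoftICE-detection idioms of methods 01, 02, 05 and 07."""
import struct

# (method, description, byte pattern). Encodings used:
#   B8+reg iw   mov r16, imm16   (B8=ax, BE=si, BF=di), 16-bit code
#   BD id       mov ebp, imm32   (in 16-bit code it is preceded by 66h)
#   B4 ib       mov ah, imm8
#   3D iw       cmp ax, imm16
#   CD ib       int imm8
SIGNATURES = [
    ("01", "mov ebp,4243484Bh  ('BCHK' BoundsChecker interface)",
     b"\xBD" + struct.pack("<I", 0x4243484B)),
    ("02", "mov si,4647h / mov di,4A4Dh  (back door magic values)",
     b"\xBE\x47\x46\xBF\x4D\x4A"),
    ("05", "mov ax,4Fh ; int 41h  (debugger installation check)",
     b"\xB8\x4F\x00\xCD\x41"),
    ("05", "cmp ax,0F386h  (system debugger magic number)",
     b"\x3D\x86\xF3"),
    ("07", "mov ah,43h ; int 68h  (WinICE V86 handler check)",
     b"\xB4\x43\xCD\x68"),
]


def scan(blob: bytes) -> list:
    """Return (offset, method, description) for every signature occurrence,
    ordered by offset. Overlapping and repeated hits are all reported."""
    hits = []
    for method, desc, pattern in SIGNATURES:
        start = blob.find(pattern)
        while start != -1:
            hits.append((start, method, desc))
            start = blob.find(pattern, start + 1)
    return sorted(hits)


def methods_found(blob: bytes) -> set:
    """The set of method numbers whose signature appears in the blob."""
    return {method for _, method, _ in scan(blob)}


# Constructed sample: nop padding followed by the method 01, 02 and 05
# sequences from the text, assembled by hand (branch targets are arbitrary).
SAMPLE = (
    b"\x90" * 8                                     # nop padding
    + b"\xBD\x4B\x48\x43\x42"                       # mov ebp,4243484Bh
    + b"\xB8\x04\x00" + b"\xCC"                     # mov ax,4 ; int 3
    + b"\x3C\x04" + b"\x75\x10"                     # cmp al,4 ; jnz +10h
    + b"\xB8\x11\x09"                               # mov ax,0911h
    + b"\xBE\x47\x46" + b"\xBF\x4D\x4A" + b"\xCC"   # mov si,4647h ; mov di,4A4Dh ; int 3
    + b"\xB8\x4F\x00" + b"\xCD\x41"                 # mov ax,4Fh ; int 41h
    + b"\x3D\x86\xF3" + b"\x74\x10"                 # cmp ax,0F386h ; jz +10h
)


if __name__ == "__main__":
    for offset, method, desc in scan(SAMPLE):
        print(f"+{offset:04x}  method {method}: {desc}")
```

Run it on a real file by passing `open(path, "rb").read()` to `scan()`; a hit is a triage lead, not proof, since the same bytes can occur by chance in data, so confirm in the disassembly that the instruction is followed by the `int 3`/`int 41h`/`int 68h` and compare of the method.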

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

        mov ah, 25h
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* open the SICE driver device; succeeds only when the VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

00401067:  push 00402025           ; \\.\SICE
0040106C:  call CreateFileA
00401071:  cmp eax,-001
00401074:  je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-((
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one
        BPX Exec_PM_Int if eax==41 &amp;&amp; edx->1c==4f &amp;&amp; edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A &amp;&amp; esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

  -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                         \Uninstall\SoftICE
  -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
  -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                         \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
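The conditional breakpoints given for methods 11, 12 and 13 all read the arguments of a just-entered stdcall function through `esp`: `esp->n` is the dword at esp+n and `*(x)` is the dword at x, so `esp->4` is the first argument, `esp->8` the second, and a 4-character literal such as 'SICE' is compared against the bytes in memory. The following Python is an added example and not part of the original text: it builds a small flat-memory model, lays out the stack frame each call would have at entry, and evaluates the three breakpoint expressions on constructed arguments. It also derives where the 'tICE' dword sits in the two registry paths, which is where the 0x13 and 0x37 offsets come from. All addresses except the 00402025 string pointer quoted from the MeltICE listing are made up.

```python
"""Evaluate the SoftICE breakpoint conditions of methods 11, 12 and 13
against constructed CreateFileA / VxDCall / RegOpenKey call frames."""
import struct

HKEY_LOCAL_MACHINE = 0x80000002


class Memory:
    """Sparse little-endian flat memory; unwritten bytes read as zero."""
    def __init__(self):
        self.cells = {}

    def write(self, addr: int, data: bytes) -> None:
        for i, b in enumerate(data):
            self.cells[addr + i] = b

    def read(self, addr: int, n: int) -> bytes:
        return bytes(self.cells.get(addr + i, 0) for i in range(n))

    def dword(self, addr: int) -> int:
        """'x->n' and '*(x)' in SoftICE syntax: the dword at the address."""
        return struct.unpack("<I", self.read(addr, 4))[0]

    def chars(self, addr: int) -> bytes:
        """The 4 bytes a literal such as 'SICE' is compared against."""
        return self.read(addr, 4)


def frame(mem: Memory, esp: int, args: list) -> None:
    """stdcall frame at function entry: [esp]=return address, [esp+4]=arg1, ..."""
    mem.write(esp, struct.pack("<I", 0x00401071))      # return address (constructed)
    for i, a in enumerate(args):
        mem.write(esp + 4 * (i + 1), struct.pack("<I", a))


# BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
def bpx_createfilea(mem: Memory, esp: int) -> bool:
    lp_filename = mem.dword(esp + 4)                   # esp->4 : lpFileName
    return mem.chars(lp_filename + 4) in (b"SICE", b"SIWV", b"NTIC")


# BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f
def bpx_vxdcall(mem: Memory, esp: int) -> bool:
    return mem.dword(esp + 4) == 0x002A002A and mem.dword(esp + 8) == 0x4F


# BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
def bpx_regopenkey(mem: Memory, esp: int) -> bool:
    lp_subkey = mem.dword(esp + 8)                     # esp->8 : lpSubKey
    return (mem.chars(lp_subkey + 0x13) == b"tICE"
            or mem.chars(lp_subkey + 0x37) == b"tICE")


def tice_offsets(subkey: str) -> list:
    """Offsets at which the dword 'tICE' occurs in a key path; this is how the
    0x13 (key #2) and 0x37 (key #1) constants of the breakpoint were chosen."""
    return [i for i in range(len(subkey)) if subkey[i:i + 4] == "tICE"]


# Scenario helpers: each builds a fresh memory, the string the program would
# pass, and the frame as the function sees it, then runs the breakpoint test.
def check_createfilea(lp_filename: bytes) -> bool:
    mem, esp = Memory(), 0x0012FF00                    # constructed stack pointer
    mem.write(0x00402025, lp_filename + b"\0")         # string address from the listing
    frame(mem, esp, [0x00402025])
    return bpx_createfilea(mem, esp)


def check_vxdcall(service: int, function: int) -> bool:
    mem, esp = Memory(), 0x0012FF00
    frame(mem, esp, [service, function])               # pushed last = esp->4
    return bpx_vxdcall(mem, esp)


def check_regopenkey(subkey: bytes) -> bool:
    mem, esp = Memory(), 0x0012FF00
    mem.write(0x00403000, subkey + b"\0")              # constructed string address
    frame(mem, esp, [HKEY_LOCAL_MACHINE, 0x00403000, 0x00404000])  # hKey, lpSubKey, phkResult
    return bpx_regopenkey(mem, esp)


if __name__ == "__main__":
    print("CreateFileA \\\\.\\SICE  ->", check_createfilea(b"\\\\.\\SICE"))
    print("VxDCall 2A002A/4F      ->", check_vxdcall(0x002A002A, 0x4F))
    print("RegOpenKey NuMega key  ->", check_regopenkey(b"Software\\NuMega\\SoftICE"))
    print("'tICE' offsets:", [hex(o) for o in tice_offsets("Software\\NuMega\\SoftICE")])
```

The `+4` in the CreateFileA condition skips the `\\.\` device prefix, which is why the same breakpoint catches SICE, SIWVID and NTICE with three 4-byte compares; the same model shows that a program opening `\\.\SIWVID` trips the 'SIWV' clause while an ordinary file name does not.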

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>