<TABLE width=500>' n3 N1 V- u4 ?. W! @
<TBODY>
* }) ?! m; ?, c; ~( s, X! k<TR>! V0 {6 o2 ~( E- w8 x
<TD><PRE>Method 01
% ~1 Y2 c0 p4 W: L; h=========0 W" n9 y# t+ g, h/ _# [; N+ W( T: U
! Z" }, e1 U# P4 g& e( j5 M3 f
This method of detection of SoftICE (as well as the following one) is
' O1 T8 X4 t& G- w% i& m1 [- pused by the majority of packers/encryptors found on Internet.
* J. S9 x) R$ [8 B, \6 NIt seeks the signature of BoundsChecker in SoftICE( D" `# c, |# u; {* h
, D, f* [5 P ]( |
mov ebp, 04243484Bh ; 'BCHK'9 s7 ~* c3 `. U" r
mov ax, 04h0 F7 e6 s m, [ L
int 3 3 s: A# A) N3 w5 H) U( j
cmp al,4
9 J( R2 b* U5 S' q* D5 a; } jnz SoftICE_Detected
' q/ V$ v9 G0 m9 O2 t" {1 [4 z
___________________________________________________________________________. U1 ^9 b& R; s
0 G4 t# S8 X4 j
Method 02* v7 z m: p/ C* O6 L7 D
========= i" Y/ v2 C3 w7 ~
0 [6 q4 H1 J, g* t* n
Still a method very much used (perhaps the most frequent one). It is used1 [6 k) t. @+ `9 p: H: ?
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,# M. ]9 i2 f; Q ]+ I
or execute SoftICE commands...2 S0 n3 k5 ^6 n, G# B
It is also used to crash SoftICE and to force it to execute any commands1 q# \1 r$ t5 g+ h% q/ J' ~/ [% O
(HBOOT...) :-((
' A. K @' \) ]7 F9 ?. H% F' w! H4 `8 o' S x; D$ `8 i
Here is a quick description:
9 V7 I" F& q, x; _! k+ J-AX = 0910h (Display string in SIce windows)
: t) q6 Y& q/ |+ t-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)
+ n! c. M, a5 `. a1 A( L-AX = 0912h (Get breakpoint infos)! w6 Q% s! @1 a. s+ x* z
-AX = 0913h (Set Sice breakpoints)7 V5 K4 f2 E) z0 \2 Z7 w& I
-AX = 0914h (Remove SIce breakoints)
/ _8 N* y. I# u# R ?
9 G6 ]* S' j* _/ y6 E3 W2 G+ VEach time you'll meet this trick, you'll see:. `' @& [3 t! E4 _# e, i( k
-SI = 4647h
( \% A& Y& L9 K5 s-DI = 4A4Dh
i7 _8 E( O8 b0 SWhich are the 'magic values' used by SoftIce.
/ `* V+ E8 E- D- f' ?( K: AFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.
/ }( u; j- y' P, m; y S2 [
0 x6 @# r/ ^7 v0 A9 i# }; LHere is one example from the file "Haspinst.exe" which is the dongle HASP
' u. \ t n$ A: Y+ p$ `Envelope utility use to protect DOS applications:5 U3 |! L) U3 ?9 q: `
% V7 D( Y! R4 e- X$ I6 |' H
) } M* [; q1 R8 d% L
4C19:0095 MOV AX,0911 ; execute command.
! M C; @1 Z" V; p4 U4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
4 s5 a+ [: |6 a4C19:009A MOV SI,4647 ; 1st magic value., r4 B0 W# D0 I8 F q
4C19:009D MOV DI,4A4D ; 2nd magic value.
, r' X) Y7 K: D0 K% `' e/ ^" O4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)
" I2 q" p: A% E' P: P4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
2 d0 P# G; E! {3 p$ w: u4C19:00A4 INC CX7 r0 t0 _' T" ?/ n& j+ V4 c; N' P
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute: k, W# L; w$ {# W. E( x& Q
4C19:00A8 JB 0095 ; 6 different commands.
+ E7 R, M5 C" n% L2 ^/ ?2 c/ Z9 ]4C19:00AA JMP 0002 ; Bad_Guy jmp back.: q; G0 P% {- o/ f5 u8 s' L7 P; H
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
& E: ~" n. H7 x; f6 \! H- L& f4 s- S/ u# n; \1 |( ?
The program will execute 6 different SIce commands located at ds:dx, which+ K: @ D2 s* b& M. V: D9 J9 R
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
4 f* A3 F0 d6 H# T7 O; ?8 ~0 z0 w: D
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.7 t6 E! i6 g+ B5 Y
___________________________________________________________________________
7 h. s0 h1 A2 p+ |: q$ b' T
J. Q1 t8 Z3 |% u
{" _, G. l* ~( x; h# xMethod 03
. }* ?3 c; w0 \& Z; R( J=========' f8 a( Y- J I% K4 g' S/ g- A! |
# j" v% g9 \% C0 A( S* ~" \
Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
( B8 R7 Q" U2 a; F% I. z6 h(API Get entry point)
' c0 a, c# ?% H
' c3 d. U4 O' G+ E' n
K( [$ H$ e$ [* I xor di,di1 A) e: E) U K2 H% S9 v$ r
mov es,di
1 o/ D; N0 }! ~( p6 d, y mov ax, 1684h
1 e1 O# U* J: e( z5 k! t mov bx, 0202h ; VxD ID of winice5 w. X$ @, W. d2 c F/ t1 m B- y
int 2Fh0 c5 f" T" G* Z# ~4 w* f; K) o" w
mov ax, es ; ES:DI -> VxD API entry point% f, y* A+ C- E: L# h& ]" Q" o' }2 [$ i
add ax, di
3 `% Q8 v, B0 e& Z test ax,ax& U) U* r0 v: Z; y' I% [. ]
jnz SoftICE_Detected
3 W. a2 j4 o* d: F4 C/ K% t5 j$ i; F5 B; }
___________________________________________________________________________
: V9 M* D1 K3 f5 n3 H
2 F) H$ Y+ s' O# F! {/ k6 lMethod 04
" C+ w! {$ S4 G0 Y* j9 M=========
2 x9 f5 q9 s/ n" g6 U8 M" w5 x% j4 x6 j! |" ?- [
Method identical to the preceding one except that it seeks the ID of SoftICE& y! d6 D1 g( e: f# y8 E# c
GFX VxD.
0 Q/ S& j& T7 N& m# c3 { D
+ X3 ~5 ~: `0 @* h xor di,di/ U: ]9 ?/ h1 C% B
mov es,di
, E0 ~9 L. K3 g: j/ E7 G mov ax, 1684h " x" _! e. ?" T6 |) f
mov bx, 7a5Fh ; VxD ID of SIWVID2 G; _" u( ? s% Q4 M& i7 ?" f( \
int 2fh
6 ?8 i+ Y+ n" f; `+ G# Q mov ax, es ; ES:DI -> VxD API entry point
5 C: B' b! T0 f6 D' d8 o" { add ax, di
/ _' D- K: s7 s0 Z' R) u' X9 E test ax,ax
: r V/ }3 h9 ?9 h) | jnz SoftICE_Detected. b8 O7 z6 d$ h8 S) y7 z
3 A9 R6 l9 Y' s! m* O4 t& O__________________________________________________________________________
) s1 {3 }& u1 q% e( {& G8 s7 V# ]" x5 N$ ^- O B0 w5 J6 K
8 f, c; x( R# ?+ X0 ], c! VMethod 05
0 q6 K8 ?- `; {% s+ Z) |=========
* B( M2 C: r& A% ?0 M4 g# M. P/ j# t4 R8 m" j4 u1 G% ]1 ?$ A
Method seeking the 'magic number' 0F386h returned (in ax) by all system) Y' ~2 l3 b/ t* C* x; O1 \
debugger. It calls the int 41h, function 4Fh.6 R$ G& q% [+ ?- Y
There are several alternatives. 0 {4 Q, Q& R: _) x# _
! B6 e1 F+ x. ^2 e
The following one is the simplest:* v( {3 A: z& u" q- Q8 |0 v* G
' c8 T2 [- ^) t' u% P7 t" @( f mov ax,4fh
; |+ q% R/ F- c/ A) v# S/ h int 41h7 b2 R3 T' R; ~3 [* F
cmp ax, 0F386# J. g) j( G( a6 b+ o# S1 h
jz SoftICE_detected- |. P4 w4 h8 v8 Y0 P2 j
8 U: N* u& j# e& k8 ~+ _
& k2 _0 _$ X/ uNext method as well as the following one are 2 examples from Stone's
- j4 F: B" V/ V! l* _9 |; G. z$ t3 s"stn-wid.zip" (www.cracking.net):
( O6 y! K; L- ]! f1 o
4 H* `4 y2 Y+ @; @& r mov bx, cs
5 `8 _7 E) c" ?; `. @; K8 P lea dx, int41handler22 u" O: q$ j2 v" [' ]/ [
xchg dx, es:[41h*4]! B) ^$ R; b8 ?2 C
xchg bx, es:[41h*4+2]; H0 P, a) y' U* y+ m$ N1 f% u5 u
mov ax,4fh r: Z, b$ K) I: P
int 41h
2 u4 W; T. y1 n" ^+ s# _ xchg dx, es:[41h*4]
2 Y4 v2 f( E" F! H9 Z xchg bx, es:[41h*4+2]+ P4 b m7 Q6 Y |
cmp ax, 0f386h( Y6 D) q& E2 Z. m- n
jz SoftICE_detected2 U" w, Z9 J( H6 t
4 u. P6 T o5 f; n* s/ O
int41handler2 PROC
: Y( N- _# b. ^ iret
! Q7 P- Z7 r8 U: Yint41handler2 ENDP9 P" X( F' Y1 L l3 g
* Z: U$ T Z; w
e" l5 q2 k! @% R0 t! T
_________________________________________________________________________
. G6 [% H9 [* X. L: F2 `% B, t* H& f5 B* o3 X& T
& A4 e" S' {1 M. i5 Y# @7 i
Method 06
% m1 l3 {/ W1 l: f* m E=========
$ E8 B% P4 j) i; m. { t0 e7 {# C, Z; k, Q
2 q& L) |( A6 y: f1 R2nd method similar to the preceding one but more difficult to detect:
. |4 P2 A+ b) k ?+ K# Z# V# d i" }- q6 [" i! J+ u0 |
/ c* V/ g# I1 E" I3 M8 e1 g
int41handler PROC- T1 u2 M7 k. W( @
mov cl,al
, h9 @' R' @: ^6 ^6 | t8 x5 H6 X$ b2 K iret
3 s) ]% z5 x5 v& X; u% K6 C& ~int41handler ENDP
" w8 q" R; J7 B% j" r" R5 w0 g# I N3 U" E6 C
) p8 F: ^, X& V ]
xor ax,ax
& o/ L. Q9 n1 K+ v! G+ Y% P mov es,ax1 M' ]5 p7 @5 M: x% \* i
mov bx, cs
8 X, w6 L9 v! ^+ Y% O lea dx, int41handler9 J( D6 D5 |( C# v* j1 t$ B
xchg dx, es:[41h*4]
2 O( p9 G7 u7 T {* x4 } xchg bx, es:[41h*4+2]( X5 @5 A. n t$ ?
in al, 40h1 @9 d# R, C" k* T) m# d8 ?0 f
xor cx,cx
N! O: T6 @: W8 j& s int 41h
! G4 D5 h2 q7 | xchg dx, es:[41h*4]' ], X E8 P0 |' [: ^6 V
xchg bx, es:[41h*4+2]
6 n) Q: r1 ~6 y, \9 w1 q) p( | cmp cl,al3 r, q. n1 x2 X; c0 H. h
jnz SoftICE_detected
: Q! l2 F/ O8 \) [* c j0 S$ R7 C, f B9 D6 S/ V, C% J
_________________________________________________________________________0 |' C+ |& F* z
9 S2 V' {! g9 b, y
Method 07
& O p# X: K9 }3 P$ ]=========
# y' T2 Q) |) ^4 V# j+ ?; u( ^+ }9 ?, ?3 y2 V, K+ D2 n
Method of detection of the WinICE handler in the int68h (V86)9 i3 P+ |/ y) d* A, _% a4 J- ]- A' M
( w' Y/ t/ M' }7 Z mov ah,43h
* h4 c& A: d5 i' l; B4 ] int 68h7 V6 c" d8 S$ B6 Y# x) [
cmp ax,0F386h
?! W/ S8 M Y3 f jz SoftICE_Detected
( g4 {, Y: O' P3 t) S. ~7 l6 q; |. K7 Q/ C
, `' b: g8 T5 d) F9 `
=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
, \; {! b6 I' c/ x' W app like this: q, Q7 b# X. K" T4 k: w* V
5 ^. ]* C% L |) H. |
BPX exec_int if ax==68" r' n+ R; T& i5 Q, r
(function called is located at byte ptr [ebp+1Dh] and client eip is" W# Z& q/ v5 q: j) L3 R
located at [ebp+48h] for 32Bit apps)
7 J5 F _, h0 ]. D3 J9 L* M: u__________________________________________________________________________6 C; v% \& ^1 x- k* F. ]
+ p5 h4 X5 S+ P B% ~0 Q5 ~# H. Q/ n5 W* u4 d- h5 `" o! }9 s
Method 08
. ?: R4 a1 a2 E; L=========+ t1 W: O/ N5 V5 A }- J+ z1 M
) _2 h: |4 w0 k- J6 cIt is not a method of detection of SoftICE but a possibility to crash the+ I/ P% W6 F1 b6 `4 X1 M1 B" J. ~
system by intercepting int 01h and int 03h and redirecting them to another
( a/ `" X" k. kroutine.
/ {5 V, V2 S& N0 u9 d( RIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points# V; _3 T+ C1 W
to the new routine to execute (hangs computer...)
( q( q1 {) ~8 r: F( K+ W" k5 b8 U6 K9 V" p6 [
mov ah, 25h1 j* q: o6 m0 [' X: w8 c9 F5 [
mov al, Int_Number (01h or 03h)
6 j, \3 h9 N6 V mov dx, offset New_Int_Routine
& T9 Q& P7 G3 U2 ]' |3 x. R2 [ int 21h; [9 u+ S9 s) ^* h F
9 V) W( C7 J. n& C8 X; ]! F/ n__________________________________________________________________________/ L/ I8 V0 } L' V
0 n7 [$ \2 M( X8 U) g
Method 09. O, G& o3 w; W% X ]$ l4 ]0 z
=========
+ H: i& ^: g8 D$ q
1 p4 P6 G* u) \This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only- d" T; _( b; k# a s
performed in ring0 (VxD or a ring3 app using the VxdCall).! U5 d5 k/ s$ r! S0 P# j, P* n
The Get_DDB service is used to determine whether or not a VxD is installed8 C; H h2 D3 M! _ _' C
for the specified device and returns a Device Description Block (in ecx) for
/ U8 b) r+ Y. V+ h1 cthat device if it is installed.
3 _* w' N, j# q# g' u
6 q9 ^ g5 }+ d) h( l; g) C mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
; S" Y3 _, s$ A( k3 c. Y* x mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)4 D3 F" @# h, l* J8 d) w' {1 i/ j
VMMCall Get_DDB
! y0 ^9 p! h4 L, @8 c6 V# D mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed0 @! _) p- f4 v: m, m( u
1 |. j) _* D: { h% t# Y9 Q
Note as well that you can easily detect this method with SoftICE:
0 z# X2 N+ M( m. C1 X bpx Get_DDB if ax==0202 || ax==7a5fh
2 x: U: [" h( Q
0 D! T4 N+ M) q" l3 ~7 b: w__________________________________________________________________________
) R" v4 t6 g- V5 r+ G
' E1 x4 ]4 g H! ]- k: H3 \9 W- Z1 mMethod 10
/ T" b$ r1 S6 O7 X* _. `=========
: ^0 z M" C/ W+ L
' M: L6 U2 M& _=>Disable or clear breakpoints before using this feature. DO NOT trace with& Q' x2 C1 t, \! e
SoftICE while the option is enable!!
9 k2 s2 U- T1 i4 ~- \1 ^* R, ], X- |" W8 C* R8 z( @. k
This trick is very efficient:
, @' P, g4 r5 g4 u" i( S( @+ rby checking the Debug Registers, you can detect if SoftICE is loaded, X4 l7 w$ M$ f- O1 w( v- E- R
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if) `% j1 @% k$ Z. T
there are some memory breakpoints set (dr0 to dr3) simply by reading their' L2 N* @! I6 [' U7 t/ ]+ y3 u
value (in ring0 only). Values can be manipulated and or changed as well
" Q5 z' Y I$ Z4 q% H(clearing BPMs for instance)# h4 u9 j$ I8 l& O
2 S6 z+ i4 S: H* J, C! N/ i( C
__________________________________________________________________________
7 W: c; z0 R' H+ M$ x% i o/ X9 k' X
Method 11
- O4 [- v& @9 e, S- `( N=========
& r0 y& N& ?' F6 F/ K+ ]" r8 }; q& A9 C8 k. |/ @4 f; X$ g
This method is most known as 'MeltICE' because it has been freely distributed
% ?2 j; z# }$ [8 I7 Z" B/ Gvia www.winfiles.com. However it was first used by NuMega people to allow' O) O7 k0 B5 E7 I/ N
Symbol Loader to check if SoftICE was active or not (the code is located$ ?) F" v' Q/ k- K+ S/ l
inside nmtrans.dll).
! H4 @% _0 r# v4 r3 V2 A
% l" |& P: t" c7 r! E3 y6 h cThe way it works is very simple:: l* {! O- N4 B, j2 R( S. ^9 X
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for2 c: w7 v3 I/ Q* d J
WinNT) with the CreateFileA API.
. o% f& A2 w# X$ b& c% n3 K( W
- O" ~! `+ ?2 jHere is a sample (checking for 'SICE'):
% L% {& t0 R" q& T3 `# S; l9 S5 m) t( S7 u& b- [
BOOL IsSoftIce95Loaded()+ I5 o* b. k- j7 p3 L( R6 p
{
0 S& G" R/ V( a2 @# E9 n5 C HANDLE hFile; 4 Z2 ^* ~4 K/ S5 K& l
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
& X0 e5 F$ N( j6 I3 j1 T3 t Z FILE_SHARE_READ | FILE_SHARE_WRITE,; j' y5 E+ J. `2 u/ M7 P) E
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
- L4 Y: x+ w4 R% E+ \9 x! Y2 o if( hFile != INVALID_HANDLE_VALUE )+ A1 F1 M6 H3 W2 B
{) i. @+ d1 F0 y- m. v/ d8 z
CloseHandle(hFile);
& H2 L3 O$ u$ v6 F return TRUE;% t3 Q) |" R* q! ~3 e5 H
}
2 x) V$ T3 ?% }$ h. h& W+ e return FALSE;
9 j( `9 S1 u9 o' Q}* P9 {% U/ w% P
9 x8 o: b0 I1 W nAlthough this trick calls the CreateFileA function, don't even expect to be2 F) _& F) Q( Q& S( ~
able to intercept it by installing a IFS hook: it will not work, no way!
0 z9 c r: d$ }2 xIn fact, after the call to CreateFileA it will get through VWIN32 0x001F
$ o; `0 }5 r4 d( T. K3 T' C+ jservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)) b8 l7 J- c, T: c$ G9 j
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
7 @6 F6 E1 G9 X: c+ x ]field.9 m: N+ c2 e9 m) O0 a
In fact, its purpose is not to load/unload VxDs but only to send a ! m7 [2 G8 o V9 w; c$ f. l
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
% _7 }7 S8 K+ E* jto the VxD Control_Dispatch proc (how the hell a shareware soft could try, Z- t+ v) G8 c7 M d' m
to load/unload a non-dynamically loadable driver such as SoftICE ;-).& A! C U" ^# c5 j+ C) @8 m% X
If the VxD is loaded, it will always clear eax and the Carry flag to allow
2 y6 a. K' C: \its handle to be opened and then, will be detected.9 g5 }* I. U7 J1 d$ G/ W; C
You can check that simply by hooking Winice.exe control proc entry point
' h5 b1 Y5 C' Y. jwhile running MeltICE.* O0 _4 u; P( Y. P
' i" H3 }. d7 {2 M$ }1 s6 {; D+ \) |- O
00401067: push 00402025 ; \\.\SICE
# s& m7 _. n( G- A& L" `: | 0040106C: call CreateFileA* q1 z7 m8 e! a+ Y! u
00401071: cmp eax,-001
2 `- E$ r. \- e 00401074: je 00401091
# c' L6 J. F9 @9 o, t+ c6 J2 |! O0 c) C" q" I3 m6 ]
# }% t. {4 z4 O/ L2 i) S, mThere could be hundreds of BPX you could use to detect this trick.
1 p) f7 r; ]8 M1 j Q-The most classical one is:' ~1 I. L$ h4 d$ ?# E
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||, P& `' P, ~% \. R9 V. j* d2 v
*(esp->4+4)=='NTIC'* F7 G- Q% u6 d, t& M9 [0 K
. W" y! R! D" y6 K1 }' V$ N* g& Y
-The most exotic ones (could be very slooooow :-(6 o4 K6 b& ^+ `7 ]) z
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV') - Q% r C- j" N% j1 {% U& H: V* i
;will break 3 times :-(4 H7 i" Q, ~) S1 n4 z# T
; | X! v! @2 `5 o0 W
-or (a bit) faster: 0 y2 T8 q: ]: J' N
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
. h7 q, c0 x3 J" z; E f# A% F0 g& e4 c# m2 s3 K
BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
: {8 T6 e5 j4 S3 p/ v3 I ;will break 3 times :-(
! ], l+ e, C0 u7 |' _, }; p
9 [" i5 U# C) v8 T2 ]-Much faster:" _/ P. x! H* T. z0 |6 D) g
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'
- b+ f# W2 j! z. r" Z# Q! c' c: x' K& `) X8 g: A6 J J( A* U0 s
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen' ~( m) ~3 u% C, l
function to do the same job:
+ d6 L9 O( C" B
2 |9 F2 V9 a6 a5 ^ push 00 ; OF_READ
) J: H6 \& S" n/ Y7 K. u- | mov eax,[00656634] ; '\\.\SICE',00 g- Q& X/ T J: D1 _& B0 R$ j/ s
push eax5 y" \1 Y6 g' n3 x: h6 Q& Y- }
call KERNEL32!_lopen8 o: E0 m& z) R: w( p+ Y, p) ~
inc eax
$ u* w3 @: L$ c1 a8 ^4 Z jnz 00650589 ; detected: G7 K2 V" V8 W. z& a' M( e* A
push 00 ; OF_READ1 |9 k- `. v, u: N3 w
mov eax,[00656638] ; '\\.\SICE'
7 J2 I! |* i/ ~4 c% E u push eax2 i8 Q* \' e6 p( z6 n
call KERNEL32!_lopen
1 Q. \1 T* ]7 i. T inc eax
5 U, n# x. j1 V7 c8 Y3 c* J, d jz 006505ae ; not detected
a) c5 w% W7 X& J- S- p
* M7 a) N% D O+ q
* t4 l! E: C, G* r$ c0 w__________________________________________________________________________# o1 x7 P6 ]* q" T7 {# f6 J; W0 R
1 t. H% K( D) o2 ]* a8 h% t
Method 12. x' J" X0 F. I" c8 P
=========
+ q d% S ]8 h8 y: I, V! W1 f9 B: `) F
This trick is similar to int41h/4fh Debugger installation check (code 05
( x1 f& @* R5 _& 06) but very limited because it's only available for Win95/98 (not NT)
2 Z2 z! o8 k& p2 ~as it uses the VxDCall backdoor. This detection was found in Bleem Demo.6 R' T5 w0 h- ~! d$ P {
i; Z, [9 i* |5 \; `8 H9 N push 0000004fh ; function 4fh2 v' Q$ Y7 ^* y% Q9 e
push 002a002ah ; high word specifies which VxD (VWIN32)
; Z: h, e: t. G/ {0 O$ F7 G; ~ ; low word specifies which service8 O" l6 _; F) t9 Q
(VWIN32_Int41Dispatch)* o: K! T+ p; {% j: }3 _
call Kernel32!ORD_001 ; VxdCall
$ ]5 T! M9 U, a cmp ax, 0f386h ; magic number returned by system debuggers
, N- s( c! \ n& M0 s! ]) u jz SoftICE_detected
k6 t# n: @: O- w' E7 o& z, y. ^% T+ H' R& N7 m( y6 C. T% b
Here again, several ways to detect it:2 f, M; y( ]/ n" Y" n- }
2 J, I2 X9 h: ^5 b5 I0 c BPINT 41 if ax==4f# a- ^8 W- _8 o, n' U
; {1 Z3 K1 K- d5 G
BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one0 ~5 B# j" o+ m
! S+ q' l# a i d" p, I+ m9 K, g BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
- {% u% c$ ?+ P3 Q0 ]; {. z6 D
6 E. ]% w8 q' v) b9 w" q BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
( l0 ~ p, u, h- o" V* j+ V# E- z
f# E/ Y; X/ e b__________________________________________________________________________
2 D3 b& K" ]+ T& |- A& x6 c R9 M) r4 d0 v
Method 13
* I% e4 j+ L" y& s=========
# V% J( m: ]1 i! h/ L. x# J! }) b2 V
. `- [9 T+ v3 FNot a real method of detection, but a good way to know if SoftICE is
" ^/ N. Z2 s9 b8 X; `, r3 k5 Ninstalled on a computer and to locate its installation directory.
0 A5 t4 E6 `. J9 u5 ]6 S9 `! `It is used by few softs which access the following registry keys (usually #2) :' G" I4 M8 h+ {; o- A$ C$ B
0 b& ^" I; z8 l3 e! |- r
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
+ v* M2 Z8 \0 ~+ i\Uninstall\SoftICE
: O9 h( t# w8 T) o4 W: I-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
! R/ [( t% Q$ T6 u* W-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
6 O' y x8 c7 v) T\App Paths\Loader32.Exe
* f2 {. B* w; F0 `" V4 \; j4 @/ a) `; s$ W! O
+ S7 y3 f$ [1 y% i+ Y' }Note that some nasty apps could then erase all files from SoftICE directory
: v b- f& R) }4 d, ~7 l(I faced that once :-(
! m$ p9 q) I* ^* E3 X
* W& S1 R0 u& z! lUseful breakpoint to detect it:
3 y+ y l4 Z$ L& R! \' n
: j! B, c" y- k- O BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'; m! [! X- k( j$ j3 g8 q2 `/ b
+ Z1 G* L3 p# m& |+ V& @/ U% p+ M__________________________________________________________________________. P4 h# a5 @: r# Z
9 U* R/ n! W4 c- B
5 V$ ?+ g# ]/ X* O0 G
Method 14 " {! N) o4 x, u% B n
=========! n5 H' T' N! I/ z
4 {! b" [( Z! Y
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose6 T E: r X6 s
is to determines whether a debugger is running on your system (ring0 only).
- \9 v1 v+ [2 s% l+ V+ p
5 `, `: d* {7 L1 } VMMCall Test_Debug_Installed
- t% M: _ ^* ?5 M2 P je not_installed) U6 O! x! Q! ~9 `+ q. ^ ^1 |& o1 O: |
; V. \+ d6 {/ z! a# K; Y
This service just checks a flag.' `; O" k% R. m( X( J
</PRE></TD></TR></TBODY></TABLE> |