<TABLE width=500>
/ k8 w: V, V% y2 n* |% H* \<TBODY>
' c* O( E/ _1 ?+ C7 Y<TR>0 S/ e2 a% n' x7 R# T
<TD><PRE>Method 01
3 K: ^3 g, j/ L% D( W! n3 c, l=========; j/ {% Z# Z% x! e' Y
; r5 r+ y# d/ E7 j+ ]2 \4 aThis method of detection of SoftICE (as well as the following one) is1 u- n( P0 O- x" j0 t# Y' h; `
used by the majority of packers/encryptors found on Internet.
' f. m4 \+ o' ]+ o" gIt seeks the signature of BoundsChecker in SoftICE1 v( S6 A4 v( p5 [
$ J( t Z! F* K/ \: ^
mov ebp, 04243484Bh ; 'BCHK'
# x$ c' g2 }9 o% @ mov ax, 04h
2 W. h6 f2 x. l: {+ M/ @ int 3 % o6 Y5 @/ n0 S+ K& R
cmp al,4
2 k6 W6 m- m* G8 J) P9 T jnz SoftICE_Detected
4 d% p" f$ h; b) M4 S3 i* m% K9 u0 k5 y2 o# j
___________________________________________________________________________; l& E) T: A0 `% A& Q
# K2 u, I% P/ q+ w5 W
Method 021 T- {" A- f. @6 J# z7 k& V1 `/ \
=========
4 T; ^$ {8 }9 `6 h h; I& S" ^3 R/ H' S9 V8 n
Still a method very much used (perhaps the most frequent one). It is used
P" g3 A p/ l) H: vto get SoftICE 'Back Door commands' which gives infos on Breakpoints,
+ T% B7 D+ |) L+ ~2 ~$ ~6 Z! ^) eor execute SoftICE commands...- G% x) S# d5 Y7 ~9 H. @
It is also used to crash SoftICE and to force it to execute any commands$ X J0 F, M6 B; r2 s2 p: ?5 ^8 f' Y9 J
(HBOOT...) :-((
3 J; O K0 u% r; m* D
@% p8 g$ c1 vHere is a quick description:
0 p5 d1 Z9 y4 S3 Z" j8 X1 A-AX = 0910h (Display string in SIce windows)
3 m' [8 ? G$ @; A' B-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)
F5 \5 D3 d$ Q) Y( y-AX = 0912h (Get breakpoint infos)( n: ?3 W5 k5 W" g
-AX = 0913h (Set Sice breakpoints)& n/ ?; {0 h7 _! |5 ~7 J- @# \
-AX = 0914h (Remove SIce breakoints)
! w' l& f2 `5 a, J" g
; A r" i) K, l" X9 M; iEach time you'll meet this trick, you'll see:
1 V7 E0 L7 ?/ I" b-SI = 4647h
2 l4 ?+ P6 |3 \0 w" w' j! E-DI = 4A4Dh. r0 R$ \, p" F! T+ P
Which are the 'magic values' used by SoftIce.
, _2 e& {& z5 n# F4 U; cFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.7 I8 x/ F1 S) ~: g! i
& _0 t- U4 [, [6 P) S2 K2 Q* H
Here is one example from the file "Haspinst.exe" which is the dongle HASP
$ G0 U8 O4 m! p+ ^1 rEnvelope utility use to protect DOS applications:1 }8 }- L" Q$ U9 w3 j
i* j" y5 R2 U+ u
; h9 Y1 E$ O2 Y' B# L P( d% i4C19:0095 MOV AX,0911 ; execute command.
3 u" U. u8 R, y1 M& S' i- O) ~) i4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below)./ Z# U. b W( N- w* c: `
4C19:009A MOV SI,4647 ; 1st magic value.
7 f) N( ~! o" O" f& p, o( R4C19:009D MOV DI,4A4D ; 2nd magic value.
$ C6 J, S4 Z( D6 M! X$ e7 \7 w% U! n9 Z4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)
0 F- H8 P; l' I% [; F% g" \) ~4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
, \9 o; {% T+ P( t8 z6 x8 a/ C6 u; W4C19:00A4 INC CX
, [3 V( r K# V& S& |0 d4C19:00A5 CMP CX,06 ; Repeat 6 times to execute" S" ~5 g% l. [
4C19:00A8 JB 0095 ; 6 different commands.+ {2 K y3 V# E: G2 @9 f
4C19:00AA JMP 0002 ; Bad_Guy jmp back." k8 H3 l% E. N; f) h+ J7 O
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
7 P! Z4 a6 @# G6 ?% W) K( z) C; i
" V5 f4 V7 S/ AThe program will execute 6 different SIce commands located at ds:dx, which d" {' \, b) G# H
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.9 ~9 T1 S1 o5 A2 C" t2 H, V9 a
' Q7 ?: }1 t, k* }1 O- E* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.( X# i: m$ \6 {
___________________________________________________________________________: X: x$ k ^3 Q2 E' y
# s: n; }1 M) V# s3 z/ ?
% G+ ^' E, k& g+ ~0 b" sMethod 03" p; z7 Q( e& w0 O- Q' [
=========
4 R3 k6 {* [5 ~% y( H
$ Z7 b) i& P& z4 pLess used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h3 p, N. N3 y0 Z q* o
(API Get entry point)3 Q& U- ] x, {9 q
) p7 C. }! d, ?
6 B# g5 D+ u4 i/ W5 x4 y+ S6 U5 D4 _
xor di,di
6 f# h2 ]' P! o2 h5 d7 y mov es,di4 u/ f- `/ g3 N
mov ax, 1684h
! \9 l0 k! a+ u+ {& c% k: ^2 y mov bx, 0202h ; VxD ID of winice
' w! O) H5 y% ?$ ^ int 2Fh2 O" L% s. g3 n/ ^) J$ P1 C
mov ax, es ; ES:DI -> VxD API entry point" N1 | \/ Y$ f& p# J& F
add ax, di
9 |6 }* u5 l. Y, l7 p test ax,ax
, Y6 E$ |5 D6 v5 X jnz SoftICE_Detected8 I/ c! F3 n. Q5 Y' q
3 A6 w* f; x8 B# ]1 J
___________________________________________________________________________% Q6 a) z+ Q2 d8 a" }3 v- ~
( o/ p R3 M! C) Q0 R
Method 04
5 l# |9 E+ \: g8 Y=========
/ m: S: j' d' o8 q& M* A+ d' r: M o8 v7 k _
Method identical to the preceding one except that it seeks the ID of SoftICE
7 N3 W% r- l% ]2 O. tGFX VxD.- r: }- u9 W3 K" K7 B9 }; y& h8 D
. F9 V/ \5 i6 Q) A9 ~* @+ q
xor di,di+ H9 k; X* c" O \! U* x
mov es,di& I: S6 w- a( w/ N8 r
mov ax, 1684h 3 d6 J7 l# T+ g( i+ _3 v( m
mov bx, 7a5Fh ; VxD ID of SIWVID2 h/ O9 t1 J6 V6 V; M2 {
int 2fh6 i* D: s+ S* T% o! ]1 S% q1 B" e% r
mov ax, es ; ES:DI -> VxD API entry point7 G% H, t6 G) Z4 }6 I c& J
add ax, di
9 S" S7 [4 x( X5 m test ax,ax+ a" \8 w8 r; Z) C+ S& N& k Q
jnz SoftICE_Detected w7 z C# T' Y/ s6 B
2 h8 L2 u6 ^ d
__________________________________________________________________________' r" i3 G$ ^2 g) ~
1 \$ g) D: z/ q( ]7 U
8 M( ^* o2 F3 }$ i+ V
Method 05
, {6 r9 ?( T, S G0 ~- ]0 P=========) O7 b) ]+ K' x+ g
8 F7 G: j+ D* \# F7 [3 R0 V3 NMethod seeking the 'magic number' 0F386h returned (in ax) by all system
% D1 i5 H+ r$ @% V. D7 D# x# ddebugger. It calls the int 41h, function 4Fh.
a& j/ z9 a! U, v7 EThere are several alternatives.
1 ?& u& @& Y1 Y9 @1 w3 j0 G
# t& j5 m2 q) x2 ~1 DThe following one is the simplest:
2 w8 ]4 `! {' Y" E' x' w
& ], v8 F8 B" Q, N3 }/ c mov ax,4fh. @' T4 s+ l3 q- ?
int 41h
6 N2 [; Z$ s+ G F/ l cmp ax, 0F3862 M, J' n2 V8 S
jz SoftICE_detected% k- @* J6 p) ~4 p" F1 |) e- ~4 W8 [
3 m. I+ { v, O7 k
% G2 ` g; q1 |) C/ I" F0 f) hNext method as well as the following one are 2 examples from Stone's
+ l. i6 y/ r% w6 Q/ x"stn-wid.zip" (www.cracking.net):) Y$ }, X. Z: [0 r# u
. u, o1 R. D" T- d- \) d# V2 S mov bx, cs% H* ~ W. \1 S- S* A4 B3 L6 \
lea dx, int41handler2
8 E; X7 k( h$ S3 ~ xchg dx, es:[41h*4]) t! A8 u- e" N2 d \
xchg bx, es:[41h*4+2]/ r& `3 \& i9 b8 I: n2 I. ]& D/ k
mov ax,4fh) X6 X1 g$ N+ k. R+ q- Z
int 41h- F7 [% J9 `7 y) K& p
xchg dx, es:[41h*4]0 ?; X/ T" X3 w# u A, O
xchg bx, es:[41h*4+2]1 c$ i2 @ ?0 N& M/ \* t# [
cmp ax, 0f386h
) [/ s6 _/ K! C6 ^- F jz SoftICE_detected1 }* ~7 r2 [8 I: m& m. Q0 [; i/ Y
* D- b' g+ k- f1 H
int41handler2 PROC) m7 a( h: [' ^1 C! y$ Y
iret. m# |% D. X7 v' }* o
int41handler2 ENDP
. w a9 j- `( ?: r, r2 Z$ ? h' Q8 c" S' H1 E# w* l+ D% x
0 r8 E6 f4 h0 P0 e1 d3 n) P s
_________________________________________________________________________
9 G" i0 a- {! U' p( b, r# A) z' @8 ^- ~5 }7 Z
; {& G* Q9 R9 |+ V" dMethod 06
L; g. Q; O8 G, V=========/ d9 e) L. k4 [9 | F% |- T4 @. K
7 e K+ c g$ I+ `) W
_3 i+ [# ?; U2 W
2nd method similar to the preceding one but more difficult to detect:% t" o0 T" j% L7 r: r- U
& ]& o& D; D" D; K6 g* }& ?
6 B5 a8 y( x) Q. f. _) u* Xint41handler PROC3 \3 C' e' ^# @) ~: X# Q3 j
mov cl,al' W. r) E7 S: l9 T# ]- \
iret7 x! k; o$ X# E3 n2 J5 W$ y& e* z* o$ X
int41handler ENDP
; W$ M( J( i: l3 Y6 @* W4 ?+ g3 W& T: V; h4 N1 N$ k# |
8 J3 ] j3 Q4 X7 E
xor ax,ax$ ~: z' D) ^) n5 A0 t
mov es,ax
' z* r. l. t6 A$ W8 K# A* \3 ^1 | mov bx, cs5 H. s' ?1 M% D! [
lea dx, int41handler
; k* @/ A1 Y7 `. d. V6 @/ u xchg dx, es:[41h*4]- T+ J( p% C4 L. K
xchg bx, es:[41h*4+2]- f/ E2 D: u' {8 x* O
in al, 40h
% j/ q- ~2 H" M1 |& e# \' K! W xor cx,cx% K" m) b" M$ P, t
int 41h2 y- Q- u) N; I: H0 P
xchg dx, es:[41h*4]
, \! z$ v6 `; t6 T/ z xchg bx, es:[41h*4+2]
. x, e9 M) W" h- O/ z. S" X cmp cl,al
/ c7 g2 }+ Q1 v jnz SoftICE_detected; [* X) I; y' e1 q0 F8 h
2 r% z0 j" A# c9 E_________________________________________________________________________
& t" V; N3 m+ H! E, F! e7 q4 J% ] L8 W, P
Method 07( A1 v9 o8 r8 o) |- _# \
=========
( @6 I" M# `8 ^% |8 f' c) _) ]% g8 g, Q( Q% G+ c" X9 R
Method of detection of the WinICE handler in the int68h (V86)
* k- m% n# }( B# i5 b- h' V
- L$ o3 G. {8 U) A- S7 Z mov ah,43h
$ B0 ?) q/ Z- k/ o# l( i int 68h' ^, k( ]! m* u9 {" o$ D/ G' n
cmp ax,0F386h
6 v! P% q) ^: d jz SoftICE_Detected
. _# |6 l5 ^' p3 o: V: x/ |/ ^1 I2 W" R% q8 G
% F. S! U9 }8 ~- D# i
=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
6 n' w* s. ^1 b0 e. s6 s6 F app like this:
$ i$ Q {9 P# `6 ?% G: O: b( i5 v. r2 |5 B, k7 H0 m7 P" f1 Y
BPX exec_int if ax==68
5 P6 h& j* B$ J (function called is located at byte ptr [ebp+1Dh] and client eip is# ]" O1 ^! w. G' f
located at [ebp+48h] for 32Bit apps)
~; y: e8 r7 ]__________________________________________________________________________
; ]- G! o! p9 r$ P. A) e/ E. s1 Y
4 T! T$ V& p; c( G- |) Y# F" |, _" J% h! L
Method 08
0 d g: {) g$ v/ b' U4 ~=========# L. j- J" T2 U: f- h( u
~2 g% r& J+ G4 ^& ?
It is not a method of detection of SoftICE but a possibility to crash the
2 {" P; I- {' O9 O# i, L6 Bsystem by intercepting int 01h and int 03h and redirecting them to another8 `8 h- G5 Y8 F+ I
routine.
( ]# I# m% X8 ^- M- DIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points( \# v0 B$ h- k4 O1 g4 L
to the new routine to execute (hangs computer...)
+ H: R, C+ K1 G3 V
4 e# e9 p# d, k A' M, ? mov ah, 25h. Y1 T! A, A5 C4 A0 }. K
mov al, Int_Number (01h or 03h)! w* @9 { V$ O4 L. f# ?
mov dx, offset New_Int_Routine' L/ O, R% f, b$ ]% z2 ^: G9 X
int 21h
1 x; E( A0 N/ ^$ w* g# p9 H" ?. F4 x3 v
__________________________________________________________________________
: p8 ]4 ~8 k) p7 k' `& h3 k7 `+ ? E% p% P) u& C" ?" G
Method 09
# F2 m0 L3 @3 g=========# H' H3 n: u" B2 H/ i4 M
1 H" P& E3 j1 l2 `* H8 ?2 F8 k2 uThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only% ^# P! Q k; a; X: L% m
performed in ring0 (VxD or a ring3 app using the VxdCall).* I( j' u' j2 w3 L
The Get_DDB service is used to determine whether or not a VxD is installed
8 g1 S& }) E2 c: I- jfor the specified device and returns a Device Description Block (in ecx) for
" q4 h7 y- A/ s, a9 Qthat device if it is installed.
% p- L6 z' l. N, ?/ f) Q" O
$ u& D9 z: n) ?1 Y mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
+ p( T c2 c+ [; D3 e) w" k; x mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
% N6 _. r0 u: L3 i# U @3 q VMMCall Get_DDB
2 ^3 g5 h# \3 r1 W+ i mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed. I) M% Q0 E f; d1 m
# o( C0 W, Y$ s2 j& DNote as well that you can easily detect this method with SoftICE:
% c9 o1 k# i3 _ [+ H8 L- X bpx Get_DDB if ax==0202 || ax==7a5fh
5 W# ~8 M2 y8 B' b7 N6 u7 O5 _
- c1 D7 `- X, D( w6 O' V5 b4 w: s__________________________________________________________________________4 G* m8 U# V) A G% W1 J
d P: M# N4 J' o
Method 10* @. z5 e; r) U' {+ c, F# R% S
=========
7 K2 s% ]/ K% ]
: ?5 e$ G0 V4 ~3 o. D) s=>Disable or clear breakpoints before using this feature. DO NOT trace with
1 }% g: H1 N! H3 R. I9 S% M SoftICE while the option is enable!!
$ N& _% y! ] Z% ^) w' I5 l8 v3 Q- N& \
This trick is very efficient:
) d5 X i* A4 s: e1 l; c$ Bby checking the Debug Registers, you can detect if SoftICE is loaded
9 u' {* [* g1 z K8 E2 d(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if# I5 e/ i5 c: N( {
there are some memory breakpoints set (dr0 to dr3) simply by reading their
' u! Z3 T0 O, P3 a: bvalue (in ring0 only). Values can be manipulated and or changed as well: O8 N9 Z9 J8 y1 D# F
(clearing BPMs for instance). Z0 f, v+ z9 M8 y4 T7 W
" `/ \$ H; M3 x' A% `5 y/ `__________________________________________________________________________. c) w! E) R+ R8 t p
+ r# C- ?# [) t! t2 a1 ^Method 111 s& j2 ]4 V9 S% v6 f# O M4 \0 V
=========* O" Z6 Y0 w" z# I, G; X1 A
( R$ w" C: L( [) X6 e' nThis method is most known as 'MeltICE' because it has been freely distributed
" W! v4 G& L4 ]" M& S$ Zvia www.winfiles.com. However it was first used by NuMega people to allow
: J7 t+ i6 [- h$ w/ ^Symbol Loader to check if SoftICE was active or not (the code is located5 ]( d* ], X2 B D2 K4 x0 D; n8 B
inside nmtrans.dll).
' G y$ L, k7 c! S
' t. J' @% v& H# ?% T% Q2 z/ Z! GThe way it works is very simple:
; G. \% l* Q( E2 | |9 lIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
( g+ L6 H B# k/ g! l) c, GWinNT) with the CreateFileA API.
9 _% J, D) w4 n% v) w
1 D$ J1 o$ ~2 E; g P( a `5 }Here is a sample (checking for 'SICE'):
8 ~) a. h, E% f, k# p
' I" @/ Q: O5 v' B9 i E+ oBOOL IsSoftIce95Loaded()3 D1 m. T5 L$ Y% [+ l( j
{9 Y& d% N5 s1 E3 K1 k1 q4 p% v; H
HANDLE hFile;
% F6 M+ @7 S8 o1 F7 N+ B, o hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,& t; N/ D) ]: h2 `
FILE_SHARE_READ | FILE_SHARE_WRITE,
) ]1 y. L: e9 b9 y# f% v/ w/ J) m NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
0 u* }" t4 B' j' ? if( hFile != INVALID_HANDLE_VALUE )/ Q6 S* o5 Q. ]8 k% N8 X
{: r) d, I7 A9 T7 D! C% P1 o
CloseHandle(hFile);
5 b8 k9 U' L& a" Q return TRUE;
* o( Y; e: R. N" i, S4 ]3 ^ }
5 q, Z9 i* T! T' Q+ o, O) ^ return FALSE;
- |* m& D$ C' E' m6 M) J. [}
e% r: i0 v' {, a" e" A6 u Q5 M, s6 ` c3 [
Although this trick calls the CreateFileA function, don't even expect to be
0 B6 H, v8 C. U. u' B2 sable to intercept it by installing a IFS hook: it will not work, no way!+ H" M$ q+ ?1 _# A
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
# k9 q" v4 H) ~5 F7 `2 V' H, \) dservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)9 N- ?' @2 R1 U3 u% o) F T [! J
and then browse the DDB list until it find the VxD and its DDB_Control_Proc; \$ `" R. l& C/ m) g
field.
) S; c+ T; u2 R8 YIn fact, its purpose is not to load/unload VxDs but only to send a
S& o) ]* y, m7 I! H! ]3 m6 f! IW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) }: }0 }! M% v- j0 c
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
, a+ f3 l' E2 ?) b3 ~to load/unload a non-dynamically loadable driver such as SoftICE ;-).! O2 }& ?4 y, v! @/ f3 u
If the VxD is loaded, it will always clear eax and the Carry flag to allow. G" p1 j; _6 k6 S* l& E# m
its handle to be opened and then, will be detected.4 H! a' m8 J2 J4 y- J
You can check that simply by hooking Winice.exe control proc entry point: Y2 Z- {( q9 C
while running MeltICE.
" V7 C4 M- e+ k* c/ ~) P
! c/ v; |# a* g/ ^( l. z; ~7 w
3 e* A1 `0 \: I& @ 00401067: push 00402025 ; \\.\SICE
% f# r5 x- h( y) Q! h 0040106C: call CreateFileA
& B- T3 G) A' f" k 00401071: cmp eax,-001+ b& s8 D A( E# h1 v" T/ \2 D
00401074: je 00401091# Z. |& v+ d8 t
, ~5 }3 x |+ r
! `7 s4 W% }- @8 ~% Z
There could be hundreds of BPX you could use to detect this trick.' e- I7 |: z% ]1 [3 H7 }# S% S
-The most classical one is:" b) G" k/ g6 X W* n
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||. B) O5 [3 ^1 c0 M
*(esp->4+4)=='NTIC': ?3 U) } O/ v5 h# e: ]" E
' K+ L- u1 ~; m1 {" H. t
-The most exotic ones (could be very slooooow :-(" ]% [/ H+ r! J3 _7 m
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
3 F3 s3 k& ]) J7 E; S* \ ;will break 3 times :-(- b8 s4 V" ?! m. k8 |$ z
9 O7 H* }0 x! U: h- x& T0 s' X-or (a bit) faster:
+ x1 n4 k3 ]; x7 u, m/ K BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
* P6 v: A! O1 M3 X/ t
, h, _# s3 b% U9 k( b BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV' 2 _# y: K: w* |0 {" K- R6 V( ^
;will break 3 times :-(
/ z% [, N6 M O9 u
4 r9 a; i+ E h* F-Much faster:) C& N0 V/ i2 J0 f! R5 w( ~
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'
1 n; e7 M+ X" |8 _- a/ a: ~! N H% }/ L2 v) |' d0 K* l
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen; F- X& i$ S" Y2 H0 B6 V
function to do the same job:4 ]! [8 {8 b1 T$ u' R: ~
* x; ]( [/ o% P( ~- c* f/ f push 00 ; OF_READ) t: U6 O% k, t+ X
mov eax,[00656634] ; '\\.\SICE',0 c3 M2 J! H6 C8 m9 r; @
push eax
: q4 l! {% J' J n) W, C call KERNEL32!_lopen; v: c' R3 W# e+ X6 z
inc eax
6 z7 Y% s1 o: C jnz 00650589 ; detected: o" ^! c) Z7 O
push 00 ; OF_READ
1 P# ~$ K$ g- y2 \; R mov eax,[00656638] ; '\\.\SICE'+ ^* ]2 { M8 ~3 z
push eax
" D- \; ~" G* W3 d' L/ y% L3 K* @ call KERNEL32!_lopen
6 V2 z; W1 E0 f% l7 ] inc eax n5 \) _6 P: F6 d
jz 006505ae ; not detected& H- N4 j( u1 }# a# ?& g
, l' f, L- ?+ \
$ s' x( |- F( ?2 t__________________________________________________________________________; y# |# \8 K4 W1 `+ A: y
& i6 S5 l1 S; G3 j( }6 E7 C
Method 12
6 t! s0 ?* T4 w, ^7 E4 t=========4 f- k4 o8 \: i% H
4 s+ w. H3 B2 [
This trick is similar to int41h/4fh Debugger installation check (code 05
: e+ v4 t2 {+ J6 r" k. X( O& 06) but very limited because it's only available for Win95/98 (not NT)! {# b$ ]- Z3 S+ t
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
* S5 o- i/ c: R |+ d+ Q: I% z3 `1 s) E& z
push 0000004fh ; function 4fh
* {# |3 N1 @* w+ \$ d: c0 j* r) o push 002a002ah ; high word specifies which VxD (VWIN32) d% d6 |' V6 J/ y, O# t8 p, ], X! e
; low word specifies which service! o/ }9 w i8 d% z2 m Q! a! Q
(VWIN32_Int41Dispatch)
8 `0 S7 U. ?3 L2 o" [, Z call Kernel32!ORD_001 ; VxdCall
( y/ S( Y7 h6 u/ I' ?( i3 Y cmp ax, 0f386h ; magic number returned by system debuggers: X: M' x; a C# T2 C
jz SoftICE_detected
8 l$ l( i x3 A/ _ P
9 F# }" r, \+ N0 `( sHere again, several ways to detect it:
* ^1 p t& B1 t6 M3 X7 u
. j# |" S9 T2 v# a3 e3 a$ z* v; E BPINT 41 if ax==4f
. o+ p! M l0 o8 H4 O; I' n
/ T0 | ~, P, t$ e: j7 M, n; r BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one) b' Q" ~* b* t- r
/ O z; [) n7 m' y BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
7 b' D( V2 e6 |; d) h0 k) p& [" {& P
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!3 m8 E T( T3 d& G0 l7 X
& b: H Q) j: K. H5 R2 {
__________________________________________________________________________
4 x6 K/ Y0 `3 A9 e* M9 P; P4 v q Y
Method 13. V3 }' \' z5 R5 K% s
=========
/ c: F0 B5 B3 e3 l" |' Z. V* ?
Not a real method of detection, but a good way to know if SoftICE is
" b- z0 U& {- U# n; A+ R( Finstalled on a computer and to locate its installation directory.
3 q* ~3 t' X U: ZIt is used by few softs which access the following registry keys (usually #2) :
2 X: k2 ^7 g9 U; f( D/ `
6 N- Z0 Y' `2 A0 w-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
3 [1 V* ~7 C, D* V2 J6 n6 |4 J; p' K\Uninstall\SoftICE
9 n, L( _! l( V( x4 F; D# U' s# P-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE0 S7 X, i* d9 `
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
/ r% t" R& B3 P\App Paths\Loader32.Exe0 Y* z6 L6 Y, H' n
3 a( N( H! {5 C4 {+ R& Q
& Z B6 e q+ k* [1 y6 QNote that some nasty apps could then erase all files from SoftICE directory. @! K" a" w' U3 X; G6 E
(I faced that once :-(
% W# r; Y# h- ^' J2 P6 L# r
& h" i- M2 e; { d' PUseful breakpoint to detect it:
9 W0 k0 W" o7 z8 R1 T; w, g3 |9 C8 }9 y) A
BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
; r% H0 d9 _9 P' C, v \( \3 s: B4 Y' g* F4 e4 Q
__________________________________________________________________________
! A H0 y! B+ @
. h8 K# T# l" d! n( a- r' t
; Z/ I* ?) `5 L& C4 LMethod 14
* T! ]4 `3 W- L1 U* |, m1 e5 b=========2 T5 F4 m8 g. m' \" \: w
( o8 b( G6 ], L. b8 J: _
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
' {% n+ {$ L6 m! \is to determines whether a debugger is running on your system (ring0 only).
2 t9 d/ j9 H6 W+ a
- P r4 N) @" N7 d; B5 P z+ J VMMCall Test_Debug_Installed
, j; p/ X3 {5 e$ P- \$ ~ je not_installed# U; L" d- a7 G4 ~& f3 q
9 V; \* H% m1 MThis service just checks a flag.
! z8 a5 q4 H. l! [* \- S4 e3 ]</PRE></TD></TR></TBODY></TABLE> |