Title: About anti-SoftICE tricks
Author: hbhdgpyz
Time: 2008-9-28 16:34

Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh   ; 'BCHK' - BoundsChecker signature
    mov ax, 04h           ; BoundsChecker subfunction 04h
    int 3                 ; SoftICE's int 3 handler answers BoundsChecker requests
    cmp al,4              ; al is still 4 when nobody answered the call
    jnz SoftICE_Detected  ; al was changed => SoftICE is loaded

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftIce.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx point to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call. (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02     ; BX+2 to point to next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h         ; VxD ID of winice
    int 2Fh
    mov ax, es            ; ES:DI -> VxD API entry point
    add ax, di            ; ES:DI stays 0000:0000 if the VxD is not loaded
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh         ; VxD ID of SIWVID
    int 2fh
    mov ax, es            ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax             ; es = 0 -> interrupt vector table (setup as in Method 06)
    mov es,ax
    mov bx, cs
    lea dx, int41handler2 ; dummy handler installed by the program (not shown here)
    xchg dx, es:[41h*4]   ; swap our handler into the int 41h vector...
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h               ; ...SoftICE still answers before the vector is reached
    xchg dx, es:[41h*4]   ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

    int41handler PROC
        mov cl,al         ; our handler simply copies al into cl
        iret
    int41handler ENDP

    xor ax,ax
    mov es,ax             ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]   ; install our handler in the int 41h vector
    xchg bx, es:[41h*4+2]
    in al, 40h            ; read the PIT counter: a hard-to-predict value
    xor cx,cx             ; cl = 0
    int 41h               ; without SoftICE, our handler runs and cl = al
    xchg dx, es:[41h*4]   ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al             ; cl != al => int 41h never reached our handler
    jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)

___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h                   ; set interrupt vector
    mov al, Int_Number            ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID    ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name  ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx        ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient: by checking the Debug Registers, you can detect
if SoftICE is loaded (dr7=0x700 if you loaded the soft with the SoftICE loader,
0x400 otherwise) or if there are some memory breakpoints set (dr0 to dr3)
simply by reading their value (in ring0 only). Values can be manipulated
and/or changed as well (clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

    #include <windows.h>

    BOOL IsSoftIce95Loaded()
    {
        HANDLE hFile;
        /* Opening the driver's device name succeeds only if the VxD is loaded */
        hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                            FILE_SHARE_READ | FILE_SHARE_WRITE,
                            NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if( hFile != INVALID_HANDLE_VALUE )
        {
            CloseHandle(hFile);
            return TRUE;
        }
        return FALSE;
    }

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025       ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:

    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(

    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')  ; will break 3 times :-(

-or (a bit) faster:

    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'        ; will break 3 times :-(

-Much faster:

    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) becomes 0
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service (VWIN32_Int41Dispatch).
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386                                        ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f       ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
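As an added example (not part of the original post), here is a small Python triage scanner that looks for static traces of the tricks listed above in a binary: the 'BCHK' constant of Method 01, the 4647h/4A4Dh magic values of Method 02, the int 2Fh/1684h query of Methods 03/04, the 0F386h magic compared in Methods 05/06/07/12, the int 68h probe, the MeltICE driver names, the 002A002Ah VxDCall constant and the registry keys of Method 13. The opcode byte encodings and the sample buffer are my own assumptions (plain x86 encodings of the instructions shown in the post), and the string matching is ASCII-only; it is a starting point for triage, not a substitute for tracing.

```python
import re
from typing import List, Tuple

# (post method number, description, byte regex). The opcode encodings are
# assumptions (standard x86 encodings of the instructions the post shows),
# not bytes quoted by the post; strings are matched ASCII-only.
INDICATORS: List[Tuple[str, str, bytes]] = [
    # Method 01: mov ebp,4243484Bh -> BD + little-endian 'BCHK'
    ("01", "BoundsChecker 'BCHK' signature (mov ebp,4243484Bh)",
     rb"\xBD\x4B\x48\x43\x42"),
    # Method 02: mov si,4647h and mov di,4A4Dh close together, either order
    ("02", "SoftICE back door magic values SI=4647h/DI=4A4Dh",
     rb"\xBE\x47\x46.{0,16}\xBF\x4D\x4A|\xBF\x4D\x4A.{0,16}\xBE\x47\x46"),
    # Methods 03/04: mov ax,1684h ... int 2Fh (VxD API entry point query)
    ("03/04", "int 2Fh/1684h VxD entry point query",
     rb"\xB8\x84\x16.{0,16}\xCD\x2F"),
    # Methods 05/06/07/12: cmp ax,0F386h (16-bit form; a 66h prefix may precede it)
    ("05/06/07/12", "cmp ax,0F386h system-debugger magic", rb"\x3D\x86\xF3"),
    # Method 07: mov ah,43h ; int 68h
    ("07", "int 68h/43h WinICE V86 handler probe", rb"\xB4\x43\xCD\x68"),
    # Method 11: MeltICE device names \\.\SICE, \\.\SIWVID, \\.\NTICE
    ("11", "MeltICE driver name", rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    # Method 12: push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    ("12", "VxDCall VWIN32_Int41Dispatch (push 002A002Ah)",
     rb"\x68\x2A\x00\x2A\x00"),
    # Method 13: registry keys #1 and #2
    ("13", "SoftICE registry key",
     rb"Software\\(?:NuMega\\SoftICE|Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE)"),
]


def scan(buf: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, method, description) for every indicator hit, sorted by offset."""
    hits = []
    for method, desc, pat in INDICATORS:
        for m in re.finditer(pat, buf, re.DOTALL):
            hits.append((m.start(), method, desc))
    return sorted(hits)


def methods_found(buf: bytes) -> List[str]:
    """Distinct post method numbers whose indicator occurs in buf."""
    return sorted({method for _, method, _ in scan(buf)})


# Constructed sample (not a real binary): a few of the post's sequences
# hand-assembled and surrounded by filler bytes.
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42\xCC"                    # mov ebp,4243484Bh ; int 3
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"    # mov ax,0911h ; mov si,4647h ; mov di,4A4Dh ; int 3
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00"                             # "\\.\SICE" as passed to CreateFileA
    + b"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00"    # push 4Fh ; push 002A002Ah
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"            # mov ax,4Fh ; int 41h ; cmp ax,0F386h
    + b"\x90" * 8
)

if __name__ == "__main__":
    for off, method, desc in scan(SAMPLE):
        print(f"{off:#06x}  method {method:<12} {desc}")
```

Run it against a raw file with scan(open(path, "rb").read()); a hit only tells you where to set a breakpoint or start reading, since constants like 0F386h can occur by chance.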