Title: About anti-SoftICE tricks    Author: hbhdgpyz    Time: 2008-9-28 16:34
<TABLE width=500>
<TBODY>
<TR><TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE: when SoftICE is
loaded, al no longer equals 4 after the int 3 returns.

    mov ebp, 04243484Bh   ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands' which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02       ; BX+2 to point to next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h         ; VxD ID of winice
    int 2Fh
    mov ax, es            ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh         ; VxD ID of SIWVID
    int 2fh
    mov ax, es            ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax                 ; es = 0 -> interrupt vector table (same setup as Method 06)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]       ; install our own int 41h handler...
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]       ; ...and restore the previous one
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov ah, 25h
    mov al, Int_Number          ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

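Each of the checks in Methods 01 to 08 compiles to a short, fixed instruction sequence (the magic immediates plus the interrupt number), so a defender can triage a DOS/Win9x binary for them statically before running it. The scanner below is an added example written for this page, not code from the original post; the byte signatures are my own encodings of the snippets above (16-bit code, a few bytes of slack allowed between instructions so interleaved junk does not break the match) and the sample buffer is constructed inline.

```python
import re

# Byte signatures for the interrupt-based checks in Methods 01 to 08 above.
# Encodings are for 16-bit code (the form the snippets are in); a few bytes
# of slack are allowed between instructions because packers pad them with
# junk.  Signatures and sample buffer are constructed for this example.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh 'BCHK' (BD 4B 48 43 42, optionally 66-prefixed)
    # followed shortly by int 3 (CC)
    "M01 BoundsChecker 'BCHK' + int 3": rb"\xbd\x4b\x48\x43\x42.{0,8}?\xcc",
    # Method 02: mov si,4647h (BE 47 46) or mov di,4A4Dh (BF 4D 4A), then int 3
    "M02 back-door magic SI/DI + int 3": rb"(?:\xbe\x47\x46|\xbf\x4d\x4a).{0,12}?\xcc",
    # Methods 03/04: mov ax,1684h (B8 84 16) and mov bx,0202h or 7A5Fh, either
    # order, then int 2Fh (CD 2F)
    "M03/04 int 2Fh/1684h VxD ID query": (
        rb"(?:\xb8\x84\x16.{0,8}?\xbb(?:\x02\x02|\x5f\x7a)"
        rb"|\xbb(?:\x02\x02|\x5f\x7a).{0,8}?\xb8\x84\x16).{0,8}?\xcd\x2f"
    ),
    # Methods 05/06: mov ax,4Fh (B8 4F 00) then int 41h (CD 41)
    "M05/06 int 41h/4Fh debugger check": rb"\xb8\x4f\x00.{0,8}?\xcd\x41",
    # Method 07: mov ah,43h (B4 43) then int 68h (CD 68)
    "M07 int 68h/AH=43h V86 check": rb"\xb4\x43.{0,8}?\xcd\x68",
    # Method 08: mov ah,25h / mov al,01h|03h (or mov ax,2501h|2503h) then int 21h
    "M08 int 21h/25h hooking int 01h/03h": (
        rb"(?:\xb4\x25.{0,8}?\xb0[\x01\x03]|\xb8[\x01\x03]\x25).{0,12}?\xcd\x21"
    ),
    # Shared tell-tale: cmp ax,0F386h (3D 86 F3), the system-debugger magic value
    "cmp ax,0F386h magic value": rb"\x3d\x86\xf3",
}
COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in SIGNATURES.items()]


def scan(code: bytes) -> list:
    """Return (offset, signature name) pairs for every match, sorted by offset."""
    hits = []
    for name, rx in COMPILED:
        for m in rx.finditer(code):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed 16-bit code buffer with one instance of each trick.
SAMPLE = bytes.fromhex(
    "90 90 "                        # filler
    "66 BD 4B 48 43 42 "            # mov ebp,4243484Bh ('BCHK')            Method 01
    "B8 04 00 CC 3C 04 75 10 "      # mov ax,4 / int 3 / cmp al,4 / jnz
    "B8 11 09 8B 17 "               # mov ax,0911h / mov dx,[bx]            Method 02
    "BE 47 46 BF 4D 4A CC "         # mov si,4647h / mov di,4A4Dh / int 3
    "33 FF 8E C7 "                  # xor di,di / mov es,di                 Method 03
    "B8 84 16 BB 02 02 CD 2F "      # mov ax,1684h / mov bx,0202h / int 2Fh
    "B8 4F 00 CD 41 3D 86 F3 "      # mov ax,4Fh / int 41h / cmp ax,0F386h  Method 05
    "B4 43 CD 68 3D 86 F3 "         # mov ah,43h / int 68h / cmp ax,0F386h  Method 07
    "B4 25 B0 01 BA 00 10 CD 21 "   # mov ah,25h / mov al,1 / mov dx,.. / int 21h  Method 08
    "C3"                            # ret
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

Run it over `open(path, "rb").read()` of the file under review. The three-byte `cmp ax,0F386h` signature fires on unrelated data now and then; treat it as corroboration for a nearby int 41h or int 68h hit rather than as a finding on its own, and expect the int 21h/25h pattern to also match legitimate DOS programs that install their own int 01h/03h handlers.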
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE Loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                                ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                                ;will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

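Methods 11, 12 and 13 leave artefacts that can be found without executing anything: the `\\.\SICE`-style device names (ASCII in Win9x-era code, often UTF-16 in NT-era code), the three registry paths, and the push 4Fh / push 002A002Ah pair in front of the VxDCall. The script below is an added example, not part of the original post; the indicator list, the method labels and the sample image bytes are all constructed for it.

```python
import re

# Indicators for the handle- and registry-based checks above (Methods 11,
# 12 and 13).  The list is constructed for this example, not a published
# rule set; extend it from the strings of whatever build you are looking at.
DEVICE_NAMES = [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"]
REGISTRY_KEYS = [
    b"Software\\NuMega\\SoftICE",
    b"CurrentVersion\\Uninstall\\SoftICE",
    b"App Paths\\Loader32.Exe",
]
# Method 12 as seen in 32-bit code: push 4Fh (6A 4F) then push 002A002Ah
# (68 2A 00 2A 00), the VWIN32_Int41Dispatch service id handed to VxDCall.
VXDCALL_INT41 = re.compile(rb"\x6a\x4f.{0,8}?\x68\x2a\x00\x2a\x00", re.DOTALL)


def _utf16(s: bytes) -> bytes:
    """Wide (UTF-16LE) form of an ASCII needle, as NT-era code stores it."""
    return s.decode("ascii").encode("utf-16-le")


def find_strings(buf: bytes, needles) -> list:
    """Return (offset, encoding, needle) for every ASCII or UTF-16LE hit.

    Device names and registry paths are case-insensitive on Windows, so
    both haystack and needle are lower-cased (ASCII only; the interleaved
    NUL bytes of the wide form are unaffected).
    """
    hay = buf.lower()
    hits = []
    for n in needles:
        for enc, pat in (("ascii", n.lower()), ("utf-16le", _utf16(n).lower())):
            start = 0
            while (i := hay.find(pat, start)) != -1:
                hits.append((i, enc, n.decode("ascii")))
                start = i + 1
    return sorted(hits)


def scan_image(buf: bytes) -> dict:
    """Group the hits by the method they point at."""
    return {
        "M11 SoftICE device name (CreateFile/_lopen)": find_strings(buf, DEVICE_NAMES),
        "M13 SoftICE registry key": find_strings(buf, REGISTRY_KEYS),
        "M12 VxDCall VWIN32_Int41Dispatch/4Fh": sorted(
            (m.start(), "code", "push 4Fh; push 002A002Ah")
            for m in VXDCALL_INT41.finditer(buf)
        ),
    }


# Constructed stand-in for a file image: a fake header, then the three
# kinds of artefact at known offsets.
SAMPLE_IMAGE = (
    b"MZ\x90\x00" + b"\x00" * 12                     # 0:  fake header
    + b"\\\\.\\SICE\x00"                              # 16: ASCII device name
    + _utf16(b"\\\\.\\NTICE") + b"\x00\x00"           # 25: wide device name
    + b"Software\\NuMega\\SoftICE\x00"               # 45: registry key #2
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00"                 # 69: push 4Fh / push 002A002Ah
    + b"\xff\x15\x00\x20\x40\x00"                     # call dword ptr [VxDCall]
)

if __name__ == "__main__":
    for method, hits in scan_image(SAMPLE_IMAGE).items():
        for off, kind, what in hits:
            print(f"{off:#08x}  {kind:8}  {method}: {what}")
```

Packed programs keep these strings encrypted until runtime, so an empty result from a static pass only means the artefacts are not in the clear; the breakpoints listed under Methods 11 to 13 remain the way to catch them once the code is unpacked in memory.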
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>