Title: About anti-SoftICE tricks
Author: hbhdgpyz
Time: 2008-9-28 16:34
<TABLE width=500><TBODY><TR><TD><PRE>
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh   ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands... It is also used to crash SoftICE and to
force it to execute any commands (HBOOT...) :-((

Here is a quick description:
 - AX = 0910h (Display string in SIce windows)
 - AX = 0911h (Execute SIce commands; the command is pointed to by ds:dx)
 - AX = 0912h (Get breakpoint info)
 - AX = 0913h (Set SIce breakpoints)
 - AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
 - SI = 4647h
 - DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911    ; execute command.
    4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647    ; 1st magic value.
    4C19:009D MOV DI,4A4D    ; 2nd magic value.
    4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
    4C19:00A8 JB 0095        ; 6 different commands.
    4C19:00AA JMP 0002       ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________
Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h          ; VxD ID of WinICE
    int 2Fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh          ; VxD ID of SIWVID
    int 2Fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh. There are several alternatives.
The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_Detected

The next method as well as the following one are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]    ; es is assumed to point to the IVT (segment 0)
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]    ; restore the original int 41h vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_Detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________
Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_Detected

___________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________
Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine. It calls int 21h functions 25h and 35h (set/get int vector), and
ds:dx points to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number         ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID     ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient: by checking the Debug Registers, you can detect
if SoftICE is loaded (dr7=0x700 if you loaded the soft with the SoftICE loader,
0x400 otherwise) or if there are some memory breakpoints set (dr0 to dr3),
simply by reading their value (in ring0 only). Values can be manipulated
and/or changed as well (clearing BPMs for instance).

___________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

    BOOL IsSoftIce95Loaded()
    {
        HANDLE hFile;
        hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                           FILE_SHARE_READ | FILE_SHARE_WRITE,
                           NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if (hFile != INVALID_HANDLE_VALUE)
        {
            CloseHandle(hFile);
            return TRUE;
        }
        return FALSE;
    }

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field. In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025       ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
- The most classical one is:

    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'

- The most exotic ones (could be very slooooow :-(

    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')   ; will break 3 times :-(

  or (a bit) faster:

    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'          ; will break 3 times :-(

- Much faster:

    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

___________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (codes 05
& 06) but very limited, because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004Fh          ; function 4Fh
    push 002A002Ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp ax, 0F386h          ; magic number returned by system debuggers
    jz SoftICE_Detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386                                     ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f    ; slooooow!

___________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

 - #1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
 - #2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 - #3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
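As an added example (not part of the original post), here is a small Python scanner that looks for the byte encodings of the instruction sequences and strings described in Methods 01, 02, 03/04, 05, 07, 11, 12 and 13 above, so an analyst can flag which of these tricks a sample carries before stepping through it. The x86 encodings are the standard ones; the names SIGNATURES, scan and SAMPLE are mine, and the sample bytes are constructed, not taken from any real file.

```python
"""Flag anti-SoftICE patterns (from the post above) in a raw binary.

Added example, not from the original post. Standard x86 encodings used:
mov ebp,imm32 = BD; mov ax/bx/si/di,imm16 = B8/BB/BE/BF; mov ah,imm8 = B4;
push imm8 = 6A; push imm32 = 68; int n = CD nn; int 3 = CC; cmp ax,imm16 = 3D.
"""
import re

# Keyed by the post's method number. Bounded lazy gaps (.{0,n}?) allow a few
# unrelated instructions between the constants the post singles out.
SIGNATURES = {
    "M01 BoundsChecker 'BCHK' check (mov ebp,4243484Bh ... int 3)":
        re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.S),
    "M02 SoftICE back door (mov si,4647h; mov di,4A4Dh; int 3)":
        re.compile(rb"\xBE\x47\x46.{0,4}?\xBF\x4D\x4A.{0,4}?\xCC", re.S),
    "M03 int 2Fh/1684h with SICE VxD ID 0202h":
        re.compile(rb"\xB8\x84\x16.{0,6}?\xBB\x02\x02.{0,6}?\xCD\x2F", re.S),
    "M04 int 2Fh/1684h with SIWVID VxD ID 7A5Fh":
        re.compile(rb"\xB8\x84\x16.{0,6}?\xBB\x5F\x7A.{0,6}?\xCD\x2F", re.S),
    "M05 int 41h/4Fh then cmp ax,0F386h":
        re.compile(rb"\xB8\x4F\x00\xCD\x41.{0,12}?\x3D\x86\xF3", re.S),
    "M07 int 68h/43h WinICE handler check":
        re.compile(rb"\xB4\x43\xCD\x68"),
    "M11 MeltICE device name (\\\\.\\SICE, SIWVID or NTICE)":
        re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    "M12 VxDCall VWIN32_Int41Dispatch (push 4Fh; push 002A002Ah)":
        re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    "M13 SoftICE registry key":
        re.compile(rb"Software\\NuMega\\SoftICE"),
}


def scan(blob):
    """Return sorted (offset, description) hits for every signature in blob."""
    hits = []
    for name, pat in SIGNATURES.items():
        hits.extend((m.start(), name) for m in pat.finditer(blob))
    return sorted(hits)


# Constructed sample: NOP filler around four of the sequences from the post.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC"   # M01: mov ebp,'BCHK'; mov ax,4; int 3
    + b"\x90" * 3
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"           # M03: mov ax,1684h; mov bx,0202h; int 2Fh
    + b"\x00\\\\.\\SICE\x00"                         # M11: CreateFile device name
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                # M12: push 4Fh; push 002A002Ah
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

Run it on a real file with scan(open(path, "rb").read()); a hit only says the constants are present, so confirm in a disassembler that they sit in reachable code.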