Title: About anti-SoftICE tricks
Author: hbhdgpyz
Posted: 2008-9-28 16:34

<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:

  -AX = 0910h (Display string in SIce window)
  -AX = 0911h (Execute SIce commands - the command is pointed to by ds:dx)
  -AX = 0912h (Get breakpoint infos)
  -AX = 0913h (Set SIce breakpoints)
  -AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:

  -SI = 4647h
  -DI = 4A4Dh

which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

  4C19:0095  MOV AX,0911     ; execute command.
  4C19:0098  MOV DX,[BX]     ; ds:dx points to the command (see below).
  4C19:009A  MOV SI,4647     ; 1st magic value.
  4C19:009D  MOV DI,4A4D     ; 2nd magic value.
  4C19:00A0  INT 3           ; Int call. (if SIce is not loaded, jmp to 00AD*)
  4C19:00A1  ADD BX,02       ; BX+2 to point to the next command to execute
  4C19:00A4  INC CX
  4C19:00A5  CMP CX,06       ; Repeat 6 times to execute
  4C19:00A8  JB 0095         ; 6 different commands.
  4C19:00AA  JMP 0002        ; Bad_Guy jmp back.
  4C19:00AD  MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)

___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...):

    mov ah, 25h
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________
Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;        /* the driver answered: SoftICE is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067:  push 00402025           ; \\.\SICE
    0040106C:  call CreateFileA
    00401071:  cmp eax,-001
    00401074:  je 00401091

There could be hundreds of BPX you could use to detect this trick.

-The most classical one is:

    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(

    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                            ; will break 3 times :-(
-or (a bit) faster:

    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                            ; will break 3 times :-(
-Much faster:

    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh Debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

  -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
       \Uninstall\SoftICE
  -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
  -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
       \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
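
The constants these checks rely on ('BCHK', the 4647h/4A4Dh magic values, the 0202h/7A5Fh VxD IDs, 0F386h, the \\.\SICE device names, the 002A002Ah VxDCall and the NuMega registry key) also make them easy to spot when auditing a binary. As an added example, not part of the original post, here is a C scanner that reports which of the methods above a byte buffer contains, run over constructed sample bytes; the rule names, sample bytes and function names are mine, and the register-load encodings are assumed to be those of the quoted 16-bit code.

```c
#include <stddef.h>
#include <string.h>
/* Added example, not from the original post: a static scanner that flags the
   byte patterns the checks above leave in a binary. Register loads are matched
   on opcode + immediate only, so 16-bit code and 32-bit code with a 66h prefix
   both hit. Rule names, sample bytes and function names are mine. */
enum {
    SIG_BCHK      = 1 << 0, /* 'BCHK' 04243484Bh, little-endian    (Method 01)     */
    SIG_BACKDOOR  = 1 << 1, /* mov si,4647h AND mov di,4A4Dh       (Method 02)     */
    SIG_VXD_ID    = 1 << 2, /* mov ax,1684h with bx=0202h/7A5Fh    (Methods 03/04) */
    SIG_F386      = 1 << 3, /* cmp ax,0F386h                       (Methods 05-07) */
    SIG_DEVNAME   = 1 << 4, /* \\.\SICE, \\.\SIWVID or \\.\NTICE   (Method 11)     */
    SIG_VXDCALL41 = 1 << 5, /* push 002A002Ah, VWIN32_Int41Dispatch (Method 12)    */
    SIG_REGKEY    = 1 << 6  /* Software\NuMega\SoftICE             (Method 13)     */
};

/* Naive byte-string search; an empty pattern never matches. */
static int found(const unsigned char *buf, size_t len, const char *pat, size_t n)
{
    for (size_t i = 0; n && i + n <= len; i++)
        if (memcmp(buf + i, pat, n) == 0) return 1;
    return 0;
}
#define HEX(s) (s), (sizeof(s) - 1)  /* raw bytes; literal may contain \x00 */
#define STR(s) (s), strlen(s)        /* text pattern without its NUL */

/* Returns a bitmask of the SIG_* rules matched anywhere in buf. */
int scan_anti_softice(const unsigned char *buf, size_t len)
{
    int m = 0;
    if (found(buf, len, HEX("\x4B\x48\x43\x42")))                       m |= SIG_BCHK;
    if (found(buf, len, HEX("\xBE\x47\x46")) && found(buf, len, HEX("\xBF\x4D\x4A")))
        m |= SIG_BACKDOOR;              /* both magic values must be present */
    if (found(buf, len, HEX("\xB8\x84\x16")) &&
        (found(buf, len, HEX("\xBB\x02\x02")) || found(buf, len, HEX("\xBB\x5F\x7A"))))
        m |= SIG_VXD_ID;
    if (found(buf, len, HEX("\x3D\x86\xF3")))                           m |= SIG_F386;
    if (found(buf, len, STR("\\\\.\\SICE")) || found(buf, len, STR("\\\\.\\SIWVID")) ||
        found(buf, len, STR("\\\\.\\NTICE")))                           m |= SIG_DEVNAME;
    if (found(buf, len, HEX("\x68\x2A\x00\x2A\x00")))                   m |= SIG_VXDCALL41;
    if (found(buf, len, STR("Software\\NuMega\\SoftICE")))              m |= SIG_REGKEY;
    return m;
}

/* Constructed sample: Method 01 as quoted above, then a Method 11 device name. */
static const unsigned char sample_m01_m11[] = {
    0x66, 0xBD, 0x4B, 0x48, 0x43, 0x42, /* mov ebp,04243484Bh ; 'BCHK'     */
    0xB8, 0x04, 0x00, 0xCC,             /* mov ax,04h ; int 3              */
    0x3C, 0x04, 0x75, 0x10,             /* cmp al,4 ; jnz SoftICE_Detected */
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0
};
/* Constructed sample: the Method 02 back-door call, then the Method 05 check. */
static const unsigned char sample_m02_m05[] = {
    0xB8, 0x11, 0x09, 0xBE, 0x47, 0x46, /* mov ax,0911h ; mov si,4647h    */
    0xBF, 0x4D, 0x4A, 0xCC,             /* mov di,4A4Dh ; int 3           */
    0xB8, 0x4F, 0x00, 0xCD, 0x41,       /* mov ax,4Fh ; int 41h           */
    0x3D, 0x86, 0xF3                    /* cmp ax,0F386h                  */
};
int scan_sample_m01_m11(void) { return scan_anti_softice(sample_m01_m11, sizeof sample_m01_m11); }
int scan_sample_m02_m05(void) { return scan_anti_softice(sample_m02_m05, sizeof sample_m02_m05); }
```

A lone mov si,4647h without its di partner, or a mov bx,0202h without the int 2Fh/1684h setup, is deliberately not reported, to keep false positives down on ordinary code.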
</PRE></TD></TR></TBODY></TABLE>