Title: About anti-SoftICE tricks
Author: hbhdgpyz   Time: 2008-9-28 16:34
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh   ; 'BCHK': BoundsChecker's signature
    mov ax, 04h
    int 3                 ; SoftICE handles this int 3 itself...
    cmp al, 4             ; ...and returns with AL changed
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a very common method (perhaps the most frequent one). It is used
to call the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP     ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get VxD entry point"):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h         ; VxD ID of WINICE
    int 2Fh
    mov ax, es            ; ES:DI -> VxD API entry point
    add ax, di            ; (still 0:0 if the VxD is not installed)
    test ax, ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh         ; VxD ID of SIWVID
    int 2Fh
    mov ax, es            ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; es = 0 (interrupt vector table) is assumed here
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]   ; install our own int 41h handler...
    xchg bx, es:[41h*4+2] ; ...and keep the old vector in bx:dx
    mov ax, 4Fh
    int 41h               ; SoftICE traps the int before the vector is used
    xchg dx, es:[41h*4]   ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret                  ; reached only if no debugger answered: AX stays 4Fh
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al            ; only runs if the int reached the real-mode vector
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax            ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]   ; install our handler, save the old vector
    xchg bx, es:[41h*4+2]
    in al, 40h            ; read a timer byte into al (varying value)
    xor cx, cx
    int 41h               ; our handler copies al into cl...
    xchg dx, es:[41h*4]   ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl, al            ; ...unless a debugger swallowed the interrupt
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a
32-bit app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...):

    mov ah, 25h           ; DOS: set interrupt vector
    mov al, Int_Number    ; 01h or 03h
    mov dx, offset New_Int_Routine   ; ds:dx = new handler
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID    ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name  ; only used if there is no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx        ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3), simply by reading
their value (in ring 0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;      /* the driver answered the open: SoftICE is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
(_VWIN32_ReleaseWin32Mutex, via Kernel32!ORD_0001/VxDCall) and then browses
the DDB list until it finds the VxD and its DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and is then detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025       ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001        ; INVALID_HANDLE_VALUE?
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:

    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):

    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:

    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:

    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                  ; HFILE_ERROR (-1) becomes 0
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall back door. This detection was found in the Bleem demo.

    push 0000004Fh           ; function 4Fh
    push 002A002Ah           ; high word specifies which VxD (VWIN32),
                             ; low word specifies which service
                             ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001   ; VxDCall
    cmp ax, 0F386h           ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-( ).

Useful breakpoint to detect it (offsets 0x13 and 0x37 are where 'tICE' sits
in subkeys #2 and #1):

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
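
The instruction sequences and strings used by methods 01-05, 07, 11, 12 and
13 are stable enough to serve as static signatures when triaging a packed
binary. The scanner below is an added example, not code from the original
article nor from any of the packers or tools it names: it encodes those
sequences as byte patterns (16-bit opcode encodings, with an optional 66h
prefix for the same instruction in a 32-bit code segment) and reports where
they occur in a raw image. The method labels, the description strings and
the sample buffer at the bottom (hand-assembled from the listings above, not
taken from a real file) are this example's own.

```python
"""Static scanner for the anti-SoftICE code patterns listed in the article.

Added example, not part of the original article.  Each signature is a
regex over raw bytes; '.{0,N}?' tolerates a few unrelated instructions
between the parts of a sequence.
"""
import re

# (method number in the article, description, compiled regex over raw bytes)
SIGNATURES = [
    ("01", "BoundsChecker probe: mov ebp,'BCHK' / mov ax,4 / int 3",
     re.compile(rb"\x66?\xBD\x4B\x48\x43\x42.{0,8}?\x66?\xB8\x04\x00\xCC", re.S)),
    ("02", "back door magic: mov si,4647h / mov di,4A4Dh ... int 3",
     re.compile(rb"\x66?\xBE\x47\x46\x66?\xBF\x4D\x4A.{0,16}?\xCC", re.S)),
    ("03", "int 2Fh/1684h with bx=0202h (WINICE VxD)",
     re.compile(rb"\xB8\x84\x16.{0,8}?\xBB\x02\x02.{0,8}?\xCD\x2F", re.S)),
    ("04", "int 2Fh/1684h with bx=7A5Fh (SIWVID VxD)",
     re.compile(rb"\xB8\x84\x16.{0,8}?\xBB\x5F\x7A.{0,8}?\xCD\x2F", re.S)),
    ("05", "int 41h function 4Fh",
     re.compile(rb"\xB8\x4F\x00.{0,8}?\xCD\x41", re.S)),
    ("07", "int 68h function 43h",
     re.compile(rb"\xB4\x43.{0,8}?\xCD\x68", re.S)),
    ("05/07/12", "cmp ax,0F386h (system debugger magic value)",
     re.compile(rb"\x3D\x86\xF3")),
    ("11", "MeltICE device name \\\\.\\SICE, \\\\.\\SIWVID or \\\\.\\NTICE",
     re.compile(rb"\\\\\.\\(SICE|SIWVID|NTICE)\x00")),
    ("12", "VxDCall VWIN32_Int41Dispatch: push 4Fh / push 002A002Ah",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    ("13", "SoftICE registry key",
     re.compile(rb"NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe",
                re.I)),
]


def scan(image):
    """Return [(offset, method, description)] for every signature hit, sorted by offset."""
    hits = []
    for method, desc, rx in SIGNATURES:
        for m in rx.finditer(image):
            hits.append((m.start(), method, desc))
    return sorted(hits)


def methods_found(image):
    """Distinct article method numbers whose signature appears in the image."""
    return sorted({method for _, method, _ in scan(image)})


# Constructed sample: the article's listings assembled by hand with NOP
# filler in between.  Not taken from any real binary.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # method 01
    + b"\x90" * 3
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"      # method 02 (Haspinst loop body)
    + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"      # method 03
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x02"              # method 05 + magic compare
    + b"\xB4\x43\xCD\x68\x3D\x86\xF3"                          # method 07 + magic compare
    + b"\\\\.\\SICE\x00"                                       # method 11
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                          # method 12
    + b"Software\\NuMega\\SoftICE\x00"                         # method 13
)

if __name__ == "__main__":
    for off, method, desc in scan(SAMPLE):
        print(f"{off:06X}  method {method:<8} {desc}")
```

Run it on a raw section dump (or the unpacked image) rather than on the
packed file as shipped: the patterns only exist in clear once the packer's
own layer has been removed, and a hit on the 0F386h compare alone is a
lead, not a verdict, since the same constant is returned for any system
debugger, not only SoftICE.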

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

    VMMCall Test_Debug_Installed
    je not_installed         ; zero flag set = no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>