Title: About anti-SoftICE tricks
Author: hbhdgpyz   Time: 2008-9-28 16:34

Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh   ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is located at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911    ; execute command.
    4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647    ; 1st magic value.
    4C19:009D MOV DI,4A4D    ; 2nd magic value.
    4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
    4C19:00A8 JB 0095        ; 6 different commands.
    4C19:00AA JMP 0002       ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h        ; VxD ID of winice
    int 2Fh
    mov ax, es           ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh        ; VxD ID of SIWVID
    int 2fh
    mov ax, es           ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

    int41handler2 PROC
        iret
    int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

    int41handler PROC
        mov cl, al
        iret
    int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number           ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

    #include <windows.h>

    BOOL IsSoftIce95Loaded()
    {
        HANDLE hFile;

        /* "\\\\.\\SICE" is the C spelling of the device path \\.\SICE */
        hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                            FILE_SHARE_READ | FILE_SHARE_WRITE,
                            NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if( hFile != INVALID_HANDLE_VALUE )
        {
            CloseHandle(hFile);
            return TRUE;
        }
        return FALSE;
    }

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025        ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.

-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh           ; function 4fh
    push 002a002ah           ; high word specifies which VxD (VWIN32)
                             ; low word specifies which service (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001    ; VxdCall
    cmp ax, 0f386h           ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386                                          ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f         ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
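As an added example (not code from the original post), the Python scanner below does what an analyst triaging a sample for these tricks would do: it looks for the byte-level artifacts the methods above leave in a binary, the 'BCHK' constant of Method 01, the SI/DI magic values of Method 02, the 0F386h comparison shared by Methods 05/06/07/12, the MeltICE driver names of Method 11 and the registry paths of Method 13. The x86 encodings in the comments are standard; the sample buffer is constructed for the example.

```python
"""Static triage scanner for the anti-SoftICE artifacts listed above."""
import re

# (label, byte pattern). Standard x86 encodings used here:
#   BD imm32        mov ebp, imm32   -> 'BCHK' is 4B 48 43 42 little-endian
#   BE/BF imm16     mov si/di, imm16 (a 66h prefix precedes it in 32-bit code)
#   3D imm16        cmp ax, imm16    (same 66h prefix rule)
#   CC              int 3
SIGNATURES = [
    ("Method 01: BoundsChecker 'BCHK' int 3 check",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.DOTALL)),
    ("Method 02: int 3 back door, SI=4647h / DI=4A4Dh",
     re.compile(rb"(?:\x66)?\xBE\x47\x46.{0,6}?(?:\x66)?\xBF\x4D\x4A", re.DOTALL)),
    ("Method 05/06/07/12: cmp ax, 0F386h debugger magic",
     re.compile(rb"(?:\x66)?\x3D\x86\xF3")),
    ("Method 11: MeltICE driver name (ASCII)",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    ("Method 13: SoftICE registry key (ASCII)",
     re.compile(rb"Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe",
                re.IGNORECASE)),
]


def scan(blob: bytes) -> list:
    """Return [(offset, label), ...] sorted by offset for every artifact found.

    Byte signatures only: code can build the same values at run time, so a
    clean scan is evidence, not proof, that none of the tricks is present.
    """
    hits = []
    for label, pattern in SIGNATURES:
        hits.extend((m.start(), label) for m in pattern.finditer(blob))
    return sorted(hits)


# Constructed sample: fragments of the tricks above embedded in NOP/zero filler.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"              # mov ebp, 4243484Bh ; 'BCHK'
    + b"\x66\xB8\x04\x00\xCC\x3C\x04"      # mov ax, 4 / int 3 / cmp al, 4
    + b"\x90" * 4
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"      # mov si,4647h / mov di,4A4Dh / int 3
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"  # mov ax,4Fh / int 41h / cmp ax,0F386h
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00"                    # device path passed to CreateFileA
    + b"Software\\NuMega\\SoftICE\x00"      # registry path (Method 13, key #2)
)

if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print(f"{offset:#06x}  {label}")
```

Unicode (UTF-16) copies of the driver names and registry paths, as a 32-bit Windows binary would usually store them, are not matched by these ASCII patterns and need a second set of signatures.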