Title: About anti-SoftICE tricks
Author: hbhdgpyz   Time: 2008-9-28 16:34
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature that SoftICE answers to: with
EBP = 'BCHK' and AX = 4, SoftICE services the INT 3 and returns a different
value in AL; without SoftICE the INT 3 falls through and AL still holds 4.

    mov ebp, 04243484Bh   ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It uses
the SoftICE 'back door commands': an INT 3 with the registers below lets a
program get information on breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; ds:dx points to the command string)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE ('FG' and 'JM').
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911    ; execute command.
    4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647    ; 1st magic value.
    4C19:009D MOV DI,4A4D    ; 2nd magic value.
    4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
    4C19:00A8 JB 0095        ; 6 different commands.
    4C19:00AA JMP 0002       ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(API: Get Device API Entry Point). If the VxD is loaded, ES:DI receives
its API entry point; otherwise ES:DI is left at 0:0.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h         ; VxD ID of winice
    int 2Fh
    mov ax, es            ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh         ; VxD ID of SIWVID
    int 2fh
    mov ax, es            ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one (Method 06), are 2 examples from
Stone's "stn-wid.zip" (www.cracking.net). The int 41h vector is first swapped
for a do-nothing handler (iret), so the 0F386h answer cannot come from a
handler installed in the real-mode vector table: only a debugger that takes
the interrupt before the vector is consulted, as SoftICE does, can return it.

    xor ax,ax
    mov es,ax              ; ES -> interrupt vector table (as in Method 06)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]    ; install temporary handler, keep old vector in DX:BX
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]    ; restore old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

    int41handler2 PROC
        iret
    int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect, since
it neither calls function 4Fh nor compares against 0F386h. It reads the timer
port 40h into AL, clears CX and raises int 41h through the temporary handler,
which copies AL into CL. If the handler ran, CL == AL; if a debugger took the
interrupt first, the copy never happened and CL is still 0:

    int41handler PROC
        mov cl,al
        iret
    int41handler ENDP

    xor ax,ax
    mov es,ax              ; ES -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]    ; install temporary handler, keep old vector in DX:BX
    xchg bx, es:[41h*4+2]
    in al, 40h             ; unpredictable byte from the PIT counter
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]    ; restore old vector
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

Caveat: when the byte read from port 40h happens to be 0, CL equals AL even
if the handler never ran, so the check then gives a false negative.

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system
by intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 35h and 25h (get/set interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov ah, 25h                     ; set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; ds:dx -> new handler
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ecx)
if it is installed.

    mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
and whether memory breakpoints are set (dr0 to dr3), simply by reading their
values (ring0 only: MOV from a debug register is a privileged instruction).
Values can be manipulated or changed as well (clearing BPMs, for instance).

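The two DR7 values quoted above decode as follows: 0x400 is bit 10, which is
reserved and always reads as 1, and 0x700 adds LE and GE (bits 8 and 9), the
local/global exact-breakpoint enables. The C program below is an added example,
not code from the original page: it decodes a DR7 value into the four DR0..DR3
slots, reports the loader signature, and shows the clearing a protection can
do. The sample values are constructed; reading DR7 itself (a ring-0 MOV) is
outside what it does.

```c
/* Added example (not from the original text). Decodes the DR7 values the
 * Method 10 check reads. Bit layout per the Intel SDM:
 *   bits 0..7    L0,G0 .. L3,G3  local/global enable of DR0..DR3
 *   bits 8,9     LE, GE          local/global exact breakpoint enable
 *   bit 10       reserved, always reads as 1
 *   bits 16..31  R/Wn (2 bits) and LENn (2 bits) for each slot n
 * Reading DR7 itself (mov eax, dr7) is privileged and is not done here. */
#include <stdint.h>
#include <stdio.h>

#define DR7_LE       (1u << 8)
#define DR7_GE       (1u << 9)
#define DR7_RESERVED (1u << 10)

struct hw_bp {
    int enabled;   /* Ln or Gn set                          */
    int global;    /* Gn set                                */
    int rw;        /* 0 exec, 1 write, 2 I/O, 3 read/write  */
    int len;       /* 1, 2, 4 or 8 bytes                    */
};

/* Fields of slot 0..3 of a DR7 value. */
struct hw_bp dr7_slot(uint32_t dr7, int slot)
{
    static const int len_tab[4] = { 1, 2, 8, 4 };   /* LENn: 00,01,10,11 */
    struct hw_bp bp;
    uint32_t l = (dr7 >> (2 * slot)) & 1u;
    uint32_t g = (dr7 >> (2 * slot + 1)) & 1u;
    bp.enabled = (l | g) != 0;
    bp.global  = g != 0;
    bp.rw      = (int)((dr7 >> (16 + 4 * slot)) & 3u);
    bp.len     = len_tab[(dr7 >> (18 + 4 * slot)) & 3u];
    return bp;
}

/* Number of DR0..DR3 slots armed: what "are there BPMs set" boils down to. */
int dr7_armed_count(uint32_t dr7)
{
    int n = 0;
    for (int i = 0; i < 4; i++)
        n += dr7_slot(dr7, i).enabled;
    return n;
}

/* 0x400 is the reserved bit alone; 0x700 is reserved + LE + GE, the value the
 * text reports when the target was started through the SoftICE loader. */
int dr7_has_exact_enable(uint32_t dr7)
{
    return (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE);
}

/* Arm one slot the way a debugger does (used here to build sample values). */
uint32_t dr7_arm(uint32_t dr7, int slot, int global, int rw, int len_code)
{
    dr7 |= 1u << (2 * slot + (global ? 1 : 0));
    dr7 &= ~(0xFu << (16 + 4 * slot));
    dr7 |= ((uint32_t)rw & 3u) << (16 + 4 * slot);
    dr7 |= ((uint32_t)len_code & 3u) << (18 + 4 * slot);
    return dr7 | DR7_RESERVED;
}

/* What a protection does to kill BPMs: wipe every enable and R/W/LEN field,
 * keep bits 8..15 so the register stays architecturally valid. */
uint32_t dr7_clear_bpms(uint32_t dr7)
{
    return (dr7 & 0x0000FF00u) | DR7_RESERVED;
}

int main(void)
{
    /* Constructed samples: the two loader signatures from the text, plus one
     * with a 4-byte read/write BPM in DR0 and a global 1-byte write BPM in DR2. */
    uint32_t samples[3] = { 0x400u, 0x700u, 0u };
    samples[2] = dr7_arm(dr7_arm(0x700u, 0, 0, 3, 3), 2, 1, 1, 0);

    for (int s = 0; s < 3; s++) {
        printf("DR7=%08X loader-signature=%d armed=%d cleared=%08X\n",
               (unsigned)samples[s], dr7_has_exact_enable(samples[s]),
               dr7_armed_count(samples[s]), (unsigned)dr7_clear_bpms(samples[s]));
        for (int i = 0; i < 4; i++) {
            struct hw_bp bp = dr7_slot(samples[s], i);
            if (bp.enabled)
                printf("  DR%d %s rw=%d len=%d\n", i,
                       bp.global ? "global" : "local", bp.rw, bp.len);
        }
    }
    return 0;
}
```

Build with `cc -std=c99 dr7.c && ./a.out`. The third sample decodes to two
armed slots (DR0 local read/write 4 bytes, DR2 global write 1 byte) and
clears back to 0x700, which is exactly what a BPM-killing protection leaves
behind while keeping the loader signature intact.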
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver devices (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

    #include <windows.h>

    /* TRUE when the SICE device can be opened, i.e. the Win9x SoftICE VxD
     * is loaded. "\\\\.\\SIWVID" and "\\\\.\\NTICE" are checked the same way. */
    BOOL IsSoftIce95Loaded(void)
    {
        HANDLE hFile;

        hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                            FILE_SHARE_READ | FILE_SHARE_WRITE,
                            NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if (hFile != INVALID_HANDLE_VALUE)
        {
            CloseHandle(hFile);
            return TRUE;
        }
        return FALSE;
    }

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
(_VWIN32_ReleaseWin32Mutex, via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job (_lopen returns HFILE_ERROR, -1, when the open
fails, so INC EAX leaves zero only when the device could not be opened):

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386    ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of 'tICE' in
the sub-key strings of #2 and #1 respectively):

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
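The conditional breakpoints given for Method 11 and Method 13 both compare one
dword of an argument string against a four-character constant. The C program
below is an added example, not code from the original page: it implements
those same comparisons as predicates (the kind of test a user-mode
CreateFileA/_lopen or RegOpenKey hook would run), with the offsets 0x13 and
0x37 checked against the actual key names, and adds a wider case-insensitive
check that also catches key #3, which the fixed-offset breakpoint misses. All
sample strings are constructed.

```c
/* Added example (not from the original text). The string tests that the
 * SoftICE conditional breakpoints for Method 11 and Method 13 perform,
 * written as C predicates for a user-mode hook or a log filter.
 * All sample strings below are constructed for the demo. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* SoftICE compares 'SICE' against the dword as it lies in memory, i.e. the
 * bytes S,I,C,E in address order. Build the constant the same way; a C
 * multi-character literal 'SICE' has an implementation-defined value and is
 * usually byte-swapped relative to memory on x86. */
static uint32_t tag4(const char *s)
{
    uint32_t v;
    memcpy(&v, s, 4);
    return v;
}

/* Dword at byte offset off of a NUL-terminated string, or 0 when the string
 * is too short: a BPX happily reads past the end, a hook must not. */
static uint32_t dword_at(const char *s, size_t off)
{
    if (strlen(s) < off + 4)
        return 0;
    return tag4(s + off);
}

/* Method 11:  BPX CreateFileA if *(esp->4+4)=='SICE' || 'SIWV' || 'NTIC'
 * esp->4 is lpFileName; +4 skips the "\\.\" device prefix. The same test
 * covers the _lopen variant, whose first argument is the same string. */
int is_softice_device_open(const char *lpFileName)
{
    if (strncmp(lpFileName, "\\\\.\\", 4) != 0)
        return 0;
    uint32_t t = dword_at(lpFileName, 4);
    return t == tag4("SICE") || t == tag4("SIWV") || t == tag4("NTIC");
}

/* Method 13:  BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 * esp->8 is lpSubKey. 0x13 is where "tICE" sits in "Software\NuMega\SoftICE",
 * 0x37 where it sits in
 * "Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE". */
int is_softice_regkey_open(const char *lpSubKey)
{
    uint32_t want = tag4("tICE");
    return dword_at(lpSubKey, 0x13) == want || dword_at(lpSubKey, 0x37) == want;
}

/* The fixed-offset test misses key #3 (App Paths\Loader32.Exe) and any
 * differently cased spelling, since registry paths are case-insensitive.
 * A hook that is not limited to one dword can do a broader check. */
static int contains_nocase(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n)
            return 1;
    }
    return 0;
}

int is_softice_regkey_open_wide(const char *lpSubKey)
{
    return contains_nocase(lpSubKey, "\\SoftICE") ||
           contains_nocase(lpSubKey, "\\NuMega\\") ||
           contains_nocase(lpSubKey, "Loader32.Exe");
}

int main(void)
{
    static const char *files[] = {          /* constructed CreateFileA args */
        "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE",
        "\\\\.\\PhysicalDrive0", "C:\\SICE", "\\\\.\\SIC"
    };
    static const char *keys[] = {           /* constructed RegOpenKey args */
        "Software\\NuMega\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",
        "software\\numega\\softice",
        "Software\\Microsoft\\Windows\\CurrentVersion\\Run"
    };
    for (size_t i = 0; i < sizeof files / sizeof files[0]; i++)
        printf("CreateFileA(%-22s) -> %d\n", files[i], is_softice_device_open(files[i]));
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++)
        printf("RegOpenKey(%s) -> bpx=%d wide=%d\n", keys[i],
               is_softice_regkey_open(keys[i]), is_softice_regkey_open_wide(keys[i]));
    return 0;
}
```

Build with `cc -std=c99 sice_bpx.c && ./a.out`. Two things the run makes
visible: the breakpoint condition accepts anything that merely starts with
the four bytes (SIWVID matches 'SIWV' by design, but so would any other
device named SIWV...), and the lower-cased key name slips past the
fixed-offset test while the wide check still catches it.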
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>