Title: About anti-SoftICE tricks
Author: hbhdgpyz    Posted: 2008-9-28 16:34

Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface built into SoftICE: with
EBP='BCHK' and AX=4, the int 3 is answered by SoftICE, which changes AL.
If AL still holds 4 afterwards, nobody answered and SoftICE is not loaded.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4                ; SoftICE alters AL when present
        jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses the
SoftICE 'back door commands', which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
        -AX = 0910h (Display string in the SIce window)
        -AX = 0911h (Execute SIce command - the command string is at ds:dx)
        -AX = 0912h (Get breakpoint infos)
        -AX = 0913h (Set SIce breakpoints)
        -AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
        -SI = 4647h     ('FG')
        -DI = 4A4Dh     ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

        4C19:0095 MOV AX,0911   ; execute command.
        4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
        4C19:009A MOV SI,4647   ; 1st magic value.
        4C19:009D MOV DI,4A4D   ; 2nd magic value.
        4C19:00A0 INT 3         ; int call (if SIce is not loaded, jmp to 00AD*)
        4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
        4C19:00A4 INC CX
        4C19:00A5 CMP CX,06     ; repeat 6 times to execute
        4C19:00A8 JB 0095       ; 6 different commands.
        4C19:00AA JMP 0002      ; Bad_Guy: jmp back.
        4C19:00AD MOV BX,SP     ; Good_Guy: go ahead :)

The program executes 6 different SIce commands, each one an ASCIZ string
pointed to by ds:dx ([BX] is a table of near pointers), which are:
LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API 'Get Device API Entry Point'). ES:DI is cleared first; if the VxD is
not installed the call leaves it at 0:0, otherwise it returns the API entry
point there.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by every system
debugger. It calls int 41h, function 4Fh (the Windows debugger installation
check).
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). Here the program temporarily replaces the
int 41h vector with its own dummy handler, so that only something which
intercepts int 41h below the vector table (as SoftICE does) can still
return the magic value:

        xor ax,ax
        mov es,ax               ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install dummy handler, save old vector
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP
_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect. AL is
loaded with a pseudo-random value (the PIT counter at port 40h) and CX is
cleared; if the installed handler really runs, CL ends up equal to AL. If
the interrupt is swallowed before reaching the handler, CL stays 0:

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; pseudo-random AL
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86), the debugger
installation check of int 68h/AH=43h:

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine  ; DS must hold its segment
        int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5f
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if some memory breakpoints are set (dr0 to dr3), simply by reading their
value (ring0 only: MOV from a debug register faults at any other privilege
level). Values can be manipulated or changed as well (clearing BPMs, for
instance).
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

        #include <windows.h>

        BOOL IsSoftIce95Loaded()
        {
            HANDLE hFile;

            hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                                FILE_SHARE_READ | FILE_SHARE_WRITE,
                                NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
            if( hFile != INVALID_HANDLE_VALUE )
            {
                CloseHandle(hFile);     /* the device exists: SoftICE is loaded */
                return TRUE;
            }
            return FALSE;
        }

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function), and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:

        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(

        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(

-or (a bit) faster:

        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:

        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected
__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall back door. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of 'tICE'
inside the key names #2 and #1):

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
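The tricks above are easy to spot statically once you know what they assemble to. The following is an added example, not part of the original text and not code from NuMega or from any of the tools named above: it encodes Methods 01-05, 07 and 12 as the byte sequences an assembler produces for them (in both the 16-bit and the 32-bit operand-size variants), adds the device-name and registry strings of Methods 11 and 13, scans a raw code image for all of them, and walks the Method 02 pointer table (the `mov dx,[bx]` / `add bx,2` loop from Haspinst.exe) to recover the command strings the sample would hand to the back door. The signature names, the sample image and its layout are constructed for the example; the opcode encodings are the standard ones.

```python
"""Static triage of the anti-SoftICE idioms described in this text.

Added example, not code from the original article: it encodes each trick as
the x86 bytes it assembles to, searches a raw code image for them, and walks
the Method 02 pointer table to recover the SoftICE commands a sample would
feed to the back door.  Signature names and the sample image are constructed
here; the opcode encodings are standard x86 (mov r16,imm16 = B8+r iw,
mov ebp,imm32 = BD id, cmp ax,imm16 = 3D iw, int n = CD ib, push imm = 6A/68).
"""
import re
import struct

# Each trick as (opcode bytes, operand size).  A 66h operand-size prefix is
# needed whenever the operand size differs from the segment's default, which
# is the only difference between the DOS/Win16 and the Win32 form of a trick.
TRICKS = {
    "bchk_int3":     [(b"\xBD\x4B\x48\x43\x42", 32),   # mov ebp,4243484Bh 'BCHK'
                      (b"\xB8\x04\x00", 16),           # mov ax,4
                      (b"\xCC", None)],                # int 3
    "backdoor_int3": [(b"\xBE\x47\x46", 16),           # mov si,4647h 'FG'
                      (b"\xBF\x4D\x4A", 16),           # mov di,4A4Dh 'JM'
                      (b"\xCC", None)],                # int 3
    "vxd_sice_2f":   [(b"\xB8\x84\x16", 16),           # mov ax,1684h
                      (b"\xBB\x02\x02", 16),           # mov bx,0202h (SICE)
                      (b"\xCD\x2F", None)],            # int 2Fh
    "vxd_siwvid_2f": [(b"\xB8\x84\x16", 16),           # mov ax,1684h
                      (b"\xBB\x5F\x7A", 16),           # mov bx,7A5Fh (SIWVID)
                      (b"\xCD\x2F", None)],            # int 2Fh
    "int41_4f":      [(b"\xB8\x4F\x00", 16),           # mov ax,4Fh
                      (b"\xCD\x41", None),             # int 41h
                      (b"\x3D\x86\xF3", 16)],          # cmp ax,0F386h
    "int68_43":      [(b"\xB4\x43", None),             # mov ah,43h
                      (b"\xCD\x68", None),             # int 68h
                      (b"\x3D\x86\xF3", 16)],          # cmp ax,0F386h
    "vxdcall_int41": [(b"\x6A\x4F", None),             # push 4Fh
                      (b"\x68\x2A\x00\x2A\x00", 32)],  # push 002A002Ah
}

# Strings carried by the MeltICE (Method 11) and registry (Method 13) probes.
STRINGS = {
    "meltice_device": re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    "registry_probe": re.compile(
        rb"NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe"),
}


def encode(insns, bits):
    """Bytes of an instruction list as they appear in a 16- or 32-bit segment."""
    out = bytearray()
    for code, opsize in insns:
        if opsize is not None and opsize != bits:
            out += b"\x66"                  # operand-size override
        out += code
    return bytes(out)


PATTERNS = [(name, f"{bits}-bit", encode(insns, bits))
            for name, insns in TRICKS.items() for bits in (16, 32)]


def scan(blob):
    """Return sorted (offset, trick, '16-bit'|'32-bit'|'string') hits."""
    hits = []
    for name, mode, pat in PATTERNS:
        i = blob.find(pat)
        while i != -1:
            hits.append((i, name, mode))
            i = blob.find(pat, i + 1)
    for name, rx in STRINGS.items():
        hits += [(m.start(), name, "string") for m in rx.finditer(blob)]
    return sorted(hits)


def backdoor_commands(seg, table_off, count):
    """Method 02: the loop does mov dx,[bx] / add bx,2, i.e. BX walks a table
    of near pointers to ASCIZ command strings handed to AX=0911h.  Read them
    out of a 16-bit segment image so LDT ... HBOOT are visible statically."""
    cmds = []
    for k in range(count):
        (ptr,) = struct.unpack_from("<H", seg, table_off + 2 * k)
        cmds.append(seg[ptr:seg.index(b"\x00", ptr)].decode("ascii"))
    return cmds


def build_sample():
    """Constructed segment image: the Haspinst.exe loop of Method 02 with its
    six-entry command table, a few other tricks in both encodings, and the
    strings a MeltICE/registry probe would carry.  Not a real binary."""
    seg = bytearray(0x80)
    loop = (b"\xB8\x11\x09"                       # mov ax,0911h (execute)
            + b"\x8B\x17"                         # mov dx,[bx]
            + encode(TRICKS["backdoor_int3"], 16)  # mov si/di magics ; int 3
            + b"\x83\xC3\x02")                    # add bx,2
    seg[0x00:len(loop)] = loop
    seg[0x10:0x1A] = encode(TRICKS["bchk_int3"], 32)       # Win32 form
    seg[0x20:0x28] = encode(TRICKS["int41_4f"], 16)
    seg[0x30:0x38] = encode(TRICKS["vxd_sice_2f"], 16)
    seg[0x38:0x3F] = encode(TRICKS["vxdcall_int41"], 32)
    off = 0x50                                    # table at 40h, strings at 50h
    for k, cmd in enumerate([b"LDT", b"IDT", b"GDT", b"TSS", b"RS", b"HBOOT"]):
        struct.pack_into("<H", seg, 0x40 + 2 * k, off)
        seg[off:off + len(cmd) + 1] = cmd + b"\x00"
        off += len(cmd) + 1
    return bytes(seg) + b"\\\\.\\SICE\x00Software\\NuMega\\SoftICE\x00"


if __name__ == "__main__":
    image = build_sample()
    for offset, name, mode in scan(image):
        print(f"{offset:04X}: {name} ({mode})")
    print("back door commands:", backdoor_commands(image, 0x40, 6))
```

Run it on a real code section by replacing build_sample() with the bytes of the section; the 16-bit/32-bit label tells you which operand-size default the matched code was assembled for, which in practice separates a DOS or Win16 stub from the Win32 part of a packer.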