Title: About anti-SoftICE tricks
Author: hbhdgpyz    Time: 2008-9-28 16:34

Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov     ebp, 04243484Bh         ; 'BCHK'
        mov     ax, 04h
        int     3
        cmp     al, 4
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on
breakpoints, or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:

-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:

-SI = 4647h
-DI = 4A4Dh

which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095  MOV  AX,0911      ; execute command.
4C19:0098  MOV  DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647      ; 1st magic value.
4C19:009D  MOV  DI,4A4D      ; 2nd magic value.
4C19:00A0  INT  3            ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1  ADD  BX,02        ; BX+2 to point to the next command to execute.
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06        ; Repeat 6 times to execute
4C19:00A8  JB   0095         ; 6 different commands.
4C19:00AA  JMP  0002         ; Bad_Guy jmp back.
4C19:00AD  MOV  BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 0202h               ; VxD ID of winice
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 7A5Fh               ; VxD ID of SIWVID
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax
        jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov     ax, 4Fh
        int     41h
        cmp     ax, 0F386h
        jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor     ax, ax
        mov     es, ax                  ; ES = 0 so es:[41h*4] is the IVT entry (as in Method 06)
        mov     bx, cs
        lea     dx, int41handler2
        xchg    dx, es:[41h*4]
        xchg    bx, es:[41h*4+2]
        mov     ax, 4Fh
        int     41h
        xchg    dx, es:[41h*4]
        xchg    bx, es:[41h*4+2]
        cmp     ax, 0F386h
        jz      SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov     cl, al
        iret
int41handler ENDP

        xor     ax, ax
        mov     es, ax
        mov     bx, cs
        lea     dx, int41handler
        xchg    dx, es:[41h*4]
        xchg    bx, es:[41h*4+2]
        in      al, 40h
        xor     cx, cx
        int     41h
        xchg    dx, es:[41h*4]
        xchg    bx, es:[41h*4+2]
        cmp     cl, al
        jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov     ah, 43h
        int     68h
        cmp     ax, 0F386h
        jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

        mov     ah, 25h
        mov     al, Int_Number          ; 01h or 03h
        mov     dx, offset New_Int_Routine
        int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov     eax, Device_ID          ; 202h for SICE or 7A5Fh for SIWVID VxD ID
        mov     edi, Device_Name        ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov     [DDB], ecx              ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient: by checking the Debug Registers, you can detect
if SoftICE is loaded (dr7=0x700 if you loaded the soft with the SoftICE
loader, 0x400 otherwise) or if there are some memory breakpoints set (dr0 to
dr3) simply by reading their value (in ring0 only). Values can be manipulated
and/or changed as well (clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple: it tries to open SoftICE driver handles
(SICE, SIWVID for Win9x, NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067:  push    00402025        ; \\.\SICE
0040106C:  call    CreateFileA
00401071:  cmp     eax,-001
00401074:  je      00401091

There could be hundreds of BPX you could use to detect this trick.

-The most classical one is:

        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( :

        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(

-or (a bit) faster:

        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:

        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push    00                      ; OF_READ
        mov     eax,[00656634]          ; '\\.\SICE',0
        push    eax
        call    KERNEL32!_lopen
        inc     eax
        jnz     00650589                ; detected
        push    00                      ; OF_READ
        mov     eax,[00656638]          ; '\\.\SICE'
        push    eax
        call    KERNEL32!_lopen
        inc     eax
        jz      006505ae                ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push    0000004Fh               ; function 4Fh
        push    002A002Ah               ; high word specifies which VxD (VWIN32)
                                        ; low word specifies which service
                                        ; (VWIN32_Int41Dispatch)
        call    Kernel32!ORD_0001       ; VxDCall
        cmp     ax, 0F386h              ; magic number returned by system debuggers
        jz      SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring0 only).

        VMMCall Test_Debug_Installed
        je      not_installed

This service just checks a flag.