Title: About anti-SoftICE tricks
Author: hbhdgpyz
Time: 2008-9-28 16:34
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown Interrupt list", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx point to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02     ; BX+2 to point to next command to execute
4C19:00A4 INC CX        ;
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point)

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        ; note: ES is assumed to point at the IVT (segment 0), as set up
        ; explicitly in method 06 below
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
app like this:

BPX exec_int if ax==68
(function called is located at byte ptr [ebp+1Dh] and client eip is
located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)
__________________________________________________________________________

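A decoder for the DR7 values this method reads, added here as an example (not code from the original post). It uses Intel's documented DR7 layout (L0..G3 enable bits 0-7, LE bit 8, GE bit 9, bit 10 always set, R/W and LEN fields from bit 16) to show what the 0x400 and 0x700 values above actually mean and how a set memory breakpoint changes them.

```python
"""Decode DR7 into the fields that matter for the check described in
method 10. Added example; the bit layout is the architectural DR7 layout."""

RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN encoding 10b means 8 bytes (64-bit only)


def decode_dr7(dr7):
    """Return the LE/GE flags and every enabled hardware breakpoint slot."""
    slots = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)        # Ln enable bit
        glob = bool((dr7 >> (2 * n + 1)) & 1)     # Gn enable bit
        if local or glob:
            slots.append({
                "slot": n, "local": local, "global": glob,
                "kind": RW_NAMES[(dr7 >> (16 + 4 * n)) & 3],   # R/Wn field
                "len": LEN_BYTES[(dr7 >> (18 + 4 * n)) & 3],   # LENn field
            })
    return {"le": bool(dr7 & 0x100), "ge": bool(dr7 & 0x200), "slots": slots}


def classify_dr7(dr7):
    """Map a raw DR7 to the three situations the text distinguishes."""
    info = decode_dr7(dr7)
    if info["slots"]:
        return "memory breakpoints set (dr0-dr3 in use)"
    if info["le"] and info["ge"]:
        return "0x700 pattern: LE|GE set, loaded through the SoftICE loader"
    return "0x400 pattern: only the always-set bit 10, no debug registers in use"


if __name__ == "__main__":
    for value in (0x400, 0x700, 0x400 | 0x1 | (1 << 16) | (3 << 18)):
        print(f"dr7={value:#07x}: {classify_dr7(value)}  {decode_dr7(value)['slots']}")
```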
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
        HANDLE hFile;
        hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if( hFile != INVALID_HANDLE_VALUE )
        {
                CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
                return TRUE;
        }
        return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025         ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
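A static triage helper covering the tricks above (methods 01-05, 07, 11, 12 and 13), added here as an example and not code from the original post. It scans a byte blob for the instruction encodings and strings those tricks leave behind, so an analyst can locate them in a sample before single-stepping it; the sample blob and the call-thunk address inside it are constructed placeholders.

```python
"""Scan a binary blob for the anti-SoftICE signatures described above.
Added example; the byte patterns are the x86 encodings of the listed code."""
import re

# (label, byte regex). The 32-bit forms of the 16-bit moves/compares carry a
# 66h operand-size prefix in front of the same bytes, so matching the
# unprefixed substring covers both; '.{0,8}' tolerates a few interleaved bytes.
SIGNATURES = [
    ("M01 'BCHK' magic: mov ebp,4243484Bh", rb"\xBD\x4B\x48\x43\x42"),
    ("M02 back door: mov si,4647h ... mov di,4A4Dh", rb"\xBE\x47\x46.{0,8}\xBF\x4D\x4A"),
    ("M03 int 2Fh/1684h, SICE VxD id: mov bx,0202h", rb"\xBB\x02\x02.{0,8}\xCD\x2F"),
    ("M04 int 2Fh/1684h, SIWVID VxD id: mov bx,7A5Fh", rb"\xBB\x5F\x7A.{0,8}\xCD\x2F"),
    ("M05 mov ax,4Fh / int 41h", rb"\xB8\x4F\x00\xCD\x41"),
    ("M05/07/12 cmp ax,0F386h (debugger magic)", rb"\x3D\x86\xF3"),
    ("M07 mov ah,43h / int 68h", rb"\xB4\x43\xCD\x68"),
    ("M11 MeltICE device name", rb"(?i)\\\\\.\\(SICE|SIWVID|NTICE)\x00"),
    ("M12 VxDCall VWIN32_Int41Dispatch: push 4Fh / push 2A002Ah",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    ("M13 NuMega registry key", rb"(?i)software\\numega\\softice"),
]


def scan(blob):
    """Return (offset, label) pairs, sorted by offset, for every signature hit."""
    hits = []
    for label, pattern in SIGNATURES:
        for m in re.finditer(pattern, blob, re.DOTALL):
            hits.append((m.start(), label))
    return sorted(hits)


# Constructed sample: padding around planted copies of a few of the tricks.
SAMPLE = (
    b"\x90" * 16
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC"   # M01: mov ebp,'BCHK'; mov ax,4; int 3
    + b"\x90" * 5
    + b"\x66\xBE\x47\x46\x66\xBF\x4D\x4A\xCC"       # M02: mov si,4647h; mov di,4A4Dh; int 3
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00"                           # M11: "\\.\SICE" device name
    + b"\x90" * 4
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"               # M12: push 4Fh; push 2A002Ah
    + b"\xFF\x15\x00\x00\x00\x00"                   # call [thunk], placeholder address
    + b"\x66\x3D\x86\xF3"                           # cmp ax,0F386h
)

if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print(f"{offset:#06x}  {label}")
```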
</PRE></TD></TR></TBODY></TABLE>