About anti-SoftICE tricks

<TABLE width=500>
<TBODY>
<TR>
  g# E' x2 o/ P' i<TD><PRE>Method 01
# F* A5 u0 v2 J/ G! ^=========
1 z! F, K4 E4 u- v
: P1 f/ R+ \- RThis method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE

% X0 b0 e* C9 J' [* O; I: _6 s    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3      
; K1 `5 [. f0 L" q    cmp     al,4
    jnz     SoftICE_Detected

1 c6 B4 E0 j; j3 J___________________________________________________________________________

Method 02
2 H7 S( a. N8 q) D=========

8 T8 u$ ?" y& JStill a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
2 V" W" g. k* m; n9 ]or execute SoftICE commands...
/ V: [& w8 @1 ]0 DIt is also used to crash SoftICE and to force it to execute any commands
7 I6 n7 l0 D& p4 k  O, y) J(HBOOT...) :-((  

: Q$ ?4 `8 `1 A  g& ?Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
4 x& [, G6 i) m! B( \5 Q9 @  C-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
-AX = 0912h   (Get breakpoint infos)
% E7 w5 D+ C; H5 B: ]6 O' K# F-AX = 0913h   (Set Sice breakpoints)
0 P, [" O- V! \% M7 e1 j" D/ `$ ~  w-AX = 0914h   (Remove SIce breakoints)
7 Y6 E( ?5 M4 b3 a% O  v; T1 g* p
Each time you'll meet this trick, you'll see:
! G& F  T# }7 d-SI = 4647h
-DI = 4A4Dh
6 e5 L# P7 i/ _" V; VWhich are the 'magic values' used by SoftIce.
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
1 {- M5 d8 l! _
% u) K. J# V9 d  H/ A# I4 S- g( pHere is one example from the file "Haspinst.exe" which is the dongle HASP
- L  C; L7 S; I& j* XEnvelope utility use to protect DOS applications:

$ x3 |8 s; W& `! U6 `
7 l  J" U$ H% h: F- s4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
! A% G1 H0 R/ J1 x+ y5 D) o4C19:009A   MOV    SI,4647  ; 1st magic value.
9 E- b  p4 t/ z4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
+ O6 g6 z- K# H, i4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)
. e1 v" g. s, K8 I8 |  h: p: ~
The program will execute 6 different SIce commands located at ds:dx, which
4 }" r( z; z: dare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
; k# T, A1 @* e+ J
& V) E" i% a0 ^2 A) d4 M' K* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
- O1 t, \" }$ I8 H$ d___________________________________________________________________________


Method 03
5 W9 x' }) o2 }# }=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)
: M1 G) V1 k' g: i8 n        
' z& ~8 ~; J7 H' j. {( H
    xor     di,di
5 b, K+ c) u, s    mov     es,di
    mov     ax, 1684h      
8 ]+ |1 a9 {" w6 @' `3 z' Z3 A    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
9 x7 t) z, W3 e' a+ y3 `; Z, f    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________
* ?8 }8 u/ A7 G3 d' \$ W; a
. H, g% d+ U9 LMethod 04
6 C  Z6 n% i/ P" d=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.
2 D0 O  Q$ J& A( C8 l1 I
6 ~5 g. N+ g7 I. c. n  x    xor     di,di
. a" m6 H  K, h# n$ P    mov     es,di
8 e6 {+ |: n6 J. G/ z  s    mov     ax, 1684h      
4 N- Z; h# o& c. v    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
+ D4 ~  @8 I. B, t4 C% E4 }    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
6 C& S# g. t' H6 o5 }    jnz     SoftICE_Detected
3 i, f- _' B0 O* {# D
__________________________________________________________________________
& P4 j$ T6 X, z9 W$ W
7 p- Z/ ]' O" ~2 q0 N0 P# X
Method 05
, B% |  ^: E6 A=========
2 D6 Z) Z0 G, j+ u' l) {$ h
) M. v# a- l7 G! U- iMethod seeking the 'magic number' 0F386h returned (in ax) by all system
+ m, V  x) P  q+ _debugger. It calls the int 41h, function 4Fh.
3 A* Z* {) n6 Y4 pThere are several alternatives.  

! D$ K4 n$ w( R/ r! C1 D1 UThe following one is the simplest:
2 j+ k! D* m5 A. x5 ~7 `1 S- m
* [: H. M) a! C" k& x+ G9 @    mov     ax,4fh
    int     41h
- K. Z0 n; }1 D, V. Z: W    cmp     ax, 0F386
% F7 F$ R" q6 j) t0 S* l1 {    jz      SoftICE_detected
3 T6 t& T0 a' ?: {
, m% I$ R6 y4 d6 e
Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):
$ C# Z+ U1 _2 }) x, C; y, Q
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
( Y- |& x2 b, D* I' j5 _8 c    mov     ax,4fh
: R7 N8 L; i9 v% [: ^! b' G" Q4 C    int     41h
* [/ p, ]+ {! D1 c0 D    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
8 g, ~4 i( w8 r! y5 T    iret
  P: I6 a; A; N/ L3 |int41handler2 ENDP
. f( m" f: m+ ^* m* W) B( E% ]; O3 t: u

_________________________________________________________________________
. w- p" z; X$ U# W

. w" h& w% t9 G, RMethod 06
=========
( _) s( z* Y+ ~1 S/ Q1 D; `

; P7 ^" ?& H. T- b" r; Y2nd method similar to the preceding one but more difficult to detect:


; S% Y5 O  M: v% K8 yint41handler PROC
8 h) F  \5 f. k( t    mov     cl,al
    iret
1 y9 I) J$ v' J& c" Rint41handler ENDP
6 X# m. F7 |' n, o+ F- \' m

    xor     ax,ax
    mov     es,ax
3 \: _" a$ X7 Y' ^4 [' D6 R( z    mov     bx, cs
6 r) L: H# |7 ^    lea     dx, int41handler
, U6 C0 B' m- W, m    xchg    dx, es:[41h*4]
7 f4 C  V5 ?/ H: x0 Z    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
, Z2 d- m1 O5 a: q: r# M2 }    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
1 \& x: g2 e, i/ a! i    cmp     cl,al
1 G9 ^; p# C8 ^+ `" Q8 Y    jnz     SoftICE_detected

_________________________________________________________________________
( U9 y+ D2 g5 i9 N! S- Q+ p
Method 07
2 _/ [3 G, E& s, \6 E=========
! f0 J9 f: h/ ~5 y
' a, D7 t! j: o# jMethod of detection of the WinICE handler in the int68h (V86)
6 q7 ~8 t4 Z6 S6 m7 D
    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


- @' o* ]. _7 Q. b; I8 i6 ^* ^2 ?=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:
" C  y) s: r! ]
   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________
) b7 T: I9 A! `, u7 z/ J4 W
' _4 [% E1 [# B$ u
Method 08
5 W: j. M* h& [8 W=========
! H; _) F5 B. I2 F$ T5 @3 v5 b% Q
It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
- v1 v9 Q( I& L" i& E7 s  H5 troutine.
  A# a0 [& P- t- F  YIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
% T; Z. [* Q( T5 qto the new routine to execute (hangs computer...)

9 k# g* ]# j1 I" B7 S" S1 Q    mov     ah, 25h
3 K# ]5 a% l# |    mov     al, Int_Number (01h or 03h)
8 n6 ]4 O6 x& K' E1 X% O    mov     dx, offset New_Int_Routine
6 I: ?* ~) s3 o8 w  f! l, I    int     21h

- n7 M+ K( |$ Q5 G__________________________________________________________________________

' X6 p$ C. K4 ]6 }& E) C; u* ZMethod 09
=========

This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
+ `5 m$ M6 V8 j5 R- w: C( eThe Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
# T2 p* t2 M4 t# j6 q: D- t8 k7 vthat device if it is installed.
" d+ S$ C+ }/ G; W- `; y/ E
5 l- ^9 L2 ^3 _% Z   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
% y  c- O4 }* j   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
0 G* [8 J8 }/ @5 L% E2 Y
Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

" Z3 z* Y# {8 c+ H; \Method 10
=========

9 s6 q: ], O. K% `  l# n$ M' r# U=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enable!!
- a% J( i- ^; D! T7 P! {4 B& i
' S7 L5 i9 i- l* g9 R2 e( i4 gThis trick is very efficient:
' j: E; f7 U' y! [by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
* T- X' S% c9 E9 d7 K4 uvalue (in ring0 only). Values can be manipulated and or changed as well
(clearing BPMs for instance)
# c% m& m; R& I% w! F
__________________________________________________________________________

Method 11
5 S4 {- L7 k# v( Z3 B' e! B' |- @=========

( [9 h, ~8 {+ G8 K2 mThis method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
1 Y9 I8 x; l) {- M2 E4 I  e/ r; tSymbol Loader to check if SoftICE was active or not (the code is located
+ t: I$ U' r, Y  J7 {2 Xinside nmtrans.dll).

7 m. K8 L& J9 uThe way it works is very simple:
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
7 S  v# n1 j  m) ~( W
6 `+ n2 k; q7 f6 h# F6 G! U* tHere is a sample (checking for 'SICE'):
5 C0 ]+ O- {* j2 |; q
! d% C7 \  M/ x0 J' f1 o& W3 n6 MBOOL IsSoftIce95Loaded()
# b8 p5 T# L$ A9 E{
2 l( S& M; t3 @1 z( s' ^* S   HANDLE hFile;  
4 B" S8 ^* ?" G6 e   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
  O4 U# e0 B# C6 T) G9 i! |! N- _6 h0 s                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
5 i, g% I. B; k. k) d   }
4 C( k# Q9 N/ R" t( ]5 b  x   return FALSE;
}

" b5 P3 N0 _& ~& w0 k1 c' }Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing a IFS hook: it will not work, no way!
0 R  Z! D* N" T8 m6 Y0 oIn fact, after the call to CreateFileA it will get through VWIN32 0x001F
$ y) b! p8 D( X# Y8 [! ~service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
  U+ X4 }5 \1 B5 ?4 y& |1 Q6 uand then browse the DDB list until it find the VxD and its DDB_Control_Proc
! ]# q  m3 |" C! A6 Afield.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
: C( v; s6 q& x1 X- t" uto load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
. s. f" j) Q5 Q) ?1 ~  bits handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

4 [$ P- m7 C1 B& W% a
! X# m; s: C4 r- Y* @: e  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091
6 d3 E& R+ T- j5 H
# J" o8 A& S$ _6 l7 U% M( k
There could be hundreds of BPX you could use to detect this trick.
! O4 }( h5 ]$ N& x-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
+ }4 L; |( ?' `    *(esp-&gt;4+4)=='NTIC'

) i4 v  K" x7 J" R-The most exotic ones (could be very slooooow :-(
4 o3 G) k2 m( D( R5 ]   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
" b! h' Z; J1 Y5 b5 O1 j- p  a9 P     ;will break 3 times :-(
' b+ ~* @0 {  z( D$ s8 o
/ f% {1 r+ X, Q0 a! M' i7 b4 o" j9 C1 J-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
     ;will break 3 times :-(
9 D' ^8 W9 r! \& x# L# ^
-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

+ n5 y3 z" x; iNote also that some programs (like AZPR3.00) use de old 16-bit _lopen
/ F. J' H, {/ J9 \8 D1 m0 Afunction to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
1 k& m( c) \  o( S8 w1 t   push    eax
   call    KERNEL32!_lopen
4 [( M. q8 c2 x" [& C$ V   inc     eax
0 C# R) f, {" ?  k' f7 k   jnz     00650589                  ; detected
: \% N3 C9 B; [1 N( G2 v  V- ?$ P   push    00                        ; OF_READ
" u. W- H1 W, G( I6 l2 f   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
  M, [9 L8 [2 f4 H2 Y: Y/ C) x   call    KERNEL32!_lopen
. H& l5 {8 y$ o* W- T' P+ @5 m   inc     eax
( \1 V3 G5 N" M4 ^$ t- i/ Y   jz      006505ae                  ; not detected
9 x- @, L8 H2 `8 \1 O5 T! }9 H. k
' @0 d& C" u! b3 }" [
5 M" |( v% q* _& r9 u& K: u__________________________________________________________________________
8 ]( B9 q$ ?& M& Q
Method 12
=========
1 g! l' F7 H$ A0 {3 j' A
/ d3 b: j& |9 [, ZThis trick is similar to int41h/4fh Debugger installation check (code 05
0 C. D8 o* l# b( ^, |8 w( L&amp; 06) but very limited because it's only available for Win95/98 (not NT)
: H1 }% M7 O/ t' m3 }2 fas it uses the VxDCall backdoor. This detection was found in Bleem Demo.
5 d" e1 p% M: }) p& N
   push  0000004fh         ; function 4fh
. d8 v" c% Z2 O4 C: Y, Z   push  002a002ah         ; high word specifies which VxD (VWIN32)
0 R% B: v/ o4 a' Q6 r) c( g                           ; low word specifies which service
                             (VWIN32_Int41Dispatch)
" o$ x$ V6 Z8 m# k   call  Kernel32!ORD_001  ; VxdCall
, f' G' G: Q4 k8 c$ H   cmp   ax, 0f386h        ; magic number returned by system debuggers
, j+ W; K& ?" b- I7 y   jz    SoftICE_detected

! m, G  H7 n2 D7 c. T9 `Here again, several ways to detect it:

    BPINT 41 if ax==4f

5 e8 }6 N4 n0 F9 @4 R# N% Z    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

: f+ O5 Y1 u1 @, l- |1 b% o    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A
8 k2 K! a, H9 {5 A3 j
: N! }3 }/ x% Z% M9 D& n9 Z    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

1 K: ]5 ?! U0 s2 M7 X7 W__________________________________________________________________________
8 r: K! F3 P' ]7 A
Method 13
, R  e# Y2 J1 L1 R+ [, D=========
# J$ O* X4 D6 F" ]  S, O
3 E! l4 Z; o6 S" S5 ~! y# ?Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by few softs which access the following registry keys (usually #2) :
8 x, ~: e0 e# ^  N- `' s- G
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
" V, R* s, x5 J: s0 r3 O" c-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
$ G( Q& Y; K, r* I8 r-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
5 o/ I4 z6 Q  Q\App Paths\Loader32.Exe


; G* s3 `8 S3 \$ KNote that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(
  z$ W6 b1 W$ h; w8 |( O3 B; H! j! j
Useful breakpoint to detect it:
+ Z0 E: p0 o0 f( Y$ S% m3 i
2 @" `3 J* A4 x" P/ i! u     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________

- F* a8 V: U5 S5 n( W5 k
Method 14
8 |' D  L1 R6 |7 E2 V. T/ R% K=========
" H# B# ^& t% l
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determines whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed
5 e" Z: u: E/ }) h$ W
This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>