About anti-SoftICE tricks

<TABLE width=500>
% d: R& Z7 ~6 P. ]9 z, e, x8 {<TBODY>
0 h0 M- ?: j+ z  r8 Q) X& G<TR>
<TD><PRE>Method 01
" E/ r+ a( ^: \! [! }8 }=========
9 w; |7 ?$ ~& l6 h, A) J/ E
7 ?4 {8 H2 |, i, |This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
$ r8 y" j0 A- m# JIt seeks the signature of BoundsChecker in SoftICE

% d* Y; V& E: x6 Z/ n4 N! N2 |    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3      
    cmp     al,4
( ~: r; e9 @- z! g    jnz     SoftICE_Detected

___________________________________________________________________________
6 K- i' B! Z$ L# k1 [, ^0 C
Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
. Z1 y& S( y: B1 Yto get SoftICE 'Back Door commands' which gives infos on Breakpoints,
or execute SoftICE commands...
+ O5 |9 n$ i3 I) BIt is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((  

' D" r0 f4 p% a/ l6 H7 FHere is a quick description:
! S2 \/ q+ R8 t! l- t# ^& s/ J-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
-AX = 0912h   (Get breakpoint infos)
! w2 S% O2 m0 G" W-AX = 0913h   (Set Sice breakpoints)
-AX = 0914h   (Remove SIce breakoints)

" M5 r3 b  y5 q7 c: \Each time you'll meet this trick, you'll see:
-SI = 4647h
6 M9 Y1 }/ A) r' o1 H! B-DI = 4A4Dh
0 ?9 @8 C" @5 G( QWhich are the 'magic values' used by SoftIce.
( R7 P+ s+ O: ]For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
: q/ v0 _* g& t! v* z) R* ?+ A
Here is one example from the file "Haspinst.exe" which is the dongle HASP
& b0 j; c+ U2 {( i1 b; k9 zEnvelope utility use to protect DOS applications:
+ T- ^/ G3 X  }7 k- G' K
6 h! H9 `- e# P3 h4 _% e
. o1 ~" F/ J5 v, e% W9 A, l& g6 `# c4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
% \' k% @* S; P7 b; n" q4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
2 k3 Y3 |( P1 q- w  q7 B, w& L  X4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
! I1 _' d* [& h1 p. t  q  n4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
9 s" B) N! g5 n2 ?2 b( r; f4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
! |$ r2 M" d$ u3 g4C19:00A8   JB     0095     ; 6 different commands.
, X8 M9 j7 ^7 ^$ O  S4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
1 Z# A0 e" S* H4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)
9 c# t2 O' m1 h
; O; J; F8 s1 x7 p# n* B6 TThe program will execute 6 different SIce commands located at ds:dx, which
% J8 K6 F+ g; h$ N4 ^" h% [0 Sare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
& [; ^; k6 d3 f: |( l; f
& y% K( O; M0 w( q* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
- v- }; ^* B  l" k& y" v___________________________________________________________________________
8 U* B/ e; V8 |/ M
+ r7 q3 z' E6 e1 Y  z# T% |  ]: d
Method 03
  k6 P& p0 Y. }=========
' d: d0 B4 ?" D7 J
Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)
) J/ s  F5 W: l# h/ D1 L. [        

    xor     di,di
    mov     es,di
- R6 n' j- u! D1 m# }- U    mov     ax, 1684h      
    mov     bx, 0202h       ; VxD ID of winice
$ n) ~. _0 E' W2 h' H    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

  U1 [( _% C& h" ~: M  G; Q/ p( Y( o___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
5 ~& C. B) c+ c# g2 e# RGFX VxD.
6 N& V( d: p9 @; a
    xor     di,di
. U6 e+ p' [, X9 i3 o6 K0 t    mov     es,di
& o+ ]: ?" l: b* J7 j" A  G    mov     ax, 1684h      
$ t( f& L/ L3 T6 |5 t/ h. i    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
/ O' D: Q- `3 ?' b    test    ax,ax
) X8 S$ v$ A% k1 S0 Y: m6 M2 y4 y5 M    jnz     SoftICE_Detected

0 N7 P+ `! |! x9 o0 B__________________________________________________________________________
. s  I! J4 Q$ I5 ~
$ |. @! p/ c: ~3 x4 Q( C
Method 05
1 }3 o4 S, b1 u) L9 H=========

& g! S* ^; y. H6 XMethod seeking the 'magic number' 0F386h returned (in ax) by all system
debugger. It calls the int 41h, function 4Fh.
There are several alternatives.  
2 t: p6 G/ S# y% v& X
( n1 y, a+ @2 U0 U6 D" MThe following one is the simplest:
2 |0 C. G% F- ^) E$ Y
    mov     ax,4fh
    int     41h
$ a% |" T4 @- u  q  E% ^8 z8 H    cmp     ax, 0F386
    jz      SoftICE_detected
# E3 o+ h& C* R5 d
  Q# C+ f  j. y3 Y9 B/ e0 Q
Next method as well as the following one are 2 examples from Stone's
6 z6 u, N, d7 ~- a0 w8 a1 p"stn-wid.zip" (www.cracking.net):

  A6 g8 Q+ K) e    mov     bx, cs
, U7 O" i, R# F0 }' `    lea     dx, int41handler2
3 j5 L: L$ o, `: X& n/ B; v    xchg    dx, es:[41h*4]
% G6 f! w  P) E* A    xchg    bx, es:[41h*4+2]
+ l) {% B8 Q9 ^2 ?    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
0 B3 B! j8 `' j) I2 Y) s    cmp     ax, 0f386h
' B8 p- v  ]/ x, s    jz      SoftICE_detected

* x# o+ j9 H% G0 i8 ?int41handler2 PROC
! a, ~( p+ b# W, {9 W    iret
int41handler2 ENDP
' e, r- \$ W0 T" m+ Y' y

_________________________________________________________________________
- x$ q" i9 E$ Q  _2 w

Method 06
" f* G2 [6 S4 b=========
7 T5 i) d* t# u; g

2nd method similar to the preceding one but more difficult to detect:


  Q3 u& U( V2 c" n% B. W  E0 o- `int41handler PROC
+ B& T, Z. @1 P3 p4 D& h    mov     cl,al
    iret
" N" H3 Q  d* Pint41handler ENDP


( n/ ~6 p6 z" v    xor     ax,ax
5 b' H: F: q# k    mov     es,ax
* i- N( _* p! Q$ z2 F* E) `2 q    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
% o- K. W+ B- p8 D# T    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
+ T+ C  `4 R! K, k    jnz     SoftICE_detected
. ^5 w" [$ d. I* D/ |
/ {/ A( t: x* R_________________________________________________________________________

Method 07
; h6 I. U+ T# v) |4 t% A=========
! L% a9 \" Q+ s- o% s" G, p0 a9 T4 I
Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
2 `0 u2 h  z8 }" c/ e/ t    int     68h
    cmp     ax,0F386h
/ u4 j: U7 b8 P. e6 k    jz      SoftICE_Detected
3 S/ a$ s% w$ a$ l

* _* v8 l! [$ g4 O6 j3 z- k=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
/ C' i5 g9 Z# v& f, _   app like this:
9 a& l# d0 y& u* b  l: s( a
4 T8 m1 E) F! `6 ^0 ]/ x1 N   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
" j2 A7 ]4 {# z6 ]0 F7 ^__________________________________________________________________________

/ S' S$ [1 Z) e: s* ]3 K! O
Method 08
# j5 C, s; A1 K3 T, U/ r=========

( X5 V, M# z$ L% ^( z: W: PIt is not a method of detection of SoftICE but a possibility to crash the
4 _/ A' {2 Y: @0 R. z: H0 xsystem by intercepting int 01h and int 03h and redirecting them to another
- A& F+ T$ `* b2 [8 broutine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

, P& F/ q1 l* g# P' s    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
( v3 h* E) e( Z/ ]- ~    int     21h
0 K5 o% T" J. q& s/ [5 G
3 N9 F: v* W* A3 S__________________________________________________________________________

Method 09
! [3 k. K) S5 W. [4 `# E=========
5 G% h  @" n3 c& Z$ o
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
7 e9 t4 N. O% Pperformed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
0 t# W/ L/ D8 S% \* ]8 [! L( F5 R7 R. Ythat device if it is installed.
9 R; e1 B9 G: M- [9 z. V, S# q
   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
4 j/ C% e  t7 R* l1 ^2 z# w$ Z
% k! n+ w: v1 Z# x3 pNote as well that you can easily detect this method with SoftICE:
3 t8 h4 P1 G1 k/ B0 G' n# b   bpx Get_DDB if ax==0202 || ax==7a5fh

5 N( h9 D: L# E0 j' w/ R__________________________________________________________________________
( w8 Y. ]) Q& S$ k! p# ^# l3 w
( w! v* H4 z4 h- n. A8 [" qMethod 10
; i* j$ F4 t: ]. T. V9 X=========
* b6 S3 D: n* W# b& }  z% N
" V  ^' e7 C  S3 e% o7 _# y=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enable!!
* R/ \3 j, t2 a! E. P
This trick is very efficient:
/ l0 y* i( V: o$ c' G+ f- tby checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
2 X: s2 M0 g; a& S, K/ J' [there are some memory breakpoints set (dr0 to dr3) simply by reading their
9 V5 Q0 _. ]3 \, v1 Svalue (in ring0 only). Values can be manipulated and or changed as well
: p0 ?8 {2 m% y  v, ^; {/ j5 {(clearing BPMs for instance)
  e# m# H/ Z' ]
__________________________________________________________________________
- u( \9 p' [0 g  X( c) \, A+ |
! y" M7 K" A6 oMethod 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
/ k5 k( C& F2 ?9 w8 q' C' X/ nvia www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
7 m, Y1 v: b/ h. vinside nmtrans.dll).
" v6 i+ p% G9 V6 n1 o  S& g
The way it works is very simple:
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
; ~- Z9 m" W- P! V+ K5 R4 ?
Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
, U( w" |8 }5 x3 c: i{
   HANDLE hFile;  
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
1 k5 _8 P0 G8 v7 i- l# q' q                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
! e0 G; {0 [* q2 R3 ~: w* d6 y   if( hFile != INVALID_HANDLE_VALUE )
   {
6 E- B/ F" p, X. o1 @      CloseHandle(hFile);
9 L; p" ?; i+ Z& F3 O3 ]( S( o      return TRUE;
   }
   return FALSE;
4 B4 O1 f4 r, s+ ^- l7 l# U}

Although this trick calls the CreateFileA function, don't even expect to be
% C. p" {8 E. [5 R, _% i( Bable to intercept it by installing a IFS hook: it will not work, no way!
: P- V( K1 g# h, I% |3 HIn fact, after the call to CreateFileA it will get through VWIN32 0x001F
; D! j. V; W5 T# z, u* tservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
: }% b$ Y8 ~: M' S% Wand then browse the DDB list until it find the VxD and its DDB_Control_Proc
field.
# I( C9 Z( U8 `3 b' hIn fact, its purpose is not to load/unload VxDs but only to send a
6 `: h7 z" d8 T7 w7 F9 s) e. a2 [W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
7 [$ n) {9 s' h( @/ H" \% ]$ bto the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
% H$ M$ l/ j. \5 U: {: ^You can check that simply by hooking Winice.exe control proc entry point
* |4 m; p9 q: m( X* Qwhile running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
9 u2 Q- x, g* j' I+ y: }  0040106C:  call      CreateFileA
  u: J4 E: P% s( M- J/ I' }  Q  00401071:  cmp       eax,-001
  00401074:  je        00401091
5 _; L9 Y7 c+ X+ K0 S# o! ~8 ?

There could be hundreds of BPX you could use to detect this trick.
" \: T1 d; u/ l, o-The most classical one is:
8 S/ B1 y1 r  D  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

1 E5 N) w- E* T/ z2 n% V% t; j" ~# H-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
     ;will break 3 times :-(

; {: `! u4 L6 h6 @-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
9 b$ h) p  M9 }; U     ;will break 3 times :-(

# F9 B, N+ Q  S$ }" B-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
* p, k5 i. v' Efunction to do the same job:
) S* k; ]$ j. r
' i3 x3 J4 R- J1 F* o3 h$ f. t   push    00                        ; OF_READ
3 Q8 X3 d+ J6 [. q   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
6 }) Z' x4 K) q8 n   call    KERNEL32!_lopen
5 ?# R6 g: g& T! f. b   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
* M( A; y. O- p   push    eax
   call    KERNEL32!_lopen
( U$ P, r7 ]3 Y6 w" a- K   inc     eax
7 ]" o  {" s+ m, j( p" Z   jz      006505ae                  ; not detected

$ W/ i7 W& `, l5 l" _$ h( q) X1 B
__________________________________________________________________________

6 V0 b3 B! m. SMethod 12
=========
5 O3 x( T8 }/ H/ u
8 r" G8 f! `/ w1 Z5 b5 j5 RThis trick is similar to int41h/4fh Debugger installation check (code 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

. p% t7 `5 {" ^; h% R0 h% k   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
5 c7 q3 a. W+ }* |" N                             (VWIN32_Int41Dispatch)
& y- ^- q% O- E9 M   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
, a5 i& O+ ?+ g3 h   jz    SoftICE_detected

* P: a( v6 U0 i; w: D, OHere again, several ways to detect it:
: W, b; v. K8 B: }0 W8 B9 Y
    BPINT 41 if ax==4f
5 V5 |* d/ `( O! P& ^. N2 S
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
: k: C  |2 K5 B( D=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
) d( Z* v- U7 w' FIt is used by few softs which access the following registry keys (usually #2) :
6 E5 g$ ?9 l' F5 C8 C, Z
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
$ \, X" E- ?9 s2 ?8 Y3 c( b\Uninstall\SoftICE
+ _. z% n0 c; O/ |$ y" s0 }-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
  `6 x0 \. Y# G+ L5 b6 i\App Paths\Loader32.Exe
& A" R+ O% J* I4 _  t* G
' q5 H' a2 O! p* n: l' I2 @0 X
) j3 T1 E/ w8 U" aNote that some nasty apps could then erase all files from SoftICE directory
' p! t7 p1 Z0 Q" k# u! P7 N(I faced that once :-(

Useful breakpoint to detect it:
9 \' q. H6 B9 `5 R# s) H+ y
8 X+ t) `! @. a7 A     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

% I$ i; z3 @* O; G/ v& O! e__________________________________________________________________________
' R! y! c, o8 h6 s  K
( {" Z* a4 ?# ?
Method 14
& x+ ^- i* j5 W6 l8 f* H=========
" E# D; f4 C* q+ W; k: F/ k  D
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determines whether a debugger is running on your system (ring0 only).

: l% M' D: ]+ ]5 c   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>