<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh  ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands; ds:dx points to the command)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call. (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h        ; VxD ID of winice
    int 2Fh
    mov ax, es           ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh        ; VxD ID of SIWVID
    int 2fh
    mov ax, es           ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives. The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next variant, as well as the following method, are 2 examples from
Stone's "stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install a dummy int 41h handler
    xchg bx, es:[41h*4+2]   ; (ES is assumed to be 0, the IVT segment)
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________
Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al           ; only reached if SoftICE does not own int 41h
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h          ; random-ish value from the timer
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al           ; cl still 0 -> our handler never ran
    jnz SoftICE_detected

___________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number   ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE when the SoftICE 9x driver answers the open request. */
BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001       ; INVALID_HANDLE_VALUE
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                 ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                 ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
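An analyst-side helper, added here and not part of the original text: it scans a binary image for the byte encodings of the checks described in Methods 01 to 12 above, so you can locate the anti-SoftICE code before tracing instead of hunting for it with breakpoints. The signatures, gap tolerances and the sample blob are my own constructions from the listings on this page.

```python
import re

# Byte signatures (x86, little-endian immediates) of the SoftICE checks
# described in the methods above. "\x66?" admits the operand-size prefix so
# the 16-bit register forms also match inside 32-bit code; ".{0,N}" tolerates
# a few bytes of unrelated instructions between the key opcodes.
SIGNATURES = {
    "M01 BoundsChecker 'BCHK' + int 3":         rb"\xBD\x4B\x48\x43\x42.{0,8}\xCC",
    "M02 back door magic SI=4647h DI=4A4Dh":    rb"\x66?\xBE\x47\x46.{0,6}\x66?\xBF\x4D\x4A.{0,6}\xCC",
    "M03 int 2Fh/1684h, VxD ID 0202h (SICE)":   rb"\x66?\xB8\x84\x16.{0,6}\x66?\xBB\x02\x02.{0,6}\xCD\x2F",
    "M04 int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)": rb"\x66?\xB8\x84\x16.{0,6}\x66?\xBB\x5F\x7A.{0,6}\xCD\x2F",
    "M05 int 41h/4Fh, magic F386h":             rb"\x66?\xB8\x4F\x00.{0,6}\xCD\x41.{0,6}\x66?\x3D\x86\xF3",
    "M07 int 68h/43h, magic F386h":             rb"\xB4\x43.{0,6}\xCD\x68.{0,6}\x66?\x3D\x86\xF3",
    "M11 MeltICE device name":                  re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)",
    "M12 VxDCall VWIN32_Int41Dispatch, fn 4Fh": rb"\x6A\x4F.{0,6}\x68\x2A\x00\x2A\x00",
}


def scan(blob):
    """Return [(offset, label), ...] sorted by offset for every signature hit."""
    hits = []
    for label, pattern in SIGNATURES.items():
        for m in re.finditer(pattern, blob, re.DOTALL):
            hits.append((m.start(), label))
    return sorted(hits)


def scan_file(path):
    """Scan a file on disk (e.g. an unpacked executable) and return its hits."""
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed sample, not a real binary: Methods 01, 02, 05, 12 and 11 encoded
# as in the listings above, separated by NOP padding.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x05"   # M01 (32-bit)
    + b"\x90" * 4
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"           # M02 (Haspinst, 16-bit)
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10"                   # M05 (16-bit)
    + b"\x90" * 4
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00\x66\x3D\x86\xF3"  # M12
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"                                            # M11 device name
)

if __name__ == "__main__":
    for off, label in scan(SAMPLE):
        print(f"{off:#06x}  {label}")
```

Pure immediate-based matching, so a protector that builds the magic values at run time (e.g. via xor) will not be caught; treat a hit as a place to start reading, not as proof.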
</PRE></TD></TR></TBODY></TABLE>