About anti-SoftICE tricks

<TABLE width=500>
: o9 u/ h! v: A+ e3 n<TBODY>
: n5 Y- G" G9 z<TR>
<TD><PRE>Method 01
4 J  A- g, u6 t=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
% V) ^6 P3 S& l8 r- t/ TIt seeks the signature of BoundsChecker in SoftICE

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
9 Z! t/ U5 b( J/ Y  [! A    int     3      
% m6 p. ~0 _# M5 [7 Z% a    cmp     al,4
( s7 p8 U# {; j0 X; U    jnz     SoftICE_Detected

. {) f# s7 g& F9 X8 H___________________________________________________________________________
/ y6 S& V1 s2 k% `( I
Method 02
=========
% \# m* ^3 U" B2 \/ G( K
1 u5 U8 s; D( r$ b3 V, ?Still a method very much used (perhaps the most frequent one).  It is used
* B3 {0 T& C& `2 S5 mto get SoftICE 'Back Door commands' which gives infos on Breakpoints,
or execute SoftICE commands...
8 C& K; u6 T( X+ `( A" i) I$ sIt is also used to crash SoftICE and to force it to execute any commands
& J1 }% b8 l. u$ p9 S; T( q2 V(HBOOT...) :-((  

( Z) j# @, e5 {% E, aHere is a quick description:
" W$ a+ F; j" m3 P5 \4 v# @! G-AX = 0910h   (Display string in SIce windows)
6 a0 z# |7 D' n-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
1 ^3 c5 F8 v, T; ^* M( g) x. |/ s-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set Sice breakpoints)
6 J7 n" k0 z! a/ z! z-AX = 0914h   (Remove SIce breakoints)

* j5 J: l8 S+ U) L! tEach time you'll meet this trick, you'll see:
( V. u# g6 k% R) k$ y# N-SI = 4647h
* s% c) U; S" F-DI = 4A4Dh
Which are the 'magic values' used by SoftIce.
  ?' F3 K! [+ \For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
" y0 ~# Q* B# D# s. z: u5 |+ @" }
Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility use to protect DOS applications:


  v. p( n  e. r4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
5 F0 {) p& Q; x" ^% B# K5 X% o4C19:009A   MOV    SI,4647  ; 1st magic value.
! B6 [9 ]7 K* o# o7 t2 T/ ?: \8 W* g4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
5 B" g0 N- u+ d9 @+ w4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
% \2 m7 T$ S# _, w4C19:00A4   INC    CX
3 w2 ~" B! g: Q, w7 O4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
. q' k+ D8 f. ?$ S& r* ~0 [4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
+ R1 B+ s5 g: x9 d2 A/ j4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
4 h. `/ V0 ]6 y  M; M( Oare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
6 v- {) v2 |9 d  @, U. T2 m
; z: P; l; y) l6 O* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
8 {: a$ ?3 R( r- o+ q___________________________________________________________________________


0 G: E0 w/ J0 F: T# ~7 TMethod 03
=========
" n$ W4 x! E, z. |% ^6 {
Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
9 j0 y4 d. y# b- U' {& `7 e4 }3 I(API Get entry point)
1 N# B0 c, i# E! M2 ^5 S        
2 c4 u" E8 j  I4 Q) l5 T
    xor     di,di
8 A' W9 S+ Q$ s: S& i0 h    mov     es,di
9 j3 N% n5 z2 Y5 D$ Q1 |    mov     ax, 1684h      
/ H6 p% S3 D4 K' |1 Q: B  V    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
6 M8 G7 Y" ]/ T    mov     ax, es          ; ES:DI -&gt; VxD API entry point
' J: R" q" O- m$ c8 E9 F) g    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

7 f9 K8 V0 ~' D2 H5 W7 cMethod 04
; g. s3 Z7 J3 ?7 M8 R  x8 t=========
) L6 I+ F% w. O" A: E0 o0 o
: ]1 J& ?$ e% a1 i; `Method identical to the preceding one except that it seeks the ID of SoftICE
7 H$ L6 q8 y2 yGFX VxD.
+ P8 _1 [9 c& T2 I5 e' n* v
    xor     di,di
    mov     es,di
    mov     ax, 1684h      
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
! N0 h: I; l. ^( m: R. C    mov     ax, es          ; ES:DI -&gt; VxD API entry point
7 |* Q  N! N3 H9 g+ j) _    add     ax, di
0 h% S6 L+ d5 R: f4 m8 m    test    ax,ax
0 c  u/ D' t/ t    jnz     SoftICE_Detected
7 S8 i4 D  m5 d1 W4 w. N
__________________________________________________________________________
/ _8 t6 W" ^- q- ~1 o1 Q( C3 O& ]
- A& |$ h0 O& S0 p
% G% b, B$ [  ?Method 05
4 m1 o! E; f6 x' ?=========
! n/ y: C2 y, X
/ q/ H/ T4 I4 _/ O- \Method seeking the 'magic number' 0F386h returned (in ax) by all system
/ H1 X' \% U5 Sdebugger. It calls the int 41h, function 4Fh.
1 J$ ?, K! X) b( EThere are several alternatives.  
9 o: `6 V: n. r4 _
, K& q' _, d+ Z) W) ~2 n# YThe following one is the simplest:
3 Z: l" n# s8 i* F
0 [: m* j* l" |7 N6 d    mov     ax,4fh
    int     41h
* J( B& f0 T6 R- K3 s    cmp     ax, 0F386
! B6 c: W3 z) p- T+ `' Q( a4 l) o    jz      SoftICE_detected
1 ^5 N) D- z9 v. o2 L, \* W

Next method as well as the following one are 2 examples from Stone's
7 n' e- K& u+ k1 `1 }" E1 X4 d1 w"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
  ]$ c( |: L; t8 s    xchg    dx, es:[41h*4]
& Y5 ]1 `8 I. K& x0 ^% W1 L5 m; a    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
6 y6 Q- I: @( j$ Y2 K    jz      SoftICE_detected
3 z" W( t+ Q( z1 y. \: j" J" D
int41handler2 PROC
9 t5 `: X: N: d    iret
int41handler2 ENDP


/ J( W0 H8 R( i, j# d_________________________________________________________________________
7 |3 L5 E' O+ C) B8 o$ u

Method 06
0 @" I: F* v# n" `$ d=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
2 a- o/ e7 [, Y* k- ~    mov     cl,al
' m5 n# v& q, j8 k% X  S    iret
int41handler ENDP
+ }  [/ E# z- x

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
3 L  D" s5 M: c, ~    lea     dx, int41handler
2 Y2 N! }" D: e" z& U    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
( h2 y. _# V3 W* ^" _* t3 s    cmp     cl,al
1 k+ H& r$ S2 }4 M    jnz     SoftICE_detected
- O6 \" I- V! v" ]( Z
_________________________________________________________________________
# @% p0 l* g6 g  h0 j4 M
% g1 [; F# ~6 b2 Y9 p' W, G, \Method 07
=========

! i0 v; v& X! F* c$ Q8 SMethod of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
# s2 L- j- J# G+ Y; U    cmp     ax,0F386h
) I5 e; f0 K; g! V) U    jz      SoftICE_Detected

9 u5 ^* ]7 {8 l- \0 @- y/ o/ ?, t
=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

) p  C/ `! T% Q% J/ `* f
Method 08
2 V0 P! ]4 o2 c  w7 B=========
! y6 E& h1 @- N
1 N) w9 R- B( b$ Z. l* h1 wIt is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
* {. c/ c8 d3 v- ]& H' [: AIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
' ?: f* M3 Q$ O    mov     dx, offset New_Int_Routine
* i. r" q7 n/ U0 B0 h. A: g' J* h    int     21h
; I0 C4 X1 V0 T4 C  r5 Z
__________________________________________________________________________

Method 09
=========
% l( r! n1 o# g3 ?
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
4 `7 j( H1 u: |/ M$ t& z, [performed in ring0 (VxD or a ring3 app using the VxdCall).
* p7 c. i; a, W+ B! S4 n' W# WThe Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
% f: v* o$ d* V' ithat device if it is installed.
1 K$ @. O( o, d! Q; P
   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
+ }% k( `; |7 u3 W+ U- s* g   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
8 ?( L* F) E7 A   bpx Get_DDB if ax==0202 || ax==7a5fh

( i" Y/ r3 v4 j0 m7 M2 {: G__________________________________________________________________________
$ j1 t- R3 L2 @; u. g& U. }+ e
' g% U/ ^) b; ?5 V/ GMethod 10
=========
4 s8 O, a: S# x5 l* z  z, N
/ c7 I" t8 E7 B" R: H=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enable!!
) W! `- v" t9 K# o) ?% P, w
This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
$ s$ K$ _  a( a* r. N(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
3 A- p3 }6 C! g! E& P8 }$ Gthere are some memory breakpoints set (dr0 to dr3) simply by reading their
( i. W4 r" ]' E9 b, X+ E! _value (in ring0 only). Values can be manipulated and or changed as well
+ w) ~: b( i7 A(clearing BPMs for instance)

9 {+ d2 V7 O; I4 H$ @) Q: h__________________________________________________________________________
& ^& `) b( E& D0 z
Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
; c9 v# Z& }- q6 S! yvia www.winfiles.com. However it was first used by NuMega people to allow
, z% \: k+ U9 y8 dSymbol Loader to check if SoftICE was active or not (the code is located
- F! _3 y4 O; ]' g8 {4 qinside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
% t6 }; y  _! N% E" v( v0 j( ^3 D
Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
6 o# n# _1 f6 G+ P{
   HANDLE hFile;  
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
! U/ G. ]: B! u- H2 j2 f+ K0 z/ z                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
$ j* _8 r4 D; A0 z" D/ w2 C   if( hFile != INVALID_HANDLE_VALUE )
9 f" S( x- y# {; d3 N3 V   {
6 a  N' G4 u; ]6 R7 q' d% s8 u$ F      CloseHandle(hFile);
      return TRUE;
   }
5 ~: o- i: b! I   return FALSE;
}
! S1 m8 e' g# @; f
0 u2 p+ p! @4 `Although this trick calls the CreateFileA function, don't even expect to be
- ^3 p+ q5 w* Nable to intercept it by installing a IFS hook: it will not work, no way!
& R. a! X' v; h2 S* sIn fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
7 S) a! F) \; nand then browse the DDB list until it find the VxD and its DDB_Control_Proc
9 b$ I+ n5 B: L7 G, T. Hfield.
$ g6 Z2 @8 Q/ jIn fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
1 `4 ^3 l9 G' oIf the VxD is loaded, it will always clear eax and the Carry flag to allow
* v. \5 B% Y0 T; n% M' fits handle to be opened and then, will be detected.
: w  N# J6 }* OYou can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.
+ ]8 m; I. D: R3 r& G
6 x, w$ X: ]% A+ ~( t) ]) m) X
  00401067:  push      00402025    ; \\.\SICE
" }& Q( ~& c1 s, @* A  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091
; b+ u1 c, n8 C

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
0 F! i+ I- `5 a+ Y" ]% c9 b    *(esp-&gt;4+4)=='NTIC'
! z0 x0 o/ [+ ?6 ^* U
2 U6 K. b7 S, N1 g-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
     ;will break 3 times :-(
) C3 z/ b$ r) m/ d) P( Q
0 X# _. @$ L) t* S) z-or (a bit) faster:
" V; r7 K# k' J  t   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
0 B% h4 O$ J( s. e) h8 L     ;will break 3 times :-(
9 G" S  N0 o4 T( y
( _+ x) F, |2 s. Z% n-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

+ n0 }% Q" z0 @- Z" DNote also that some programs (like AZPR3.00) use de old 16-bit _lopen
function to do the same job:
! f& Z4 a2 q$ p8 ]6 G1 I
   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
' U9 c* X4 v& h3 I, c) J1 l# X   call    KERNEL32!_lopen
   inc     eax
  b- z  o6 O! L1 A   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

5 d9 ~# G; N* g9 e4 y2 R( `
- g& E6 ^' e9 r" d5 Y: M__________________________________________________________________________
6 ~# V4 O' b  \" w
! N  C; A6 D2 i1 M6 u2 ]* `  kMethod 12
3 C; R* b" L# w& G* k=========
* c3 M$ F& ~8 K; e* Q! b6 {) A3 e  s! x5 }0 j
" M9 L- k5 q: h# t( _This trick is similar to int41h/4fh Debugger installation check (code 05
, I0 p$ F1 P5 x1 ~% o* r2 Q) E- d&amp; 06) but very limited because it's only available for Win95/98 (not NT)
9 A' ~1 s4 a* z+ ^- o5 Gas it uses the VxDCall backdoor. This detection was found in Bleem Demo.
5 D* y7 a" Z( C1 |9 `
* M9 c2 y8 T. V# Z1 {   push  0000004fh         ; function 4fh
) J* D1 u/ R* V/ g   push  002a002ah         ; high word specifies which VxD (VWIN32)
* l, {9 ~4 J* _& R' B6 H7 H, X                           ; low word specifies which service
                             (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
. C' O' t( {5 @% `) l9 e: P' _: F   jz    SoftICE_detected
/ u: r% y+ q- L+ \- D
Here again, several ways to detect it:

    BPINT 41 if ax==4f

6 K3 R0 |2 ~, t    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
: f4 d9 a! b7 m" ]0 u1 P
2 i# u$ _2 }! M7 ~* f    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A
; L' a+ ?7 n8 @
    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

5 c2 S  C3 T" p6 v" D$ W9 bMethod 13
=========

$ n9 ]! \% \, [5 z# O- v4 h+ uNot a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by few softs which access the following registry keys (usually #2) :

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
  p  O) {. O) W\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
# @# ?2 ~1 x) l+ ^-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
1 q  E5 o" Z8 o3 _* S\App Paths\Loader32.Exe
& w# ?, R( K$ u5 A

( l! L  O6 Y1 W  z6 L* zNote that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

2 i& ^8 m$ E; oUseful breakpoint to detect it:
! a7 H0 Y+ b9 v2 f
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
7 {; Q- Y3 o2 I9 w; B' H% N4 v
  R1 x! ~; B' ^  D. R__________________________________________________________________________
& [; `7 `2 O; O. T$ I

Method 14
5 ^' i+ s! j9 v8 v=========
+ m5 H. y, |2 L' g5 Y- j5 t
; z$ [! \% V' X3 w7 v. l2 @A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
, p' Y) G7 c9 {. {( vis to determines whether a debugger is running on your system (ring0 only).
* p! L  k) g! `$ O$ k& ?5 s' o
   VMMCall Test_Debug_Installed
   je      not_installed
( x0 W) J8 q0 c, T7 Q9 a
1 z7 ?5 Q! @( x: X( N; R6 ^This service just checks a flag.
' Q' T3 \# d" A# a  K</PRE></TD></TR></TBODY></TABLE>