About anti-SoftICE tricks

<TABLE width=500>
/ |( s/ m! J0 L3 P2 s1 f, `( D# P) a" ~<TBODY>
<TR>
<TD><PRE>Method 01
( Z* z8 Y3 a* s# L3 J/ E5 |! R+ `: Y=========
% a( O% b$ a5 k
- D. N* c3 |& d# ~* u, zThis method of detection of SoftICE (as well as the following one) is
$ n7 z! E) h! v3 r" X( aused by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE
- k4 V$ M8 r0 P; U: ^$ j4 ]2 A
    mov     ebp, 04243484Bh        ; 'BCHK'
8 q* Z; d0 k. g    mov     ax, 04h
# M" m! J% T; j# g    int     3      
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________
: \6 D+ [# Y- D# Y' V
4 P( G) H% L  C5 Y7 G+ ?" o  S; qMethod 02
. _; x6 z: q8 [5 i; v( |% g=========

" Y- m( \  u1 @+ t0 m3 }- r, ~Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
+ b  v+ n! n$ S' L- Q' ]or execute SoftICE commands...
" Z+ a4 w! p* l# Q# m! |: v; DIt is also used to crash SoftICE and to force it to execute any commands
% _+ ~- i7 l4 @( s% p1 h0 ](HBOOT...) :-((  
1 n% ]3 H- r* U" G* S
; l+ @' h* l! ~; L' n* iHere is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
+ l. c5 P7 I; V$ p( c; g-AX = 0912h   (Get breakpoint infos)
# r7 [, y+ `3 H+ V-AX = 0913h   (Set Sice breakpoints)
) J# C) s  `9 F6 o: J: {" Y-AX = 0914h   (Remove SIce breakoints)

* l8 ]  ]9 D. B  a4 L( B- p& k& @Each time you'll meet this trick, you'll see:
$ E: |1 I$ x3 Z9 i: Z-SI = 4647h
-DI = 4A4Dh
, ]) N$ M3 D* [9 p) lWhich are the 'magic values' used by SoftIce.
5 _' W9 a% X3 y0 d9 ]) i8 U, u4 cFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.
1 D$ ~6 I3 b  m& \( Q  |
5 Z+ s& O4 s; A( O' Z& X: o2 i5 NHere is one example from the file "Haspinst.exe" which is the dongle HASP
5 e6 [% w" A  M6 M$ k" m$ zEnvelope utility use to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
* ^* g) a8 J  A; V0 O$ k/ e1 E8 y4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
( R7 B$ H8 }" ^' l# i4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
, h' B% A1 V$ \# ^" p- ~) ]4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
$ K2 F9 I6 [) h4 @4 iare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

' B# }. |- Y' X- T
Method 03
" t9 ]2 U' n5 O6 M' s=========

9 N- Z  n. s9 {- t$ h; qLess used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
; K+ e" k7 o7 O5 i4 M. j; t3 D& }(API Get entry point)
        
6 ]- J  `% `% h! p% Z) b
    xor     di,di
    mov     es,di
1 v& |; \8 y! ?# ~& S" ~* p8 Q    mov     ax, 1684h      
& Z6 k& n3 [& s) ~    mov     bx, 0202h       ; VxD ID of winice
/ C3 p) G) u3 I# w' B2 q    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
" X8 V- g& @; N- H4 I8 F    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________
. k& M6 K# k" G+ {7 H$ i8 }9 \; h
6 \$ k$ g0 H& b. yMethod 04
=========

. M# L8 v# F6 c  L/ r; X1 \Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.
; f' z  p0 m5 w( T* U
    xor     di,di
1 Y1 u' q% {$ E  f( [) ~    mov     es,di
    mov     ax, 1684h      
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
. d1 ]/ C; h) s4 c* s    test    ax,ax
; j* s/ a$ U% v8 _+ ~    jnz     SoftICE_Detected
. G' c- M( @6 u5 E) `
__________________________________________________________________________
8 J! Z. U7 @# e" `1 y
1 w' c+ K3 c0 h3 d
Method 05
=========
$ I+ w. e% t, g$ _  p3 J1 I2 a
Method seeking the 'magic number' 0F386h returned (in ax) by all system
; o% ~3 S1 a8 z6 `5 e5 Q8 q' u, z, ydebugger. It calls the int 41h, function 4Fh.
There are several alternatives.  
5 ^' }1 \8 Y- |/ s& B! d
The following one is the simplest:
/ F/ B8 L8 ^0 }! Z  d. A
3 W  n' ]8 y5 ?# {! i8 ?    mov     ax,4fh
6 f( y- ?- O% V9 [# o    int     41h
    cmp     ax, 0F386
+ g5 E9 ?0 r: a: _- y) v    jz      SoftICE_detected
' P, X, O4 t& b/ l" t

Next method as well as the following one are 2 examples from Stone's
! x/ N7 I$ I* K. m" ?"stn-wid.zip" (www.cracking.net):
, p% E  i' j8 b7 u' M4 i
' u5 o5 N% j4 T) u0 z    mov     bx, cs
    lea     dx, int41handler2
3 }  [/ v+ W) w: U    xchg    dx, es:[41h*4]
8 @9 n) ~: \$ A3 h0 V( h    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
) C" \# R( E' \' c" m# w( Y! D    int     41h
    xchg    dx, es:[41h*4]
) o7 d3 r) s" b* b7 M3 w    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
* z. G( Q  l( {( |/ t' U  t/ |    jz      SoftICE_detected

; f$ K7 T. n5 R# b$ M( @3 pint41handler2 PROC
    iret
int41handler2 ENDP
! G2 [, ~; s9 s9 q

_________________________________________________________________________

% H4 \# l) S; n+ o8 x3 X! a
Method 06
4 E  h" b4 }( B; P) \=========

( I( d- v) o9 D
2nd method similar to the preceding one but more difficult to detect:
5 x; v. ]3 A8 n' s

& F9 }( x' X9 D7 fint41handler PROC
9 V: y  X) F# _3 m. b2 [) |    mov     cl,al
+ ], S1 A# \$ {% m* h    iret
int41handler ENDP
4 j  l+ j/ B$ S( S7 |/ j
" Z% v* {+ J5 u- e5 h
: A1 B" _& x2 Q1 k    xor     ax,ax
  s9 ^$ f, Y9 ]* u+ @    mov     es,ax
+ E$ R4 e5 B' A# K    mov     bx, cs
! _, f2 y; k2 w6 q3 o8 g$ c    lea     dx, int41handler
, y6 J; h: P4 k. k2 m1 j, h% v    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
) K! r/ F# y; h% U! z; X    xor     cx,cx
4 _2 [- x; M1 ~' ?0 ^( G/ i    int     41h
+ Q9 x' s0 N0 L4 o4 h* F    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected
( [6 f) o3 j& ~  h% ~5 Q' r( v
: F! a4 y; ~% Q5 q' P_________________________________________________________________________
" n* l: q6 o9 I/ _
Method 07
=========
! k6 T4 h* V1 L
Method of detection of the WinICE handler in the int68h (V86)
7 T5 N( U) |; @
2 c5 N. f$ ~( N# j% n# ^3 S    mov     ah,43h
; r3 Q9 k( L2 E* N  Z0 |9 B$ S    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected
5 Y5 [' i) t/ N
- Y% R3 s& i3 m+ l: l
! c$ P3 v' D! p% V+ k3 ~* ]=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:
2 v, R* W+ v# K$ s; ]
   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
8 e. u3 U4 i  w, ^: `9 ^   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________
- p: R6 @8 n  c6 ^0 c
, \) O$ G' a* i+ Y- J
9 ~0 ^0 D; l( nMethod 08
6 N5 F+ g) u6 i* h( W* H=========

It is not a method of detection of SoftICE but a possibility to crash the
# P+ z# H  Y1 isystem by intercepting int 01h and int 03h and redirecting them to another
' H8 \& g% B$ U  g+ f$ aroutine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)
$ n7 M8 O% Y$ z
    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
) K) w2 L+ H  @$ P7 T) y$ E  X$ g    int     21h
% D+ ]% o" j. L7 M& @& ~
__________________________________________________________________________
. Z& S3 h+ M8 C
1 `2 ^' U8 t2 r! q' LMethod 09
=========

This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
# X4 r0 R6 }) Z5 {! q* @7 Ufor the specified device and returns a Device Description Block (in ecx) for
! I/ W: s, @: v6 [that device if it is installed.

8 F7 B3 ^/ \9 R7 a, e+ y, t5 m, \. |5 [   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
% B/ q& S! r' X& A   VMMCall Get_DDB
; @4 J" M0 ~; P* X  g3 Q5 l9 h4 @   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
$ S9 C+ W$ R" E! R- B5 G3 j
Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

: P7 C! \5 o- V+ @: b( B, E__________________________________________________________________________

Method 10
3 G( N5 ?, e2 `# r/ s=========

=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enable!!

This trick is very efficient:
% x2 Q: c9 Q5 a5 i$ I0 ~# O" v. }by checking the Debug Registers, you can detect if SoftICE is loaded
/ V( _( ^$ w+ C$ l8 X" A7 E(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
+ m. `  B' l9 c7 ]7 B- b/ x& Q5 Kthere are some memory breakpoints set (dr0 to dr3) simply by reading their
! z; n' U/ `' P: \value (in ring0 only). Values can be manipulated and or changed as well
(clearing BPMs for instance)

* }7 X: B& R6 D0 x/ Y$ h__________________________________________________________________________
" Y9 q. G; r1 L8 `
. }: N8 V/ u! o- qMethod 11
=========
4 B0 X6 t! g3 U8 }6 D+ Y* d
2 I$ a5 O" [" Z3 ^This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
6 `8 N! x1 f5 F; ]5 K" xSymbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
3 Z$ S/ J8 X( _/ b+ M/ b! y' H3 s
The way it works is very simple:
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

1 \. p6 _: T8 U- O, S1 AHere is a sample (checking for 'SICE'):

0 v- |$ w  v3 eBOOL IsSoftIce95Loaded()
{
   HANDLE hFile;  
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
. s. ^; O; F  M) v7 Y8 r' d& O9 j3 a   if( hFile != INVALID_HANDLE_VALUE )
7 N& k) l+ n. s, }   {
      CloseHandle(hFile);
6 E) V5 U5 m4 }$ J2 f: A' x, C! M      return TRUE;
   }
   return FALSE;
}
8 M7 U4 B( I1 F+ I/ v
/ m9 G# ?* T6 ?9 W% wAlthough this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing a IFS hook: it will not work, no way!
6 c9 w7 Z$ h$ e* u, E8 i2 ?In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
field.
8 ~( F( ^' w0 T- }# O: }8 rIn fact, its purpose is not to load/unload VxDs but only to send a
! x, E5 M" t7 PW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
& z0 B$ R$ V( L8 d% x+ tIf the VxD is loaded, it will always clear eax and the Carry flag to allow
: @3 B) B+ h) s# M( ]9 Eits handle to be opened and then, will be detected.
2 D& i$ n$ R# e: F2 l" g( [7 EYou can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.
2 t0 l4 H# k! @  b+ B- |, y5 `
: D4 _5 L- f' \+ p2 M
  00401067:  push      00402025    ; \\.\SICE
4 Y$ U! D/ p* n" Q  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
6 j* ?2 T+ n/ s  00401074:  je        00401091


! U, B9 i" {+ t0 U+ `3 sThere could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

' N; u3 Q2 z4 m4 X5 t& o9 b6 C-The most exotic ones (could be very slooooow :-(
2 X2 @. N7 A; D4 x1 ^* y   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
5 o" G/ b( y1 B6 T+ @7 |; \, Y     ;will break 3 times :-(
6 H0 m; a7 |/ i, G6 [7 S
& |0 F, U' L4 k  C/ }-or (a bit) faster:
0 D7 z$ `9 D3 g' K0 T   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

; F  c: v7 f+ j* i5 r" J  H" f   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
     ;will break 3 times :-(
' z+ h+ k/ b0 Z5 B1 D8 n
1 [) d3 h# U' @* `-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'
# b5 I" _! Q" }  \, W; O, \
4 K& P1 q' G, {8 G! r5 `Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
# S. k* z7 S* z) r/ \+ Hfunction to do the same job:

* R  y7 S3 l. Q   push    00                        ; OF_READ
* G3 B8 }! J  S% _# s   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
5 t2 B( D& B/ W4 I+ @   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
$ P8 |9 `' L; o3 U9 C9 _/ h. P% \( v   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected
2 Y6 w- J+ N3 a

__________________________________________________________________________

! {( ?5 T  e; H! \0 kMethod 12
# k* O$ a* w  R=========

This trick is similar to int41h/4fh Debugger installation check (code 05
! M$ ?7 [* V" [' m$ T&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

$ }1 t1 p% W4 X2 F) A5 T5 q   push  0000004fh         ; function 4fh
3 x8 q* H+ t2 p   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                             (VWIN32_Int41Dispatch)
. H) K, u5 d1 x# S+ C- h   call  Kernel32!ORD_001  ; VxdCall
, o! M4 X; C. v5 y5 c! L   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
% k% f6 P1 N6 l3 l+ g. i
    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
8 x- q/ B# Z$ I
; C( t( h, w/ ~$ r' |- Y__________________________________________________________________________
4 u$ V- H2 S3 U
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
% }  S) X- n1 C1 k& s- jinstalled on a computer and to locate its installation directory.
It is used by few softs which access the following registry keys (usually #2) :
' L, J8 I8 T5 a1 X* V( z
# B) f- b4 g' A  P5 v% X9 B-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
4 O  _4 D! c# e  D# h) j* j-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe
5 O1 C# a( E! Z& A# c1 ~
: `! f" b6 R5 d: n1 ], U/ Z; g: \2 I
% Y0 @6 B6 V+ @, JNote that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(
. n5 H5 X7 f8 x7 C
Useful breakpoint to detect it:
1 z% X" d% u# T9 e
$ T1 X5 r! {9 }7 r+ g     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
1 {( i9 y) s) s* j6 _& V+ G
__________________________________________________________________________
7 ^) ]' ^9 |! k( B( `+ |3 |( M

Method 14
=========
9 U- C0 r4 x1 U( I& m
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
. k( G& H8 j, \/ x! U: vis to determines whether a debugger is running on your system (ring0 only).
2 n# ~( v/ k& c9 l
   VMMCall Test_Debug_Installed
  A6 E& Y5 Y( S; I+ @   je      not_installed

; H" Q* p' o- W5 F& |- ]# `This service just checks a flag.
8 @9 a) V# k) R+ A' Z$ G4 ?/ t</PRE></TD></TR></TBODY></TABLE>