About anti-SoftICE tricks

<TABLE width=500>
. m5 \% Y+ Y: k. M7 B<TBODY>
<TR>
6 G  g2 q# ^9 ]0 s7 \9 g<TD><PRE>Method 01
* W" \) Q# e1 `- c+ o7 W' x=========
2 [+ }# K. t! \0 x( ?
+ @; G/ G  q, f3 A' Q4 qThis method of detection of SoftICE (as well as the following one) is
4 K9 x0 O, K1 E, ^$ _- l6 nused by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
# m4 O& b- Y+ r7 H, F! v    int     3      
% D" n3 m) b2 U) g+ G$ [2 R* f; ^    cmp     al,4
    jnz     SoftICE_Detected

6 p3 [8 [3 j2 Q2 M& m8 s___________________________________________________________________________
: l: ~2 M( r: `% |% T4 x  b: }2 ^' I
Method 02
! s! _# k7 i% [9 |=========
2 B% U: n% N! O! i& w. M
0 Q+ K$ m2 G( q* t; r! c/ P3 HStill a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
5 Y& T' l' \$ W' s9 i6 |or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
+ f- J1 N- N& ]( K% w(HBOOT...) :-((  
6 m& V, n/ h$ `( C0 H
+ _3 R/ y2 d( ZHere is a quick description:
3 u: K+ E& d" c5 e/ Y" f8 q* Y-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
-AX = 0912h   (Get breakpoint infos)
7 \- p% Q5 S+ Y3 c4 G5 b-AX = 0913h   (Set Sice breakpoints)
-AX = 0914h   (Remove SIce breakoints)

! Y4 m" i5 j. A# N* a2 j% o4 zEach time you'll meet this trick, you'll see:
-SI = 4647h
2 ^- v4 }& P; s4 O; m+ x# j-DI = 4A4Dh
Which are the 'magic values' used by SoftIce.
% e0 i4 V/ W7 f1 H; y4 mFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.
- I5 h# u% w# Q( Q8 }: R
Here is one example from the file "Haspinst.exe" which is the dongle HASP
4 A: T$ l8 e/ c* ^) s! `6 D* UEnvelope utility use to protect DOS applications:
# f" W  |6 }  c, @7 m
: u* H% J% z# L. f* b
4C19:0095   MOV    AX,0911  ; execute command.
' v+ f3 k" F0 q8 |4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
6 a# H3 R8 G, E6 C- r# p' f- q( E4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
5 k4 o) A* a3 G1 ?# G  Z4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
! q! @% x' Y( W6 \  C4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
! y" J7 j, p* j, z. K) j9 M4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
' e% [: h# b8 O3 N& n4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

# s2 j1 M- |; x( h, K$ G# nThe program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

; c& |9 N! i  i# P7 Q* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________
4 ~/ W$ K4 F( Z5 f$ e; C

, r1 X$ \: M! [7 B. E) TMethod 03
=========
+ j& X( w2 u4 a* p3 ^# O! g5 X3 N& S
Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
, U. n  C/ ~3 w) y- A7 k! X(API Get entry point)
        
- Z! K7 k  j* L( s; ~- g" ^: b
1 |- G( l; N7 c) S8 P% e) ?$ \    xor     di,di
7 G; c4 x5 Q2 n+ D9 }. |    mov     es,di
    mov     ax, 1684h      
7 F/ O/ `* `6 w3 `+ {: U2 R4 p* N& @    mov     bx, 0202h       ; VxD ID of winice
) v1 P7 R/ v1 r& j% R    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected
) N; E" j) J- ^! U0 ^; f
___________________________________________________________________________

1 u) \1 `/ m% ]0 uMethod 04
=========
0 Q( H5 f5 A+ h# E" ^( w
Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

& Z8 Z+ R6 {. i) r  I1 h    xor     di,di
    mov     es,di
    mov     ax, 1684h      
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
, ~5 j- z  b! U0 b    add     ax, di
2 u; u( c- S4 ^& ?- q* o3 d    test    ax,ax
4 g" L: h- d+ e  [    jnz     SoftICE_Detected

: s# l) l2 j2 k. `/ v) _$ C9 _$ c__________________________________________________________________________
! U7 i. v8 _) R) p

) M- K& y8 R0 J5 }Method 05
=========

9 x3 H' j6 f1 }Method seeking the 'magic number' 0F386h returned (in ax) by all system
debugger. It calls the int 41h, function 4Fh.
) T4 K; {/ P$ nThere are several alternatives.  

The following one is the simplest:
! K4 U' T- r: d) t' o- k. R7 _4 r
    mov     ax,4fh
5 J+ ^4 q. o. _" U    int     41h
& ~4 q- S4 n9 O+ O: Q8 z    cmp     ax, 0F386
$ f; Y$ {& L, B0 }& @7 ^    jz      SoftICE_detected
% h% _( }5 U6 j% Z: T

* U/ Y$ c/ C, I( s8 KNext method as well as the following one are 2 examples from Stone's
) s" X$ i  }' P8 e1 ~+ ~"stn-wid.zip" (www.cracking.net):

8 S+ v  }# }7 k$ R- U    mov     bx, cs
    lea     dx, int41handler2
1 a+ b4 g* v$ h/ S! i+ E( c    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
" P1 k8 Y# R6 H2 V    xchg    bx, es:[41h*4+2]
2 V- e1 y+ }; \' z) p% Z3 Y" R& J    cmp     ax, 0f386h
    jz      SoftICE_detected
4 U. g/ c& D* f$ {: G' _$ N: I
9 l2 R* r6 q) G' }int41handler2 PROC
    iret
int41handler2 ENDP
  y! n* z6 l. [' f

_________________________________________________________________________
. W  u0 J5 t& M$ o5 I

7 V; u! t- d' P: pMethod 06
=========


9 l# A# s9 v4 v% w; v$ I2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
4 v1 t9 P" _4 u% h/ Z! \0 \    mov     cl,al
% Q2 y6 t2 Q% K# v* F    iret
1 o9 z: n& U/ V3 N: bint41handler ENDP

% ~+ q$ a4 ]2 I1 y" j$ y  x
4 ~; Y; V5 F& _5 u) Q    xor     ax,ax
. Z+ _& l( ]. m  ^; a    mov     es,ax
- X  g* V$ Y& |; o    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
/ u5 l5 R" ~# |    in      al, 40h
3 ]" V! ?" T) a7 k" t    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
' ^0 h; m; \7 I    xchg    bx, es:[41h*4+2]
  j- k% V6 X- n1 }3 j7 H  m4 Q$ ?: H    cmp     cl,al
    jnz     SoftICE_detected
# A* ]3 S' y+ {! j( O0 T2 V& c( ^3 R
8 |0 H/ z$ Q9 ]& W- C/ l1 E_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
- j* `  U+ Q, b5 V. \0 c3 l) E( W1 Y    int     68h
5 [! C6 w( T. w0 F- m    cmp     ax,0F386h
    jz      SoftICE_Detected

$ w3 P6 ?2 B2 [5 }! B  L
% n6 M4 g" q0 ~4 W  b=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:
+ k2 m8 u( u- l6 d1 A8 e
  I% _) G) s) S% O3 d: i# t   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
+ Z- V  _+ u4 ?2 `4 L6 x: u   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________
9 _' v# Q1 U# ]4 N/ w
: r5 A: L" {; J9 K2 u1 \- k
3 L+ u! b+ R" c9 O$ I; CMethod 08
% _& ^7 X3 o; J0 r# U! e; W=========
* c, A! m* n# t8 q, ]$ `- C
It is not a method of detection of SoftICE but a possibility to crash the
( b( }) T3 A9 w0 i% f4 V5 gsystem by intercepting int 01h and int 03h and redirecting them to another
routine.
1 r1 ^0 z! \* C- y' WIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

6 W# X' J9 n+ N) l: q' m. M    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
; l8 M6 u; d! U$ u1 S5 f$ s5 I$ s4 R5 j    mov     dx, offset New_Int_Routine
& V7 k0 \: E( ~; h2 l, o! I    int     21h

8 B0 l% P, y' ?5 ]# q__________________________________________________________________________

% H" Z6 l) C9 I( i7 A& jMethod 09
0 {! J& W  F6 w0 p( i2 H  B=========

, \, ]7 t! v7 g& W* _This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
+ y. ?5 m: L7 n. D6 T+ a; C0 CThe Get_DDB service is used to determine whether or not a VxD is installed
3 m0 e  a9 l8 w9 z' X# w$ `+ u5 |& ~for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
2 ^" i1 n. \3 y  F   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh
( g/ W+ v1 u  ^. t
__________________________________________________________________________

* O, M% Z1 q6 k6 v) s' uMethod 10
=========
/ l( a3 Y; ^/ L; ^6 H8 S% j
* [  \& E, Q+ `=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
; i& U8 t- b% B8 j5 [  SoftICE while the option is enable!!

% g1 i0 T1 b" X  jThis trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
' w5 Z- X# U+ D! I8 v# T1 ?, K' L(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
3 ^9 t* I, G. R2 wvalue (in ring0 only). Values can be manipulated and or changed as well
  H- [& K- D/ C5 O(clearing BPMs for instance)

__________________________________________________________________________

Method 11
) R5 q4 ^5 l; ?$ I=========
# g- D0 H6 [  F, ^1 [6 n5 L
This method is most known as 'MeltICE' because it has been freely distributed
$ V+ z' k) S5 ^. N0 U$ e: b: Z% c! kvia www.winfiles.com. However it was first used by NuMega people to allow
3 C9 a7 X( w! O: eSymbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
4 W/ a0 y- A. Q& ~/ u' n
9 q1 v' U/ W! N# n/ }; }The way it works is very simple:
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
- |7 s9 h, |0 P# f/ |8 t& p
Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
7 {4 E8 t2 }! e* E7 e$ k   HANDLE hFile;  
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
" \. M1 I: L3 x# Y5 @                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
' G9 z+ q* c; k3 x      return TRUE;
   }
   return FALSE;
}

+ O  C# A7 q5 v5 FAlthough this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing a IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
  |8 F# X) M, |0 G. G& Xservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
! c) {* i8 e1 b8 ?3 m# ?" m$ Oand then browse the DDB list until it find the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
9 F, Q8 J* m1 [1 ?, ~  ]" }W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
- |. }' @2 U" F; h: b8 k2 }to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
/ \2 ]! L* c+ f/ XYou can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.
7 z1 K1 C1 B+ R: f+ }; _& K# O/ d, T

* u% M$ C' N! W' t: p4 Y  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
' `1 s3 Y+ e1 k7 y* G. x1 B7 Z8 J  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
9 ~3 h4 f& P; F-The most classical one is:
: J% W* w1 v# |; v  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'
! N& \. W* e' W) |
-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
1 W: ]% t2 K  r2 t& h, [     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
4 g6 m2 ^. G" d; _
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
     ;will break 3 times :-(

-Much faster:
5 H. ]% [& L+ L; X. _7 i& _- c6 e! ~   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

/ @- l" Z' [+ {+ G& zNote also that some programs (like AZPR3.00) use de old 16-bit _lopen
function to do the same job:

: b0 I0 |2 C" h. [! d0 @  }9 d   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
! [8 G/ f, M! W: L% q   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
2 K) w1 l: ]* @/ |   mov     eax,[00656638]            ; '\\.\SICE'
+ `7 r- O# C5 F1 D" t- N% I! y" Y   push    eax
; v- v/ w9 J( E6 v. _   call    KERNEL32!_lopen
8 `& A& @) F# V5 m0 H   inc     eax
   jz      006505ae                  ; not detected
; @" ~6 A+ g! [5 A5 p
) e* r, h, W! i6 m/ N7 ?% e/ U
, D* d/ `7 e2 d$ D) S' s+ e__________________________________________________________________________
3 B. W8 N2 q( s: G( l
1 D* _* `% g/ x: SMethod 12
=========

This trick is similar to int41h/4fh Debugger installation check (code 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
3 {: e% |; Y2 s: q. A# B
   push  0000004fh         ; function 4fh
; l. e, S% R9 d- ?" b   push  002a002ah         ; high word specifies which VxD (VWIN32)
; W# t% u! U' e: P6 z  c                           ; low word specifies which service
                             (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
7 B7 B. S; W, J0 F& Q   cmp   ax, 0f386h        ; magic number returned by system debuggers
% d/ Q! A0 ^% P, m& F3 N! t5 @   jz    SoftICE_detected
% U/ ?1 J6 d- u% s5 e% N0 u) D
9 I8 x/ e2 l0 n- o4 K% L& g& mHere again, several ways to detect it:
8 T+ C# B* w5 D+ H
    BPINT 41 if ax==4f
$ L9 ^; _  Y2 I5 S5 f: ^" o  W
5 D6 \9 |# F; D7 @  Y& n3 C    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

6 W5 M8 e+ U/ G    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

5 y6 I% X) D, U5 k  V' j    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

" E' @4 {( D( F1 Z. u% t6 t% Z$ g__________________________________________________________________________

Method 13
=========
$ ~; z8 ^$ t+ h
Not a real method of detection, but a good way to know if SoftICE is
& ^; Q& S- U" [% Rinstalled on a computer and to locate its installation directory.
& A" e. S3 U$ c; K: W9 S1 iIt is used by few softs which access the following registry keys (usually #2) :
# _5 t) ?) W* d+ ~9 A6 @2 i3 r+ \/ @
2 P( _  S, O& C9 H& y, t0 r4 U-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
3 g% }; K/ Y7 I7 J\Uninstall\SoftICE
* z; r, I+ D( i4 `& d-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
( w3 }2 {% n3 v0 G! r# P-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

3 j% h8 U: J4 b9 @* C$ u3 S+ F
Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

7 T( i* E" s& ?" a/ v* [Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________
3 e8 Q, ?1 W1 t/ i& }, d$ f3 m" ^$ E
0 j1 n/ C  _4 `) R) R* O: |: i4 q2 _) I' Y
, m: P: r/ P) q" `- K% [9 k  |Method 14
=========
  j8 M# c& k. ~( A3 ?/ y, ^3 ?
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determines whether a debugger is running on your system (ring0 only).
# j- L* E$ _6 ~) \+ Z7 a+ {: ^+ C
   VMMCall Test_Debug_Installed
9 T7 |+ `9 M) F$ G   je      not_installed
$ y$ U7 f5 \: j( A
This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>