About anti-SoftICE tricks

<TABLE width=500>
5 O& E6 R. m3 o<TBODY>
<TR>
$ {9 C8 k7 I* T3 C3 d2 L' s<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
9 ^( ~" B* g. C3 D- m; Zused by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE
  H+ ^( F3 o2 H1 ~! `. {+ H) d
    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3      
    cmp     al,4
! v3 t" v, ^% x1 F6 i* u+ h    jnz     SoftICE_Detected
) b* @; |* n' T* N) _( Z
___________________________________________________________________________
4 i8 j- Y  }* E& t# F9 m1 [' O
Method 02
=========
" _, w# ^) F. v0 x3 h
6 [! X6 v% M6 Y: _Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
or execute SoftICE commands...
6 l) p% y9 |( |/ B: cIt is also used to crash SoftICE and to force it to execute any commands
% ?% J* ?5 H. G  h0 D# @(HBOOT...) :-((  

+ h4 {+ T+ e) ?) @3 R; \5 iHere is a quick description:
- B. A2 _; W! e  t" i! N-AX = 0910h   (Display string in SIce windows)
' \) b. i: @3 \# D9 z3 P* Z-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
1 C5 Y! C8 M5 i* C4 O. i-AX = 0912h   (Get breakpoint infos)
: P+ m, {+ T$ e, X% i-AX = 0913h   (Set Sice breakpoints)
% d, N8 \9 I' |-AX = 0914h   (Remove SIce breakoints)

" }8 \" S: L) ]9 A( W1 _# E# _0 m6 UEach time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftIce.
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.

/ z$ }: V# d2 ^, ^0 tHere is one example from the file "Haspinst.exe" which is the dongle HASP
, |" y; Y0 `9 HEnvelope utility use to protect DOS applications:

9 \* Z' E- ^% N4 `( [
  l- r# r6 U: F8 K) E6 C4C19:0095   MOV    AX,0911  ; execute command.
7 [9 y# V9 |' w' [! L1 C5 s4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
( b" D# F5 s. ]! h) R4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
. f" U, Y% K; z6 c4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
( ]6 n2 O+ @" K! S' L( G/ H; j4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)
5 B) a! n7 N( _" b" ?
The program will execute 6 different SIce commands located at ds:dx, which
/ l4 l, K1 K, ?are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

# `6 t0 w- l4 q: `0 U* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
/ |) }% s* p5 O/ i: p! ~___________________________________________________________________________


# D  v; q1 x7 Y* I! V- BMethod 03
8 D5 ^* q! E" ~2 ^) ~% l6 a=========

4 H5 t# A# c0 J6 J% fLess used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)
        
8 p# f9 r9 g. [7 T; P! A! a
    xor     di,di
    mov     es,di
; d( C, u% w! R9 h" L7 o3 f    mov     ax, 1684h      
    mov     bx, 0202h       ; VxD ID of winice
& K- E4 o5 |. v9 Q: {' h  Q7 l    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
0 J+ D4 `3 g) E+ C    test    ax,ax
7 P# ?5 u; x! b0 d# H3 m+ ^    jnz     SoftICE_Detected
% n. j8 T- v# [
___________________________________________________________________________
$ ]1 y! b6 i' j& O8 r! s3 h
* o0 E0 c% r  Y0 U8 F' ]3 s! R; K( b. lMethod 04
  v8 N1 {# Y- \3 W6 i! a=========
" [4 O; b4 s, l8 p6 z
Method identical to the preceding one except that it seeks the ID of SoftICE
1 o4 \5 B0 ?7 ?* I5 ]# x8 g& r; QGFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h      
8 l7 j4 u$ g( Y    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
, j& \8 t# `$ q# C* s7 ^    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
2 M7 J& t0 s0 y- e) \4 P    test    ax,ax
* O, U( b' T; h" F+ j    jnz     SoftICE_Detected
5 J' `  [9 Y( d8 N& ^
" ~9 h; G- @& A! `5 l! c4 L__________________________________________________________________________
! z0 s# ^% H+ `* a

Method 05
. a# ^. g2 o7 @- g; S( }=========

  D, R8 P# {5 M8 Q# o8 {* uMethod seeking the 'magic number' 0F386h returned (in ax) by all system
debugger. It calls the int 41h, function 4Fh.
There are several alternatives.  

The following one is the simplest:

    mov     ax,4fh
4 ~, c% |; h! C    int     41h
" {' Z7 a- \2 ?    cmp     ax, 0F386
    jz      SoftICE_detected

* j2 ]$ j7 `9 y0 m
, S0 {" o& w" p6 @7 cNext method as well as the following one are 2 examples from Stone's
4 a6 F9 i! I* a4 b& `) ~* b"stn-wid.zip" (www.cracking.net):
* |# E0 O2 d' r0 t2 d( U/ ?
9 @1 t6 M' `: [* ?+ J+ \    mov     bx, cs
; n8 {+ w) Y. w9 f; Q1 Q4 u# O) l    lea     dx, int41handler2
+ e- s! Z4 N+ G8 m1 z% L1 o' u    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
, @, Z, h$ [& _5 C& L    int     41h
/ F  L: x6 r! @- t7 t    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
/ y+ e' R7 B9 s: O' J1 X    cmp     ax, 0f386h
; }- O3 c& Z0 m' c    jz      SoftICE_detected

int41handler2 PROC
    iret
# r) n. E$ B% ^int41handler2 ENDP


4 m  S" q; P: \. L_________________________________________________________________________
7 ]5 f/ Y: ^8 m, U" @2 A  Z5 S
' E1 Q" X% g# L) j, \; E& `
& H  b( }, j# uMethod 06
=========
/ F; D& ]4 _( L; |; D) Y. I5 r

6 a0 b1 R( }$ ]! ]/ U2nd method similar to the preceding one but more difficult to detect:


) v) p) |( J! n4 W: wint41handler PROC
    mov     cl,al
    iret
8 q  Q' a% `$ k" O2 P$ g+ a- L9 dint41handler ENDP

( X6 n/ G7 `2 y; s* x
    xor     ax,ax
! e+ t1 s  p6 ]( v    mov     es,ax
    mov     bx, cs
" \, e2 ?- x! A9 b9 p+ u  r) G    lea     dx, int41handler
/ L' A0 T6 [4 q" u+ i/ V3 f    xchg    dx, es:[41h*4]
3 E6 M9 o4 o7 K; Z8 v, D; d- R3 ^    xchg    bx, es:[41h*4+2]
    in      al, 40h
, L# o& N( \5 m, y    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected
; w, Z. l% E) y
' ?% w( ?7 G! a- a, l_________________________________________________________________________

Method 07
: I/ @+ f. W: l; Z+ x5 H. E=========
. j& s  m# A2 l6 O( Z
Method of detection of the WinICE handler in the int68h (V86)
/ ^7 ?$ `( f9 j9 q
& G  D, |; b1 M6 ]& Q    mov     ah,43h
    int     68h
' y; n4 E6 {- l6 T' l+ ^    cmp     ax,0F386h
  k2 K  q& M$ R) E    jz      SoftICE_Detected

# T' V  {/ y; ^2 ?
  H. D; k0 y" S" K) V0 \=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
- i6 ?5 G$ R" Q* r8 a7 Z   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

* M# ~6 [# {1 a: @
: V" G7 c1 c& vMethod 08
=========
% P: c6 C8 D1 G+ E( p3 N
/ H1 X3 a: V9 p) F5 k/ vIt is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
  n# R$ f& y. f! Y+ t8 [routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)
( a# X) w8 `4 R1 H
    mov     ah, 25h
# o: B1 \" S% o! ^" k! R, l    mov     al, Int_Number (01h or 03h)
5 z; ^' s- I0 `7 S& u; A( L    mov     dx, offset New_Int_Routine
; b3 ]8 ?, `$ h* k% q+ }    int     21h

__________________________________________________________________________

Method 09
=========
" W  y% m: K) S  G2 N
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
7 P1 ~# ?* ?; x) I& h$ [: Z" dThe Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.
; v; J( q7 [4 Q" ]
. g. R8 u# `3 w# ]  P   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
2 l, i6 M% `+ V& S/ A9 c   VMMCall Get_DDB
. I9 w2 r, Z# B7 m/ o/ d   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
* v: m5 v6 y  c! a' I6 ?5 @
Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh
4 b- ~. q0 g8 ]* \* v5 I
__________________________________________________________________________
! [7 }: }# F& y# m6 O! _+ P" a( ^
Method 10
4 y# l9 ]6 a2 t+ Q; H4 a=========
9 b) k, ^1 B  ]8 G' W1 ^
=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enable!!
9 i6 Z. p5 @1 \. F
This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
8 K0 ^  F5 F8 L9 i# Cthere are some memory breakpoints set (dr0 to dr3) simply by reading their
: s( H2 X4 S/ c. y1 W4 A; dvalue (in ring0 only). Values can be manipulated and or changed as well
1 A% v. {& `' p/ r(clearing BPMs for instance)
& d7 {9 o& L7 P6 y( G' l& I
( a, [1 V8 w! I- Q  ___________________________________________________________________________
& T2 S1 W) S  |& u0 ~2 K3 n
Method 11
=========

/ A, _1 Y- a% h2 q" o7 kThis method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
. f. u% f* D  I0 w: {8 _$ ESymbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
; l$ W3 H- u( n, |5 y
2 x* M( H% f- g$ I( dHere is a sample (checking for 'SICE'):
& R+ s: c6 }, h  Z. y
3 w* p+ z- N/ c$ j1 d/ s' v* dBOOL IsSoftIce95Loaded()
{
   HANDLE hFile;  
4 \* Z- ~5 u6 R9 \7 y+ ]; p+ X   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
; J) d# Q; d& G- o8 ]$ A2 E* C                      FILE_SHARE_READ | FILE_SHARE_WRITE,
+ @$ X" y- I0 P4 ~9 n                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
. A, s. p) z, H! |& K3 K* D  q   if( hFile != INVALID_HANDLE_VALUE )
- X/ F, x: `6 Z; G1 |1 ~* B9 X   {
      CloseHandle(hFile);
: s( Y. @9 b0 \; j" J) V      return TRUE;
! J6 a- [8 B# z   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
8 \' l( r/ M( C( C+ t  V5 ?) dable to intercept it by installing a IFS hook: it will not work, no way!
# V: f5 b9 ?% R2 K' R& q3 FIn fact, after the call to CreateFileA it will get through VWIN32 0x001F
- Z( s# g# c( E  T: F. `" z2 @service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
3 i( @8 v9 C: f' ]' s. H; o2 mand then browse the DDB list until it find the VxD and its DDB_Control_Proc
$ }9 Z' H% j: A$ g, @$ A5 |  d+ D" kfield.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
( f0 T- h$ i# n" ]* o  lits handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.
* H( E8 y+ S  K/ B8 K: [. z
: z  I  b0 K+ L7 i% j, t& s! m# j
  00401067:  push      00402025    ; \\.\SICE
& ~0 b) K5 E1 n1 z( J" l7 S  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
" O2 h" `' {# g6 K3 c% ]  00401074:  je        00401091

7 |1 m* t+ S3 T* o& M
$ Q1 d3 y6 ^2 lThere could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'
" K7 u& f' q/ |& C7 O
# U. ]5 s# \# I( `/ P' D-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
1 n8 z* v; V* X4 i& ^, C     ;will break 3 times :-(
6 N6 p/ a( N/ F0 l9 N0 l( A
-or (a bit) faster:
/ p, V+ D1 D! |+ x* ]   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
1 k4 h2 x7 Q0 i5 w, [) w3 ]2 u! U
# f( ^% O" `, b  N3 p  P0 d   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
     ;will break 3 times :-(
+ B* u8 W. O! R+ }" E
-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
$ m; A' i9 q7 l- S9 @2 ^1 lfunction to do the same job:

   push    00                        ; OF_READ
( P" O# ?' F* K) F; K3 k) B   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
6 ~" X1 z+ P; n! Y   call    KERNEL32!_lopen
   inc     eax
5 O! s3 v( `: `* o3 t6 X9 k   jnz     00650589                  ; detected
2 s7 a. Y( `' s) E3 q   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
: E- {  a3 @0 h+ O; H   push    eax
   call    KERNEL32!_lopen
2 \0 O& j9 l: u3 y7 O0 b. L   inc     eax
   jz      006505ae                  ; not detected
1 F) t0 c+ o$ e. N
7 Y+ Y8 ^2 `( y; N2 B$ F
, y: v4 G4 R. i5 e* d__________________________________________________________________________
2 E1 S# J4 E7 x5 v5 D# v+ x9 W
$ e5 n# x! a( J, Z% k) o' \9 xMethod 12
, _: z2 f" r% k6 f6 H* ]% d" K=========

. C5 T4 y% D* E3 d+ @This trick is similar to int41h/4fh Debugger installation check (code 05
' ?. M" Z& I) O8 C2 M  J&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

) P1 C6 M7 |# J   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                             (VWIN32_Int41Dispatch)
+ B4 A. E! f: q" i   call  Kernel32!ORD_001  ; VxdCall
. T( M8 C, B# G7 j8 `+ R   cmp   ax, 0f386h        ; magic number returned by system debuggers
( J" L; Y0 k# K+ p- K& _   jz    SoftICE_detected

5 V3 V( z- v6 z7 ]Here again, several ways to detect it:
1 J/ a2 b+ u7 `. \9 L% g+ ]
; R1 `5 C- v4 y1 V* B4 ^    BPINT 41 if ax==4f
; e' c# C) f% e6 @! r* \4 {9 A$ k
' i* S# U; d% D5 \- S    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

& v# I* P! q# S6 Z  k    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A
; R7 E4 }+ O+ w& z
8 Q5 V- [' v, U  _4 ]' g5 ?7 L    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

7 k' I, F- e- ^# W% i2 e__________________________________________________________________________
  R' ?0 i' i$ I* Y
3 ~" D6 B* h' I3 `6 i/ jMethod 13
* q% S: z2 {; c& q$ j/ s; ~9 p=========

$ U0 Q4 Q1 E3 V: g  yNot a real method of detection, but a good way to know if SoftICE is
3 O$ T* Z$ @" u6 [7 _installed on a computer and to locate its installation directory.
  j- \: {% r( v( r! fIt is used by few softs which access the following registry keys (usually #2) :
- j6 B+ {$ O7 M, k" K, y: ]
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
% P' Y. i: q$ v5 h  ]\App Paths\Loader32.Exe

% n5 a6 V! P% @# D" `; a: s
Note that some nasty apps could then erase all files from SoftICE directory
1 N$ V6 M  N' m. l# g(I faced that once :-(

  T: k9 F& r& `1 j5 yUseful breakpoint to detect it:
; Z9 _7 O" @  M
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
3 [& z, `$ a9 T& a
1 ~  b; P5 f" B. L) D: d__________________________________________________________________________

1 W. ]1 ?' O5 D. N
. R$ e9 e  N* J1 j* ^& h9 L0 tMethod 14
+ n% d9 ]8 h! {7 D# [=========
9 N9 i) ]' X8 F  {: M- j) [
' @* W1 t/ y, w5 M; HA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
4 ~1 ]1 z; }! y& @/ i/ r0 Qis to determines whether a debugger is running on your system (ring0 only).
: y0 f7 @$ |3 k: \) z! R! Z
7 J, ^& K, @8 Y+ C" [2 s1 g   VMMCall Test_Debug_Installed
1 ^& L& h  z+ Z2 }3 v& z- ^8 [  f# l   je      not_installed

This service just checks a flag.
2 n6 _1 ~) M+ t</PRE></TD></TR></TBODY></TABLE>