About anti-SoftICE tricks

<TABLE width=500>
<TBODY>
<TR>
* Q# P! a* e' A: w5 S<TD><PRE>Method 01
=========
3 V4 S- M! o$ Q+ i/ n" Z
- p' [* A) H3 f3 I2 e8 eThis method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE
% x$ V5 Z; u& ]7 t. O: O
    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
0 |2 K$ J+ l! {$ ?6 u    int     3      
    cmp     al,4
    jnz     SoftICE_Detected

, H+ G- l$ j1 m! e# E! A6 d1 \___________________________________________________________________________
3 u; S2 a! R8 U* \4 L. F8 Q
" L5 b: T9 `0 m& x2 ZMethod 02
' N/ e. ^3 u8 s=========

Still a method very much used (perhaps the most frequent one).  It is used
9 ?% c% J  `; V1 cto get SoftICE 'Back Door commands' which gives infos on Breakpoints,
( h9 Z# h& F/ F$ N# a6 t) Gor execute SoftICE commands...
* M3 m) [8 A  d( u0 PIt is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((  
  }! M: t; ?$ A
Here is a quick description:
$ s! c! |! e5 W$ x' _8 ^$ R- w9 p-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
-AX = 0912h   (Get breakpoint infos)
8 Q3 z0 R0 G# K: S0 p-AX = 0913h   (Set Sice breakpoints)
5 |$ x, f, s# N-AX = 0914h   (Remove SIce breakoints)

4 [) |+ a6 u9 r* V0 Y9 P$ jEach time you'll meet this trick, you'll see:
2 d- }' B6 o- t: r- P8 N-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftIce.
6 k2 J" I7 S/ ?/ |( K6 ?7 T$ kFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.

1 E/ q: Q) G6 M0 OHere is one example from the file "Haspinst.exe" which is the dongle HASP
( Q/ ^- }* b, O/ l3 UEnvelope utility use to protect DOS applications:
/ T+ P$ ~+ g3 Z6 o$ c& H% ]6 j

! V/ l: n) ]+ H1 z( p( S0 g- C( n4C19:0095   MOV    AX,0911  ; execute command.
' O' i( a5 x0 m9 ?- {3 K' Q8 Y7 G4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
. `1 [6 b# B3 G& Z% x2 S% ~. E4C19:009A   MOV    SI,4647  ; 1st magic value.
  E2 ^: x& w/ d, Q$ ?4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
6 c$ y& E$ R, h' v% i4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
# B: ^0 i# L: m& Z6 d4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
7 _. ^9 {' Q; i. P/ }3 P' [4C19:00A4   INC    CX
: m3 K8 O1 u. |6 O& o0 O4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
+ i; f3 e$ Z+ |9 J+ t: [4C19:00A8   JB     0095     ; 6 different commands.
. i) a* g" u8 b/ g: w0 @5 M! `4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
; ?# f8 ]( D4 `% j/ i( W4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

8 `0 e1 K4 R& }& d0 jThe program will execute 6 different SIce commands located at ds:dx, which
/ v; d+ i+ W2 g3 Gare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
* c9 k/ K9 A2 L( G4 v___________________________________________________________________________
8 t5 s: i+ f2 l* Y4 ?

& W0 s" B' Q, \% v+ t( UMethod 03
=========

) A3 S* D# D# d7 t  MLess used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)
        
, }! S! S( R, ?* z: ~& j- B
    xor     di,di
    mov     es,di
/ p$ e+ s% u7 m! _) n. i    mov     ax, 1684h      
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
; [  w- M% m# K& F    test    ax,ax
  s, T3 z! [" Q  v. L0 n! A    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
& L% C3 K9 D( }; @9 J, w=========
4 o6 e& M3 P) h- O' ~) x  i+ q8 J
+ f; [" j2 @2 `0 WMethod identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

6 X6 n, S0 |* E    xor     di,di
    mov     es,di
; K6 l. k1 e+ y9 G  S2 R& A3 {3 H    mov     ax, 1684h      
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
! [  K- H* o! M. P    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected
; j4 t$ w. f8 K  G! z7 u
__________________________________________________________________________
) b( }7 f- B6 b" F6 G5 A
8 r* N+ g4 O# }. r! g
Method 05
=========
! d( X3 S, A( t5 D2 G& Y6 B. P
Method seeking the 'magic number' 0F386h returned (in ax) by all system
5 P- c5 x$ r5 ]  E0 y. ldebugger. It calls the int 41h, function 4Fh.
( _6 i9 B: m  U, P8 ^" k6 WThere are several alternatives.  

, D: a- D& S2 Y" qThe following one is the simplest:

0 t) }, _6 ~6 U- M3 C    mov     ax,4fh
    int     41h
( s8 Y  w5 {/ b3 c5 B    cmp     ax, 0F386
% U( S( a& R9 m+ ]2 x    jz      SoftICE_detected
" l" s7 w) ?/ K1 H+ N0 z1 Q0 Y
5 m* M( m. K$ {1 z; Q1 [
" D7 S# I! x- o* C  sNext method as well as the following one are 2 examples from Stone's
% m, f4 K( r. F+ f$ ^) v0 T7 w3 r6 Y"stn-wid.zip" (www.cracking.net):
; u4 \2 Y# i: K. Q, S
    mov     bx, cs
9 T4 B, y8 e- |    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
1 w. r, Q/ a& o& A+ o    mov     ax,4fh
    int     41h
. W& d3 V/ w/ A% D% z! [    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
  e. I/ H# j9 n( Q7 Y    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP
9 @# o+ P7 ~2 |  ]1 e" v
* b% d/ t! l5 F5 G  S+ a
) j/ T. m, ~' E1 E/ e- Z_________________________________________________________________________

) h! L9 C* H1 L
/ h2 x3 s8 Y& A6 i9 X+ C  Y- X' BMethod 06
=========


; M2 d, }* k* v$ f- u0 j2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP
. ?, G: ^$ a) l6 K& \- C
+ O. A  V: H  W+ P" b
; Z: L; ~7 H$ s9 D    xor     ax,ax
    mov     es,ax
    mov     bx, cs
# P9 z! I8 f9 ~6 d  q. X! U    lea     dx, int41handler
    xchg    dx, es:[41h*4]
) ?; Y! x: S& D0 F2 f  b! j    xchg    bx, es:[41h*4+2]
" y; U5 g3 `3 V5 w: [/ z$ [( v    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
/ e1 w! N/ y/ g& [    xchg    bx, es:[41h*4+2]
- G8 T. ~# f# f0 h# C    cmp     cl,al
3 n5 g3 Y+ k0 ?# j8 r    jnz     SoftICE_detected

, M* J, N0 W% C' d- O. B_________________________________________________________________________
8 @) f+ S! g8 z+ T/ g/ O6 x6 c
Method 07
& E. R9 V- p% k! c=========
9 I/ M, C, ^) m8 I  s) |
3 p) ?; R( R, A' D' AMethod of detection of the WinICE handler in the int68h (V86)
# ~) ~6 L4 z" |. n. S8 I' H( F9 |4 P
    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected
8 ^+ e$ Y) t1 e% U7 |

, i2 Z+ d) T. X=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:
$ s( c5 l9 i8 E  i- h
   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

& P% {  |9 z. G" X
Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
8 Z/ i  a2 k6 k% |% Esystem by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)
1 E( j' l% p# h- t0 S2 X
    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
( E; o/ L# r% z1 F# @5 h; i; S3 I    int     21h
# \/ P! D; ^& Y2 C+ W) S/ O% e
8 k% `5 s( [% y( n. l__________________________________________________________________________
$ I5 `( ]3 s. u+ X0 F5 T
# L2 F* B3 l7 KMethod 09
, O9 R1 i5 C3 J=========
5 j$ }/ n9 n' R; {0 G% B6 k
. K" H- R7 ?& Q. m& l+ @This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
. r% N, z: Y8 e& jThe Get_DDB service is used to determine whether or not a VxD is installed
) \3 g' Z  X8 @) r" z0 a/ T$ L8 _for the specified device and returns a Device Description Block (in ecx) for
7 _8 n+ P( V* j* w) o# l# Z& N0 kthat device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
5 Y% S: B0 ?! V& U- a- U   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
" h% k% J3 M9 \4 O7 M( D
Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh
3 _$ d  }* U3 f% p& D6 U* R
__________________________________________________________________________

Method 10
( L2 f% Z1 g4 w) Q: g/ A+ B=========
' r/ M; z3 @2 J" T6 S- S
=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enable!!
" r: u: Y0 h% Z$ c' a0 S5 P
: H% c; S$ u! }3 z% M2 r, |  [9 V5 LThis trick is very efficient:
) N! `( y. ^6 E* s8 p& G! ~" e1 eby checking the Debug Registers, you can detect if SoftICE is loaded
, b: H' p4 v' W9 y, @(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
6 ?/ q: T& P, K* W- }1 c. K( sthere are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and or changed as well
. b) k" K4 ]+ B(clearing BPMs for instance)

__________________________________________________________________________
1 S1 @  n6 I$ y6 Q
4 W7 k& \) B, M8 ZMethod 11
2 g( d+ P/ Z3 {% I=========
0 _9 S4 k+ w/ t
This method is most known as 'MeltICE' because it has been freely distributed
9 C6 ]+ I8 l1 ]via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
; d, Y7 z0 f" N. P6 k' @! }
The way it works is very simple:
3 M  A& k4 m8 mIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
6 Y0 c9 m- z" C" O/ xWinNT) with the CreateFileA API.

2 y5 G6 L* b' @& E# F9 ZHere is a sample (checking for 'SICE'):

; ?! ~0 e. p; |$ W! N, X( r7 ^BOOL IsSoftIce95Loaded()
) `4 g5 g. N3 ~  M2 l{
   HANDLE hFile;  
1 T* y1 L6 r' F1 r7 y# h   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
( U0 I4 r! r9 J/ R- u1 j                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
! B0 u6 |  H3 c' v5 |# s2 }   if( hFile != INVALID_HANDLE_VALUE )
   {
; z# u+ H& ^$ ?1 b% o* Z, d      CloseHandle(hFile);
      return TRUE;
   }
3 V7 R3 B: i" M3 {   return FALSE;
}
, ^1 @9 U# \6 a
/ [6 ^+ i- U/ C% p& m8 HAlthough this trick calls the CreateFileA function, don't even expect to be
. v& p, k  c' Q! I  A3 Wable to intercept it by installing a IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
. j! H+ K; D! \$ i! m* lservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
" Q" P% H! `6 U2 Ffield.
In fact, its purpose is not to load/unload VxDs but only to send a
0 I; M' H0 y7 zW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
9 T  v# x# s) J& [to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
. T' G; J: @# a* r; W, b  I, oIf the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
4 r7 z2 d% O$ V, X2 l: a" ]+ q2 tYou can check that simply by hooking Winice.exe control proc entry point
3 j% b- j6 {) U- q0 kwhile running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
' U: e2 D* ~& y' M  0040106C:  call      CreateFileA
+ F7 c" d( R# [4 E) P3 }* ]  00401071:  cmp       eax,-001
  00401074:  je        00401091
1 r2 E6 W4 h- |$ [. E( Z3 |

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
0 U; J/ ~2 A+ @' h  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
7 b6 H5 O# V3 O, W$ P- k    *(esp-&gt;4+4)=='NTIC'
' t6 b2 p  D0 l/ Y3 U
-The most exotic ones (could be very slooooow :-(
* V5 W% g% |- B0 `7 z   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
3 ^* ~6 _8 Y# Y' n- C
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
     ;will break 3 times :-(

-Much faster:
: `2 B' r( E/ ^6 v& ~   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'
3 \) D; N5 A( n4 |0 L
4 U6 w/ H. [1 NNote also that some programs (like AZPR3.00) use de old 16-bit _lopen
0 k) P7 e* c5 w- x% a7 j" Gfunction to do the same job:
( [' U2 g( i$ Q' A* ]9 u" ]
0 C& ?# o- p: w   push    00                        ; OF_READ
2 ^: l" y) ?( M) @% F; w0 A) r   mov     eax,[00656634]            ; '\\.\SICE',0
$ G& n+ c  U6 P, H   push    eax
' q" ]2 u; `6 O6 Y9 h   call    KERNEL32!_lopen
+ W3 ^9 F. Q8 K9 f2 r+ e) \   inc     eax
   jnz     00650589                  ; detected
& b% l7 K* N/ J4 h% }" Z0 ^. k   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
/ t4 O% \6 z. V4 o9 e$ e   push    eax
4 f% T; O- y+ a' F$ L3 \, R( [   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected
6 d& b9 D" i5 y: c
7 K5 z$ \7 b1 w$ a* r+ i
__________________________________________________________________________
/ d0 M8 |# u% b2 S) N  x& T4 B7 C
6 A" m3 W2 P$ n4 \9 N. N6 |Method 12
+ D# q) O! v% c- V0 k' Q2 t=========
* I$ _" L9 d8 {; I; W, F9 n4 D2 D
This trick is similar to int41h/4fh Debugger installation check (code 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
% E, c. Q/ M* s4 D# j7 X" Qas it uses the VxDCall backdoor. This detection was found in Bleem Demo.

. q; @& b. z( l$ r" l6 i+ j   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
1 x4 V# V0 F3 R- F; k7 R) G* J1 i                           ; low word specifies which service
" }" U& o1 p! r                             (VWIN32_Int41Dispatch)
: q" n: E; d9 h% `9 ^   call  Kernel32!ORD_001  ; VxdCall
- Z: P2 u5 v) s% l3 W   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected
+ p* _- v, i5 f; Q# X
Here again, several ways to detect it:
6 k5 j! Z5 ?( x( l2 }% O' }
    BPINT 41 if ax==4f

+ C( H3 J7 Z* F- [% l    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
& W$ R  M5 E: R0 s
    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A
* B! B* d' S& v
    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

0 v( C1 b% W' `8 ?! e" l$ }& eNot a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by few softs which access the following registry keys (usually #2) :

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
  P, J( V( f* m9 l9 H, Q- O3 U. F-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
" ?" \+ M0 o: @2 H, _3 R-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(
/ ]. e+ u/ e+ a! }! R
6 ?  a7 P( c* ]9 ~Useful breakpoint to detect it:
5 T- v& }$ K$ M' Z0 q2 W1 L1 I" n' B
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
9 v$ V0 m0 b. j% j
, H, d& H# Y% p( r__________________________________________________________________________

$ _( |+ E/ h/ j) ?& f9 B: m
! v3 Q; T2 @; F, p* l+ I2 WMethod 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determines whether a debugger is running on your system (ring0 only).
5 ]* I& V& x& g/ }6 @2 }
   VMMCall Test_Debug_Installed
3 [4 A. k( ~% `' K( R   je      not_installed
( @* i! p0 t0 m' G* k5 j' \' A
' x( D# l+ X# \This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>