About anti-SoftICE tricks

<TABLE width=500>
) t! g* k/ f' T7 }: E0 F<TBODY>
<TR>
<TD><PRE>Method 01
=========

  @7 t( R9 a' A$ n7 H! g5 TThis method of detection of SoftICE (as well as the following one) is
9 k5 W, g- a  R, Rused by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3      
7 V4 h  Y/ Z: U: h+ m6 B. ~    cmp     al,4
    jnz     SoftICE_Detected

9 S' V/ y9 m6 F  O0 z: c9 D9 b___________________________________________________________________________
7 j* Z9 i/ Z# n9 o
Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
# n- X+ H5 O. P; sor execute SoftICE commands...
0 d, j. w+ R9 o4 UIt is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((  
2 X# J% _# _# S4 |+ P0 ^1 P* r
Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
  U, s! D& a* ^-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
. W( W& W7 ?  O3 }) q-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set Sice breakpoints)
-AX = 0914h   (Remove SIce breakoints)
' n9 ]  p8 y: ?5 [+ ]: ~! }1 E- F
Each time you'll meet this trick, you'll see:
5 \+ u! _3 A. z. D6 N% ~-SI = 4647h
-DI = 4A4Dh
& N: e0 V# c' N' f- Y+ KWhich are the 'magic values' used by SoftIce.
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.

. Q9 q1 ~+ X2 T; eHere is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility use to protect DOS applications:


% R9 r6 k' ~) V& c4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
# ~* j5 J: J+ g8 [7 l2 E3 F4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
" y( h- N/ `, m) u5 K4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
( T" C6 K! h/ n6 T! ~4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
* S4 f& {+ T4 }0 l  j4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
6 |5 g& H) v6 Y2 r" y- M# G, i' w0 }4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

5 C$ ^$ \1 f$ ^3 I+ gThe program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

9 j% [; o( A7 f, m  o
Method 03
, _: a- u8 x6 t) a=========

( B/ X' J; J- ULess used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
/ H1 ]! ?# Z  `  S+ l. o(API Get entry point)
+ e& u7 l$ E. R. {: Y- e        

    xor     di,di
    mov     es,di
# p3 a! A9 G! x4 c) P+ @5 R    mov     ax, 1684h      
    mov     bx, 0202h       ; VxD ID of winice
/ u, A' d* i% A! T( z3 _    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
3 f& c. _( W, a% M1 p8 D    add     ax, di
  P& X2 l3 R2 \) d9 h    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________
) N3 K$ u2 g7 [; r% [$ B) S
Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h      
* m- h' P% C/ j3 r" R! q$ j6 p; Z    mov     bx, 7a5Fh       ; VxD ID of SIWVID
9 }( C+ S8 R% F2 P& y    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
9 N; x, g/ g9 Z    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected
0 Y: e* _1 B' q$ O+ [
+ h/ b8 F6 M9 R: h! \  R# c__________________________________________________________________________


Method 05
# g# I+ X6 o2 p* r: p  q% y. T=========
1 T5 j0 {! h5 C
Method seeking the 'magic number' 0F386h returned (in ax) by all system
debugger. It calls the int 41h, function 4Fh.
There are several alternatives.  

The following one is the simplest:

- K, P( l6 f; \" r( d3 }( [+ Z0 [! D    mov     ax,4fh
    int     41h
: v8 t+ j7 a% H$ ]. o    cmp     ax, 0F386
" F# p: _4 Q0 G" _9 y    jz      SoftICE_detected
% m; O7 w* O5 Q- W

8 u1 L# A" P9 r3 [% z/ vNext method as well as the following one are 2 examples from Stone's
/ l1 d; {8 j/ Z: ["stn-wid.zip" (www.cracking.net):
% A* F( d2 n4 }: T( c+ S
; s0 ]% H4 b% W. O* h/ s8 F    mov     bx, cs
% k. F( a- k7 ^5 Z6 F    lea     dx, int41handler2
" q. b3 ~! y5 D3 a' T    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
0 X4 \9 v' a' O0 f    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

7 U7 f6 M5 b, Y9 Eint41handler2 PROC
8 d8 @: P9 q( T/ r    iret
int41handler2 ENDP
; Q. n. w, ]0 z3 \

_________________________________________________________________________
# j! |! I# F: E" S. A+ _2 T2 Q
# d7 y/ A' S, X  x3 I
Method 06
. _) ]: u" M9 B=========


2nd method similar to the preceding one but more difficult to detect:
2 S0 I. b# f9 U! k

int41handler PROC
; R* O6 ?/ p. Q1 Z9 ]! V; s    mov     cl,al
    iret
4 c, S# r: i8 v' Sint41handler ENDP


    xor     ax,ax
  g8 }) X' V0 f& W    mov     es,ax
) k5 q0 Q* z( |! M    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
: ?! C' L0 H5 |) x3 T    xchg    bx, es:[41h*4+2]
    in      al, 40h
! Y2 K+ V9 [0 n5 D" L8 L/ K    xor     cx,cx
    int     41h
0 E9 I9 e$ l/ F& Z. M. Y    xchg    dx, es:[41h*4]
8 \! F8 u5 W" M. s/ M# e    xchg    bx, es:[41h*4+2]
3 c0 c2 R8 |# X2 g    cmp     cl,al
# P) e( ?. A8 y- }: x" e    jnz     SoftICE_detected
' X5 R( S% H0 z  e
_________________________________________________________________________
$ ^" u1 v( Z+ P% Z+ O: X8 q0 ~; ~
Method 07
=========
8 `# v; t6 E8 o* h  u
Method of detection of the WinICE handler in the int68h (V86)
! W. S0 z/ r. D4 {# C
    mov     ah,43h
    int     68h
3 z+ p$ }# C* z9 e" X    cmp     ax,0F386h
    jz      SoftICE_Detected
9 Y0 z! X5 S' `

=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
8 L! T# O' [% s  O& r: H* p, X# t7 \   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
' r7 q1 k6 J: t9 ?- W/ E   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________
4 i+ v; j" x2 f. J& K

7 k. X! W0 L& C; f# f5 X, FMethod 08
/ [2 z( f0 z1 E=========

It is not a method of detection of SoftICE but a possibility to crash the
' k$ z! A* U! f, Xsystem by intercepting int 01h and int 03h and redirecting them to another
: v, ~' H: t) E  u5 n( nroutine.
# f4 |0 m, C1 aIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
1 O* e) s+ j2 Oto the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h
; m6 a1 D3 X2 l4 n7 D+ P) c8 g( G2 C
' w; `7 }! ~1 g. }__________________________________________________________________________

9 I8 I, ~+ k; K: P( F8 v, `7 |Method 09
' _* E% P* m" p9 D* ^/ b: }# Q2 Y! J7 H; ]% u=========
  [) f" |6 {' c+ V6 }0 g
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
* [6 W( }! c' i6 i5 M" _+ ~4 BThe Get_DDB service is used to determine whether or not a VxD is installed
8 O1 \+ B- C* [3 G; e! h& I, hfor the specified device and returns a Device Description Block (in ecx) for
6 X# B! t' ]& i% Y- p8 I+ `that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
1 i; a/ }3 f- d/ a& a+ O   VMMCall Get_DDB
* I. V7 Y0 Q# F( `& M% O0 P   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
. C- S% e5 s. k  p=========
4 U: f6 r. l1 [0 R( N  D* K# @
  r8 s4 O' T0 {3 P+ w3 x: a=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
+ x+ r5 o% K2 p5 n2 [5 W) L2 ?% j  SoftICE while the option is enable!!

! Y* U7 ~8 g4 PThis trick is very efficient:
9 s/ ?5 Z+ T4 o' oby checking the Debug Registers, you can detect if SoftICE is loaded
/ y% w1 g, g5 E9 q& H+ Z(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
- P& s  u% K3 ]" T4 c+ Ethere are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and or changed as well
(clearing BPMs for instance)
, c& y: C1 B) u
% i: U2 F* m7 M: g& a__________________________________________________________________________
; h, k* b' c. i& `; w& \
Method 11
( v& O  T. t1 X9 p. Q=========

This method is most known as 'MeltICE' because it has been freely distributed
/ n3 k' s- `" `" v+ }via www.winfiles.com. However it was first used by NuMega people to allow
0 }. O' @. R! E# L' KSymbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
( q5 v/ `. u6 j# Y
8 d: ~9 \% }$ N9 yThe way it works is very simple:
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):
/ E2 K& w) S& n5 e
! ~# h; k- I$ b% I: r8 NBOOL IsSoftIce95Loaded()
{
   HANDLE hFile;  
9 [7 r7 `8 l' |  B, Y2 b   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
$ e' k. ]8 K2 i8 B2 o2 _* u                      FILE_SHARE_READ | FILE_SHARE_WRITE,
& J- ~" d0 }: g/ ~3 K                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
3 B  ?; B6 u: ~, n" I1 [) H2 }6 V      return TRUE;
   }
& |, [9 U3 [7 |, m   return FALSE;
, r8 {2 M% h8 d/ O1 i1 i  G}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing a IFS hook: it will not work, no way!
& K+ R6 a$ K1 B: u5 `1 Z6 CIn fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
; B- ^5 s* Z1 _5 o: f' l% Ffield.
  i; u, {3 a( B8 k3 RIn fact, its purpose is not to load/unload VxDs but only to send a
' T1 b! F. |( |+ y) Q  FW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
/ u' g" R  G+ V3 sto the VxD Control_Dispatch proc (how the hell a shareware soft could try
. g4 S7 s$ b& e; M# K9 Lto load/unload a non-dynamically loadable driver such as SoftICE ;-).
) |8 Z+ `. P  o) Z% C! O/ [5 lIf the VxD is loaded, it will always clear eax and the Carry flag to allow
" x( K& J, U& {; s, Gits handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
, N- v" ^4 ]6 Q7 uwhile running MeltICE.
2 [6 U: K& o+ J! Y& c- |
) v0 ?+ ]; E0 T; `
  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
5 M7 g; K2 Y  L( e5 g) ^+ ?8 M: X6 |  00401074:  je        00401091
! x- g$ P+ A# H0 {4 @
0 G& v( t& c& ~8 @- D: e) |5 t
There could be hundreds of BPX you could use to detect this trick.
% C; p) L% r. {5 H-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
# g6 i4 g+ G: j) X9 Z    *(esp-&gt;4+4)=='NTIC'
$ J. l' c: }+ |0 f) j! |, K7 H  E% O
4 e2 f' ^6 [# X-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
     ;will break 3 times :-(
4 v$ R& @. q( l# H
-or (a bit) faster:
6 P& |2 V' T. }& g" T+ \! a$ R% J   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
( N) @( O5 S8 b     ;will break 3 times :-(
& ^9 l0 R: M. z% A! u+ f
7 @; |, ?& j3 ?3 q6 f: d-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'
. q9 d! O2 q" [
2 q/ X6 z& x, H' X. n" n9 qNote also that some programs (like AZPR3.00) use de old 16-bit _lopen
function to do the same job:
! \8 s" P( e& Z$ [( a
   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
" x  \6 q* G) g( L8 ]   jnz     00650589                  ; detected
   push    00                        ; OF_READ
3 W, D9 R9 e' Z   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
  M, Z7 R$ s% i6 |6 k8 g, r4 f2 Q4 p   call    KERNEL32!_lopen
6 T1 ^, h& ~  I. G" f/ ?& `   inc     eax
   jz      006505ae                  ; not detected
6 G' Y) ^' P5 _$ F3 W9 ^3 D3 B2 h
$ v$ h  F0 |/ U3 z- b1 I
; [# T$ C' ^& a7 c  ^# W' L/ g__________________________________________________________________________
% j4 f  R3 F5 b/ H+ p: ~; X' p# S
Method 12
=========
1 I, |0 s' K3 e! N1 O
This trick is similar to int41h/4fh Debugger installation check (code 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
5 I. F! O# c2 M! Y2 X3 }6 m9 I. W   push  002a002ah         ; high word specifies which VxD (VWIN32)
$ J9 L2 M6 \0 }3 E! N4 G                           ; low word specifies which service
3 t* x/ F7 u- d" \                             (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
  C% X# }' Q  U5 B: ^   cmp   ax, 0f386h        ; magic number returned by system debuggers
6 k, e$ P* C3 d; m4 X9 {) h   jz    SoftICE_detected
; M: \1 \& r9 N* r2 i
Here again, several ways to detect it:
: K: n( d. p6 e" L' r. H' o! i
    BPINT 41 if ax==4f
  L; O. e! C5 ^
# w3 c3 {/ i# K; {    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
' W% ^1 G6 T" V! M
    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A
" d8 y8 S4 K4 k0 {& K
; ~+ n7 f' Z- x, l. B    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

" f/ \4 ^! t$ m- P% h# K; @' h+ b__________________________________________________________________________
* J. g$ s7 C" f
Method 13
=========
) P7 W4 C5 j4 P8 M
Not a real method of detection, but a good way to know if SoftICE is
5 Y9 K( m! S) K) o% Oinstalled on a computer and to locate its installation directory.
1 A% E( J0 @4 }It is used by few softs which access the following registry keys (usually #2) :
4 q* r! Y5 S6 \. Z# L! ~
) y4 G" ^  R" e; Q. r6 h, c" j9 O- Y" ^-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe
6 Z, B  u* w5 V

" i; }, }1 l6 M2 a. M! T: ANote that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
% O9 y& B' U$ S  N' d- Q4 F1 J( Z
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________


Method 14
* k: ^4 @) e, k" ?/ R=========

3 M* d# i: Y# i( c' Y& E% ~5 ~7 K! o9 dA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
) r6 X  ~- ]2 g. \& J3 _is to determines whether a debugger is running on your system (ring0 only).

' i& L+ ~. A" h; |4 w   VMMCall Test_Debug_Installed
   je      not_installed

7 u. D) u6 u8 Z& Y+ qThis service just checks a flag.
' Q) y, I: T1 [7 i0 f6 i# ?8 p</PRE></TD></TR></TBODY></TABLE>