About anti-SoftICE tricks

<TABLE width=500>
: }' S4 T: w" {: y; l* z8 F<TBODY>
$ s8 a0 a2 |' F' O  t6 B<TR>
% L  S( A2 ]4 t6 O$ Z<TD><PRE>Method 01
=========
( t* B; ~8 y' A$ Y4 S, Z
# _  x3 g8 C  v: `% R1 v; g4 jThis method of detection of SoftICE (as well as the following one) is
: |/ R0 ^; o+ i2 ~8 qused by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE

& @# B, {4 Z# `$ F5 E* e    mov     ebp, 04243484Bh        ; 'BCHK'
. y$ X3 {* w+ f    mov     ax, 04h
    int     3      
    cmp     al,4
    jnz     SoftICE_Detected
$ ^6 h, W# v/ j/ F/ A% s; z
3 r. e) H5 n+ s9 U; d  x___________________________________________________________________________

Method 02
8 a  M8 D4 X3 v  O0 M3 g: J=========
+ D4 I; M9 h7 q' W+ F, k$ P
) a' G& p3 K- G6 p. ^Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
' |4 n0 y; N+ V% f" T& |9 |or execute SoftICE commands...
! ]" g$ H0 J- d3 `; d" \It is also used to crash SoftICE and to force it to execute any commands
+ Y# O6 V1 w% m1 |  Q; ~' J(HBOOT...) :-((  

' J& t* p6 h% N6 J% DHere is a quick description:
( e6 g4 \  {9 ^+ w* L( W-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
-AX = 0912h   (Get breakpoint infos)
# F0 A! B$ W. f1 w-AX = 0913h   (Set Sice breakpoints)
4 c4 r  b/ \, H0 k# f+ N, Y-AX = 0914h   (Remove SIce breakoints)
/ y, a6 C9 P1 J) N3 A2 s
Each time you'll meet this trick, you'll see:
3 \- ~" ?- ]( ^2 g9 C! E9 G3 p-SI = 4647h
. L2 M# W9 O6 }' a/ L" d" g-DI = 4A4Dh
Which are the 'magic values' used by SoftIce.
9 F2 ^# K! k0 E7 @For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
( Q" v. H6 s. L7 o
5 F, Y3 \' L- [2 A4 k1 r2 l8 X* yHere is one example from the file "Haspinst.exe" which is the dongle HASP
! u  _, j) Q. \3 PEnvelope utility use to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
7 z$ P& O$ V) N; I6 L" k# f4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
8 u6 e' W. _) x  C; R2 ?# t. Q4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
6 S3 _  B1 i; g6 l  f( ^4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
8 r* P/ J0 H# A' G" K9 ~4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
) y. F2 N% k, U4 @3 K) p4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)
, `& W( C- w# `# n+ n# x4 T% ~
" E7 d4 r2 N, E! k; yThe program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________
) d& w* x0 n. ?2 ~4 T+ T1 m' }1 c2 G

Method 03
% w6 ^9 W5 P4 l+ Z& c=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
% z( d. O! y1 Z3 y# c/ F+ b(API Get entry point)
        

1 U' f, i# t$ X    xor     di,di
    mov     es,di
    mov     ax, 1684h      
    mov     bx, 0202h       ; VxD ID of winice
) u+ g; B! G$ e/ T    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
  I/ k, U+ i0 I  \- ^    add     ax, di
    test    ax,ax
+ ^' L% y  P! F8 Z! S  O    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
+ M1 Q8 f: F, Q3 ?0 ]=========

. T* A1 I0 Q3 D  KMethod identical to the preceding one except that it seeks the ID of SoftICE
7 f0 A/ p$ ^6 [- DGFX VxD.

    xor     di,di
    mov     es,di
: E7 u' z- j. ~; W# E' C8 x& Z" ?    mov     ax, 1684h      
, P" D2 d% p8 x4 G    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
7 n, O) z2 p/ Z/ {3 Y/ M    mov     ax, es          ; ES:DI -&gt; VxD API entry point
2 }" x" w% Y5 }, u, ?    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected
9 s! O0 Y9 I- L9 Z, V/ I& a( Y
__________________________________________________________________________
- ?  [" u! b6 C* U! O& L, Z

7 m5 M# s9 s! NMethod 05
% [6 s5 M. J0 Z6 O) P5 ~# X=========
, w$ Z0 p$ o8 K! Z  c- |
+ y: J- x5 g  q* aMethod seeking the 'magic number' 0F386h returned (in ax) by all system
3 b* n! U7 `. A& J& e6 w- \  n+ e  Ndebugger. It calls the int 41h, function 4Fh.
, ]" J9 @5 I- h: a9 y7 [There are several alternatives.  
1 c- ?, ?- s- Y
$ x% A) j0 {( z7 E8 f  C; I' eThe following one is the simplest:
1 {7 y2 q8 n3 r) }4 n$ |4 X" }
% X5 M& `; t( {9 X- s: q    mov     ax,4fh
6 H2 Z) i% U' @2 S. O    int     41h
; }2 Z" V8 L" {- k7 \$ c    cmp     ax, 0F386
    jz      SoftICE_detected


Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
4 h" b4 A6 }2 K: h( O    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
3 h% q- c/ l- W( X7 I0 R% f    xchg    bx, es:[41h*4+2]
$ }# x0 I; Z8 e# t) k    mov     ax,4fh
' ?5 j/ u3 h5 _0 X# F9 A    int     41h
8 C8 Z7 L( E; p1 s/ r    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
8 o* `+ d& G+ n8 H! A$ ~    cmp     ax, 0f386h
/ ^# z# k8 C+ x1 G1 h    jz      SoftICE_detected
2 d# Z& y  _+ Z+ c( O! N- ?& Q, W+ ~
int41handler2 PROC
1 p9 H+ U: F1 Y& t    iret
1 M' N+ E$ P: F- x0 @int41handler2 ENDP
3 W3 A  @" Q% |1 `0 }* |; j
: W6 |) P" v' C% h( J# Q
3 Y/ X) ]/ m% S/ f_________________________________________________________________________
  i% m* y' C; s$ h6 S
% y2 r$ j# z9 w8 j2 k1 m
1 N1 k3 R0 a9 c- L6 h6 }Method 06
=========

/ O& L" k1 |$ j  A5 |& Y
2nd method similar to the preceding one but more difficult to detect:

) W& Q+ H9 v0 [
int41handler PROC
( n: `( m, |9 J! E) A5 z    mov     cl,al
- {+ z, N6 v, x4 K& y6 j    iret
int41handler ENDP
' \5 B; x, |/ ?, M
. X3 ^( A, o, {$ w# S
# L% `; i' L' h0 ^: C2 Q    xor     ax,ax
    mov     es,ax
0 a1 D* L6 t3 ^    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
/ V: _2 ^' K# C) e, C7 n( E    in      al, 40h
    xor     cx,cx
    int     41h
5 f* j5 V0 |! ^* v8 P    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
7 k3 e" U; [5 @" \    cmp     cl,al
    jnz     SoftICE_detected

) L4 b! Y7 z2 b* M. G, R_________________________________________________________________________

, R9 y: w# `* b! Y0 cMethod 07
=========

Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
  J( s3 j) y8 g    jz      SoftICE_Detected


=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
- ?0 Y6 s- y- l# U4 m2 O: v   app like this:
7 L$ s- n7 G: \9 z" D
$ \- h9 a6 N- v! E2 I( D   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

) R+ Z, Q. K- \$ z, G1 \: p
; ]& i+ ]7 H# AMethod 08
; d; \* Z4 v6 F3 Q' ^8 T=========

9 c4 d# B! ^$ o, qIt is not a method of detection of SoftICE but a possibility to crash the
! `  ]0 t( K. s( K- Ksystem by intercepting int 01h and int 03h and redirecting them to another
  C( V$ i' ^* a' Zroutine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
8 S9 ^* _, Q6 ^- g8 P8 Qto the new routine to execute (hangs computer...)
% J1 d% q# t# E& v
/ T4 s1 X7 d) O$ t! n  Y- w- B    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h
- L0 X# f# o6 ^3 v9 s' {+ S
__________________________________________________________________________
  S9 ~. Q: c5 K$ Q6 ?2 c
Method 09
$ X1 @$ Q  D, \6 F& T% S7 y1 o1 E=========
3 D: f6 H& \, Q# \. E7 x
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
: f3 m3 S4 `0 U# t9 a/ g; xThe Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.
. D0 W% G. K  `% _7 }' e1 _
; q$ A" {! `5 n, b' k7 t, L   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
9 i) o8 I# K1 c8 Z; F) C- ^( m   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

$ f0 q' A( k6 e& E0 W' q' Z  lNote as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
; e; k( A% \# e8 H8 E7 Y  h9 _
Method 10
: x3 f6 \+ Z0 O4 A/ h  y=========
4 q: f& Z" v9 y) b1 p. F( |
- H4 H5 j1 h  C( x=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enable!!
  L. J$ @+ h* R9 ?2 y# d& ^
This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
! k& Q, ?* R+ r7 M0 `# @: ^2 O) t(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
/ ]5 }' r- h3 l" zthere are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and or changed as well
* d% [; Z) A6 v9 e& o(clearing BPMs for instance)

__________________________________________________________________________

7 N' W) g& s) `8 z6 sMethod 11
6 U4 G4 w+ y8 i# j2 c' k" o=========
  M3 P3 O$ z  K  O; F6 ?* d& I! u
9 `, o2 a( R; c" Q9 A- MThis method is most known as 'MeltICE' because it has been freely distributed
( C' J( [9 f: `/ R: Y) Pvia www.winfiles.com. However it was first used by NuMega people to allow
8 Y3 x) p* ~/ E. R8 VSymbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
* v6 ^3 @' g! v: G* n( m6 _
/ }+ {# G  x" r2 n: [4 a6 u3 d" h3 BThe way it works is very simple:
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
  ?0 m6 |; G1 p0 W
Here is a sample (checking for 'SICE'):
& Z7 E2 W5 `. U+ P( F
BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;  
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
+ W3 J# l# ], ]4 d/ R7 y! W. f   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
* [1 j8 T( {/ E$ Z   }
. O  R$ G) F, t+ N   return FALSE;
}
# a4 N( z( i! t' o
Although this trick calls the CreateFileA function, don't even expect to be
2 r. s  J* t) S4 ?, V" oable to intercept it by installing a IFS hook: it will not work, no way!
- S* w% C: @' WIn fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
! g( r5 J9 ]* M7 U% Z- pand then browse the DDB list until it find the VxD and its DDB_Control_Proc
3 ]( T! z5 a% v" y9 xfield.
In fact, its purpose is not to load/unload VxDs but only to send a
  R2 Q9 Y' \+ P" e& [( CW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
/ P4 ]+ r2 f" N' ato the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
4 j* ]/ E  D. P$ ^. ^If the VxD is loaded, it will always clear eax and the Carry flag to allow
6 o* a' t+ @5 @9 uits handle to be opened and then, will be detected.
& S' c2 n; x+ C$ {, H0 KYou can check that simply by hooking Winice.exe control proc entry point
9 c6 \) j, E6 A7 r. m# d  iwhile running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
) P* q5 {4 C8 \9 r5 o7 Y% L  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

/ x4 f. Q$ A. M* `% \5 g
* U; I% X* g; X- [% H! ?There could be hundreds of BPX you could use to detect this trick.
! f0 d: Y/ o$ ]: {7 S-The most classical one is:
1 Z  B0 n$ ~/ y7 {* U3 g  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'
# y' ^* c7 I# R: c1 s+ ~2 h9 R
-The most exotic ones (could be very slooooow :-(
$ o4 I5 ^3 _& D. Q. e! \) S   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
7 y4 r6 \6 z' x) h5 z( N     ;will break 3 times :-(

-or (a bit) faster:
* m. l7 }4 N' D3 h9 H   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
& W" k0 w8 O% o8 y: A
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
     ;will break 3 times :-(

  w' {, ?  u8 S-Much faster:
6 _( M$ X- u$ z1 s/ S9 x9 t   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

( \7 B6 r; S3 k9 f$ FNote also that some programs (like AZPR3.00) use de old 16-bit _lopen
function to do the same job:
; e3 g/ r4 F- h4 A7 g; ~
   push    00                        ; OF_READ
0 ?0 |8 Z+ E8 `2 }/ I) r/ B5 G   mov     eax,[00656634]            ; '\\.\SICE',0
1 T% t6 A! d1 \9 d6 h   push    eax
3 q% Y. g) ?" H3 K, {# E   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
- y6 |# `2 r" @( }* r4 k   push    eax
   call    KERNEL32!_lopen
, |3 R: S' x; s( M' o   inc     eax
   jz      006505ae                  ; not detected
& f/ g" W  q% {* f
9 a) J- @* K0 C% H* z
2 M) I$ a$ F7 T% V6 a__________________________________________________________________________
1 ~& c" S" q2 e: U! P& X
! _  d# \9 S% C# a4 iMethod 12
=========
; B* O, q6 a" [) A1 S0 F: D
This trick is similar to int41h/4fh Debugger installation check (code 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
& l& J: M9 [$ o$ vas it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
8 h4 Y+ T  f- j  O- |9 W2 ?   push  002a002ah         ; high word specifies which VxD (VWIN32)
& u! W1 b* A6 B$ F& N6 o                           ; low word specifies which service
& l7 D, O8 n& R+ h1 ?; R! {/ \& ^                             (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
) Y$ g, U7 R& r! U0 q   cmp   ax, 0f386h        ; magic number returned by system debuggers
- F9 E$ A. _+ F# u6 b) C   jz    SoftICE_detected
6 o( ~, X8 _) T/ N
Here again, several ways to detect it:
7 r1 T& g% W4 Y9 D: C" o7 H+ O
    BPINT 41 if ax==4f

" M; r7 y8 u; K0 z9 S    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A
7 J: d: ~! i- m
6 N2 {. z( E; {5 D! r    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
; p! V& V9 o1 h- _  g
  _& ?7 ^  E8 o, x__________________________________________________________________________
% s" |3 A/ |9 b6 Q
' ]& i& n' Y+ x! s+ T& q! E* {+ c' hMethod 13
=========

1 i, F- o! O8 Q+ B$ ^Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by few softs which access the following registry keys (usually #2) :
. F7 |* c! a$ k
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
9 J4 y6 ?2 |4 P% [0 @$ F\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from SoftICE directory
: W* U6 h; c5 ?0 Z9 `& j6 }$ W(I faced that once :-(

) J/ A& R& o8 `6 v. ]; a. NUseful breakpoint to detect it:

6 n8 u4 ?  o; i: ?( w     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
6 u& S3 _. m/ X# X3 D
$ R! c( ?5 e2 Z! a__________________________________________________________________________


Method 14
=========

  N  b1 A3 j0 h" `6 p  _! RA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
) ?! K+ j; S5 w3 v6 d$ mis to determines whether a debugger is running on your system (ring0 only).
- A. W3 i* I4 G8 `
- I) L9 n, U+ X/ Z' _8 V6 m) P   VMMCall Test_Debug_Installed
7 T' r+ L' L0 w3 F) j   je      not_installed
4 I! b" @% o2 L) V7 ~& N
$ P' d( T: G. ~7 l' gThis service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>