About anti-SoftICE tricks

<TABLE width=500>
: S6 ]2 E2 ~& C9 y6 }& d  k$ J<TBODY>
<TR>
8 d* k" w0 D+ H0 z, v) B* N' \3 o/ P<TD><PRE>Method 01
" A  u: J! b8 a" Z( a=========

This method of detection of SoftICE (as well as the following one) is
: `0 ]( `5 E! J6 a" m& O/ |2 R: lused by the majority of packers/encryptors found on Internet.
( E0 ]% k3 C, a* @/ t, h7 |/ NIt seeks the signature of BoundsChecker in SoftICE

  b) l0 k! J6 Q$ H) m    mov     ebp, 04243484Bh        ; 'BCHK'
4 t$ u  y( F, y3 ?; C    mov     ax, 04h
) Z; i  r' C1 x% |& s" e    int     3      
    cmp     al,4
    jnz     SoftICE_Detected
/ m/ s8 i/ @- t! u% j/ `4 Q8 f+ K$ p
! }: M4 W2 t0 {1 B___________________________________________________________________________
2 S# C3 ~8 k5 g! g* ], O
: A4 x; b+ s: A  d- m0 g2 ^Method 02
=========
( k6 P$ U) q6 s- q( b- a7 A& @6 }" I* \
Still a method very much used (perhaps the most frequent one).  It is used
2 t9 K' D7 N/ R5 Ito get SoftICE 'Back Door commands' which gives infos on Breakpoints,
" D; @, m. x" K# j9 g1 Y- y9 |or execute SoftICE commands...
" n8 s* v9 T$ k3 S& v" TIt is also used to crash SoftICE and to force it to execute any commands
: l2 ?% }; q: f0 [+ T% i(HBOOT...) :-((  
9 ~+ k9 F* s" p
Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
-AX = 0912h   (Get breakpoint infos)
* u& N# c4 s) v$ s# T-AX = 0913h   (Set Sice breakpoints)
-AX = 0914h   (Remove SIce breakoints)
$ B1 ]% N. G4 l2 s0 l
+ T- Y  q! X2 T4 u. UEach time you'll meet this trick, you'll see:
-SI = 4647h
* T1 [4 o! h5 ?0 L4 S' h2 ?5 I9 J- [4 {-DI = 4A4Dh
Which are the 'magic values' used by SoftIce.
7 d: }1 ?0 |( Y5 H8 |For more informations, see "Ralf Brown Interrupt list" chapter int 03h.

" X' Y9 V0 ^4 o0 n" KHere is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility use to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
' F' ~" M4 B( B- M4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
. k) }$ d" ^) d8 B' C' T7 s4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
$ f5 n& m$ m& }1 M! x& d4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
( j1 y2 J# s: _/ h5 t# [5 u) n4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
3 e6 s9 L8 U- q+ Y5 ^4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
7 F6 w/ R7 m4 o4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
' p7 q% J/ z6 K4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

& ]5 v' L; U0 ^2 _! b' P' |The program will execute 6 different SIce commands located at ds:dx, which
; R& d0 S( h1 s# h$ Pare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
7 f. Q9 a! N, V# {# g___________________________________________________________________________
9 [+ q* L% x. g) R
  o, x& B2 K' E( C: P/ L
Method 03
=========
0 `) y% w  d8 i! U% _
Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)
        

5 R0 N' Y/ d1 M4 r5 Z    xor     di,di
# G& @4 G$ w5 v; ]4 j* w6 F8 H    mov     es,di
' j. K; P/ @9 a+ u8 {6 N6 y+ @; ]    mov     ax, 1684h      
    mov     bx, 0202h       ; VxD ID of winice
! ?$ u; Q) ^: Q# J) v    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

# D$ B) k/ x5 h6 ?___________________________________________________________________________
. P. _$ D4 @$ S0 B
9 O  g8 f' I2 d5 Q% [% vMethod 04
=========
" q- Z7 K4 r( ]" F, O% q
Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.
$ S5 M( J% v& L
    xor     di,di
9 U* \7 g" a4 A! N  G+ `2 m% V- k    mov     es,di
$ h( F' j$ u  q9 P0 K" ~    mov     ax, 1684h      
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
: r: @/ q! P2 \( e6 f6 u5 h    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
: D! H5 {/ @( e+ M* s    jnz     SoftICE_Detected
" o0 F+ L0 Q' U, b8 I% |% Q
2 G8 x% }8 m# w' l__________________________________________________________________________
- [4 w- q) ~$ H" L
1 G- s* y+ H6 i- v4 [
Method 05
=========

: h8 r. _$ w" |Method seeking the 'magic number' 0F386h returned (in ax) by all system
) [" q1 E) b* N  L& i. ndebugger. It calls the int 41h, function 4Fh.
# ~  N+ @$ |) \7 d5 |There are several alternatives.  
  R' s" l0 p% |* l* K
The following one is the simplest:
' X$ h! W9 U7 S9 h0 c! _. x
    mov     ax,4fh
3 t+ T! y+ X; m- L1 C2 y    int     41h
  H$ D$ B& ]4 u5 `/ t, J    cmp     ax, 0F386
6 i7 ~" L' p# F: @    jz      SoftICE_detected
% k6 \% j( G& i- }

Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
2 U0 I# s/ ?" J    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
2 r/ \; n2 D. r+ s5 q$ K' R- w    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected
5 C3 |9 ~1 r7 c8 |; V% e8 X
1 g+ Q6 y$ _6 G/ N# j5 G7 hint41handler2 PROC
7 Z6 B) J5 K9 @2 Y. I9 p    iret
8 e! e2 l# C0 f+ Y' _int41handler2 ENDP
$ ]9 q+ y8 r$ Z& m3 h# Z. _- s$ k4 \

! l- M' }4 w7 p! t( U1 O0 J_________________________________________________________________________


Method 06
=========
( z9 _: ?, L1 t+ ]3 K3 g3 F; B( r, e

4 ^& x1 P* n: G1 z$ X$ ?( \6 ^$ @2 z2nd method similar to the preceding one but more difficult to detect:

6 a6 b9 m  v* @& n" P9 S! N7 D
. Q- q0 f9 H! ^) S: Zint41handler PROC
    mov     cl,al
* H: }& d, y/ S  A* n6 j" P    iret
0 ]0 i- ~0 T. @int41handler ENDP

- F$ T. x& i+ @1 e" x- D
& u9 ~; n1 x% }2 _7 N    xor     ax,ax
* v5 F7 V! T2 F    mov     es,ax
  d9 h6 L% B" i9 V, ?    mov     bx, cs
    lea     dx, int41handler
' A9 P8 M7 z/ s, e/ w) R6 U; N# K    xchg    dx, es:[41h*4]
$ p! o% F* C9 o3 B( ^, F: i    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
4 k9 Q8 o! i- b    int     41h
    xchg    dx, es:[41h*4]
6 S1 _4 e7 y! ^' F    xchg    bx, es:[41h*4+2]
  d$ t8 b7 d1 L    cmp     cl,al
    jnz     SoftICE_detected
) o# c, I9 d' @9 @. X( {! D
_________________________________________________________________________
0 J8 a, s9 z7 K- @
4 u* V' A+ l6 t* `4 c( zMethod 07
=========

Method of detection of the WinICE handler in the int68h (V86)

2 o: a0 v  o& x) O# p    mov     ah,43h
    int     68h
+ p. b2 O  \$ b$ M  p! |) D    cmp     ax,0F386h
    jz      SoftICE_Detected

: Q1 A' Z) \$ o+ K  |
$ @% g4 J' ]3 i% f- g=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
9 D, I$ e' u4 y7 W3 G3 T   app like this:
0 P+ n2 x" j+ }# J
" K1 d: z9 [1 \8 ?; W/ o1 U   BPX exec_int if ax==68
6 Y# T" a" R% C. }   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
3 @& M) v) f( l/ H! ___________________________________________________________________________


( W9 r/ o" ]; C( v' `5 |Method 08
=========
" \% V/ h4 d8 B! d* ?
It is not a method of detection of SoftICE but a possibility to crash the
# O# H0 N1 t9 rsystem by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
3 w- u- V& W6 U+ [" Z$ r$ ato the new routine to execute (hangs computer...)

9 w' q4 `' I3 ~. O1 |: r1 _' X    mov     ah, 25h
  Z5 N$ _) N0 D1 [* e9 y7 u5 x    mov     al, Int_Number (01h or 03h)
8 E( q- v2 o( ~) ]) t. p! s, C    mov     dx, offset New_Int_Routine
! c' q% Y+ c7 w. j6 X* o; ^' c- F    int     21h
/ c$ M2 D! }7 ^
) M7 S% f2 G, H. K3 R+ l) V__________________________________________________________________________
) `: D. Q* R! @; i+ @/ b
Method 09
=========
! v3 T) W& d5 A. L: z% _4 P1 l
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
+ _$ f8 v6 M" C7 U6 V: wThe Get_DDB service is used to determine whether or not a VxD is installed
  Z0 k8 o3 ~) I- S7 `' T2 wfor the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
# g" N7 M. j& o7 _7 h/ V' F   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
0 u$ N+ v0 o- T! |* b
. j  H; w2 v  a8 C! K8 iNote as well that you can easily detect this method with SoftICE:
# W- }0 t/ R% I8 ]! b   bpx Get_DDB if ax==0202 || ax==7a5fh
- u6 W% e& H0 s
; l! P( i- M! }! d7 R1 s2 O; c__________________________________________________________________________

( F4 p; h( y2 X" s' s5 U* W2 qMethod 10
=========
: @- E1 ~3 w- u4 o1 N
& u: C! H" `& L9 V' Q5 h' F=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enable!!
  _- T  D& W) R
This trick is very efficient:
( b# o/ k. E2 }  N3 H& Xby checking the Debug Registers, you can detect if SoftICE is loaded
- p, [- e% Q: e6 p% d% Z2 d) n4 q(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
7 N1 u/ |6 Q- i6 Athere are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and or changed as well
1 v& r: }. T: g' P! Q" r1 p(clearing BPMs for instance)

# }0 c) d8 c/ s__________________________________________________________________________
- d% X( i& X( B. w1 x. A- u; I
Method 11
) ]5 b2 H9 l# i' t5 Y7 n$ q=========

This method is most known as 'MeltICE' because it has been freely distributed
  Q2 f8 z& c  ~0 Q$ avia www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

+ u. H1 o* `( |* Y- XThe way it works is very simple:
4 ~) ^  N  X- ]& YIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
. {( {* U/ E# O6 M/ kWinNT) with the CreateFileA API.

" _$ b4 |! E! \. E: }" VHere is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;  
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
, l9 P% u1 r3 u- ?7 U" K                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
  l: p+ I0 O4 @6 M6 n) m3 [   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
( v! }7 O7 Q1 `' g8 n& Q& ^* S      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
2 k2 V3 W, V: g' y5 rable to intercept it by installing a IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
% v. ~8 J5 ^6 J" kto the VxD Control_Dispatch proc (how the hell a shareware soft could try
$ V$ B/ J' z+ B4 P) u7 R& ~# @* B2 |to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
9 m1 I0 o- ]3 D7 P( sits handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.
$ a/ m5 ^  l9 V: x+ E" v

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091
5 |. C* Y  U" U% |0 J

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
0 C: m4 o* T* Y& M  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'
9 Z1 I, B9 c  w, t# p1 M) y* b/ z
0 V( I: {0 t$ z' D-The most exotic ones (could be very slooooow :-(
9 M; b' p: m8 G) _8 p   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
     ;will break 3 times :-(
& ], ^! V2 o6 K8 p
" O- O7 G: ^7 c: \% _+ L-or (a bit) faster:
0 h4 u9 w% _1 X  s1 j   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

  R, R$ v- }: p7 E) e: f6 v  q   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
3 j8 ?' D- D& ]  k; K0 C     ;will break 3 times :-(
0 S% {$ O) {  R' c8 h1 c- W
-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'
, l# _& T( P& {! ?
& |: g" _, v0 E" e" |% ^Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
function to do the same job:
( g, ~% F3 w( t1 u5 u  E0 b) c( J
   push    00                        ; OF_READ
2 y6 U- z6 j2 x   mov     eax,[00656634]            ; '\\.\SICE',0
3 M" ^0 a. s  B/ T. C   push    eax
   call    KERNEL32!_lopen
   inc     eax
( g9 d; S  Y; E7 ]% I% `7 A   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
0 W7 S6 \$ a& J/ i$ T# o   push    eax
% S! {& Y2 G" z( j4 g# f   call    KERNEL32!_lopen
   inc     eax
& b2 w' U. i! M8 k" w7 ?   jz      006505ae                  ; not detected
8 w7 S3 p8 s9 s: r3 O* l

__________________________________________________________________________

Method 12
=========
/ P- S7 b% E* S0 L* x: C
This trick is similar to int41h/4fh Debugger installation check (code 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
/ W8 u, |0 a0 A; l/ Has it uses the VxDCall backdoor. This detection was found in Bleem Demo.
" `! ?9 y- o% v) ?
   push  0000004fh         ; function 4fh
* w" J7 W4 R6 [   push  002a002ah         ; high word specifies which VxD (VWIN32)
0 u5 R$ h( }  l9 z* I                           ; low word specifies which service
                             (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
+ E# C6 N! L6 u( w( X' E   cmp   ax, 0f386h        ; magic number returned by system debuggers
* t+ _4 C+ u2 g   jz    SoftICE_detected
$ f& r* M; b$ J& _8 T
Here again, several ways to detect it:

    BPINT 41 if ax==4f
8 G3 V4 n( R, _' g- T
0 Y# k; c' I. o' ^  {    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

8 a) \( f5 t0 U& d9 w0 i- |2 L    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

5 Y" v" l0 q! J    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________
5 h: m/ b5 c+ G7 x
Method 13
% z- z' r, A0 a8 F3 w=========
9 r! n. ]7 p' x" }. g7 _7 l
$ F& [/ i3 c; N! g! {Not a real method of detection, but a good way to know if SoftICE is
9 i2 h& o( e, f4 n. [0 Y+ w" Tinstalled on a computer and to locate its installation directory.
" U$ v5 b- u/ r. I3 X% wIt is used by few softs which access the following registry keys (usually #2) :

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
  B; V% I" X2 M& {: T, W4 U: H' f\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
- w$ v" B9 ?4 {; g2 I! o\App Paths\Loader32.Exe

3 [) c8 l4 A  l$ |9 o. a: o
# F# w  ]# F/ \2 Z1 ~Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(
) a: I0 \$ y: ]/ K7 f. F
Useful breakpoint to detect it:

, E5 j. ~/ d2 I+ Q" j* h     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
$ E" i( {9 o) Q5 F+ y% z
__________________________________________________________________________


Method 14
=========
9 `+ \* R; p9 c7 f% v* o& s  c2 |
/ E5 G9 _. i& A8 N7 h5 HA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
, _- B/ c; g! K4 ris to determines whether a debugger is running on your system (ring0 only).

$ ]6 t0 V* w9 u( Q# v) F9 T   VMMCall Test_Debug_Installed
; ^% s/ G  X& p- T- h; W$ k) x5 k" [   je      not_installed

6 F% x' [/ J- M+ g7 N3 V- p* TThis service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>