About anti-SoftICE tricks

<TABLE width=500>
( Q9 G  V3 ^7 X<TBODY>
<TR>
<TD><PRE>Method 01
* \4 b+ P% U1 y=========

This method of detection of SoftICE (as well as the following one) is
4 x- p9 b' K# _5 d5 Dused by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE
+ t  y% I& j' e
    mov     ebp, 04243484Bh        ; 'BCHK'
6 {$ a- f& ?% l. o1 C4 q    mov     ax, 04h
    int     3      
    cmp     al,4
, c/ R( a% J1 g4 }, F2 ~$ J( z" v    jnz     SoftICE_Detected
, U+ n: p/ e; O, x+ e1 e) e
___________________________________________________________________________
' ~: l0 q+ Y$ z: r  i- R
/ k! C, }' e8 yMethod 02
=========
$ v& r; S9 V4 q3 S- G  }
# e3 K% U* b! y. sStill a method very much used (perhaps the most frequent one).  It is used
* [3 W/ n; H! Uto get SoftICE 'Back Door commands' which gives infos on Breakpoints,
or execute SoftICE commands...
. u$ `6 N2 c4 G3 v% c+ P* L" U1 B: `It is also used to crash SoftICE and to force it to execute any commands
; \$ a  X$ ~  k& P; T+ D(HBOOT...) :-((  
1 K0 s; S# B3 y& d. p4 H7 t
: y# q% W1 ], U+ A. e0 I# D9 W9 [( y8 D" OHere is a quick description:
- z. {5 f# I2 Y9 ^. Y6 z-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
-AX = 0912h   (Get breakpoint infos)
6 q5 l2 w# X# m$ O3 g: ?-AX = 0913h   (Set Sice breakpoints)
-AX = 0914h   (Remove SIce breakoints)

6 V# F9 G( T+ w# Z5 ^Each time you'll meet this trick, you'll see:
-SI = 4647h
" r5 L( j( X4 s8 g) I8 u# d6 `-DI = 4A4Dh
Which are the 'magic values' used by SoftIce.
2 U( ~% m/ j2 b+ [7 K2 T% y/ _: Z1 @For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
1 U2 x. K  c) }; R9 j  e4 y
; K% y' d; Y: V# s5 v; [: O( ?( tHere is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility use to protect DOS applications:

1 B, X; n2 }8 I9 _% ^" u; v
9 n' a  B& K5 L/ B' G3 ~6 d) n4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
, H; u9 ^9 ~3 _1 y0 u" _* l) _4C19:009A   MOV    SI,4647  ; 1st magic value.
) Q4 s! [+ S- A8 n2 a* e; `2 |4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
. t! k( p: \$ c4 _4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4 f/ m1 S  X0 w6 r9 s1 j4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
# R8 z6 y9 @) x4C19:00A4   INC    CX
( E0 p* w. \" o) f2 \, {5 N% N4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
5 G2 a8 t% S+ R" s; `' u: z4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

1 Q7 M% h# d! c4 B' M) w( `The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

0 G9 o( h3 {* f4 ]( K# P: |* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


2 ~' G! L# }% A# m) dMethod 03
$ i  [, Y$ o. h; g( e4 H=========
: Q  b; A, `1 G! @4 D5 e
# M& U1 I/ q' C- ?2 O# e/ q/ ]Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)
        
* _2 f) _8 }- w2 `
    xor     di,di
    mov     es,di
+ O, ^/ r* u: o- f    mov     ax, 1684h      
    mov     bx, 0202h       ; VxD ID of winice
- ]+ k2 L8 v4 m. z    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
# x) t/ N# ]2 C& R    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected
6 }6 J8 }2 M6 h! A5 Y
___________________________________________________________________________

, v6 W/ O& T% h/ [" |$ RMethod 04
=========

' ?" f: g0 L' f( N+ W( x8 |Method identical to the preceding one except that it seeks the ID of SoftICE
% _2 A8 |( Y0 N5 A- s% y# gGFX VxD.
7 P; T" J+ g& N7 h6 p  N9 x# a
    xor     di,di
    mov     es,di
    mov     ax, 1684h      
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
) Z7 M9 W0 l$ F/ Z' i4 \9 ^& z4 s    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

/ W0 j: i+ C2 L4 x( |/ q
& F7 s7 m- Z' b$ a! gMethod 05
=========
& ]# a0 d4 y3 L
Method seeking the 'magic number' 0F386h returned (in ax) by all system
" q* t! O  `1 ddebugger. It calls the int 41h, function 4Fh.
! ?# w- y' b: B% w- z( K+ eThere are several alternatives.  

: @( i0 q1 x) q6 W4 k; \: AThe following one is the simplest:

1 [% G) G/ v2 o7 x# J& d+ s# l+ A    mov     ax,4fh
    int     41h
    cmp     ax, 0F386
    jz      SoftICE_detected
+ T5 M$ W- a' m$ K' O& ?
  G5 C& T7 j  o! Z) W$ _2 A
- r8 y7 V/ A4 R* VNext method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

( Q9 W, P# Q7 l1 a6 s1 I    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
1 Z' X* I% w4 I    xchg    bx, es:[41h*4+2]
" z, f/ s4 w3 p0 M4 x. `* f2 }8 [/ i    mov     ax,4fh
    int     41h
$ V( l6 R- m0 [    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
4 u# r8 H& r. [- L( V+ A1 X, N    cmp     ax, 0f386h
1 x0 q/ ^, o6 t3 @# e! |    jz      SoftICE_detected

# F! e! x0 P! c( `5 [& E7 Lint41handler2 PROC
8 C9 @) H: u% t0 _$ {) j8 \- o    iret
5 J% \$ L- y; ~- a, F( j) T  {int41handler2 ENDP
- P- J; f: k( H; V) u" P

6 H+ m, d; o2 c' V6 M_________________________________________________________________________


Method 06
" K8 ?! ^. i8 D  j3 ]8 W9 z=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
; S- a/ w; l- y' }# ?4 A    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
9 |/ c1 {7 h# x# K4 V7 o& w' f    mov     es,ax
1 e9 H+ a" u) U$ K4 p8 Q    mov     bx, cs
+ W8 k" b' R/ E: y/ y# R    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
3 ?: y) K5 {2 d* A    in      al, 40h
    xor     cx,cx
0 c5 _4 Y9 n3 c5 D: y    int     41h
* N! a+ i( p5 h1 x    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected
' S% d/ X$ u) }6 m
_________________________________________________________________________
1 B9 H& ?2 J% [1 w
4 V' I) ]  T2 @9 `; b0 q* l5 N0 bMethod 07
8 F$ j! C, Y  G; H- Y=========

Method of detection of the WinICE handler in the int68h (V86)

  A) r  J8 y  ~' O6 J    mov     ah,43h
, ^5 m, D; `1 {% |0 O" H    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected
8 O0 J0 P! D- G2 d' E- M- }

: E% Z  U# a8 N/ I5 b=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
3 _% ?2 k/ w4 i   app like this:
  B$ r, a& Y+ {% M. Q6 i
   BPX exec_int if ax==68
( I9 U$ ?: V; }6 U  y: A   (function called is located at byte ptr [ebp+1Dh] and client eip is
% w! R/ q* G7 s) i2 ^   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

1 l. L- Y* x1 [. m5 p9 I& L
Method 08
9 {: k/ y& R: k3 y5 X=========
. Z2 V" W& M  F. ?8 A/ \$ v! v
$ M- b6 ]3 m1 V3 @) XIt is not a method of detection of SoftICE but a possibility to crash the
. C  D5 s$ z: ^# y1 f3 a3 Lsystem by intercepting int 01h and int 03h and redirecting them to another
3 x; C5 m5 d5 z, I4 |routine.
7 F; U  |$ n( r5 BIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

8 [. s" c+ z4 H8 V9 N+ o1 L4 o0 C    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
2 J. ], p- }/ Y* M8 u    mov     dx, offset New_Int_Routine
    int     21h
. r" ?9 c9 Y1 ]+ S& A$ ]
__________________________________________________________________________
( H  r7 j2 f2 H2 v
Method 09
9 C* w; a1 Y3 o  U8 \( T6 a" V=========
3 x+ P$ ~& K8 V  o. V
) d  |: s  U4 A8 i  PThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
! Q  m- F/ c# X! S5 ]) u2 [" gperformed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
& r9 @' E+ v$ d* K! L) ?7 J8 g4 w5 wfor the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.
3 f* m6 @0 ]' F4 t: A) M- ?) H
! t* \' L4 j! ~# R) j9 B: ~6 o   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
% Q1 C7 t1 U; }( X: k
& @2 x- l) l1 L: v/ c3 @, JNote as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh
5 H1 ^& |& x3 c- _- w9 `
' m: @# z9 Q0 `1 Q7 {8 ___________________________________________________________________________
% `- f3 ^  _5 s  A$ g
Method 10
=========

=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
: }" Y6 s% j2 z! x, V  SoftICE while the option is enable!!
" B9 N8 d0 `- b
This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
5 x% t' }1 G" M  ]there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and or changed as well
(clearing BPMs for instance)

__________________________________________________________________________
8 a+ k# e3 R& H- g
9 x1 g, o& R/ P) oMethod 11
5 ]2 I2 N$ _9 W2 J! v6 P=========
# y5 c+ g' r2 C
! A  R6 R$ n) l& k6 D: f2 i1 C5 ?This method is most known as 'MeltICE' because it has been freely distributed
: z/ R5 _# ?, F, z5 dvia www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
8 L5 Z+ V) F4 ^3 ~9 c7 `* Linside nmtrans.dll).

  Z: D0 L* I3 q" ?8 A2 C9 b, P9 qThe way it works is very simple:
& ^* i# F5 f! tIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
" o7 {/ v& Q  g9 P- h' ]  O" u* J
) ?" ?* U' k( ]9 a2 _7 ]) i$ r  bHere is a sample (checking for 'SICE'):
0 t: A5 B+ R- @% M
8 N9 S1 \1 d- [5 I1 g6 uBOOL IsSoftIce95Loaded()
. b( u; V0 l" l( P8 L" @& D{
; k. P* O" E# _   HANDLE hFile;  
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
& J  D5 J5 l( F/ X, H5 ?                      FILE_SHARE_READ | FILE_SHARE_WRITE,
( Q, H$ y7 D4 N2 |. r, A: E2 K                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
) ]8 `; I; b( v      return TRUE;
( c, D/ U' x$ `4 L   }
   return FALSE;
! Q' ^$ f& D: k/ g0 I6 i# x}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing a IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
field.
& D6 F+ ?) A8 [) I. a8 G3 @In fact, its purpose is not to load/unload VxDs but only to send a
9 ^& }, @( C6 F4 bW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
% P1 S/ ], ~) V! `its handle to be opened and then, will be detected.
: q1 d" w  m! ~2 L3 {* K7 PYou can check that simply by hooking Winice.exe control proc entry point
2 B  ~4 l- J& o& }while running MeltICE.
9 f( U# n3 a1 i9 Z

( K  Y) b" U$ t+ u2 ^- a  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
( D9 U+ b$ b8 F  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
9 t# n( R7 I$ @$ e-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
/ S/ M$ m  ?5 S- _    *(esp-&gt;4+4)=='NTIC'
9 B- A0 r9 o9 F, V1 V8 Y6 S
, G- x9 ]- [9 ]6 x& O  @: l-The most exotic ones (could be very slooooow :-(
& T( F; q1 e( F: {. i+ s% Z: D- R2 ?   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
" T' Q# x& v. n) \! X2 z% U! g     ;will break 3 times :-(
. P! f* D* c6 _2 A  l
4 z, F% t2 T0 v8 ?-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
5 L+ B7 [; o: W; a* [2 u8 e     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

1 Z1 C- V# H" x0 U% iNote also that some programs (like AZPR3.00) use de old 16-bit _lopen
$ @+ `9 ~! \0 ~& m6 r6 b& L9 @" xfunction to do the same job:
4 v( p3 s6 J. e' |. e) ]+ T4 x8 ^
; X& h, Y4 d3 t   push    00                        ; OF_READ
" ~  }7 X7 M- y# s9 m' s   mov     eax,[00656634]            ; '\\.\SICE',0
3 h/ B7 l, Q) s: X. a- X   push    eax
# B( x3 _$ b- Y7 n+ N   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
# F4 P3 j5 k7 v, j   push    00                        ; OF_READ
/ q$ w2 h6 G; g9 {* \   mov     eax,[00656638]            ; '\\.\SICE'
9 ]$ Q) Z% ^# [) Y   push    eax
( R+ m$ P+ P' J" q% d7 B   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

: s5 R" `6 ^& A0 _
__________________________________________________________________________
) W5 N) v5 r2 @' d1 W
, K% S( u! d5 l8 \! m1 w& rMethod 12
=========

This trick is similar to int41h/4fh Debugger installation check (code 05
, X/ S0 a+ T, d% ^( e&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
8 q; S9 Z6 u- a! Y
+ w( l' A. |9 ^& s1 u  |   push  0000004fh         ; function 4fh
- o! H. K" P( U- c4 {   push  002a002ah         ; high word specifies which VxD (VWIN32)
6 N& w7 ^# W" o, z2 z9 u                           ; low word specifies which service
                             (VWIN32_Int41Dispatch)
7 k, U6 |! w. f" ]# J   call  Kernel32!ORD_001  ; VxdCall
* k5 Z7 T, I+ k+ Q   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

, L' G5 E+ W5 X1 AHere again, several ways to detect it:
! d. H( f4 z4 E- l
    BPINT 41 if ax==4f

0 G3 _+ G3 |6 S* z    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
; q/ v: E& b/ N: J
2 q7 F, G9 v4 j. s0 C    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
) M1 ~; K8 t" m" W$ z, _% L
2 }+ V2 K" Y4 I+ ~5 N$ D; w0 m( ?__________________________________________________________________________
3 Q1 o- C/ @& D6 p2 ^8 x
4 h7 r$ e8 v5 G" V- x+ OMethod 13
8 w5 A1 M8 T( y- s- Y$ x4 y=========
, D/ R& R2 ?, |% k# ~
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by few softs which access the following registry keys (usually #2) :

$ P- s) ]& p, }; c% e$ S-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
, {" Y( c! y' @( i0 ]1 x\App Paths\Loader32.Exe
0 p- F/ l5 Y1 r% f
& ^/ d# M/ f+ R9 G
0 S2 {# Z2 ]( a' B0 o. fNote that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
" r8 w( H# p0 x5 j% I. ~
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
$ E  G: l: q1 G/ ?" {
__________________________________________________________________________
) @6 y% r* g# [) U2 f4 A

) b4 O& j0 d: eMethod 14
=========
; G. c' r0 S* _: L0 w) u2 m
8 ], x! b  M- d* WA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determines whether a debugger is running on your system (ring0 only).
( R" T6 K! V' Q: ]" i& p+ g5 O3 b
: i6 o) r& X7 W1 C5 g   VMMCall Test_Debug_Installed
   je      not_installed
9 `4 \8 o; g; B
+ m6 ?& T( H; R# h% Y6 qThis service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>