About anti-SoftICE tricks

<TABLE width=500>
& m* ~" v# e& P, j' O7 B8 E<TBODY>
0 i& `  H! A+ ?6 K( E<TR>
6 [( n" N9 K; k) W; d<TD><PRE>Method 01
) b, Y" L' B: Z* }=========
2 F2 i7 T  o0 [
( M  n( A# B/ t& I! l; MThis method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3      
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________
9 A$ e; _! D/ v" x# y9 M
$ J9 R3 f. p; n% h5 t0 bMethod 02
7 E. ?$ v' l/ W$ j=========

Still a method very much used (perhaps the most frequent one).  It is used
2 ?6 S& o5 F4 q( @  \! Pto get SoftICE 'Back Door commands' which gives infos on Breakpoints,
or execute SoftICE commands...
% i1 F( h1 z$ U% \It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((  
& ~# r& P8 N" M# d& N: ~
7 }, i. V# }# V: U3 yHere is a quick description:
" s. m$ P. v! D4 _, ~% v/ a-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
-AX = 0912h   (Get breakpoint infos)
; P3 w7 k. r6 h8 }; ^; s/ U* R* b-AX = 0913h   (Set Sice breakpoints)
-AX = 0914h   (Remove SIce breakoints)
- p: m8 b# Z  M. Y0 h
% y$ p* `( ]+ ]1 h3 uEach time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftIce.
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
' q+ h' [( o. @, }. {+ a+ a
# v9 y1 i' O1 FHere is one example from the file "Haspinst.exe" which is the dongle HASP
7 U# `' w" l: d5 L' o: O2 FEnvelope utility use to protect DOS applications:
! a+ n9 Y0 `: X7 C8 B. \% q
' ^' X6 t1 h4 G" S1 C0 q
/ c8 ]* s; O" U1 j3 [) U0 }4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
: `! W: T: `. S! N$ f2 b4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
* u8 o; w) x& W; w4 f+ |- s4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
! d1 Z4 i4 d' s7 d  A4C19:00A4   INC    CX
4 V" X+ B' A9 r0 g- O3 P, l4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
# K8 w) I/ q8 C2 R0 g4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)
( v% P/ \$ D4 H/ g
The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

; ^  K, }0 U) Y" T: a/ i
Method 03
=========
/ v# r8 X/ O9 n
/ g% Q% l, n6 MLess used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)
" a. W7 p1 Y$ p1 p! b, x' M2 {. \        

    xor     di,di
3 F$ Q+ b' T- u; j' D$ \( p) w/ W4 b    mov     es,di
4 Q" {- J- I0 D8 G    mov     ax, 1684h      
! D) V0 N7 Y. t. ?' G7 Z: A    mov     bx, 0202h       ; VxD ID of winice
  R. U; E; T% \' K$ L4 O9 d    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
( V/ o  {2 `3 G) M2 z    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

0 Y2 ^7 X* D, ?% ?Method identical to the preceding one except that it seeks the ID of SoftICE
1 S. L9 @; ~! r% W  G9 k9 uGFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h      
; {) F4 K7 \' V7 w. @% O    mov     bx, 7a5Fh       ; VxD ID of SIWVID
% I! P+ ?/ A8 N. L    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
& f+ V, c* u! @! X0 {# i  c    add     ax, di
    test    ax,ax
6 g4 N, m( Y! i' {% n1 F    jnz     SoftICE_Detected
5 N4 F2 m$ M3 y) Q. z
0 f% t. j, Y; b6 Q5 A0 t( z__________________________________________________________________________
! P  U2 x  R. N! c* [  C9 L

3 c9 a; F: \4 D" [Method 05
=========
4 {+ {7 R% A6 g, J; ]' J1 A- m6 Q
Method seeking the 'magic number' 0F386h returned (in ax) by all system
debugger. It calls the int 41h, function 4Fh.
6 }! A3 F" k; c" n. hThere are several alternatives.  
7 |  o, ]- w. a8 m  M
9 x* s3 j8 B6 F* NThe following one is the simplest:
1 p0 U& i# A5 l! I
: v% d9 K( c: |    mov     ax,4fh
    int     41h
' ]$ m; D/ }- q6 S  X    cmp     ax, 0F386
    jz      SoftICE_detected
, a/ h$ C9 b; @
; K- v4 t3 m9 g5 C( [
Next method as well as the following one are 2 examples from Stone's
3 u$ x+ f. a5 ^- j"stn-wid.zip" (www.cracking.net):

7 b& F6 ^1 F& i/ K, z    mov     bx, cs
    lea     dx, int41handler2
2 u; M% V, y) K& Q) P    xchg    dx, es:[41h*4]
$ @: N9 Q! O8 G) l8 z    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
+ s# Y7 Q* y+ N. q; z$ g    int     41h
5 b8 g; t+ G" l    xchg    dx, es:[41h*4]
+ I% ?( V! s) A# O8 q    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
" z3 n. e& D5 u    jz      SoftICE_detected

9 V: t6 j* o$ C. d4 ]$ kint41handler2 PROC
, p/ B! o! c" O# F    iret
int41handler2 ENDP

: k2 W4 {( j6 b, R0 k2 N! |
_________________________________________________________________________
" G" F* o; q: Q# I$ w- k8 F. r3 G
& r* {6 u+ ]/ s" C0 _+ i! }
' X; U; S) R5 a1 tMethod 06
) o" }" j; r7 g/ L0 w=========


% D3 q2 ^+ O* w8 ?: Q# C1 x5 y$ l2nd method similar to the preceding one but more difficult to detect:

* c: h: a' A' {6 E
int41handler PROC
    mov     cl,al
    iret
9 S0 S" L$ X! |. Oint41handler ENDP


  h, m" l$ `( `9 ]5 c$ r    xor     ax,ax
    mov     es,ax
) \. M' B2 E5 Q4 z! V    mov     bx, cs
    lea     dx, int41handler
4 Z' Q  ?5 S! b/ Y- M    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
- W$ n4 @* T: M: j0 B- i- |" v    int     41h
    xchg    dx, es:[41h*4]
! g* I4 t$ R4 E' a8 I" J4 x: A    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

( S/ `! |. t  \. `$ R; I_________________________________________________________________________
2 E  x. t2 y: v0 o4 ]
( A  x2 D% z& c) R, OMethod 07
$ ?/ x, f6 u. l=========

Method of detection of the WinICE handler in the int68h (V86)

4 ?* E5 K5 M; R# F    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

( @  r1 C: R1 F# _
) j: [& Z* v3 `9 J+ y=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
; T5 ~: k! ~, G+ l' _7 U8 x   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
1 m/ j1 ?# S; H, b   located at [ebp+48h] for 32Bit apps)
' o! J7 q8 Q& ^% ^9 ?) g/ {__________________________________________________________________________

$ S! o& |/ i) G9 b9 F& N) b
5 F3 u7 ?+ X4 k+ F- gMethod 08
3 `) a# G5 C  A, p( ^) F% l) e=========

4 L5 D( S8 @8 |. c& ?* kIt is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
7 f6 n" f. j) a: R# e( n( ~/ y, |It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

$ z# f* b2 C' H! M  ?__________________________________________________________________________
3 i8 i5 B9 H8 Z2 u
Method 09
- }2 n: p+ _" Q; P# [=========

This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
! H. D$ R6 v1 }8 Yperformed in ring0 (VxD or a ring3 app using the VxdCall).
7 }, C; v5 S0 z7 tThe Get_DDB service is used to determine whether or not a VxD is installed
  T6 O) P2 N! dfor the specified device and returns a Device Description Block (in ecx) for
& j% m4 p- F9 [) Q  l/ r, bthat device if it is installed.

, J& c6 D4 d) I* D: ?+ C   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
$ I7 F, p; u* H7 B/ ]' p   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
+ W2 {$ C1 w1 |
Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

! w' _/ T5 @9 e% n' T5 [Method 10
=========
& V& q: _( k6 x
9 o8 R/ }  s! |4 D! O=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enable!!

. r3 H6 m# }( G, BThis trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
/ w  i' h/ m' R3 j7 ?value (in ring0 only). Values can be manipulated and or changed as well
(clearing BPMs for instance)
5 L1 W& o; \7 f) @$ M: p
__________________________________________________________________________

Method 11
$ s( j- w; w& ~( b$ [/ {( O=========
" i" T* `- m7 T7 B2 z% G
6 F4 c& P& |9 O' b1 `  fThis method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
; u. K% b/ M7 O8 E& NSymbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

, `/ Q% V, R( F' b: N) \8 {# ~The way it works is very simple:
" [& W2 U8 D" N3 r* A( EIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

. f4 @; r& [% o+ v- }Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
% T8 h& E5 V: _3 {1 `% i{
   HANDLE hFile;  
: b8 C: B) @5 R% A  D+ X  l   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
; S' H# F8 M6 G* e1 `      CloseHandle(hFile);
      return TRUE;
   }
  ~, m; V& [! L   return FALSE;
( g- t' L. C0 i9 u- F}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing a IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
$ j9 S" Y+ S9 p" C* o+ C$ rservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
, i$ r6 p# Y: u3 x$ @/ o+ @and then browse the DDB list until it find the VxD and its DDB_Control_Proc
field.
! p( Q' Y  L3 ~8 wIn fact, its purpose is not to load/unload VxDs but only to send a
3 L, g1 n/ x, J8 S! W& W4 u' E7 GW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
8 F. r; O7 O/ ~/ Rto the VxD Control_Dispatch proc (how the hell a shareware soft could try
, F' }# a( y& ~! vto load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
+ @1 A4 k, ^/ p. ~its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
; u% b6 ?8 F; ~+ H* G( `while running MeltICE.
  N) H8 P. M. q8 d( m: Y

0 Y* t. ^2 |$ D& h; b  00401067:  push      00402025    ; \\.\SICE
7 J/ }/ S, F3 W! y! l  0040106C:  call      CreateFileA
, H8 f. f8 V9 v  |: f  00401071:  cmp       eax,-001
, R8 b0 }8 Y1 c. ^5 u8 N. _& i+ x  00401074:  je        00401091

' _/ K4 }" H# J% M1 L
There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'
* @- C! E( s& H2 |" V4 v
1 Z& g- u. l7 m1 c-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
     ;will break 3 times :-(

-or (a bit) faster:
. o+ a, W- b* u$ n   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

: E; e& f8 ~  k8 J   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
0 Y: y& [& A5 T$ Q2 }+ S! [5 l6 d4 o     ;will break 3 times :-(
' [. o; a3 g1 l1 B0 K+ ^6 y6 U
-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

6 c9 r/ b# e+ X7 m) ?Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
# I( T* {8 q* {3 ]) Z) Dfunction to do the same job:
% q; F% J; _. j5 L8 G) C
   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
1 R0 W% ~4 j2 Y3 o0 ?! \4 \   push    eax
2 J3 z; O! D1 P3 i   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
6 ]* |2 l+ r; R$ @' c   push    00                        ; OF_READ
7 U2 m# l- m, ^3 I) P) p   mov     eax,[00656638]            ; '\\.\SICE'
& t( H! m6 V6 p  f   push    eax
8 ?2 Q1 S  x! _2 h3 B/ a; v) @. m   call    KERNEL32!_lopen
   inc     eax
* ~6 i, ]; @0 ?" Z5 }5 B   jz      006505ae                  ; not detected

# Y/ W$ U" _# h* |, L
$ s0 J4 J2 m2 Q+ n- @" w' C__________________________________________________________________________

Method 12
2 [0 F2 W  R+ s" |8 l7 g& v=========

This trick is similar to int41h/4fh Debugger installation check (code 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
6 H; l4 a( u3 d5 e, l" e% g   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
' Y6 S* ~4 i' b/ B                             (VWIN32_Int41Dispatch)
6 F- ~" x; ]: N; O8 \( L, g   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
# W, J% j  L6 {1 p$ t   jz    SoftICE_detected
2 w  c6 r5 F% r! B. i, \& D% s
Here again, several ways to detect it:
7 r6 l, k3 ~" r$ e& D
' N0 B: i4 a2 U9 N3 b    BPINT 41 if ax==4f
8 W* P' f( d3 ?& B
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
4 }5 K$ C3 @# _  F
    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

" ]0 `; i4 n2 J    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
7 B: N1 j6 O5 c% n& O
! e* k: G% n7 z+ Q% ~__________________________________________________________________________

Method 13
* O& Y+ S- d$ r4 J6 g7 m6 d( k* ^=========

; i. o8 r* P5 O, |Not a real method of detection, but a good way to know if SoftICE is
8 H/ {5 ~* J& g7 @5 binstalled on a computer and to locate its installation directory.
It is used by few softs which access the following registry keys (usually #2) :

, ]9 T9 D" c8 W" Q0 M( p/ Q-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
, C9 A# p6 ]$ s5 B  ^\Uninstall\SoftICE
" ^! p+ X. P, N# ~# p8 c: U-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
* x3 \  j) f3 a. m, u\App Paths\Loader32.Exe
% u+ N* O! d% r; A

4 c9 ]# x  I" j, {- gNote that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
+ E- S. D: C2 `4 o# [4 a0 s
3 c8 z/ x6 L) y& e4 Z* k) ]! A     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________


Method 14
+ ^% A6 k7 X6 u7 G' E: K=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
, s6 C2 h. U0 ~: h" |  _is to determines whether a debugger is running on your system (ring0 only).
' ?) T, E5 m  {# A; r+ n
0 G" V. W) H* H8 @0 ~2 i9 `* U   VMMCall Test_Debug_Installed
   je      not_installed

0 U% k5 l* F* n9 \9 {/ F+ BThis service just checks a flag.
, j, |5 y* R' a1 D6 Q! g</PRE></TD></TR></TBODY></TABLE>