About anti-SoftICE tricks

<TABLE width=500>
, P. y2 {- G8 j$ l+ C: A<TBODY>
  Q6 H( o. ^, T1 K+ u9 g<TR>
<TD><PRE>Method 01
& h* T4 _4 i5 \: D% q2 W=========
8 r- ?( t, s/ D$ C* g& X# |
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE
, J. Q; w8 Y! O$ H8 V
    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3      
    cmp     al,4
: A3 B8 Z* b- p) ]3 @% {0 }    jnz     SoftICE_Detected
) s, Z6 N7 D  l0 H6 F/ O
# D& S1 o0 |( R  e___________________________________________________________________________
# D, p5 b) q% y6 R
Method 02
* p& s* x( t5 U: O0 ~=========
( @4 a& X: c4 q/ l& y  G
8 M1 d9 U- X5 j& i& a; LStill a method very much used (perhaps the most frequent one).  It is used
: l9 j# P2 C. _( q- s5 J& v) D" hto get SoftICE 'Back Door commands' which gives infos on Breakpoints,
or execute SoftICE commands...
8 Y% [+ ]; |; |! s( w& r% WIt is also used to crash SoftICE and to force it to execute any commands
; S9 B7 o2 C: P7 n$ ~  f) E(HBOOT...) :-((  

Here is a quick description:
6 ~( W" }/ ^' G* _( }-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set Sice breakpoints)
-AX = 0914h   (Remove SIce breakoints)
+ ~1 h; c# \$ I! `! L
) N) D2 u4 d) L1 `Each time you'll meet this trick, you'll see:
4 L  V% P% o% _! Z) g-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftIce.
! E3 m: M) a% A/ r/ OFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.
3 A3 I4 l1 x, h! e
& s- C% e( {% W. e! SHere is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility use to protect DOS applications:

5 B* T. U3 I. a5 _( |1 o- H
4C19:0095   MOV    AX,0911  ; execute command.
) Z% @2 b1 G, y# @/ v7 M4 v4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
# B2 `/ l" N. k! O4C19:009A   MOV    SI,4647  ; 1st magic value.
. f8 O. E' K8 W  [4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
; I; E) w; B& ^) X! L4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
- T! f) I  f  e4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
' A; i1 O6 v& q/ D) A7 o* J4C19:00A8   JB     0095     ; 6 different commands.
; D& d: I( N& q' W& I4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)
% S3 ^9 Y' D6 D3 \! P3 j
The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
. Q$ I/ ~% r3 Z; j1 ]) p0 j! Q& o9 H
+ [; X) @# a: T9 s7 z: Q/ X* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
" v# l) \9 w' j9 E___________________________________________________________________________


Method 03
+ b0 \9 N! ?8 f4 H=========
1 s3 K+ ]( x* y7 K2 o
  c% U, |" h$ K3 }( P3 F, i+ zLess used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
/ V' f/ t9 G9 v; p2 q. F% P% y(API Get entry point)
+ `/ k- N7 [/ Y# `9 s" k' C& y        
! t7 U" A0 k' X+ a4 m1 U
' X  P2 A# u# H' ]' d6 v" _    xor     di,di
- x1 F$ ^' a# i    mov     es,di
    mov     ax, 1684h      
# r- C  t0 `$ H    mov     bx, 0202h       ; VxD ID of winice
. E6 ?, v+ T9 @" t    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
' f; x  l: [, `( N1 ]$ X/ P    add     ax, di
! v% E; H  P/ G5 K5 a" b    test    ax,ax
+ r8 ^$ b( d# v+ d    jnz     SoftICE_Detected
( t+ y. @4 i% M# w  f$ I0 q7 W
___________________________________________________________________________

9 B% c. B: e8 EMethod 04
  {2 ~+ p- a3 c& H( d9 V% p* G=========

7 e: }+ R- C  I8 g5 ?Method identical to the preceding one except that it seeks the ID of SoftICE
: t4 t* F8 X- N& vGFX VxD.

; z3 L2 r, g/ p0 u% s    xor     di,di
7 a1 V, j% J) I% k* a$ D    mov     es,di
    mov     ax, 1684h      
1 N! @- s& V0 D, ]  d    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
4 M( L1 W0 Z$ T    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
2 S# n: E$ s6 y$ X5 V, g    test    ax,ax
    jnz     SoftICE_Detected
  |3 K* R/ U* H( K* J& `' V8 n
__________________________________________________________________________

( H8 r1 b2 f/ D
9 ^& C- s5 m3 vMethod 05
" G$ \! a9 I9 d* P3 f2 j=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debugger. It calls the int 41h, function 4Fh.
3 `: V" N' }) e/ y: T2 T) |There are several alternatives.  

The following one is the simplest:
" p7 Z" }% A3 F6 B+ W1 s
    mov     ax,4fh
& }6 l# J. M6 d/ r1 b' X    int     41h
    cmp     ax, 0F386
    jz      SoftICE_detected

; l6 p+ u- N7 t% s+ Z( a
1 u) G+ Y6 m7 R2 k3 Q* CNext method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
: e2 f8 x- I- k0 f, q9 L    lea     dx, int41handler2
: ?; \" D! p. o+ ]& H* d; j    xchg    dx, es:[41h*4]
, I1 u6 o* [6 m# b/ B/ R9 Q    xchg    bx, es:[41h*4+2]
8 X" h: B9 _3 X4 F    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

- \* S* ^2 a3 U  D* b: gint41handler2 PROC
& j) O; k+ q. y4 Z7 ~" Q! s    iret
int41handler2 ENDP
" x: p" |- s7 m9 C8 @" v5 L
7 u( s) y. K& r" N: i. ?
_________________________________________________________________________

" T* P* I) Z% m! ^7 }
Method 06
=========
1 a% P1 A: E5 W6 S

2nd method similar to the preceding one but more difficult to detect:
+ Z& \: g6 w! r( k! Q
3 [# ^+ V. {* T; x
int41handler PROC
    mov     cl,al
/ A6 P& u, K" H' I8 y    iret
+ y0 L) x" i2 @( D$ }- Xint41handler ENDP
( t; W! X1 G. C6 a# a

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
8 P+ Q+ z2 M. W2 j1 _! e; {! n    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
3 U" C% j; f" i: I    xor     cx,cx
, N2 }& e9 j0 v    int     41h
: s- T9 O  c+ @    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
5 H% y0 b' B5 E% ]6 |# T    cmp     cl,al
    jnz     SoftICE_detected
5 n: ?. N4 ?' e' S
_________________________________________________________________________
4 H6 j4 R6 {9 @" t% A+ t$ a  q
. x) c1 ?: w* w8 Y' B: Z, hMethod 07
3 d' w$ J! T1 N7 j- i, q' Q9 V! ^8 l=========

  A0 E* N4 b0 e- _- }3 hMethod of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected
( q8 A- X1 W' N* _+ u9 J1 Z3 t
  {' W' q4 s) _2 e1 n& O" P8 {$ {
=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
( g7 O) m8 K3 Z9 P7 }; f4 E   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

/ G+ [; w: ^3 E9 D) V; E
Method 08
=========
0 R" @; ], u5 h# n
1 u' F% @* r  b5 U$ l6 E+ WIt is not a method of detection of SoftICE but a possibility to crash the
. C! O7 \4 @% g" N8 ^system by intercepting int 01h and int 03h and redirecting them to another
routine.
5 u# e: N: j$ NIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
8 B; N# f( n3 m+ f0 G* ~" Fto the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
5 m/ g7 Z+ ~5 z( P    mov     dx, offset New_Int_Routine
    int     21h
9 S5 W, j  {3 _' \
& u& o5 c! n! G9 H; Q__________________________________________________________________________
( Z/ R8 R: g% i; Q: x, H
Method 09
0 o9 A0 V) E7 [$ x=========
% j# _: m8 y; r2 e0 Z  o# O
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
5 v; Q  K6 y% }6 t3 Z3 |$ Jperformed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
. t5 }3 y" J/ Y( E. C: a$ I7 }1 Bfor the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
9 C8 b% [% s, S2 W2 ~4 e   VMMCall Get_DDB
8 o' k4 V. _8 w) j5 G   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
7 \) H3 B0 N, _# m
" e- V- |* {$ ]/ e# u# w  tNote as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh
' V$ w: R4 I! n- r2 @, a4 N: z
# t- E" O2 m; G2 F__________________________________________________________________________

Method 10
6 f  w$ c8 m* m; D) f+ F=========

/ g, P( s2 w. Z! e, z7 p=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enable!!
' b  `! u& R3 W& s5 m
This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
* {9 V% J: e/ wvalue (in ring0 only). Values can be manipulated and or changed as well
: N' W7 s- I$ _+ x' k5 r(clearing BPMs for instance)

# i5 M6 t0 R& ?  q& n* Y+ t__________________________________________________________________________
! I/ {: c' g- ^0 G  u; b/ ~
" i1 W# V$ b" s# x+ L% xMethod 11
4 D; P" {) x: ^( p4 D5 e- g=========
  m# R2 p; d' G5 a& G
This method is most known as 'MeltICE' because it has been freely distributed
/ e6 b7 _3 g- P2 j: evia www.winfiles.com. However it was first used by NuMega people to allow
( n: ?* Z2 @+ t" R4 W+ W: qSymbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
$ t: a* V, C% \7 V; t- N2 TIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
4 t& ~+ q! `- I; @% c3 O$ ?
$ X) S: e1 t+ I9 g% k& B, h0 z* tHere is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;  
. K) n7 J) P. N" u( ?; X& a, v   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
' V% f0 q- S9 N      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}
( F5 F" e: ]- j
" w; N  c3 X( `0 ^& ]) ?8 DAlthough this trick calls the CreateFileA function, don't even expect to be
  M2 |1 Q: j& j, }able to intercept it by installing a IFS hook: it will not work, no way!
* g8 `, |4 T& @& y* ]In fact, after the call to CreateFileA it will get through VWIN32 0x001F
0 D0 w7 y! m$ O3 U% xservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
3 m4 ^" H6 Y1 r! D6 Vfield.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
2 I. V; k$ [2 a2 [: h6 U( {( qIf the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
8 _* ~! \: y8 V+ k7 \/ l5 uYou can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.
0 j3 z9 o' \' {4 _( f

  00401067:  push      00402025    ; \\.\SICE
8 |: f% E: Y; ?& }+ _  0040106C:  call      CreateFileA
% W0 e4 }6 z- Z/ X2 |' Y. `9 y  00401071:  cmp       eax,-001
9 [0 @( e+ v+ s" C; m2 Q  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
& |3 h$ m; l# n( h# z) S4 {-The most classical one is:
1 [& m: R: n; ]  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
2 l1 T* J+ r' {' F, {* e9 I) J( p    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
     ;will break 3 times :-(
( J% m- g- T3 n9 b& r
-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
+ N% r$ G* {; V9 r, R+ g
( q4 g8 Q! [" e6 O7 ]   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
     ;will break 3 times :-(
: ~+ L7 [% u) J' x  b
-Much faster:
9 g  J, k: A: F9 ]) y  S   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
) u1 ?: G; F" G2 X5 R6 V, s4 c. ^   push    eax
6 N4 l  F5 G* v; s8 e% U* A   call    KERNEL32!_lopen
   inc     eax
; K" a  P2 n: M+ _, M   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
9 w! ]; @* n. E8 y9 E  V   inc     eax
   jz      006505ae                  ; not detected
: c: ^' p; O4 B2 \" i" P% Z
4 j, Y$ _' w3 a1 q- D
. Z) a1 b9 v: J  b! [2 W__________________________________________________________________________
1 Q! l$ u* j, K/ ]. W5 b
% G" Y% t2 X/ x" _0 W* F* D8 ?+ TMethod 12
=========
( g3 P" e% D# S# A
" ~1 Y6 s$ N6 ?& \, l7 J1 QThis trick is similar to int41h/4fh Debugger installation check (code 05
2 _9 d! J. A( `3 ~+ L1 m- i/ _&amp; 06) but very limited because it's only available for Win95/98 (not NT)
* E: F3 q3 N# B9 Aas it uses the VxDCall backdoor. This detection was found in Bleem Demo.
. e, r' F3 Z* N+ ~0 z
   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
  {1 ]: I" n2 c' z6 b                             (VWIN32_Int41Dispatch)
0 s" M4 d; e* Z% k: a" [   call  Kernel32!ORD_001  ; VxdCall
+ c6 Z- Z% @# j& q/ C- I   cmp   ax, 0f386h        ; magic number returned by system debuggers
) k# A! j9 w5 |5 q   jz    SoftICE_detected
2 ?7 X: ^' ?/ e# i  G) g7 f2 E
" T9 N8 L" k! y0 O. x; f1 aHere again, several ways to detect it:

- u) q! [8 o' e    BPINT 41 if ax==4f
* O3 T' L) \8 c& z
# V; U) o! M1 n* Y8 \0 T0 |7 s" e    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
) n0 O+ A4 o- Y8 L* B& m2 d% K
    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A
; P- Q: U8 v: A/ K4 d% ]
    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________
; D0 a4 D, b, M% x' E. ?1 x
  t3 Q# t+ `& a* p( {/ s: OMethod 13
' x- w0 {) T. H- S' {) k  w$ E=========

: Z6 Q* s7 _1 S) [. w7 ENot a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
+ O. }( {) X8 @: A6 V& `$ iIt is used by few softs which access the following registry keys (usually #2) :
, Z& d- }2 D4 o* o1 H$ @, X
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
; H! G5 K, {# H, m-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
5 t- y7 f" j  u; r# b' o( S-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
- u' j5 P' m; g5 \1 e\App Paths\Loader32.Exe

1 O) [1 f0 Q2 B4 [- j- L( X0 g
Note that some nasty apps could then erase all files from SoftICE directory
3 E" |. H$ K& y3 o/ @(I faced that once :-(
* @% n% o% O: r* {) Z5 t
7 K, t! s+ ]" X/ ^Useful breakpoint to detect it:

; |+ [! d; A0 i- j     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________
- r& j2 u) G* A% O' _

Method 14
$ Y7 `" M* c* x+ F& ^3 |# V4 A" m=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
8 }2 a5 U. y" P$ j6 f% B& _% qis to determines whether a debugger is running on your system (ring0 only).
8 h1 K  W) M/ _: X5 K
4 B' m& R1 e5 e7 b- L+ e   VMMCall Test_Debug_Installed
   je      not_installed
! q4 Y9 c' c2 P" _( l+ a$ \
This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>