About anti-SoftICE tricks

<TABLE width=500>
<TBODY>
: A) {3 a6 C( A& h9 a1 K<TR>
* h! W1 Q( o" B" \" I% J<TD><PRE>Method 01
=========
$ P9 k- \1 ^* C- z9 E! w3 k
7 c$ _/ A: y6 D' L: I8 _" ^This method of detection of SoftICE (as well as the following one) is
6 r3 T' k8 t5 Lused by the majority of packers/encryptors found on Internet.
: o- f( _8 [" bIt seeks the signature of BoundsChecker in SoftICE

    mov     ebp, 04243484Bh        ; 'BCHK'
# e$ F$ z* r2 k: z- ?4 E3 R. Q0 z$ @( f    mov     ax, 04h
    int     3      
2 r, l: F; h0 B8 o    cmp     al,4
    jnz     SoftICE_Detected

; N" V' M5 x) z$ b: s$ ?/ t, ?3 a! D$ i___________________________________________________________________________

; p: R' L0 [, @# }% bMethod 02
: s' l( f( L, Z) H=========
# k7 O2 X4 [1 e
7 D# Z3 Z/ x2 J; a/ v- nStill a method very much used (perhaps the most frequent one).  It is used
  ~3 V3 X' N3 ]+ r' s% q& Q# T% Eto get SoftICE 'Back Door commands' which gives infos on Breakpoints,
$ Y& p6 S% D! c/ X7 C( H% ~or execute SoftICE commands...
6 v3 X3 U8 o' {# P7 W6 m# s& k% NIt is also used to crash SoftICE and to force it to execute any commands
' Z0 T0 r' v8 I: u! v3 T* j0 h(HBOOT...) :-((  
5 |# q  t) R% T# _, y1 N
4 g! u3 P: y. ?3 J; L- r* {/ kHere is a quick description:
5 T3 V( c& F& i5 c5 E. S-AX = 0910h   (Display string in SIce windows)
/ M2 |: Z' x! U-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
-AX = 0912h   (Get breakpoint infos)
+ H  T* i1 i/ D3 ~-AX = 0913h   (Set Sice breakpoints)
-AX = 0914h   (Remove SIce breakoints)
8 s/ h0 v/ R( W
1 S6 r) i; @+ o, HEach time you'll meet this trick, you'll see:
) q) x* P; b8 }9 d( A-SI = 4647h
/ E6 y. x; D9 E+ X1 \1 G/ O/ X6 V-DI = 4A4Dh
: s+ Y: Z( Z" M; WWhich are the 'magic values' used by SoftIce.
# R! R, ?: H6 _- k! u4 NFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.
' K& _$ l- i& X# @# w
1 y* O9 P& Y; j  t0 l- g; b8 CHere is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility use to protect DOS applications:
4 [* E0 r5 N$ p  D

4C19:0095   MOV    AX,0911  ; execute command.
' S4 S2 j4 {/ }$ V, J+ Y4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
$ t3 u% M* X/ U% a( C! @6 G4C19:009A   MOV    SI,4647  ; 1st magic value.
1 d' r# E2 Q4 U! m0 ]8 F4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
: N3 Z9 o1 t% a$ C, l+ B4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
5 {$ s, o, ?% h+ Jare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
3 q5 x6 s8 k# Q' v3 c& _6 N
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________
1 B9 x* n2 G# n% W
4 g0 ]" i! M8 b" I  t; u
Method 03
0 p! X3 _( p' R) T# \" r: @7 k=========

2 g, Q% o) q# A/ _' ?/ rLess used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
6 F. P) x" M+ v4 c& j' ]. T# R(API Get entry point)
        

$ X4 C. I) H* P& c! E3 s    xor     di,di
    mov     es,di
" p# _# M2 j# s5 l    mov     ax, 1684h      
    mov     bx, 0202h       ; VxD ID of winice
( G+ I! I, h- R4 _' s    int     2Fh
" J5 M2 _3 s7 [$ s4 m% Q( ?* Z; G1 c    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
7 o. J+ x) k- @, L$ W  l- x    test    ax,ax
    jnz     SoftICE_Detected
% G# G8 K/ Y; c' G& Z, i
___________________________________________________________________________
4 k1 v7 g( @8 e6 `1 g4 V; ^: T5 h
1 U, r4 q: l9 kMethod 04
=========

/ \" {% R, ^3 F% c" @Method identical to the preceding one except that it seeks the ID of SoftICE
$ @& D+ K: B) z3 m6 yGFX VxD.
4 d. f3 \, j6 I6 h7 ^
2 ~3 x# V/ U: c7 V& L    xor     di,di
    mov     es,di
4 s7 g- h( U, k$ A8 e! ?    mov     ax, 1684h      
5 Z9 M$ U6 _$ E) g4 g7 F9 A! [    mov     bx, 7a5Fh       ; VxD ID of SIWVID
+ h( M. ^7 D* m! n4 h8 M& T    int     2fh
+ w3 R' B4 A6 K" z- Z1 S    mov     ax, es          ; ES:DI -&gt; VxD API entry point
+ [" w$ i6 m& K$ D    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

& u/ W) k" e8 N: s" |3 g9 ^% A, `__________________________________________________________________________


7 \* I1 c* ?7 n9 w$ IMethod 05
' j9 X3 k& a% `/ D8 I5 D; [) y=========

2 j  O( M# Y+ _6 R# S+ r  {Method seeking the 'magic number' 0F386h returned (in ax) by all system
debugger. It calls the int 41h, function 4Fh.
- R5 @+ M  q3 U+ F8 ]8 uThere are several alternatives.  
+ j& n; A! i0 q; _
6 p  v8 F3 x* Q0 @- e; gThe following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386
# s+ P1 Q3 f1 [/ Q    jz      SoftICE_detected
/ e6 P. ?7 j, q0 A
' ~; Y  L, w" u; j( O! S- C  t
Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):
% p* L* B" F0 L$ C/ a: \
    mov     bx, cs
    lea     dx, int41handler2
; h* z3 q6 h. W; z# Z6 m5 n    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
( \1 n7 e$ @9 J. z5 Z' U1 S: h% u    mov     ax,4fh
% Z) p4 K: `3 V    int     41h
    xchg    dx, es:[41h*4]
# I2 o& a. f) I    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
1 W# L2 q, m# m3 O    jz      SoftICE_detected

int41handler2 PROC
- J) Y1 f% d0 I    iret
  ?/ [8 d9 h/ N; _: l- c/ oint41handler2 ENDP

2 d" F1 o9 T& s0 y* l. c6 }: b8 v
* p/ o5 ]! O. M0 E7 A_________________________________________________________________________

: z  v+ Z! M% ]
Method 06
  r$ M$ \4 l: c. T: I& F. w# N" c=========

/ J* H; ~2 ]) U8 S
- k/ D  @- O2 ^7 J2nd method similar to the preceding one but more difficult to detect:
6 d4 r9 w, O% G1 r9 Z2 V
% J) S$ T8 \) @. j, u2 ?( v+ W
7 v, Z+ }- ~$ x- F' Z4 F$ O5 ]int41handler PROC
    mov     cl,al
    iret
# d; m% K. U+ M/ A) t- p  s* u% Tint41handler ENDP
' G: H( i' D4 `
# o, E  F3 m- @. A7 O/ G1 a
    xor     ax,ax
    mov     es,ax
    mov     bx, cs
7 S  W) `0 `3 t) k7 K  o' `6 n    lea     dx, int41handler
3 ]! H# v6 z+ g, [    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
7 u: x. `. g/ z) b1 c    in      al, 40h
    xor     cx,cx
; ?( s% r6 [, F* x; Y" q# |    int     41h
( P; a; Z" i6 q% Y2 g    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________
7 _. N! z3 p2 U4 C$ a$ X
5 e5 O8 T8 v, R( f- i- [Method 07
=========
- y! \- L- n2 V- t4 y+ K  d
9 _) P$ M, _4 u$ F, J; [Method of detection of the WinICE handler in the int68h (V86)

, S& ?2 t1 d" S! H! n    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


' R7 X3 n& C1 M) G=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

( ~6 @3 F3 a4 u0 ^1 z& J% j, u& s& w   BPX exec_int if ax==68
% G! g, ?. v! s) R7 A& `   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________
# ]# Y# b3 [; y4 f* @
9 Z: U  [1 R% s7 X5 s
3 O' H6 M$ k* ?' q3 _8 C& U) m5 tMethod 08
: U' G- f  C5 l3 B3 q, p4 }3 l=========
1 E: Q2 _' e3 r
It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
  m/ E  V2 \/ b& ?! droutine.
6 c3 H3 H* O2 M" ZIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
% F/ {; K  a- d# Pto the new routine to execute (hangs computer...)
# O; r/ b* K& s+ W! V3 ^' P' B
    mov     ah, 25h
/ H# f) \7 H* O3 Q0 h8 o- I. p    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
" {8 ^, z) H) f3 d    int     21h
. c9 W; Z% Z7 I  n# t+ [
7 X, q# ^& t+ f. I  G) P$ I0 `__________________________________________________________________________

Method 09
2 z; S6 `$ y# w, q. ]8 N=========

This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
) _+ a  e: a& h# e% Y$ G8 tperformed in ring0 (VxD or a ring3 app using the VxdCall).
" ~: @4 }6 F: kThe Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
. Q2 }+ y3 w3 E" J/ qthat device if it is installed.
6 t5 C# H, F. D8 e) B5 u  f) b, R
   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
$ H! |; G5 k0 n8 G   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
8 X3 |3 e& J' ^, r# J( `0 j
, F. N) C  M# d1 ONote as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

8 M$ S4 r4 y) pMethod 10
=========

  f. I: i$ Y: k=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
0 A! N0 K$ K! r7 f8 Q# S& @" @  SoftICE while the option is enable!!
) W6 F' Z. n) a. E% ?
This trick is very efficient:
: B: {6 n. x# l$ sby checking the Debug Registers, you can detect if SoftICE is loaded
9 q! R! F8 o, ]0 E(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
! R8 O+ L- R. u7 B+ s: O& P8 E) Hthere are some memory breakpoints set (dr0 to dr3) simply by reading their
" K' ~4 f% d9 E  y" b0 \7 d; r$ d) Wvalue (in ring0 only). Values can be manipulated and or changed as well
(clearing BPMs for instance)

__________________________________________________________________________
% S9 `5 d- @. t/ e# B* k, j7 h
- M- }4 q6 d; b: e% TMethod 11
  X* F9 T7 N/ G0 [% Y=========

This method is most known as 'MeltICE' because it has been freely distributed
3 X8 k, }# [; }4 w. v: d" pvia www.winfiles.com. However it was first used by NuMega people to allow
2 m0 h+ H& I! o$ G! o, |9 aSymbol Loader to check if SoftICE was active or not (the code is located
' G& V" g/ ~  N. _. E  jinside nmtrans.dll).
3 V- g7 q. t2 h
The way it works is very simple:
7 T8 `( b, |( j2 V4 l$ NIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
1 [9 u$ ?; q9 q+ K1 {WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):
4 c5 n  J$ b. K3 g
BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;  
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
  m( X1 f2 h+ z                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
6 k& N9 Q2 Y& r& f/ e: T3 r& Z8 z      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
: ?) B5 B& F- j, @8 T% D  }: J}

Although this trick calls the CreateFileA function, don't even expect to be
3 c/ d& u" }2 c- D4 I& }7 N- hable to intercept it by installing a IFS hook: it will not work, no way!
$ l) R+ ^6 h' l% y4 b$ q% |  N& hIn fact, after the call to CreateFileA it will get through VWIN32 0x001F
! e& U  I& r) z- Q; Zservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
# M& I/ b5 r* e: o' M2 m, h2 ^and then browse the DDB list until it find the VxD and its DDB_Control_Proc
field.
2 }8 h3 |& h5 o0 Q% s% e$ I/ eIn fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
  Z9 E* a) u% Gto the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
( h$ c3 y8 x; D8 wIf the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
9 ?1 v" c- l: g* q4 Q. uYou can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

0 t; N: ~) p1 A! r$ q8 F; k
2 X3 Q$ i1 l+ b; y- M" T6 v  00401067:  push      00402025    ; \\.\SICE
( `$ t/ I' k$ V  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
7 ]$ z" p& n, L  00401074:  je        00401091
7 ?, ]- h. b  o2 V5 ]
9 f3 B! s4 f$ u" V
1 @3 R* f, G9 Q; e/ v) b' H+ YThere could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
' r# F$ b& C9 a2 F  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'
! i* ^' N+ b6 `4 A3 S
$ {4 i' X; B+ U-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
     ;will break 3 times :-(
. q0 K1 d! Y) ~" R" _
& B' l  R6 \" v-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
! E6 b4 E& R+ h2 Z6 `9 g
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
' l' T3 j+ P0 k1 m( O     ;will break 3 times :-(
' ~5 x/ w1 j% _# ^
, D4 D+ M' i, R" y-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'
3 `6 I+ Z' U1 L* d
( J  v' |! Q- d9 L' k. iNote also that some programs (like AZPR3.00) use de old 16-bit _lopen
2 J6 V7 V, |9 h( zfunction to do the same job:
2 c% K: M' m+ ]: d+ s) e0 X( _
, N  F" R1 {3 X/ z8 W3 w, _   push    00                        ; OF_READ
+ O! Z2 X, t# I1 e& X   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
; N8 v+ ~0 E" g   call    KERNEL32!_lopen
. Y$ T. t# T$ k   inc     eax
- |1 d, V+ R5 U2 |0 `   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
$ i2 S5 `5 f- [1 H" f6 R   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________
1 J6 [% \, ^' t, l1 |
  g$ R7 [5 v5 S; S0 m. I9 jMethod 12
=========

5 I# k+ y) \& C3 t  ?- h3 K( ~This trick is similar to int41h/4fh Debugger installation check (code 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
  M# ?& ^5 F! L% N- o1 A$ Y2 H+ `   push  002a002ah         ; high word specifies which VxD (VWIN32)
9 v" c) B6 D8 l  d: S" z                           ; low word specifies which service
: v3 G1 t4 ?4 b4 q                             (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
; y5 s3 N( a3 F9 x: T. _- }# D   cmp   ax, 0f386h        ; magic number returned by system debuggers
) Y) {/ C+ x# G  t3 b2 \   jz    SoftICE_detected

Here again, several ways to detect it:
# K+ X& h$ Z" r, t; T# o! G) e" B
    BPINT 41 if ax==4f
9 E0 S/ ^# z+ E" P/ [5 d- L
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
" x/ |  V6 y( Q3 e, ^
__________________________________________________________________________
" S) ^( a6 w0 p" C  i( i; W4 Z
5 d8 w4 U8 I7 w5 {' k' Y8 t$ aMethod 13
0 x7 j' V& O1 s7 V% X" g5 U# n' x=========
& b* R' @3 e2 A$ w& [. l( m: b. U
Not a real method of detection, but a good way to know if SoftICE is
& }  M" p* I3 binstalled on a computer and to locate its installation directory.
# Q3 Z4 k0 s2 q- G7 i8 l0 e" ~It is used by few softs which access the following registry keys (usually #2) :

* Q/ a$ s8 t- `# r-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
* d- ?$ k7 n- O1 C# K\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

8 b6 P/ h; w. c' b: Y
Note that some nasty apps could then erase all files from SoftICE directory
9 h0 I. y3 @" W! o(I faced that once :-(
1 S6 Q8 _1 \5 ^+ \
5 ^0 C( L  r4 O4 a! tUseful breakpoint to detect it:
2 |6 I6 V$ K# y9 b
: t; L: X( g: Q     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
8 @4 H$ g" T( O; ~
" C- X9 m6 |. }5 f4 J- K: {* g__________________________________________________________________________


5 _+ b% v/ X8 x! V. [9 uMethod 14
0 N; P0 x  r) a9 R" Y) q=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
' \/ m0 P; @( y, jis to determines whether a debugger is running on your system (ring0 only).

# d! _0 }9 N: k( P3 b   VMMCall Test_Debug_Installed
0 q0 c6 M7 {- w9 {" ~   je      not_installed
* M5 j/ D. d6 r% h* M; V  O% P
5 b+ n2 w3 e/ j# C7 gThis service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>