About anti-SoftICE tricks

<TABLE width=500>
<TBODY>
- x# Z: p3 _6 i1 n<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
/ v7 T; r6 K, q1 sIt seeks the signature of BoundsChecker in SoftICE
& M' `) q/ n6 y  s) ]2 V; c5 y
# B) k+ k" X9 ]! H! r    mov     ebp, 04243484Bh        ; 'BCHK'
2 ^1 S5 a+ N# e! v* r7 c0 ]! U    mov     ax, 04h
5 ]$ |- A+ u/ S% B9 t' n    int     3      
# L* I/ f, k% o; D7 f& N5 l' t    cmp     al,4
    jnz     SoftICE_Detected
: h$ t9 h# M" G$ r5 X4 h1 s, _
___________________________________________________________________________
1 i+ ~" |9 l# A* T0 i1 `7 ?5 F# d
0 l: P9 J1 ?  t) [' BMethod 02
: j  K# @$ r! y0 `, i=========

6 T) J! f: b6 j8 O  N8 N' p0 C: AStill a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
$ m0 p& `. v1 Z7 f! k. @0 n6 aor execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((  
# u' S/ E  \0 }' y2 _* \
Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
* W' [+ O" u+ w" D8 [+ n/ N  r. C+ `-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set Sice breakpoints)
0 T. w) [( }! J8 [. @-AX = 0914h   (Remove SIce breakoints)

Each time you'll meet this trick, you'll see:
- W( A( N7 F2 G-SI = 4647h
: c6 e3 ^6 i6 {* D1 X3 |2 Q-DI = 4A4Dh
Which are the 'magic values' used by SoftIce.
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.

4 r, t) d; K. h7 y0 jHere is one example from the file "Haspinst.exe" which is the dongle HASP
4 f3 n4 o* ^2 U9 `$ I9 I6 ~5 nEnvelope utility use to protect DOS applications:


) @# z1 o3 g: Q4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
" w) r- d# S3 H3 I4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
$ |- M/ X& f0 {: [) ~' e; V3 E4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
: ~! R" w. F5 x8 @8 t7 a4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

1 |5 H- g5 U" [
Method 03
=========
! n" d  w5 B3 R9 }0 }* K
Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
' P* n% S9 H# j1 q4 o(API Get entry point)
        

    xor     di,di
    mov     es,di
) B- E! W+ u1 V7 u" T    mov     ax, 1684h      
  z9 [, C- t& [! y; v( e* D- D    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
( B( c; F  X* _    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
1 b  |+ b  ]8 F. `    test    ax,ax
    jnz     SoftICE_Detected
  `9 [5 Q1 _( b
1 [% h0 L; O3 l* Z___________________________________________________________________________
8 q+ _# ]) X, d; u' j, p
3 E' |. W& X0 q) g! \- [$ q( A$ }Method 04
=========
( ]5 G- o5 S! c
2 H; x0 ?4 G' yMethod identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
) v$ q5 L6 \" ^1 ]- G# Q. C9 H- W    mov     es,di
    mov     ax, 1684h      
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
: ?; A1 ~  O" L    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
4 j. M/ C3 v* j7 D8 f3 [4 {    add     ax, di
    test    ax,ax
( Q1 o/ ?# X( x9 u. Q; X    jnz     SoftICE_Detected

__________________________________________________________________________

' T( A! E. v$ v+ L
5 c" Y1 d( _9 @Method 05
=========

5 X7 Z) G( Y, ^0 n5 p: A' UMethod seeking the 'magic number' 0F386h returned (in ax) by all system
/ [0 f7 s6 X( k7 bdebugger. It calls the int 41h, function 4Fh.
- p: d  _# l# b( D) pThere are several alternatives.  
9 V$ m' G% [, ?! i
1 E# e7 E# B) \* kThe following one is the simplest:
0 j( {1 ]3 R1 A9 U' k
, G# D& n/ ?/ d8 `  s9 @    mov     ax,4fh
% _8 D0 }9 o4 Z: E$ }; \1 _" j% h    int     41h
; j; s1 b2 V3 {    cmp     ax, 0F386
8 J/ r  l  {, R    jz      SoftICE_detected


6 i" n5 E: Z! O5 J9 v1 i; N/ B9 _0 pNext method as well as the following one are 2 examples from Stone's
! j( Y$ `# `! ?' Q"stn-wid.zip" (www.cracking.net):

; u2 @2 E- N3 }+ ~. |$ s    mov     bx, cs
% _8 x0 F! e, ?9 Y9 l9 j    lea     dx, int41handler2
1 w7 v% W3 k  j" d4 I8 D    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
/ z, }3 B5 k; Y    mov     ax,4fh
    int     41h
4 }# P0 j" T' s+ h    xchg    dx, es:[41h*4]
" ^- T! S& E& a' f1 P    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
+ k; @" y% Y$ x& b    jz      SoftICE_detected

  O% C2 L- {. D- S) H7 pint41handler2 PROC
5 H$ y  E# @. g2 s. Y# N" t    iret
* N  w+ u2 b9 S( u2 V0 `. H  L! Xint41handler2 ENDP

2 u- B# j4 f1 k7 s
1 A. B' B! I5 H& ?# [) o_________________________________________________________________________

% N) g% o+ V/ a* n
1 x" O9 }; g$ y( D- W8 g' nMethod 06
=========

1 H- i! [% ?+ x; K0 @# C2 f
( Z9 o/ [' {* W6 `  u  _2nd method similar to the preceding one but more difficult to detect:
9 Z6 N. J. W( U/ R/ d! o3 h

' }0 w' [2 P# L1 B+ d' n! Jint41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
& v3 m7 t& r: P- q    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
3 ]5 J% t; ^, h, {$ Z0 E" n' ?  P    xchg    dx, es:[41h*4]
$ l! ]2 O+ T, w: T) @0 L$ S$ q    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
- y5 n. Z, e' f- M; n" _, y7 H) V0 W    cmp     cl,al
1 l, P/ e4 }6 L; L) I! D& k    jnz     SoftICE_detected

_________________________________________________________________________
, i4 K8 }0 a+ ~. ], r
& Z, p1 C- J! h9 `* [7 uMethod 07
1 w' Y- q; ~( ]: l2 v6 e1 I=========

# Z9 Z. \- u% v) j' uMethod of detection of the WinICE handler in the int68h (V86)
, d! c4 U5 i8 P# _( Y
    mov     ah,43h
    int     68h
2 \; R  ^6 h- |6 p    cmp     ax,0F386h
    jz      SoftICE_Detected


=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
/ X0 w% V2 \4 U5 f   app like this:
4 b5 P- q% E; o
   BPX exec_int if ax==68
/ v8 ]; g+ B8 z  A   (function called is located at byte ptr [ebp+1Dh] and client eip is
& T, _" Z0 M. ]- {6 F: x5 a% M   located at [ebp+48h] for 32Bit apps)
7 m4 A; J, o& h__________________________________________________________________________
1 q3 ]5 U4 g9 o( R! y
; {* X! a, p# h' R1 S4 T
; b1 l( H/ I% n1 gMethod 08
=========
' J) }  \( Z' P& F  I5 ?  B& }4 I, Y' _
It is not a method of detection of SoftICE but a possibility to crash the
$ l, `! {, s3 E2 K5 k7 zsystem by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
6 a& Q. V5 s- Rto the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
* Z, d: R! J$ [4 M, Y& l    mov     dx, offset New_Int_Routine
. v% F/ D! M2 f0 N2 n" U, K0 T/ U    int     21h

% r) [7 v7 h, ?% M3 M: M__________________________________________________________________________
/ Q) F* C- N' v# j. e& C
  S1 H8 J* m% {4 CMethod 09
* p' }) o  S0 ]4 d0 h! _0 [=========
4 O9 ]) k# K- @" [1 N
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
3 V' @( m! h6 u1 Y: kfor the specified device and returns a Device Description Block (in ecx) for
0 U, I4 V4 ]8 n' X7 q1 q7 y% {; B! _that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
' c$ X8 i; l( b7 f
Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
0 p7 u5 k6 P6 a+ I' d( A
Method 10
8 |& U/ Y& @$ o* N* g' P6 I4 N=========
7 \2 M; z! ]) ]8 O+ M+ F7 m
=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
3 h- Z. l6 a. M+ H8 @) a  SoftICE while the option is enable!!
- f+ ^+ `4 ~9 b! ^. [! G8 ?
This trick is very efficient:
5 M! I+ g' @) N6 T5 i5 _  h3 qby checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
: w% T- ~6 y# h$ }9 \' Cthere are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and or changed as well
(clearing BPMs for instance)

/ K9 e% q3 g+ Y* Y8 s, b2 g/ q__________________________________________________________________________

& {, I% o2 [2 S8 \6 T4 ZMethod 11
=========

# W; P, u+ f4 F( e7 zThis method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
. Z4 g9 v, F% n1 G/ qSymbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
* R/ m, o- V0 g* r* EIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
: o( @6 p$ y# V; p4 _9 C+ Y* B{
3 g, L- w; g# O8 s' P   HANDLE hFile;  
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
* u2 p- x& O9 V                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
4 I; t& \) G& {/ l( Q5 Z  ?   if( hFile != INVALID_HANDLE_VALUE )
; A6 Z4 g; s" \6 O8 ~9 z# K4 v   {
      CloseHandle(hFile);
  c: [5 D3 @+ ?/ Z- E      return TRUE;
  B, R2 g3 g) m% I; M   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
6 ]6 ]4 z/ O( r5 Pable to intercept it by installing a IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
* l$ F9 c; X0 g/ n7 V7 D3 bservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
field.
0 V1 u2 Y5 X7 [8 @  [- RIn fact, its purpose is not to load/unload VxDs but only to send a
7 p6 O3 \. S0 q& O9 I, X; i* TW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
* q# ?/ N- J8 Zto the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
6 d9 j& a- U0 C( w, Z, |2 q; BYou can check that simply by hooking Winice.exe control proc entry point
( p6 ~5 d  _( ?8 B. X  Z. W8 Rwhile running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
! X2 V" Q. R$ x0 E0 P' Q7 J+ S6 f5 n  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
$ ~7 u2 c! |5 q* P: K0 q8 T/ d  00401074:  je        00401091
/ k7 P* s$ ]# {2 P# b* f/ ^

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'
7 ~" q" o$ f- ?( `  F8 I' M. |
) h' O* Q5 O8 x( i1 J+ b-The most exotic ones (could be very slooooow :-(
7 J0 H# z  X5 N( b( g2 I+ v+ H7 k2 g   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
     ;will break 3 times :-(
* p5 m- G& _! l4 [( g7 L  A
-or (a bit) faster:
$ O9 D1 d8 _- m5 r0 u   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

$ V3 R/ F! w2 I3 C4 r   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

3 e( \: X$ [+ I! u$ HNote also that some programs (like AZPR3.00) use de old 16-bit _lopen
: N5 B6 u/ i+ J( _5 m- N) k; Pfunction to do the same job:
) v7 m  g& `+ P5 @! o
   push    00                        ; OF_READ
  t) s. Z2 L6 d7 Z  E3 [' U& i4 [   mov     eax,[00656634]            ; '\\.\SICE',0
+ N1 i  t  J* O   push    eax
   call    KERNEL32!_lopen
   inc     eax
+ R1 e  R% u$ I, l. k& A   jnz     00650589                  ; detected
   push    00                        ; OF_READ
& T! M9 [, w- [: W$ |( {7 o   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
1 s5 F" B5 O" O7 X9 [0 w  L   call    KERNEL32!_lopen
2 a, j  b& c/ F& P, a) X   inc     eax
8 j5 {0 a5 m* w1 J) F6 g, J1 n   jz      006505ae                  ; not detected
3 H$ l) D, i, R+ a4 ]. M

__________________________________________________________________________

Method 12
=========
2 N$ o$ p/ |; y, b# `, D
This trick is similar to int41h/4fh Debugger installation check (code 05
4 E& P$ _# b9 U# R6 T9 Z0 j&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
% @/ n& W: V5 X4 E$ |9 ]) i
   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
& F: O  y; O/ P: Y- ]+ d% J! D' w, ~                           ; low word specifies which service
                             (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

& d3 ^4 [$ F9 G3 J% c( pHere again, several ways to detect it:

. [+ n, M! ]# B    BPINT 41 if ax==4f
/ c. N8 ?5 T& h. O: t2 _! Y
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

3 Z. [0 h9 r. [9 e5 G2 m    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
* ~5 l1 c5 j8 F. i" v( C5 D" U( i
( Z. Z6 B$ w; t, F1 l% K& n__________________________________________________________________________

Method 13
=========

" O1 z+ E4 L2 w- u' \9 Z6 v; BNot a real method of detection, but a good way to know if SoftICE is
8 [! W' a( h$ f5 J. Jinstalled on a computer and to locate its installation directory.
It is used by few softs which access the following registry keys (usually #2) :

: k( d0 H. O9 I% I3 @. }-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
) x, M- m1 M& w" O6 O# B1 U\Uninstall\SoftICE
4 u: \" R0 r# N3 G5 i" ^-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
9 ?/ I0 Q- |# }0 W; B; A\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from SoftICE directory
# y& R9 x( Z- d6 `, Z6 D0 j; l(I faced that once :-(

Useful breakpoint to detect it:
9 c5 B. E% w! \. E" @+ @
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
8 b0 C3 |$ G' d% j6 i- p) |
__________________________________________________________________________
: Y- n" B' A# I0 P8 j1 }  A5 W: ?1 i

Method 14
=========

$ O& I9 h, A2 _% A1 i( aA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determines whether a debugger is running on your system (ring0 only).
. H6 B, {. _4 q& J4 W; C
   VMMCall Test_Debug_Installed
   je      not_installed
" v+ F* |* A4 E
' N, [6 R0 D3 W2 LThis service just checks a flag.
5 J8 F- L0 k" S. I9 G</PRE></TD></TR></TBODY></TABLE>