About anti-SoftICE tricks

<TABLE width=500>
<TBODY>
<TR>
- H3 @5 d9 x0 |' y<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
+ l5 O) l6 h" G. r5 g5 aused by the majority of packers/encryptors found on Internet.
) D! G  U& [: j0 K5 iIt seeks the signature of BoundsChecker in SoftICE

0 l8 K! N8 u- J6 v# u) }2 {    mov     ebp, 04243484Bh        ; 'BCHK'
1 d+ M3 V6 ?$ f9 A+ T8 Z    mov     ax, 04h
5 h/ J, s* b: u1 p* s    int     3      
& P$ b0 h) A4 R4 c2 B    cmp     al,4
    jnz     SoftICE_Detected

9 R8 k8 W& h, @  F* [, ____________________________________________________________________________

Method 02
=========
6 o, s0 p/ d# H( H, T! T+ r1 C0 f  Z
0 X. ~2 l4 w& e# D: FStill a method very much used (perhaps the most frequent one).  It is used
% {/ J! F8 g1 R/ A9 A; x# \; tto get SoftICE 'Back Door commands' which gives infos on Breakpoints,
  v8 L( a! w% q8 por execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((  
' m: H7 T' H/ `" K: ?
Here is a quick description:
: P( j/ d' e- P) z-AX = 0910h   (Display string in SIce windows)
1 V, z/ S0 w$ y( k. K-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
-AX = 0912h   (Get breakpoint infos)
7 m( g0 y( z1 Z% H% Q5 h3 C-AX = 0913h   (Set Sice breakpoints)
3 |  r/ v2 I- e4 O5 }+ W% R-AX = 0914h   (Remove SIce breakoints)

Each time you'll meet this trick, you'll see:
3 A* U- F3 W# ]: I3 @-SI = 4647h
; {. c+ @8 A0 j, U$ W-DI = 4A4Dh
+ K* I( b! j8 a1 q( l- t- y' bWhich are the 'magic values' used by SoftIce.
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
! s) v5 W4 g6 V0 [7 j
6 Q( |$ M0 e: E0 p. {Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility use to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
9 C" [2 E+ p/ V' R5 X% k1 d4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
! n+ ]6 J/ X7 k" H1 Z% G4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
8 }$ ~; H! J/ n) C: J4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
0 X1 M. j* d2 i  e7 @+ H4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
6 f" u, P2 R% K; t. {. @1 q" Aare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

2 r8 Q4 y$ }4 ^# k* ~; r8 P7 r* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
7 o9 h- K; I( p1 S4 v" k  a___________________________________________________________________________

5 X7 N* |7 d( \" {% A
Method 03
% R4 I1 r* C. X& Y) n& ?=========
& F, x$ a7 p- Y5 J
) [  _5 d+ m5 h: |9 k* ILess used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)
        
! r  f( m! \0 {
0 [# S/ X! J2 c) E6 D    xor     di,di
% o; H; N& i' S  K3 r    mov     es,di
    mov     ax, 1684h      
/ g1 _  ^# i4 ~4 e    mov     bx, 0202h       ; VxD ID of winice
  Z; A  @5 W! S& Q- _6 o$ h    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
8 Z( T6 D6 l0 s3 A& k& T$ @    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected
8 H1 N+ Y0 _: w
! P- o9 x( s- F+ U* ~3 @7 u  E___________________________________________________________________________
. `) J( I2 D# t& a4 @
Method 04
2 r+ e' u! w" h; N* o8 C6 G0 ?=========
3 e" `$ w7 V  |9 z
Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.
, U9 Z# ?9 L" |1 i$ U1 o* N, |
8 |. P$ l! ?7 T. L    xor     di,di
; }4 V; y3 Y; z; I# a) B    mov     es,di
( G+ }4 r4 g, D7 {# |) R    mov     ax, 1684h      
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
, p0 h$ q2 t3 z  n    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected
7 z% _0 s7 o. ]2 A+ c: O3 }/ U6 D
% w$ \# _: {+ N" ~0 v' a' `# z) z__________________________________________________________________________
3 ^+ n; R! u, E- d! @! ?1 [' g

Method 05
- `- f0 N, S+ s8 r% x=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debugger. It calls the int 41h, function 4Fh.
There are several alternatives.  

$ h; ^- d& t( m5 B2 IThe following one is the simplest:

    mov     ax,4fh
5 Q9 V8 F' t+ }. J    int     41h
* y& y( H5 [* b9 u) V/ Z& x    cmp     ax, 0F386
    jz      SoftICE_detected


Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

8 P- l% G+ p1 j) Z+ `) ~, }; K    mov     bx, cs
0 N5 j, t" b7 W6 d* ^7 O) a    lea     dx, int41handler2
7 M4 P; M. ]6 i    xchg    dx, es:[41h*4]
* I% @4 @; h5 E! H. d3 ?+ t    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
/ G: w& W" L6 a, ]2 o) }    int     41h
    xchg    dx, es:[41h*4]
8 z+ a/ A; \; y4 \! u2 }/ O3 I    xchg    bx, es:[41h*4+2]
6 K, ?1 l& m( ?5 @1 [( |    cmp     ax, 0f386h
# g' a% E( T: G    jz      SoftICE_detected

4 }! H5 {8 h" w: Z. n8 mint41handler2 PROC
3 y' G& O, j& P9 g1 O2 c- h    iret
int41handler2 ENDP
7 S& R& @/ a( m4 C

# z# W+ Q+ y6 ?& i9 k: ^_________________________________________________________________________
* N0 e- [, D8 `& M: S& r

- B3 n: L$ `& N: X" k: e5 AMethod 06
=========

, \2 N# d& [+ g: P4 m0 n( g
2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
6 q# }7 B& p$ P6 ^, F    mov     cl,al
    iret
int41handler ENDP

( \  T* k' `2 H5 f$ J
    xor     ax,ax
    mov     es,ax
  l2 }/ ~) V6 b* a5 U6 h    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
3 ]6 w5 }; p2 }; V# M$ s    xchg    bx, es:[41h*4+2]
    in      al, 40h
! G* S& |( z& N+ ^' C    xor     cx,cx
1 d4 r% L! P, ]6 t7 Q  \! q- H    int     41h
    xchg    dx, es:[41h*4]
* Z2 c0 e5 T$ Q( j% n% B    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________
, ]# G" \& Q& F" V
Method 07
7 X. |2 s. P4 F' Y. Z=========
3 A. X+ r7 C: ]' h
Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
# V+ m( j$ p" j. N    int     68h
. b* P  n" O0 K( h: t    cmp     ax,0F386h
; O+ m0 i# K3 |+ @" U    jz      SoftICE_Detected


- k1 n. C! P" Z( e# p# Y=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
( Y: a& o1 _- l   app like this:
: J  B7 Y% Z" K9 d- y
7 [: l/ k5 z, S' c3 H& e   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
  U& Q3 k: D2 g0 m  b1 m9 d0 L   located at [ebp+48h] for 32Bit apps)
  D# i, f3 }! Y  v& w__________________________________________________________________________
) g% I( q& J" J$ Y8 E8 H7 V

2 V0 o% Q  b" K9 F$ HMethod 08
3 B  F# n3 c1 o4 u8 p7 O=========
1 ?" Z/ c2 `6 v& S+ Y- K) p1 L: A# H
It is not a method of detection of SoftICE but a possibility to crash the
, [6 b. c1 ^0 n3 vsystem by intercepting int 01h and int 03h and redirecting them to another
routine.
: N7 c4 J; e: q9 R) _( z2 q. }It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
6 L  h7 Z3 F+ J4 V8 p, L5 p2 c2 w/ Nto the new routine to execute (hangs computer...)

+ r0 V- L& P* P. s+ e+ o3 X    mov     ah, 25h
1 D8 }  e. b/ P/ Z) ?& C3 q    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

; _/ ]4 \4 s$ M1 z* ~__________________________________________________________________________

Method 09
=========
5 u1 Z* N' ?0 T/ \
2 }- J1 M: Y1 {4 o( QThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
7 m% }5 f# w- A6 A, r- A8 r3 Z5 Q# e4 XThe Get_DDB service is used to determine whether or not a VxD is installed
3 Z/ y1 P' `; J# [" h/ G. dfor the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
" T5 z$ q1 q" o, g+ A; n* \( A' r   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
6 m! L) R( L6 r2 c( _6 u7 h+ W6 k- i   VMMCall Get_DDB
& z5 I2 L) K) W7 r0 q2 f; }   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
! Q$ d; F9 g0 o% H% I9 S
Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh
3 Z! w2 n1 [! E2 V/ V, D8 H5 z0 ?
__________________________________________________________________________

: o2 c& L" s' G. p- o" |! ~Method 10
=========

- A' a/ ~/ s- q" W. O  T1 e=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enable!!

This trick is very efficient:
8 M# p( o1 ^) Wby checking the Debug Registers, you can detect if SoftICE is loaded
/ Z1 h- `- S: \" i: O8 `, _% n3 m(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
% m8 T1 _! V2 i& l" U" Y( s; ~1 N$ Gthere are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and or changed as well
$ \* s- m3 m  I(clearing BPMs for instance)

__________________________________________________________________________

3 \& K! S, o8 }6 V+ JMethod 11
=========
1 ~- Q# v5 G% m3 U/ m+ Q* F) ?
This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
7 a/ f8 ^- q) s, Q1 u3 RSymbol Loader to check if SoftICE was active or not (the code is located
  f8 f$ X: F+ f  w8 Cinside nmtrans.dll).
0 Q3 f2 q% s* u6 i( T0 Y6 r/ A
5 u1 J  |- P2 o/ v8 J- E# T- w+ DThe way it works is very simple:
: @% Y( z0 [; \6 a% f4 w3 KIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):
" L# A- K$ n4 ]) N( I' L
! y% i$ v; S* r# ZBOOL IsSoftIce95Loaded()
{
( |% C# D+ P  b4 f( q; S   HANDLE hFile;  
: u0 b. r6 A1 V8 |4 _0 n  D- {   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
. }3 N8 H* K9 V2 j( t0 r, K                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
7 t5 P; T) D/ G4 p0 _      CloseHandle(hFile);
      return TRUE;
   }
2 r. b' u( _6 I% k. k* E% C) J1 H   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
) [4 j$ p. }  [able to intercept it by installing a IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
& t( d1 b9 w2 bservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
field.
, e' G! r* v9 l0 f4 c% aIn fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
0 ?. B: K- S6 Q  @* b- {! i9 [its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.


2 g$ j3 Y' k5 d$ e  P  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
" ^& n+ J* I" N. E- U% q  00401071:  cmp       eax,-001
  00401074:  je        00401091

) B9 H/ u4 Y3 p9 L1 ^: D" [" k9 I* k
There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'
/ I& U2 X+ A  H
; c: Z. }- o" a4 s# J. E' s1 l% \-The most exotic ones (could be very slooooow :-(
( l, Z% @/ W  u2 d6 X4 g   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
  V+ @& T2 Q2 F, ~8 n     ;will break 3 times :-(
5 w( {: c* Q9 k. S: Y4 s
  s1 ~9 A% S& K2 m" S1 B-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
& Q" G( ~" |2 `6 W5 Z: b! s
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
     ;will break 3 times :-(
+ U1 ?  Q3 R" r1 l4 h2 S
-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

( v0 {2 ?. C0 c0 Z7 VNote also that some programs (like AZPR3.00) use de old 16-bit _lopen
function to do the same job:
0 p7 e( n+ r. p- g. \
   push    00                        ; OF_READ
5 l2 L* k4 v# Y8 F9 ^$ i   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
  |2 M. R. N' d9 T) ]/ Z   inc     eax
2 |) X' D) Y0 l- L   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
) f- m6 _  _5 M0 S   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


3 u. r% }8 ~& w; v__________________________________________________________________________

4 v4 c$ z' A2 I+ FMethod 12
=========
$ O7 ]2 o. w% K
3 J# S/ \1 H3 V' d5 Z( EThis trick is similar to int41h/4fh Debugger installation check (code 05
/ M- F% K0 M' w3 b- H- e9 W&amp; 06) but very limited because it's only available for Win95/98 (not NT)
& X( x4 b4 f1 ?- ^0 b  v* s% ]as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

" i5 G9 u; _9 V% V, R6 z) m5 u   push  0000004fh         ; function 4fh
* c4 Z4 t, D. h' a) G& g   push  002a002ah         ; high word specifies which VxD (VWIN32)
5 p$ u, j4 e* V$ @                           ; low word specifies which service
, F/ [8 b: n, V0 u                             (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
+ J  v- [+ H& C4 F   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected
2 o, M" {  W; z% r* [
. d$ n8 B- ^9 K, ^8 ?- bHere again, several ways to detect it:
$ Q' b  n4 k2 F3 R3 A2 e
$ `# Y: U5 ~7 ]* u    BPINT 41 if ax==4f
/ ]  C& P! d, S, l+ n" O5 c
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

% {5 o  Z  l8 ^$ @! i; U# B    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
$ O* ~% p) I+ U9 u- n9 ]
; u: D5 m8 U# G9 }4 M__________________________________________________________________________

Method 13
=========
% |- J" _# r0 ^  k
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by few softs which access the following registry keys (usually #2) :

# P- v7 y; P8 ]0 m: a-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
" T$ _; l8 _3 q: C3 S\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
# ^- t, T! p3 F-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


  ^: g0 m% F4 {1 _$ ^Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
: y( b0 _' w9 T
: Q3 J9 E5 o4 F     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________
4 ^- m$ G  l, j/ y$ _) q( y
% M9 N% v; A* P1 [, [; D
% x% g' _# `0 l( R+ RMethod 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determines whether a debugger is running on your system (ring0 only).

, E4 k  m0 S5 r3 ]   VMMCall Test_Debug_Installed
+ t) L& `, O, r5 B  Q" u8 f! t   je      not_installed
. f0 L$ A, b5 e' W5 K2 I" u
' w3 ]  \- _* N+ H1 Z( ]7 K, A9 JThis service just checks a flag.
4 j* o/ @2 {, E- h! ^</PRE></TD></TR></TBODY></TABLE>