About anti-SoftICE tricks

<TABLE width=500>
<TBODY>
! i& `7 O+ D6 ^  u9 X" T<TR>
' H( u  Q: X/ l/ G* a1 X; Y<TD><PRE>Method 01
=========
0 a5 b7 v! \5 q* K1 Q# i
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
  [: @9 X, ?8 Z/ LIt seeks the signature of BoundsChecker in SoftICE
7 |9 {: u- z2 \& m& }- v
    mov     ebp, 04243484Bh        ; 'BCHK'
4 e) X6 I# A. \8 F+ W$ o( x. ?    mov     ax, 04h
, [. X6 ]$ ]. y3 }    int     3      
  K% y* m0 H2 a% Y" D    cmp     al,4
    jnz     SoftICE_Detected

/ x8 `; `8 Q8 ?3 ]2 V___________________________________________________________________________
& |/ |4 K( B' v* B' K5 T2 l  E
Method 02
3 v: j1 Y) J9 A=========
) h% U! \$ Q/ m9 H( Q
  t( l4 b: J+ n4 X9 m/ P) gStill a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
or execute SoftICE commands...
5 p+ y$ ^$ o' s9 C3 {' ]0 OIt is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((  
! F6 a$ [! @! {: y# P: ^
6 h1 p( D2 G6 u- X$ p8 X6 FHere is a quick description:
; Q' A& Q3 o* B. T* z! ?. G-AX = 0910h   (Display string in SIce windows)
5 C& D* Y  u. z/ `" n) c-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
-AX = 0912h   (Get breakpoint infos)
2 W& J" O! x: X0 b! r+ J6 n-AX = 0913h   (Set Sice breakpoints)
; a2 i( m' z& Q8 Z" ^-AX = 0914h   (Remove SIce breakoints)
3 U  F: q6 A( Y9 |9 s) h2 I( y5 o
Each time you'll meet this trick, you'll see:
-SI = 4647h
! M- w8 x- J# ^-DI = 4A4Dh
% ^7 d7 N$ b+ P9 X8 k( C; }Which are the 'magic values' used by SoftIce.
) K* B' O# u: g# m# c' _For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
0 X  d+ l, T2 A9 y
( ^2 [) {, M+ c& {: THere is one example from the file "Haspinst.exe" which is the dongle HASP
  ~+ \1 b* K1 D$ y6 j6 SEnvelope utility use to protect DOS applications:
( q9 a7 O. A% z( S( q
+ I) x, S) p- E( G: @& ^+ m
4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4 `, q5 x- K/ H9 {* R5 C% i7 [4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
3 p9 d; O- o, z- S& V3 |4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
0 n3 ~+ E9 W/ j6 Z& n4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
7 W' V7 q+ e* _, N% g( T  {* d& `3 [  ?4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)
2 I6 Z. P5 V2 ]4 Z
The program will execute 6 different SIce commands located at ds:dx, which
+ {3 C) ~, c( X7 P  Hare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
' ~8 R' F  p7 Y( W7 B8 G
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

6 T, W" w3 F5 s+ G' C
Method 03
  a: X' k: \* ?9 j$ m=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)
7 G/ ~. t  {9 v5 @        

$ @* {0 E' c* x  U& E    xor     di,di
% ]& d- A! L4 o    mov     es,di
    mov     ax, 1684h      
, i# g, i& z9 J. @    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
) |2 P( R5 v2 {0 {" Y    add     ax, di
' `9 b  g- S6 d  `7 \# W. |2 P: z    test    ax,ax
5 N' X) p% N0 m) v* E( w2 k    jnz     SoftICE_Detected
( @- P" f7 x8 K0 |
! i. e  \" U% s& X___________________________________________________________________________
' [1 B# e9 [4 C" J/ F! \
& q9 }! f9 o0 Z  w% pMethod 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.
5 S; j7 _8 h3 `% w9 i
    xor     di,di
2 ?  ?6 u: M/ p2 b& E$ U) H    mov     es,di
    mov     ax, 1684h      
6 h" I) V: Y0 M" h# X+ [# Y    mov     bx, 7a5Fh       ; VxD ID of SIWVID
0 ~) z' \) e* c: i' o$ ]1 G6 i$ y    int     2fh
% e3 a' Y; N5 Z  [0 s    mov     ax, es          ; ES:DI -&gt; VxD API entry point
& n+ r! n  ]; O' A0 A! y. C6 w8 P; p    add     ax, di
    test    ax,ax
4 o1 v3 J5 q9 V8 ^    jnz     SoftICE_Detected

9 ^4 y. x. J! m- y* H0 y' y, g__________________________________________________________________________

; Q; {! \; ?$ M
  G, f" }6 ?7 @; {; Z- L& oMethod 05
=========
' ]3 O, z3 [5 \6 ~8 e
Method seeking the 'magic number' 0F386h returned (in ax) by all system
' @0 B$ Y: l/ d) ^# u5 M8 D1 gdebugger. It calls the int 41h, function 4Fh.
There are several alternatives.  
$ b0 u! z; ], V+ q8 x6 O  Q
The following one is the simplest:

    mov     ax,4fh
" y# i" U6 v+ e' b0 U    int     41h
* x% g. ?6 s1 x  ^    cmp     ax, 0F386
    jz      SoftICE_detected

! {+ a7 R9 h( ~) d% U  h9 {9 e
Next method as well as the following one are 2 examples from Stone's
- q# t! l! M, Y$ W! B, g1 G"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
: ?8 s/ E; h, V7 k! L    lea     dx, int41handler2
# I2 d) I- y& ]5 ]    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
% U9 g# u' B9 v$ I, J    xchg    dx, es:[41h*4]
; J  G) P3 i5 Y    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
  B2 v3 R  @6 j2 Q    jz      SoftICE_detected

int41handler2 PROC
! W$ T' T6 {6 z) s    iret
int41handler2 ENDP

) V- u4 ~5 Q+ D! A, ^5 T0 W
  K1 _* R9 i- T1 __________________________________________________________________________
% `. M% g. i* N
7 b# W) t6 @2 b: s
5 Z/ W- ]  p8 ?* o' Z" NMethod 06
* R8 o3 R" ~" _& A% L0 }=========
- B. Z& L2 S: j. d( R. |

2nd method similar to the preceding one but more difficult to detect:
! o/ b+ F: T  M
: T+ `4 O  C0 H6 F
# C1 z4 h4 A' K+ H: u4 [int41handler PROC
; u& R! }4 p. t- A    mov     cl,al
    iret
1 R/ @, M+ k) q  A0 Eint41handler ENDP


    xor     ax,ax
; O+ T" c- H1 Y/ F2 v% u5 _    mov     es,ax
9 V' c: _" S2 \3 ~+ S+ }4 Z    mov     bx, cs
    lea     dx, int41handler
3 E+ B  _2 e- |; n$ c1 h* P    xchg    dx, es:[41h*4]
' b; U& _. ]" F3 q) O* V    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
7 y/ K# Z- p; ]2 d8 ?    cmp     cl,al
6 g: L" n, g2 T+ r  x+ e. \/ K- ~    jnz     SoftICE_detected

9 Y1 d0 Z# b- x$ X_________________________________________________________________________
3 r3 w+ l  K' e: Q2 p! f
* z: Q  S( i( t4 f# _Method 07
) I5 x5 S. q4 I: g. P4 m=========

Method of detection of the WinICE handler in the int68h (V86)

) K# c9 [. g6 Y9 l  ?" l3 u( A    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


! ~9 G2 @& s. U4 w% }4 c=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
( X& D3 C" D2 N; A, j% m2 K) l/ Y   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
1 r+ c9 y, P( h0 [8 m   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________
1 X) l7 M6 H9 }/ x

( f; _* i  M3 H# qMethod 08
$ J6 R, W3 R( b=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
5 s& i9 z. n# uroutine.
; c1 c* X% i8 b, R+ BIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)
. n/ L# ^) W7 Z, s9 z
4 S- f0 f/ Z/ y1 Y    mov     ah, 25h
4 `  F% a7 U- i- a    mov     al, Int_Number (01h or 03h)
2 q: G3 M$ H4 Y8 g    mov     dx, offset New_Int_Routine
6 y8 I$ }# z" I4 K, I5 ~$ J    int     21h
9 B* u6 d, z( T, i/ o7 b6 [5 E
__________________________________________________________________________
( z- Z) h5 u0 _+ g$ m. m
Method 09
* }* R% P* R; p8 u  ^=========
0 U/ F4 q. M, b' o  A% k$ n
( ~% J: ?8 e1 d3 g; L4 EThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
, j9 ^; ?2 u& t3 @7 U7 `+ wfor the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.
$ y$ p& q" A* ^7 Q! E
7 W0 s  g8 `  `1 H0 I$ |  F3 F: _# j4 z   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
4 M' X, b5 Z2 z   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
: F, Y: _, d0 h  D
' ~2 W4 m! J! yMethod 10
=========

2 Q- W' P& m: H=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enable!!
! d! _7 D; `& e% v" O; S( ?
( [2 r  n, X* E: b4 BThis trick is very efficient:
0 V) Z: u1 T* _  _by checking the Debug Registers, you can detect if SoftICE is loaded
% J+ D- z' d0 q" J+ a8 j(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
4 O5 K: [' W5 [+ t2 M+ P* V3 q7 }there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and or changed as well
" s5 z3 w% X; a$ E2 w7 K% [" ^(clearing BPMs for instance)

__________________________________________________________________________

Method 11
  W: g4 s  [+ E. F# M=========
: }; L, X: p6 }: m7 y, w
# L) _( u5 P3 c. @7 [; aThis method is most known as 'MeltICE' because it has been freely distributed
, C7 ^  B9 a+ W# Qvia www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
/ ?& h+ r" Y1 |. finside nmtrans.dll).
+ A) G8 l; m8 t; j) w6 E2 g
The way it works is very simple:
* v" x6 w. h$ t0 a& }/ JIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
; Y# @( k: `" G- e9 b- Z) p! P/ HWinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):
. F% b; [$ o* N8 a; u
BOOL IsSoftIce95Loaded()
  J# b) ]9 k1 `( q/ H9 g{
% w4 j, i0 r. w0 P) x   HANDLE hFile;  
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
/ S% I; N2 r, l% u6 O, \# e1 F   if( hFile != INVALID_HANDLE_VALUE )
   {
' @# V* R% f2 ~. T5 v8 b$ ~) E6 H( B      CloseHandle(hFile);
# c8 `$ r  B5 ^* K; r& ?2 E; l      return TRUE;
! f5 B" Y$ T0 o- z' L# L   }
   return FALSE;
' ~2 }' F4 n3 p4 E2 S6 L}
: \! Z$ t9 ^8 [6 i
Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing a IFS hook: it will not work, no way!
2 ?/ G$ f8 r2 B% {- f6 U% J" j6 {7 WIn fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
, T  }* v  E( band then browse the DDB list until it find the VxD and its DDB_Control_Proc
3 ~* l9 C2 p3 d8 h0 W2 S8 O8 i/ efield.
In fact, its purpose is not to load/unload VxDs but only to send a
( l8 v0 Q! n  J6 a3 KW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
7 u' q7 l1 ~- ]' ^% AIf the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
2 y( Y4 F7 Z% }) G/ [( t. LYou can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.
, x# S* u  G. W$ ^4 e
6 z# S6 G$ E* G' E& O- d
  00401067:  push      00402025    ; \\.\SICE
4 R" i  p: Z8 t" @$ H5 C# n8 O  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
2 H# \" G+ X+ }. |# |! _  00401074:  je        00401091

) ^" ]( N: G: I: T% x
% ?* t. ~6 w4 v! R3 h! I( HThere could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
6 q  O' f0 a' {( e! ?    *(esp-&gt;4+4)=='NTIC'

2 ?2 V# D- K0 F! T-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
0 p& z# `6 M" d     ;will break 3 times :-(

-or (a bit) faster:
' X( V$ s. w9 u( U3 V   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
# w! c1 R1 i4 w5 x5 J( w+ M
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

- C& i8 P" W) Y' W% s4 Z! tNote also that some programs (like AZPR3.00) use de old 16-bit _lopen
: g4 J5 T  N' b3 o3 ^function to do the same job:
5 {+ l5 _/ S# [% N1 g* Y8 u1 K) V" Q
   push    00                        ; OF_READ
# \0 x' p. x2 \, x   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
8 I2 s4 L! N/ Y9 B& }   inc     eax
% i: f" }, ~9 N* D   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
9 E5 S9 H( z$ r" m) @7 h6 Q   push    eax
) }- _8 h$ |+ ~# t# q   call    KERNEL32!_lopen
   inc     eax
/ x, h* ^- ]' g& R- i) d   jz      006505ae                  ; not detected

2 Z# S# ^6 e& Q, c
__________________________________________________________________________

9 d: \3 N8 J0 _$ D9 w* A# _: bMethod 12
=========
: x1 n0 _( ]$ g  Q5 \
. ?9 X! f$ A! l, g0 n4 dThis trick is similar to int41h/4fh Debugger installation check (code 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

$ S) P7 d, H( D& J0 a" w# F( W   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
  n$ H% q, j0 I( x* D, z                             (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
- Z9 |5 j5 A3 `1 ?6 B. u   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected
  O4 _9 p2 I/ A) k) R- @
Here again, several ways to detect it:
0 J9 b0 Y* n9 P- J" h- ~+ K
, P( O) o2 K0 |2 u5 {1 G    BPINT 41 if ax==4f
* E  b+ Q- x6 m! x. [* ^/ p0 B- X# _
  M' z0 e' Y2 l: r( J1 j$ x    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
# e6 b2 r+ F6 K. W
+ J6 G1 A3 D- E' B0 l$ w    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A
+ B0 b2 G$ t1 c8 }
7 c7 h  ^9 n5 b% U8 B    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________
7 r; x7 X2 b. |$ Y. i2 H
Method 13
=========
: ?4 b  J# l& w5 k1 s* H
Not a real method of detection, but a good way to know if SoftICE is
8 w8 ]# J5 G% H9 v7 ?0 W* yinstalled on a computer and to locate its installation directory.
It is used by few softs which access the following registry keys (usually #2) :

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
8 w4 K# O( e9 j% u# `; o; [+ J* \; ]/ x-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
0 d0 c- I! M* q* Z+ X8 O\App Paths\Loader32.Exe
$ l8 G' z/ S/ ~; f  c- A8 n

Note that some nasty apps could then erase all files from SoftICE directory
. U2 h( n# I3 g4 }$ w(I faced that once :-(

. ]# ?2 K- B1 ^& }7 o9 s' }Useful breakpoint to detect it:
/ b- D+ K% ?; A/ z4 @5 m) Y" c
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determines whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
6 R' L8 z" k4 I' X5 I, F   je      not_installed

7 z! V: g9 g# W- v( e$ XThis service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>