About anti-SoftICE tricks

<TABLE width=500>
<TBODY>
0 v) {3 h) t3 ^4 [<TR>
<TD><PRE>Method 01
=========
: D1 Y. ]6 Y% q6 A
This method of detection of SoftICE (as well as the following one) is
% b0 P0 g7 v& u2 ]2 j& U) aused by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE
6 N, T" m9 _" `$ o6 c. j5 {
: a  h) F  }" w2 d+ q    mov     ebp, 04243484Bh        ; 'BCHK'
% n0 f$ ~. w& r5 b6 M& T9 T    mov     ax, 04h
2 y: r+ v$ c0 b0 [- a    int     3      
    cmp     al,4
2 p2 H" s2 u2 x  J    jnz     SoftICE_Detected
3 j9 _/ @( k% g1 o% O2 h+ D8 G2 L
9 N1 s3 g! d8 {0 N0 g* _; [1 N! c___________________________________________________________________________
; u0 j& R1 x" O& q$ X& p) s: B
Method 02
=========
9 A3 D8 Z/ C/ A: e) ~5 j9 O
Still a method very much used (perhaps the most frequent one).  It is used
  E7 q; `8 q8 L" c2 E; J" ~to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
2 J$ o/ Z) w- {( Z2 W( Uor execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((  
: R. @9 |7 ]4 X: ^
: n, x+ Y) H3 _: @$ AHere is a quick description:
7 t) s1 x/ t' r0 q-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set Sice breakpoints)
-AX = 0914h   (Remove SIce breakoints)
, K) R5 n% E! e% k6 ~
Each time you'll meet this trick, you'll see:
: v6 C$ f) |( n2 X-SI = 4647h
-DI = 4A4Dh
% R, {# a/ z) O& e+ |Which are the 'magic values' used by SoftIce.
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.

6 U  X0 d4 T( t. PHere is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility use to protect DOS applications:
% Y  q( R* r# x' ~; z* l5 I% N
( a  `0 n. ]. p. R
# A" z5 [& n, j" X% O1 e! B4C19:0095   MOV    AX,0911  ; execute command.
, j  F! [/ v: ?0 g4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
0 y* _9 c# E6 V+ C" v4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4 B  S! \* r4 _8 a# ]4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
2 j7 y, F9 ]' O: L; ?) f( Y" F: u4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

6 @0 `* m( h2 \6 e" a' u
: i6 o8 T0 {5 Z. i9 ~Method 03
=========
+ K* d/ O0 a' @7 r& t' ?1 U& z
$ d3 S. v  L: N8 J5 pLess used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
6 w- E! [: u/ s$ n(API Get entry point)
        

2 O4 H* z; a& d* u7 c" {8 R9 b& g    xor     di,di
    mov     es,di
    mov     ax, 1684h      
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
; Y: T8 ?; C) D4 r8 S4 _$ B    mov     ax, es          ; ES:DI -&gt; VxD API entry point
' x' K6 x) C0 X' C! m* ]    add     ax, di
, h* N9 m. r- p  b+ I6 M4 ^$ U4 H, n3 ^    test    ax,ax
7 M' B4 s4 r! Z    jnz     SoftICE_Detected

___________________________________________________________________________
( ~. k3 [- R- q5 y: h* o
Method 04
=========

. D' ~. n; H4 h6 P" P; hMethod identical to the preceding one except that it seeks the ID of SoftICE
2 j: r, [- w  b) XGFX VxD.
' ]/ ^0 e+ x8 W' E! ^
% _  Y' R1 P6 ]6 ?    xor     di,di
    mov     es,di
    mov     ax, 1684h      
- a( S0 @. X$ ?1 a    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
, m2 q; x6 v8 W! ]- a    add     ax, di
! J1 X( V- }2 ?, w# x) |4 _    test    ax,ax
- K' s) V4 t# S0 G    jnz     SoftICE_Detected
1 \, q( p9 k+ S# N0 {' o( K
! m. r" |$ _# N) o__________________________________________________________________________
( p  F- g# B2 D$ }" B4 c
, O- V4 Y( U' [0 Q/ m
Method 05
8 C' e; y- Q- G" L8 o, z=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
1 x6 Y- P$ q* s# p  ~7 Tdebugger. It calls the int 41h, function 4Fh.
There are several alternatives.  

The following one is the simplest:
3 w2 d7 y% u% p6 i8 M
    mov     ax,4fh
2 b$ m0 \! ^' {; l* \/ e    int     41h
    cmp     ax, 0F386
    jz      SoftICE_detected


4 q  ]! s: k3 J$ o; j/ VNext method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):
  Q# u( l0 o6 h& c* ^- I8 }
3 ^5 {6 i0 X6 \, ]0 N6 c' A    mov     bx, cs
  B6 `: j4 ~$ [1 i! t  i; B8 l( X    lea     dx, int41handler2
) c$ W% m. q8 i& r0 }& n    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
2 P+ `! x8 w+ O1 M$ O3 A6 T  E    mov     ax,4fh
- K9 a  k* u3 z3 H: m    int     41h
# u3 h$ G$ N% H/ B  T' M; D9 {    xchg    dx, es:[41h*4]
$ F# K1 p/ C2 U$ {$ N: Y5 p0 y    xchg    bx, es:[41h*4+2]
( W$ T, I  i" H6 s    cmp     ax, 0f386h
    jz      SoftICE_detected
- v/ H6 a6 m4 f, N& L# [
int41handler2 PROC
    iret
/ q# h; m# g2 R! G9 @4 H- e8 Zint41handler2 ENDP

2 m# v# k3 `1 F  v; T  L/ S; r  Y
_________________________________________________________________________

, u9 V5 I. Q" Z2 |
9 }0 {+ i. M) |5 }1 J. |! m. u# oMethod 06
6 A) I% q1 D6 t3 F=========


/ N) q6 L  q5 g. d3 v& `) q2nd method similar to the preceding one but more difficult to detect:


( L! D/ F5 t9 kint41handler PROC
    mov     cl,al
5 u, s+ @0 f5 S1 S. ]% X) E$ i1 \* `    iret
7 b( P8 R1 v3 [  g) R, kint41handler ENDP


    xor     ax,ax
    mov     es,ax
1 u2 r$ t0 e5 M, E( r  X    mov     bx, cs
) U& H& U  h# Q; }3 r& h    lea     dx, int41handler
    xchg    dx, es:[41h*4]
+ t& f2 G( H  m    xchg    bx, es:[41h*4+2]
    in      al, 40h
8 F6 ^; q1 d6 C/ U$ P% `    xor     cx,cx
( m; J5 @' e4 q+ N. A/ U" ?9 t  G& j    int     41h
    xchg    dx, es:[41h*4]
; ~+ d& g* A% q    xchg    bx, es:[41h*4+2]
    cmp     cl,al
% p5 X$ u8 N5 O3 l# K    jnz     SoftICE_detected

. d# ~* H( ~' H$ \! e$ q2 R_________________________________________________________________________

; O3 G% g+ ]; i. E) mMethod 07
=========
' Z0 P  I: D( A2 x) T0 y5 J9 c
5 [* e( e5 ~7 m6 V: p) x$ bMethod of detection of the WinICE handler in the int68h (V86)
, i1 v3 x3 S7 ]) O0 a
" r6 z/ N+ ^3 J8 J. S    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


, c# N5 I4 W+ K" z* o=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
$ \: _( k  P3 P" s   app like this:
: x/ w. v9 C% G' _6 k5 Y, k5 y0 v
   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
3 e& j" D  k, R- v   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________
9 ^9 K" [1 ^- r

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
. j. k* A" k) |! m0 y, z+ s9 Usystem by intercepting int 01h and int 03h and redirecting them to another
routine.
5 w+ Q( `6 F, s/ uIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)
. a1 S4 m* [6 D
    mov     ah, 25h
  ~  a: Y2 X8 U6 E8 ^; K    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

. a4 l4 }/ t" f__________________________________________________________________________

0 {/ f( b1 O$ K' c9 d. HMethod 09
: f$ T' {' N1 o* z  R, E- d=========
1 _1 H' }  b! s3 C& _; m
: B) s  g8 m% _! M! O4 a& CThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
- T, B+ q6 c* ~for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

2 W+ e: W- G& L2 O   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

4 u& \' ~  d. N2 A" C" Z+ d$ xNote as well that you can easily detect this method with SoftICE:
8 b9 s# v/ ?! R3 R9 ?   bpx Get_DDB if ax==0202 || ax==7a5fh
  y6 t! ^7 T$ D! E) |( O) d
- M; c# c6 m& \6 X8 Y$ a__________________________________________________________________________

Method 10
=========

* Y, q3 T8 e0 u7 \( F) k=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
4 J! a+ s& x6 \3 i% ^5 u  SoftICE while the option is enable!!
7 @5 `+ j& B9 \& v6 M
This trick is very efficient:
6 ?8 `1 b/ N% ^& x: }. _; Zby checking the Debug Registers, you can detect if SoftICE is loaded
; l+ {9 U- a0 O2 }/ R% D(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
( J$ e2 _3 r6 e- xthere are some memory breakpoints set (dr0 to dr3) simply by reading their
: z9 J9 ?2 W, G3 Kvalue (in ring0 only). Values can be manipulated and or changed as well
/ W2 M! q9 j% s# @$ ?(clearing BPMs for instance)
/ u! l; ?) h' m8 }! g6 A
__________________________________________________________________________
( P& L/ t' X: {5 j
Method 11
" b' ^$ u: ~; }3 L" E2 D1 W=========

7 J4 }2 n/ A( F) q; R1 yThis method is most known as 'MeltICE' because it has been freely distributed
& z& v3 ~* i1 b9 {& n6 vvia www.winfiles.com. However it was first used by NuMega people to allow
: g" j6 U& T) _2 y6 W9 X! ~Symbol Loader to check if SoftICE was active or not (the code is located
# C2 D+ Y: h* N5 y5 C1 y. i2 [inside nmtrans.dll).
9 L+ m" j: Y( _# e1 e' z
The way it works is very simple:
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
7 l) R; D2 d+ {7 ^  |WinNT) with the CreateFileA API.

- o% i+ `% z3 w* RHere is a sample (checking for 'SICE'):
/ |+ N0 ]* |& I$ R1 _
BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;  
8 T5 |6 j( n5 h! K/ r   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
, ], D. d/ m$ C$ U1 u                      FILE_SHARE_READ | FILE_SHARE_WRITE,
; I: t8 u* T) a& |) ~                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
- K3 ]; `6 d  f. h. i1 F   if( hFile != INVALID_HANDLE_VALUE )
/ D& }+ v7 B) m2 u% Y8 l1 m   {
" J( [6 l. X4 q4 U) x! J3 s      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
0 J3 B) o2 D2 Y2 J( X}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing a IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
field.
1 d; j3 j0 W8 V# NIn fact, its purpose is not to load/unload VxDs but only to send a
$ m4 b0 l. s7 O* F- HW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
; g# l; c6 {3 Q0 h' {6 ]8 jto the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
/ R6 r$ o( U% t1 k! ?If the VxD is loaded, it will always clear eax and the Carry flag to allow
, H) F- ^' C" o2 C0 g6 n( }: Lits handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.
- m9 P4 [' T' d$ D% h, D; v- ?
3 ?& b+ w8 T' V4 k
  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
( B% x5 n  w3 e% v  00401071:  cmp       eax,-001
1 {& y$ M9 y/ e; O8 \; z: w6 |  00401074:  je        00401091
- _+ N) w2 ^. r4 M- \* y

9 K3 m. |" B! @$ X$ r: A2 gThere could be hundreds of BPX you could use to detect this trick.
$ _8 `; g0 O& M3 B-The most classical one is:
+ u: d& p( o5 t+ @! j( f8 |  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
$ N- h. {3 S2 S7 C5 C, e    *(esp-&gt;4+4)=='NTIC'
; K4 w* |1 t# k
5 t& h6 ?/ h0 ^+ }-The most exotic ones (could be very slooooow :-(
/ s. a# y. }# {/ Q& [% r0 d$ z   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
* o0 A. \0 N' ^: `, y- E: p: [6 ?     ;will break 3 times :-(
, I# V3 o, o/ o2 @
-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

  k6 w2 y4 Q* P/ s( `   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
     ;will break 3 times :-(
- _5 Z$ l( e% [6 R* N! r
2 o3 \- ~3 p5 m9 v1 Z0 x9 l1 L' ~-Much faster:
8 c+ r1 Q. y" w1 d: O/ B   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'
& j2 H+ n: L& `. D  u) g& o
0 X7 q- y+ \) uNote also that some programs (like AZPR3.00) use de old 16-bit _lopen
function to do the same job:
" ^6 N$ N2 X% i
4 K0 y; A' z* `& d  \( D   push    00                        ; OF_READ
* Y( M, h& ^# q1 |+ H   mov     eax,[00656634]            ; '\\.\SICE',0
& D0 \- K1 p, Q) @   push    eax
# u: e' ^9 ~4 j( K3 d1 B   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
1 p" N! Q# U, h" _$ ]2 e7 @   jz      006505ae                  ; not detected


9 G- t+ F/ k5 ?2 X__________________________________________________________________________
! W3 L7 {* s7 E. e5 ?' J3 L4 ~
Method 12
% d% V- K$ P& ]  i; ?+ V=========

! G* g: X0 S4 a) e. ^& B# jThis trick is similar to int41h/4fh Debugger installation check (code 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
6 \( t* p7 Z. x, ?4 j   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
5 T1 [/ f6 d; S' L( i9 i+ {                             (VWIN32_Int41Dispatch)
/ T9 S) N3 W/ \3 G   call  Kernel32!ORD_001  ; VxdCall
. R! v$ y  i0 g" x   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected
4 V/ @4 @  ]. J$ X
Here again, several ways to detect it:

7 ?8 x7 W2 F) h9 M  p" m8 ?1 n    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

$ F  Z+ J, p1 C/ w& _3 f    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
  U' [4 O% k: k! {4 q
6 @' q3 P' ]/ h4 l6 @$ j, n) j$ q__________________________________________________________________________
7 z$ o) Z4 u4 K  T/ C7 P, x
- Q7 ?* Q7 a$ U2 [5 T9 B1 ?Method 13
=========
# s+ X+ [, y+ f, y
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by few softs which access the following registry keys (usually #2) :

% q7 w: {, t9 p, e-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
1 H! X$ ]" @3 Z8 K4 I9 ]( k/ V\App Paths\Loader32.Exe
) h& j$ B, E& `9 A; X8 a+ s

Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(
. k; I4 \. O7 j
Useful breakpoint to detect it:
9 x1 U( m0 o" {2 x* J& L9 H+ R+ i9 p
6 r# i& i+ q, f; L     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

4 k4 m: M8 K, [6 M__________________________________________________________________________
5 R+ V- p* p+ `4 N
. R+ _, M! _3 Z/ [+ p
4 D* e6 ^3 s1 R7 R) i6 b$ IMethod 14
=========
' `1 K' C2 q( d& w) ~
- u* z$ l' N; E% {4 bA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determines whether a debugger is running on your system (ring0 only).
: f1 ]. a' D  K
# Y0 h' _. V, J5 D$ Z, O$ z   VMMCall Test_Debug_Installed
   je      not_installed

4 V3 x: \: [- J* L8 x, |/ c1 ?This service just checks a flag.
; q; @5 J# U& F9 C' t6 C6 k</PRE></TD></TR></TBODY></TABLE>