About anti-SoftICE tricks

<TABLE width=500>
<TBODY>
# m9 y. Q0 d. z. k$ m; `<TR>
8 p/ S( q/ }& _* G& y2 Q<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE
  l# y% n2 C& u1 t3 k3 t6 h' c
    mov     ebp, 04243484Bh        ; 'BCHK'
: t: a) p! _$ t8 d    mov     ax, 04h
    int     3      
    cmp     al,4
% f7 D5 y/ R: `& N3 Y# V8 H    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

) h  ?2 P. v; M; S* t0 H0 N& HStill a method very much used (perhaps the most frequent one).  It is used
! r+ c2 D! N, C! e$ z7 [% S% Q3 \to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
or execute SoftICE commands...
: c' Z1 k; ?& TIt is also used to crash SoftICE and to force it to execute any commands
6 T  Z7 D' w& z( f/ i/ l$ N( ~(HBOOT...) :-((  
; N: ], s; y9 r; I; R* v
. S+ G# j3 q, n; THere is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
' W6 ~% V7 M7 y5 H& L, D% W; j-AX = 0912h   (Get breakpoint infos)
* A( n% |( J5 Y0 J( [-AX = 0913h   (Set Sice breakpoints)
: D) Z6 [. e8 L-AX = 0914h   (Remove SIce breakoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftIce.
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
% W6 ^* s6 l  G/ b7 m
2 s' Y# d- Y8 `9 p( D7 aHere is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility use to protect DOS applications:


' J  k$ B. ~- U, ^* p5 n% I, ^4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
  B  q* F/ ^$ ~' |4C19:009A   MOV    SI,4647  ; 1st magic value.
, M6 s5 o, U  c; |) K8 X; U4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
9 e, J4 `6 p8 G5 t4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
' |9 h' c8 h# Y. a  Y& s) s7 l" f* v4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
- K# N- h0 Q$ W: A3 E5 \; ~5 Y/ y4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

- ]- R3 B2 {9 s' _' jThe program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
& {9 y/ I$ c" O# g
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________
) }5 u7 X8 o' Y) U3 F; ?; _5 ^- v4 `

Method 03
) @0 j7 ^) O: w=========

* R/ |' @, N2 I6 V; a5 j2 H: |Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)
        
$ H' ^) j$ Q5 I
    xor     di,di
    mov     es,di
    mov     ax, 1684h      
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
# Q+ d0 U4 v. s6 b+ b7 h    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
9 s5 v- n$ A0 b3 M    test    ax,ax
  H5 [! F$ V  a! S" i    jnz     SoftICE_Detected
2 e$ d7 p3 X9 c# {# `
___________________________________________________________________________

Method 04
=========
+ z$ ]6 O9 T+ e7 e
2 X! ^5 T$ j6 h/ AMethod identical to the preceding one except that it seeks the ID of SoftICE
/ p6 @( i% x' DGFX VxD.
) Z6 I: b+ P; h. \% G( @
0 v! F: L( O3 H. Z" t, `    xor     di,di
    mov     es,di
# `0 q8 \/ E! v) G7 P+ w! Y) I. u    mov     ax, 1684h      
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
; a6 T- H# w' I$ `- q* L    mov     ax, es          ; ES:DI -&gt; VxD API entry point
5 e& O; _+ l7 J" r' q3 }6 ^    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

2 m8 B- b- J: a0 L4 y
2 Q$ N$ i3 S' x; sMethod 05
# R% x6 ^6 z* x$ R8 W0 ~2 J=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debugger. It calls the int 41h, function 4Fh.
There are several alternatives.  
) j! `* w! ~0 V/ l
The following one is the simplest:
$ S/ L9 u0 B1 k% N9 z
+ E! n; U& |5 @  G    mov     ax,4fh
0 N0 m  @0 t8 j* t    int     41h
    cmp     ax, 0F386
    jz      SoftICE_detected


. Q% a1 Z- x! i4 a, I: \Next method as well as the following one are 2 examples from Stone's
9 }- e6 I7 ~5 N0 `1 A"stn-wid.zip" (www.cracking.net):

" D# C* [; M0 b: A0 b; n    mov     bx, cs
    lea     dx, int41handler2
) g0 b5 B+ i) D; k    xchg    dx, es:[41h*4]
$ l8 G, u' K# y# s0 Y, B! Z    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
: c: s$ ^8 p7 b: v8 V    xchg    bx, es:[41h*4+2]
9 [- g+ r* J) G( b    cmp     ax, 0f386h
    jz      SoftICE_detected

* g: \9 T7 {' Dint41handler2 PROC
3 K2 g6 x* f2 _2 E4 ?3 |    iret
int41handler2 ENDP


! a! V3 V! [% X. \" F# @( _! w_________________________________________________________________________
1 B" ?4 A  @+ C  B$ [( r* D

Method 06
=========

* Y$ i! e! {8 ]4 K  p
2nd method similar to the preceding one but more difficult to detect:

5 z" g: s, J6 k
int41handler PROC
/ n/ N5 s: ~5 x! t3 t* c5 n    mov     cl,al
    iret
  n5 ^; |5 V2 Q" s7 lint41handler ENDP

# [2 E; k, v( w) d; d
0 B* t4 @1 R# y9 h' U% Q    xor     ax,ax
* L' m, `9 i" l" S; p    mov     es,ax
    mov     bx, cs
# Z$ ]9 V; C# t" d0 y& g    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
; i8 ?- [- R  x6 _3 ], o    xor     cx,cx
4 F$ T+ G/ t+ G7 e0 r5 V5 y    int     41h
% t% Z1 c8 g; R    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
) y1 c5 y$ h4 ~& u( Y, z5 B) m    cmp     cl,al
/ Q  c. R& h: x6 x1 v- c! P    jnz     SoftICE_detected
, J9 e- h3 Y6 q& W. J1 h9 {
( Q6 ]0 w7 p% x, l& O_________________________________________________________________________
. d% p( T6 S7 v- C5 N
Method 07
=========
/ s/ m2 I/ e. T! @2 d8 e; ]% q! {
8 q/ H4 Z3 v' s; j4 W$ HMethod of detection of the WinICE handler in the int68h (V86)
# U( D% ~/ F9 f( P" Q/ t
! \* m9 p% a% Q  x    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected
  B- l* c- h) x

=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
3 @! R+ G/ ^; {' A+ P/ ]   app like this:

   BPX exec_int if ax==68
6 t8 ]* X1 O" u8 |   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
8 I# D7 D% v1 R  k9 e/ @. X' U__________________________________________________________________________

8 c4 h2 V' j" g5 q- q
9 @' c# A  U  p  ~! GMethod 08
5 E5 H& t9 A$ r9 m" M=========
3 n' D# j' J9 ?/ g3 X( S
9 t- r+ S0 I. O" e! ^1 o+ wIt is not a method of detection of SoftICE but a possibility to crash the
, K' i' V2 t8 C; ~* Z/ bsystem by intercepting int 01h and int 03h and redirecting them to another
routine.
7 L3 h  X5 T  [! u2 s' W" v% iIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

2 o# L6 v* F; `$ C2 c7 j! ?* T    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
# w; v2 V- ]# H  |" B    int     21h

# y  Q  y. i5 N5 ?+ A+ h2 h__________________________________________________________________________
, f; }- y' g  Q+ U# t
8 z1 ]% q1 e7 a1 uMethod 09
=========

This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
' P& c" S8 |& ]for the specified device and returns a Device Description Block (in ecx) for
3 K* I7 w' |$ \. e) z, {that device if it is installed.
9 |! l0 a5 p$ z
   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
  Y! M1 X9 h; B+ r6 a2 z' W6 j   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

3 R. z: Z# {7 m6 k3 ^% h1 GNote as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh
/ d, X1 A3 M7 }0 j; y  t, ^
: t" Q. F8 u( i__________________________________________________________________________

" Q, @% U7 [: y) b6 S+ vMethod 10
=========
% D3 ]9 q2 [$ t0 l, `4 ?; B
=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
* ~' K1 J( Y+ Z  SoftICE while the option is enable!!
' H1 L' {& }+ Z8 Y$ u1 ~* \  I! c, U
; f4 U, T3 L. G( DThis trick is very efficient:
; Z6 i7 L: N0 ?: f1 e6 uby checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
  P0 Z& w* c3 i* pthere are some memory breakpoints set (dr0 to dr3) simply by reading their
' ~& H! L. E; a! f& h6 Y& N- x6 uvalue (in ring0 only). Values can be manipulated and or changed as well
(clearing BPMs for instance)

; z( Z- v7 J" f- v$ a__________________________________________________________________________
' Z0 v* y% O: ]: G6 J0 O
Method 11
=========
8 b6 J0 }. E- @# M- F& n2 Q- Y! k4 v
This method is most known as 'MeltICE' because it has been freely distributed
. P) c1 \7 U. M8 E0 H9 }- `2 k& ovia www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
6 r; ]6 G9 r4 u( l, M7 d: kinside nmtrans.dll).
# a' X8 b7 k+ n1 ?9 t* Y
# X- T% G+ ?* U4 T  CThe way it works is very simple:
5 `* \: G# I# aIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
: {& a, a" v  \' a! zWinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;  
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
3 `5 Y9 Z; L* a. x% b                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
2 Q3 |$ C8 L* X1 Y   return FALSE;
}

* g- Y& t9 w/ r; r6 U: zAlthough this trick calls the CreateFileA function, don't even expect to be
7 X% C7 F" k# g& jable to intercept it by installing a IFS hook: it will not work, no way!
5 z  m4 [# r- i0 t: u( k* WIn fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
* q- x7 P9 c# a0 b$ ]9 I2 v) T6 @and then browse the DDB list until it find the VxD and its DDB_Control_Proc
field.
* G( x  S) W- T/ c3 [, w! KIn fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
9 r3 a5 e3 P! O* B; Wto the VxD Control_Dispatch proc (how the hell a shareware soft could try
2 |7 |6 @" v7 qto load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
3 q5 {  n2 q& M% K4 b. U6 zits handle to be opened and then, will be detected.
/ l& M2 ^* A! v) F- XYou can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.
% g7 p7 F8 Q8 l5 G4 G0 M

  00401067:  push      00402025    ; \\.\SICE
8 d* h4 n6 Z4 m' d  0040106C:  call      CreateFileA
; s0 @" L- @  ~& x6 {  00401071:  cmp       eax,-001
9 m- c3 m. C0 I5 Z1 K3 |$ f5 v  00401074:  je        00401091
  }# o8 _( w. e: p8 y% p8 p& P
% b8 K) `# ]0 `7 N$ L+ `
0 v) |7 R1 z) ]+ m* s+ l' m+ gThere could be hundreds of BPX you could use to detect this trick.
1 \; N3 M! M, E1 u6 D2 I-The most classical one is:
* s8 Y: T6 }2 w  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
: D  u, @* X. |3 D9 i    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
     ;will break 3 times :-(

+ C5 T: T/ N( |4 Z4 i-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
  n/ a* Y9 L4 z' _  `) z  [9 v6 P3 |! z
6 _5 Z& z, d3 c5 z   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
     ;will break 3 times :-(

: ^% F; \4 V( }-Much faster:
9 b9 l" b$ w7 w3 I, C   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'
& s% C7 v# c1 m6 H9 ]) @0 E
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
function to do the same job:
1 K! @. W1 W$ s0 n2 ~
: R; n- m, f$ o0 d3 P0 ?$ Q   push    00                        ; OF_READ
6 Q3 c+ z) ^7 ?   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
1 V- i  E/ l( G, g   call    KERNEL32!_lopen
" |* |! v: s$ W   inc     eax
) s( Q. U8 O7 a6 @) p   jnz     00650589                  ; detected
+ E% c& B/ \+ t$ Q% O* }   push    00                        ; OF_READ
( W+ g% N7 Z3 a4 ?7 R   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
4 _+ B9 b& ~/ L( N4 y   jz      006505ae                  ; not detected

/ a$ N" j3 i: ]! n
__________________________________________________________________________
- b" }. m8 j! [: k
1 P7 s0 q8 |! A/ {/ V, j  ]1 d# cMethod 12
=========
7 e5 D' D9 V' X
This trick is similar to int41h/4fh Debugger installation check (code 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
% R* l$ G1 W) J/ D+ N" [0 T   push  002a002ah         ; high word specifies which VxD (VWIN32)
& f0 m  u! o4 C                           ; low word specifies which service
; o3 w" f7 u- S! m) z5 P: \                             (VWIN32_Int41Dispatch)
: P3 Y7 I# u% \7 f: @" |1 V0 N   call  Kernel32!ORD_001  ; VxdCall
- L: a4 n2 S% ^' U- H2 h   cmp   ax, 0f386h        ; magic number returned by system debuggers
7 b" M: Z" m# K! S& K# J   jz    SoftICE_detected

0 K' U- J' [( I9 h, q7 t+ c) RHere again, several ways to detect it:
) x) I0 c. ?' i
3 D; `! ], m' A4 ^; y    BPINT 41 if ax==4f
. e5 l  M8 Q+ l. [$ ?
. H' Z" V0 u4 T    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

3 x4 g( D8 H. i9 R: K* ^    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

% k, O' o9 B- A    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
' G  W8 E, S- o9 r1 s3 e
: g  E, X, A! f6 B1 B& G__________________________________________________________________________

8 |0 t8 V  A0 [  Z3 B5 `Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by few softs which access the following registry keys (usually #2) :

  M" Z; ~" H1 Z, a3 o-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
+ x3 l: u3 L! z  \: W# J" c\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe
) ^/ \# a+ R9 z8 ~( I1 w
' f# k  a$ D+ b
/ ~$ f1 b+ c( JNote that some nasty apps could then erase all files from SoftICE directory
0 I/ `6 G# [- ]! _(I faced that once :-(
2 E  {4 s. p) t
! J& C8 }- K' y. y3 t+ v* G  ^Useful breakpoint to detect it:
7 V3 F2 G( K0 G$ c" j% @6 z
  l3 |8 F" c2 x8 d7 ^     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________
/ q5 }, c/ M! E8 ~& i+ _

; S7 M" H. c5 I* D7 sMethod 14
=========
4 R" D8 j, ^8 |% M  s! `$ @
6 |1 Z" `, s9 B9 O2 M  f: NA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
! Q4 q8 s3 s! n- }: M* c1 Gis to determines whether a debugger is running on your system (ring0 only).
( B2 p+ k5 `( K) C( X  G  A1 }
2 K! Q$ b4 P' w! e% ]   VMMCall Test_Debug_Installed
   je      not_installed
5 X$ C6 p: |( r
) ?  L  P: a$ Q2 D" j% C0 SThis service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>