About anti-SoftICE tricks

<TABLE width=500>
' ]; w9 J& ^2 T<TBODY>
<TR>
<TD><PRE>Method 01
( V/ G; S% e: M5 R: D% r=========
2 T2 ]; R3 H% M
, X& s. n9 ^* qThis method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
) r) x8 p( A: S* s1 ZIt seeks the signature of BoundsChecker in SoftICE

    mov     ebp, 04243484Bh        ; 'BCHK'
! f0 N8 U/ [% S1 E    mov     ax, 04h
    int     3      
    cmp     al,4
    jnz     SoftICE_Detected
' q! T" l2 ?" b* ?
___________________________________________________________________________
# d; @, k/ M1 k4 r5 d/ z
Method 02
9 O' t$ ?+ v8 D6 @* u" X7 P=========
. K5 E% y5 [# g; f, S
Still a method very much used (perhaps the most frequent one).  It is used
5 B) h$ f7 y, \" J" f% jto get SoftICE 'Back Door commands' which gives infos on Breakpoints,
; W+ X! n; v  p4 k! }or execute SoftICE commands...
6 |" O( f% A) t) M  V( F2 K2 z3 ^It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((  
8 ?0 f7 n1 |9 [, P" U
Here is a quick description:
! O, \  O9 h* F  I-AX = 0910h   (Display string in SIce windows)
+ d! T: ]0 L/ X3 [- A4 ]" H: F& J-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
3 [5 w1 H( t/ l-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set Sice breakpoints)
8 T- W/ ?) k( a: A/ a! Z# O0 P-AX = 0914h   (Remove SIce breakoints)

1 T! ?+ U2 K( B/ p& v" aEach time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
9 W3 t  V; a! g+ U2 @% zWhich are the 'magic values' used by SoftIce.
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.

; |& d8 I0 T# q! v, C4 ~) N6 ^Here is one example from the file "Haspinst.exe" which is the dongle HASP
# F* f1 q  B3 Y1 O5 M9 T9 p6 [2 uEnvelope utility use to protect DOS applications:
/ \& ^5 Z. i! S. e4 c  ~( ]. J+ s

4C19:0095   MOV    AX,0911  ; execute command.
: x2 i& H! F2 r- m) ?9 c4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
& I% n, S! Y, [6 T4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
7 P/ l8 u# Q2 t$ `! H4C19:00A4   INC    CX
+ c5 T% O" v( I( G2 c7 K6 e- u3 A4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
+ Z) O% s' f5 I3 f  B4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
7 c2 R( C# ~1 a
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
9 J1 h3 O* w8 a" F# b  e- A___________________________________________________________________________
( A5 y* `4 L; G# j; I
) s2 j- b/ _2 T
! l0 H% {$ z; d; h9 e4 qMethod 03
( y6 [/ J/ }1 u: Z$ i1 p# x=========
9 M, U3 T* ?8 Y/ R  m
Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)
' M6 I5 l# r4 L! O7 I        
. n0 v9 {# y0 k+ C, C# i7 G; }
    xor     di,di
    mov     es,di
8 `3 N3 r  |2 R, V& C& s    mov     ax, 1684h      
0 M1 J+ ~/ X& v: o    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
* z9 a/ y* |1 t( \; s4 t  B    test    ax,ax
    jnz     SoftICE_Detected
4 E: {8 F0 }- V+ a" ^
___________________________________________________________________________
# ^- L3 |3 Q& ]8 }% S; N' [
1 X' q% u8 G7 d) e* q  {2 W7 CMethod 04
=========
$ `+ T0 c0 V7 ]$ ~* x( W
7 S1 W2 c2 b, J1 b+ w0 U0 XMethod identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

, c! Q1 ^7 Q# H% P8 \    xor     di,di
$ l) ~& B; A7 I( t9 S    mov     es,di
# ^- s! F! k) d. C2 z# Y; r    mov     ax, 1684h      
9 B; ?) L7 _; {, ^    mov     bx, 7a5Fh       ; VxD ID of SIWVID
( o, o# S  \; A, H    int     2fh
6 ^6 b) P( V( T4 d% ?    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
- _# d( |1 Y  p5 l# r+ T! @# Q    test    ax,ax
    jnz     SoftICE_Detected

0 n- S, V& O! d0 A- x3 v__________________________________________________________________________
% H2 }. z& Q9 F

( Z+ i! a+ h) z! ?5 C. ]$ K6 ~Method 05
! k/ m( {) z; O4 }# M9 [- [0 l, ?=========

7 K) ^9 A8 A4 h& ?' J( ]Method seeking the 'magic number' 0F386h returned (in ax) by all system
- V/ J- U, S0 I' l6 |2 u& ^: ndebugger. It calls the int 41h, function 4Fh.
3 g' f7 R5 ?) u6 VThere are several alternatives.  
) Y5 V5 w& H& Z* Q0 |) ^& d
8 |" t8 A" X: [6 MThe following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386
. D5 p+ q/ |9 r+ f! ^. j8 V. H# L    jz      SoftICE_detected
* U% v+ ?/ b+ c4 a

Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

" S# c) Q3 L7 D/ u# I3 q6 x6 I    mov     bx, cs
" e% J9 \3 c, Q$ l6 Q( X( i    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
1 C; H5 o, i1 L# x8 l5 X; y    cmp     ax, 0f386h
* j  U3 c; U. l/ i& n    jz      SoftICE_detected
' N. M( q5 `* g4 E% m# b3 Y! K
int41handler2 PROC
, `. S# M) n6 t% q, ~9 k# d- b6 I/ d( x    iret
int41handler2 ENDP
0 W2 j* q# O. Z; S  z( V9 H
( ]# V8 c9 ~) w$ Y
_________________________________________________________________________
/ p2 c8 X* F9 o$ h7 b! l9 a

Method 06
; F) G# {, X  L" V=========
: K2 S/ k' _3 k% B* ^

2nd method similar to the preceding one but more difficult to detect:
( s  O  m6 c. J; l

int41handler PROC
    mov     cl,al
    iret
  {" k9 |; B( o3 W1 mint41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
: c) d, f% D" H; y( m- V9 d2 L    lea     dx, int41handler
1 @" e* ~, D2 S0 N6 F, x7 ]    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
! G( b0 }, w: U7 ~  w9 Q- d    xor     cx,cx
    int     41h
$ `9 {, W* q4 ^6 P) [& |    xchg    dx, es:[41h*4]
& t; V+ }9 E& p& {    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

) l! c6 }; j9 s- t_________________________________________________________________________

4 h% k! p) T/ b& `# E6 o) CMethod 07
: \+ i- j8 ]0 k9 |=========

Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
$ y8 U- J; P8 i9 r5 I" h* F    cmp     ax,0F386h
    jz      SoftICE_Detected
- |, A! ^4 V# x/ O! b

=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
. ^" c, D; ~9 Y) F   app like this:
  y, H0 E' f$ `0 Z  L' {$ P
   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________
& Y* m: k: B' O* x

- l- R1 i* W$ L$ y" a. F& d( rMethod 08
* n$ a- {! ~5 h2 B0 I=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
! j" A# q/ ^1 c# X8 uroutine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
1 g: a* t# b' N% d  dto the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h
# x- V7 V. {) T$ n( D- D! U$ o
__________________________________________________________________________
( m/ e! V; d! h) f' G
4 J9 t9 O: L5 [2 I: U1 ^Method 09
5 Z0 X) g+ b& J, T# B=========

  ^0 A; T. e+ [! |This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
. r# X9 R. b% o- Hperformed in ring0 (VxD or a ring3 app using the VxdCall).
5 M5 q* C5 @4 Q3 m2 j6 [The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.
) \- \; f% Q, [1 |9 I" p
* m! ]2 \) B+ p' V8 ^/ c   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
8 u9 m7 y* X: R1 _5 Z& d  q$ J% l   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
, w3 ~) m2 n& k" C& Z+ h! c   bpx Get_DDB if ax==0202 || ax==7a5fh
$ b! I& e' b% b8 r9 ^# |1 E
4 H! \+ T. J: Y, ?__________________________________________________________________________

Method 10
=========
( Z/ _* M$ x: n5 H5 Q- P2 @7 f
, p0 ~* b) u, d6 i$ H* d" W=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enable!!
% B0 M" m7 O& l$ j$ B6 r% X% E" s8 i6 A4 e- U
This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
6 o/ }  N: f. j* ~% N(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
" X, @' n: K0 M7 Sthere are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and or changed as well
(clearing BPMs for instance)
6 I9 u$ s; t! [0 t) u
__________________________________________________________________________
( ?4 Y) O# I0 s. b4 P6 N
, e- `* ~0 p+ NMethod 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
3 {6 w& f. Q; V. c( S, x: OSymbol Loader to check if SoftICE was active or not (the code is located
+ O  `( u7 F/ d) ?* v* hinside nmtrans.dll).

4 w5 z" Y8 _$ @9 q6 A& [; ]The way it works is very simple:
' u' h  N9 Y" C/ k7 }It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
/ S( c' f  f6 ~1 C, Y
Here is a sample (checking for 'SICE'):
) |3 Z- x4 W1 J* Z. z; Q
! F7 N' T# V! P1 ^BOOL IsSoftIce95Loaded()
6 y5 S% z) M( R( Q9 w7 u3 \% Y{
   HANDLE hFile;  
/ h/ \( Z' p: a! z   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
+ T" X: R" C2 j                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
( S% h2 i; s1 K   if( hFile != INVALID_HANDLE_VALUE )
9 w0 e. f7 q0 H" E3 Z+ [   {
      CloseHandle(hFile);
: W# m, l& T% r* z1 j% i      return TRUE;
8 l! ^+ G2 q& a' M' e0 ~   }
   return FALSE;
* ?2 z# r2 g  ]; o4 p& P}
& B! y7 V2 K. C. q; Y6 F" L
4 u: v, Q4 e* O* d( {  EAlthough this trick calls the CreateFileA function, don't even expect to be
' r7 S4 M) T$ p# Iable to intercept it by installing a IFS hook: it will not work, no way!
, [3 ^' T& h  @& f( c: uIn fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
field.
4 u7 J( L% u0 m8 G8 M: C! f0 UIn fact, its purpose is not to load/unload VxDs but only to send a
6 C9 P" l: m! J6 o1 }: ~. T9 g0 a4 AW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
; w6 _/ a6 V( u$ `# ?to load/unload a non-dynamically loadable driver such as SoftICE ;-).
, h, z# B# B3 @* A, p  gIf the VxD is loaded, it will always clear eax and the Carry flag to allow
/ K6 F: E  T- X7 s2 Uits handle to be opened and then, will be detected.
; ^5 l6 D0 A% ]) O8 G$ Z! OYou can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.
- C) e/ j8 }2 N6 v
) @5 c' k$ y5 |1 W( c
  00401067:  push      00402025    ; \\.\SICE
) }4 d, e" M( y* W4 O8 }7 N  0040106C:  call      CreateFileA
' U& y! ^: i1 Y0 k# z  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

# n1 W. N: G2 s* S* `/ x-The most exotic ones (could be very slooooow :-(
0 S& X% T& d% X$ c" k% Z& R# c   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
5 `" V! f0 {' A- P: K9 c$ o& n% Z     ;will break 3 times :-(
7 ]6 d& t6 A2 z" a! v
-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
     ;will break 3 times :-(
2 ]4 u; e% }2 Q2 f
-Much faster:
3 q5 S0 |! t% K" p   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
function to do the same job:
! N6 v$ h: y0 a# N3 {+ B, R
& D3 b7 [2 [/ J2 i   push    00                        ; OF_READ
1 |/ n" D! G" Q6 A, q   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
9 Z5 ^9 I, x8 x   inc     eax
   jnz     00650589                  ; detected
' f2 n+ e# Q$ d4 `* n0 [   push    00                        ; OF_READ
) L7 M/ z$ ^7 ?   mov     eax,[00656638]            ; '\\.\SICE'
* J/ O2 u" d6 }( m/ H   push    eax
   call    KERNEL32!_lopen
   inc     eax
( k/ j) G5 K9 ^- C3 w9 q   jz      006505ae                  ; not detected
* e% `: D" M: ^9 L1 \. w- a* ?
$ {5 p1 r% y2 d3 [  k6 V$ F' A
__________________________________________________________________________

Method 12
; f# s: A0 n1 ?! P- J, D=========

; R3 p2 H$ N3 r' JThis trick is similar to int41h/4fh Debugger installation check (code 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
. s1 \9 V! Z0 L+ K
   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                             (VWIN32_Int41Dispatch)
& T3 ]6 T- b5 h' F) ?4 V; J   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
0 [7 x4 Q4 ?1 \0 N( u% G$ A$ A! b   jz    SoftICE_detected
& V# y! W$ Y! C5 N1 h: _( p8 ?
8 `4 O" p& n. }% P. ~: mHere again, several ways to detect it:

* J$ o$ Q+ g3 Z    BPINT 41 if ax==4f
# N5 w8 ~. O; m" c
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

3 _  |2 r& ?  K1 u. R    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
7 X0 U2 Q% E( O+ I1 G# v# S
__________________________________________________________________________
" v+ X5 ]/ R" M8 s' _0 s! z
6 P# e0 E5 n3 G; b9 OMethod 13
=========
2 B- ]2 ?0 v2 ]- k: f7 T% U
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
1 s3 f# s9 ^1 Z) u- U" OIt is used by few softs which access the following registry keys (usually #2) :

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
; X3 L9 h* B* M" p-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
# J0 O) X' p# m% g0 B& G-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

  F$ y& v0 w& l
, R, b2 x, I8 G- b& ?' M+ T+ e2 sNote that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(
8 Q& @, G' K9 H8 g5 q$ w
& f. D- p0 `( w. j- M6 yUseful breakpoint to detect it:
% v# }% K% w# r
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
+ I% z' k; K8 \
% p' [  e1 v' \- u% C__________________________________________________________________________
, a8 k/ {5 r0 g1 d, ~
% d2 g* k5 w) X
Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determines whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
# g6 u$ b1 x, u4 M) ~8 H% b   je      not_installed

: G2 p& a& _& j* i0 N8 rThis service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>