About anti-SoftICE tricks

<TABLE width=500>
<TBODY>
1 c4 v" {0 @8 L, E# b. @8 ]<TR>
<TD><PRE>Method 01
=========
/ T: ~6 _* z6 Q" l
# l5 t1 Y# B, E! ?9 h7 U  EThis method of detection of SoftICE (as well as the following one) is
8 V' t) t7 k. F! k4 g0 ?used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE
8 H' O$ g4 e; p+ n
    mov     ebp, 04243484Bh        ; 'BCHK'
! l( n/ p4 q* v) g8 \    mov     ax, 04h
    int     3      
* z' F$ w- g) G" l0 b    cmp     al,4
    jnz     SoftICE_Detected
7 O/ j: b, E, b4 q
___________________________________________________________________________
* r, B. Z8 ^' A& q' K
6 `! {% C4 R3 a# g; gMethod 02
4 K6 K, M" ^8 g( j3 g1 t  [=========
2 X% p8 X; _4 Y% R1 M
Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
$ x& S% ^8 \- w& c3 {" Xor execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
/ T! T7 f0 l$ x8 i(HBOOT...) :-((  

3 H+ U. Z0 j4 X  gHere is a quick description:
' ]/ s' G1 t* t' r& R-AX = 0910h   (Display string in SIce windows)
/ v  s1 m7 c) B; {-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
1 S) l0 m) l7 |& |-AX = 0912h   (Get breakpoint infos)
+ K$ h7 A% Y6 h% {( U-AX = 0913h   (Set Sice breakpoints)
. ~( h# l/ `. p/ H-AX = 0914h   (Remove SIce breakoints)
% }; _$ m. U. l7 |! J8 t* e
Each time you'll meet this trick, you'll see:
* k% ?- K- `% m" W-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftIce.
" W* Q2 ^' x( R% }$ YFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.

- G. C5 ^" O% C" Y# gHere is one example from the file "Haspinst.exe" which is the dongle HASP
0 C% [' {" n: l8 N& q! z0 dEnvelope utility use to protect DOS applications:


- L9 m5 J' b2 |( V# B% o4C19:0095   MOV    AX,0911  ; execute command.
) l1 P* R5 Z1 m: h6 p$ E0 c4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
, R& m. E+ v9 N9 x+ O. c" c4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
: h, Z" \$ _# j9 j4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
8 ?6 ?( m6 N: b- L. w& M4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
5 a9 X- @7 q, s/ [+ ]( a4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
7 a! [" s/ l9 H3 I! U& i3 I4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

4 v7 z6 }' i8 l7 j0 x, k$ CThe program will execute 6 different SIce commands located at ds:dx, which
, d5 l. s7 O4 A2 p: r; vare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
' ?4 [" A/ `8 @# }0 z6 R0 L! X# |2 d
+ [. X4 P$ W& ^, O2 C0 j. |* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
' h1 P- Y& r  @. |___________________________________________________________________________
* I9 P0 c& H0 i1 k

Method 03
- p# \* r( q& z1 l( g% p=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)
" }% [7 n' h; f1 K        

    xor     di,di
0 B4 P7 |$ y: T8 o' X: G; }    mov     es,di
    mov     ax, 1684h      
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
4 J0 d8 m! B5 }& H    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
7 s. d5 }3 q4 i    test    ax,ax
    jnz     SoftICE_Detected
0 v. [" P* W- i2 d* e
; a2 X* x6 `9 m3 R___________________________________________________________________________

+ X5 Q1 ]$ C8 H/ BMethod 04
=========

' e: S2 O; J. z( E$ Z/ l% ~Method identical to the preceding one except that it seeks the ID of SoftICE
$ v* T" e! ~! A7 ?+ D$ s4 X& k8 u0 pGFX VxD.
; I" C6 d8 k2 Z8 ^9 q! m4 @/ `
    xor     di,di
    mov     es,di
    mov     ax, 1684h      
( \) ^% X: k# V9 p    mov     bx, 7a5Fh       ; VxD ID of SIWVID
" d& S+ X/ c7 v    int     2fh
! |' z. p: [  a4 ^5 \- d& Q  z( s    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
) h2 k6 K& A/ p  P% ]    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

2 m& W5 r) A+ A5 u
) D& N: O3 H5 n4 H. C- J& bMethod 05
" d5 U' H% e- P- f- k=========
' H" C3 ^( Q2 }6 [% y- U
Method seeking the 'magic number' 0F386h returned (in ax) by all system
2 l. M* {. E, O4 K" Ndebugger. It calls the int 41h, function 4Fh.
, E1 b9 y5 K5 ?- T7 wThere are several alternatives.  
$ h. o1 Q& F5 p0 H" X
# `& x6 j, v( O. d/ ]The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386
0 k; L7 w% I, C, A! F3 p2 Y' L& |- v    jz      SoftICE_detected
$ G7 l( o. j- N# X1 |" V  A
4 s. F& M) J( F+ a$ P3 z
Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):
; V; i; i: @' m0 p/ p
9 _) K/ P; w( Y1 r( O    mov     bx, cs
: H9 S% K+ `5 e0 W) Y    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
* `. ~9 N# U: f0 F& j5 m    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
" v/ q2 H' |0 ?4 B) K$ X& h    xchg    dx, es:[41h*4]
5 p- E5 q) E* ^1 C! d, R3 |! o1 s, j    xchg    bx, es:[41h*4+2]
  n7 b* L! B6 X8 Z5 W% M5 `6 w    cmp     ax, 0f386h
+ @# a5 T7 y2 o4 {7 t& G    jz      SoftICE_detected
  d4 \  z. \. u1 U2 F1 s
int41handler2 PROC
( T# A% E% T- w( j+ [/ ]1 j    iret
& f0 \, W3 j* B) l0 Uint41handler2 ENDP
( L3 A6 [! E9 ]" e. r* c% v
0 [6 x9 e; `4 L3 Q+ W$ m9 G
# }2 F) J" P$ y: _' [# x% V_________________________________________________________________________


/ }! p7 V+ p3 j# l, m5 }Method 06
=========


2 j; a5 e# ]% E2nd method similar to the preceding one but more difficult to detect:
6 J4 j$ u( l5 D
  }) C( [/ m# j3 Z" |
& h( w1 Y8 z$ k% a' S$ J. q# Gint41handler PROC
    mov     cl,al
% J  `6 L5 I$ _! X, r2 o9 Q    iret
int41handler ENDP

. W# [# v' M0 k) I7 q
* M5 K" i/ p& F% }3 G5 c4 h    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
5 |  z+ O) ?) h, _% A    in      al, 40h
    xor     cx,cx
# }$ u) }/ y$ L& d3 r6 y# }    int     41h
# j* ]4 R/ F4 J. E, S4 x, ~$ y* N    xchg    dx, es:[41h*4]
+ Y9 G  Y% h, o. r) H4 o" z  @    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
1 ^6 Y! Z4 x2 V* x+ j0 C6 D=========
+ L2 W9 \6 {' e' q0 U
2 }- P! I, J; ^6 l) E2 t  m. Q6 dMethod of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected
1 T  ]+ c$ C( @3 F" j) M0 C( ~
0 A8 u$ [2 _" j
=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
) T: |* F* V" b9 k  E1 E" I' W- a   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
2 B; [4 ]4 M; y, b* |   located at [ebp+48h] for 32Bit apps)
/ W6 f* H% |4 I2 G9 T5 ~7 }__________________________________________________________________________
' @4 M: V$ B! b1 u; c2 `

: l6 c( \: N2 x+ iMethod 08
=========

% u- S, \0 d- V; Z$ VIt is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)
6 o9 L  l- G1 w! }1 G  G3 T8 U
    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
) |1 t$ X9 D/ y( ^2 c" g% \    int     21h
; h- [0 j: W0 }- C  ?
__________________________________________________________________________
2 o4 E- }6 _- L3 I# S& J) A! M+ ^
Method 09
! J# s' s0 j- c/ p5 E+ t=========

This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
1 F+ u6 Q. [  r7 k8 o0 Mperformed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
; `+ h! b" f2 \) J4 `8 D2 t% Zthat device if it is installed.
7 X$ x1 S( C8 d- S
" S$ ?2 C2 K( W/ c! A1 r7 o0 ?   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
: U$ }6 K  w" b5 v2 K   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
5 w3 P' T9 K5 s4 X7 Y  e
Note as well that you can easily detect this method with SoftICE:
$ _9 |2 D2 U+ w5 W6 p: l   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
/ o7 P) A& X* t0 a0 L% R8 r
Method 10
: y+ o: [, V/ l% V; K# @' s=========

=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
8 c6 i, a. g2 m% B4 u6 V' Z  SoftICE while the option is enable!!

. a- V5 C% Q9 R3 t% g! ?This trick is very efficient:
  k" I& |$ M! P7 y6 u- }4 i6 o% Gby checking the Debug Registers, you can detect if SoftICE is loaded
& G! P) T' N" r# R' j. S" f6 Y) ^  f, B(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
& t) N: ^; Q! c% A" j4 Jvalue (in ring0 only). Values can be manipulated and or changed as well
) Q, F0 T& j8 D(clearing BPMs for instance)
1 k. V, x+ S# [5 B
__________________________________________________________________________
) D& m0 k6 E& N" c0 M$ p; z4 F
* c8 @" M/ ]0 j6 sMethod 11
/ d) y$ a4 y" y0 h7 D8 R; ?4 a8 j=========
8 d$ ?. r: O2 g1 P  A4 j
This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
" @% z6 a, d) x: B1 v0 eSymbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

  c' w. i0 a+ h7 F( jThe way it works is very simple:
$ x; m' x- ?9 U% [" ^9 cIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
: h" |: t1 ]2 V1 k1 {4 ?WinNT) with the CreateFileA API.
/ Y# l3 M. z/ F/ N
Here is a sample (checking for 'SICE'):
0 K, b, U: _! w: B1 U9 o
9 E; j" p* [9 H# bBOOL IsSoftIce95Loaded()
{
' C1 [, @. O) k7 J   HANDLE hFile;  
& x1 B" n( J  l, w/ d( N& d   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
( |  w* R# D, K1 |% O& U8 q                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
  t9 W" \$ A& D2 _% w' N   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
, M" d- W( G! [, Y. W      return TRUE;
   }
   return FALSE;
6 r4 L$ G" y* ?2 j6 ~; n* S}
- r% \9 s) D9 p; Z
8 Y8 C6 W' F" I: ]. Q6 R, U4 }Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing a IFS hook: it will not work, no way!
7 X9 r5 ?* m, r, F7 P$ wIn fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
field.
( e# L1 ?& K4 c# `+ @In fact, its purpose is not to load/unload VxDs but only to send a
' @8 r0 J, ^1 V2 rW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
2 a/ ^7 s. Q. B1 A5 t  {, {7 FYou can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.


) M- s5 H& g& Y3 ^  00401067:  push      00402025    ; \\.\SICE
- T, e3 l) |) c7 G  f7 X  0040106C:  call      CreateFileA
. c" l! X9 M5 i; V8 @( j* P  00401071:  cmp       eax,-001
  00401074:  je        00401091
1 H: f+ O" V& @; e* k# N% T
1 M; N# v$ L+ I, P4 F( I3 m
% U8 F* D! u" M6 _% K8 \+ UThere could be hundreds of BPX you could use to detect this trick.
$ p% ^( B2 d* A8 b1 L1 F* z2 u+ w-The most classical one is:
1 ]; \3 J' M1 }  B6 W  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
3 h; W$ S$ ?4 U$ }( X" I! V    *(esp-&gt;4+4)=='NTIC'
: @- ?/ J: z; o; Q) s+ [- v
9 N) W$ }2 l2 p) S. }8 |-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
     ;will break 3 times :-(

( H5 a1 c# K& L$ S0 R/ x-or (a bit) faster:
, y, Y4 s8 a9 s' s: a   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

# ^* G: ^1 k2 E   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
8 W( N& S# O, i) L$ s) h     ;will break 3 times :-(
, [2 a8 K$ C: \6 W/ E
' s) v" p3 N, i0 R* r0 L-Much faster:
' F' m1 U; r$ ~) a   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
; ^- K9 z% ?  T& ^1 q. O$ b   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
' I0 b/ `1 F& U' Y1 I   call    KERNEL32!_lopen
* r# P7 ?& b; a! S2 Z   inc     eax
   jnz     00650589                  ; detected
( X# t3 V5 b0 j' ?: Z5 n2 k* Q   push    00                        ; OF_READ
8 H9 Q! v" a3 J4 s7 c   mov     eax,[00656638]            ; '\\.\SICE'
2 ?* r$ n* F) t- I0 V   push    eax
9 c7 ^* O2 P1 g/ g9 M' a; W" z% R# v   call    KERNEL32!_lopen
6 k! C/ ~8 A  p2 B) }" e1 Z3 g   inc     eax
   jz      006505ae                  ; not detected

) Z9 O+ r- J! n' D2 d
0 W- x# Q+ R* F6 ^- [" I__________________________________________________________________________

Method 12
  m1 N; {: U. M. H=========

0 X# T' p7 @( f8 q  {: ~' V) yThis trick is similar to int41h/4fh Debugger installation check (code 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
( D6 q$ A- L1 y; `; q! Q; ~as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
( Y' L1 u4 R6 o/ z6 S7 f
; Q+ e& J, O  M1 [3 i* L9 R; j- V2 }   push  0000004fh         ; function 4fh
. C. k0 r+ O6 B3 _0 P3 b; E   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                             (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
2 `# r7 ?% u3 B  w0 z5 @- B* b* K   jz    SoftICE_detected
- k( ?2 F; j! f# K
, M- O7 @* ^4 R' u, O2 u; {Here again, several ways to detect it:

( P7 f! q- A( g    BPINT 41 if ax==4f

+ E1 K* e7 F, `6 R# o' |    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
6 C3 V' w# A1 M/ U
$ Y4 a7 o3 g5 E    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

; \8 Q2 Y* x! G__________________________________________________________________________

Method 13
=========
# z/ X: `3 ~1 L, R
1 a5 H( }. d$ t, K& l  f! T1 QNot a real method of detection, but a good way to know if SoftICE is
9 c* z" b( u3 T2 [4 ninstalled on a computer and to locate its installation directory.
5 ?' |# }4 h8 L8 D4 |It is used by few softs which access the following registry keys (usually #2) :

6 L& u" g& a+ G-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
$ w% W2 m) A, M# [" @2 m: s\Uninstall\SoftICE
% g. ]- z. c6 T( V& Y: R-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe
3 g; g8 h" P/ W

1 r* J+ S4 i9 e+ x. x9 i+ M7 U% ^  VNote that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

3 q5 ^/ `5 o8 v% @3 l" HUseful breakpoint to detect it:
* P8 W# f6 X! m% U) N, z
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

- {6 N. O& u* l7 u7 c7 M__________________________________________________________________________


2 t/ l9 K# V8 OMethod 14
2 O. l8 w: ]. K- j=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determines whether a debugger is running on your system (ring0 only).

: ~/ N/ z4 y3 W. K   VMMCall Test_Debug_Installed
   je      not_installed
, ^7 a0 E" ~: x+ r+ Z/ F
& R1 T) W5 L$ L9 }* J; ?; EThis service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>