About anti-SoftICE tricks

<TABLE width=500>
<TBODY>
- ]4 A- g% O) Y# U' A/ C<TR>
<TD><PRE>Method 01
) i, l  ?9 o4 s+ f5 q=========
! G) A( ~& ~  \( }( @
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE
) j- s; F5 c! k* b) e8 O& k+ s, w
    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
. y! U! V8 b7 _' r- ^/ Y    int     3      
0 c) m2 D( \5 j2 i& {7 {    cmp     al,4
( d& E! z9 S0 h    jnz     SoftICE_Detected
4 _% t. k7 }% G( E' {  }/ ^# q
___________________________________________________________________________
. @7 r6 q9 y9 D8 N7 D# G
Method 02
# k) ^2 x" r( X=========

7 L0 n0 d. j  RStill a method very much used (perhaps the most frequent one).  It is used
+ u& N3 `& ~! D# B  Gto get SoftICE 'Back Door commands' which gives infos on Breakpoints,
2 l2 v" d$ }# V6 `- W4 tor execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
5 w! Q( B0 O) X& u  V(HBOOT...) :-((  

Here is a quick description:
! I: p& |) ^" f. j6 i, N; P+ }4 e: W9 m-AX = 0910h   (Display string in SIce windows)
' o  G/ P4 V% C4 w, [; S6 S-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
0 R; Q) K( p. Z4 T3 I* ^-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set Sice breakpoints)
-AX = 0914h   (Remove SIce breakoints)
/ K% u1 x" t3 B$ W/ ^! u
Each time you'll meet this trick, you'll see:
-SI = 4647h
) w- R  D2 d( o3 i1 w' X: g  N-DI = 4A4Dh
% R9 m8 [  r, m* _7 `Which are the 'magic values' used by SoftIce.
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
7 ~& G- u, `. b$ S7 k+ U
$ Y& r& X$ l. B2 m4 c' Z# fHere is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility use to protect DOS applications:
' ~3 g: E" s1 \' z+ `

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
1 t+ j  f- E& E: x5 F% e4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
6 P: n% G# p0 O6 t4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
0 p6 }3 F# P& ^) ~1 g# x0 m, ~- q  E4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
& `0 b  a: _; Q  k+ N4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)
5 w% ^1 f0 C: k% `1 F, L" \8 o
The program will execute 6 different SIce commands located at ds:dx, which
, C% }) P6 Q4 d4 hare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
: Y/ e( R2 R; I; k7 _
7 I* y0 @4 A8 {' y, ^2 V% ^8 y; h* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

, \" G+ v' `" |, ^. u- Q
Method 03
=========
9 H* ?5 x' H4 x8 k6 F# P& V
Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)
6 z2 |6 V2 Y, K: \        

    xor     di,di
    mov     es,di
& m2 B+ U8 [; D" M7 k. ?    mov     ax, 1684h      
9 L6 |+ H( ?. K+ J9 z    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

9 R/ e+ S+ w1 f: z3 @, D; q5 c/ F' d___________________________________________________________________________
) \& C+ L! L' N- A
  ^; X8 J1 }5 R8 S7 L1 aMethod 04
=========
9 [4 o  Z$ o3 X- F  F
; _; e, S" `  V, e3 Q# e% rMethod identical to the preceding one except that it seeks the ID of SoftICE
, e% H! A$ }- `* U8 {5 _# O% g! XGFX VxD.
* i  k8 C. Z* {0 V
    xor     di,di
    mov     es,di
% A5 O8 o9 {6 M8 c; M& Y" \) R    mov     ax, 1684h      
0 c: R/ Y* C& A+ K( }. A  h    mov     bx, 7a5Fh       ; VxD ID of SIWVID
6 O. g$ L6 G7 q4 d6 P    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
; o3 y4 j3 l2 C% F" l* c& T    add     ax, di
. u" N0 U0 V+ S/ P    test    ax,ax
    jnz     SoftICE_Detected
$ y: H7 q/ w+ s, V% c& S+ M6 l
( E9 \7 R8 v2 [: [__________________________________________________________________________

. G+ d* S& M( R2 K( R
Method 05
=========
# a0 p! Q8 l/ X0 o+ b+ C/ b2 R
Method seeking the 'magic number' 0F386h returned (in ax) by all system
debugger. It calls the int 41h, function 4Fh.
There are several alternatives.  
4 D; i  |& P. @3 `; z& o
: C1 S) N! c% r% f7 r# ?The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386
    jz      SoftICE_detected


: E8 g4 p7 R* W: [# d: Z2 ]Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):
( M' y7 l! d! i* v
+ A! m; U) Y* L/ T( r  S+ o    mov     bx, cs
4 Y' s; F0 z- ^: n' ~. O    lea     dx, int41handler2
! w# Z$ y# l2 f4 A6 q    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
2 S/ G! ]2 K) O3 T    mov     ax,4fh
! `: U; O* r& u2 K    int     41h
    xchg    dx, es:[41h*4]
' w4 x* D/ Q( C5 Y: K& X' r    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
! O: Z# K& G  D9 T2 W    jz      SoftICE_detected

int41handler2 PROC
2 |( n8 ?* b" n    iret
, i4 d$ w9 W; N3 _: y3 dint41handler2 ENDP
' M2 J1 {7 {3 g, {) J# X+ v

- d- k9 b9 w7 m( ~' @! W_________________________________________________________________________
% k7 H( a" w9 }  \9 R

& U8 i2 p- l7 P0 Y5 JMethod 06
+ i; ?* f  ?  o2 V=========
5 N, R3 q5 P2 l' s1 T
9 r' \* U0 Q: l. X
2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
* b5 X0 j2 \; G, d7 f# i! T5 N& Y4 N    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
1 n. f9 z) R3 F( c    mov     bx, cs
    lea     dx, int41handler
/ d$ d. M* ?1 C' C9 [& \, t    xchg    dx, es:[41h*4]
% Y: l: l- E$ O) x8 D" S  E  ~    xchg    bx, es:[41h*4+2]
3 n: D/ w6 o9 g4 n7 `0 w+ c; \& M9 M9 y+ b    in      al, 40h
    xor     cx,cx
    int     41h
* G4 \0 _0 a, i$ R4 ?" i9 l    xchg    dx, es:[41h*4]
6 m; Q2 C" R7 K6 `  g; f. Q1 O    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected
0 v8 I  j+ N5 A
_________________________________________________________________________
4 _  y- y1 V- G) I! \2 H4 x
7 K5 t; b1 }: h) j5 ~$ v2 NMethod 07
, v  H" x: Z; z, M" R=========

5 k" F: j7 L8 E9 rMethod of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected
2 l: p% y3 D1 y/ s
7 C% ^/ j& D, g, E
/ L, w6 y" Z# d1 K3 L. t  q5 @=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
) ]8 B5 g) U) @) d   app like this:
* f& V  j( a0 M& @+ U7 y3 P' p
   BPX exec_int if ax==68
4 ?: n9 d  r! {   (function called is located at byte ptr [ebp+1Dh] and client eip is
0 W$ l. w" M+ W& D- r  t. }: v   located at [ebp+48h] for 32Bit apps)
: G6 z& E4 h- x& c4 x( T__________________________________________________________________________

7 B, M5 ]# c1 J* s! P
& Z9 U. u. l7 i; o% v- EMethod 08
1 m; X  X7 C+ \. i=========
, M- X3 q& ^/ O
It is not a method of detection of SoftICE but a possibility to crash the
  v% u7 [& o  `: t$ H% b; isystem by intercepting int 01h and int 03h and redirecting them to another
8 k6 A+ v$ m9 I  ^& Yroutine.
' O; j* r7 q& ^: ~$ J0 ?- F& l* aIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

0 k4 A  d# i4 X9 h4 A    mov     ah, 25h
+ [" n# n4 k' p$ H0 [    mov     al, Int_Number (01h or 03h)
1 w7 Z2 W8 _* k+ d    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
, p5 Q1 R* S/ G, G, N5 K=========
" _. f7 h' J& @! x  C$ n
  |; _: u9 k; }$ MThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
6 Z, Q! s, @' L& i  |performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.
& H& z1 T: b6 i1 G  F! R+ ^$ |
5 _% ]: }% Z" k' M! k0 M& R   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
, Y  o# H& N$ M   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
0 H  i# }( M/ z$ o   VMMCall Get_DDB
$ s+ u" G: e% O' n; i+ H   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
. _7 [6 I& S+ d/ N- ~, e( A: |  j, {   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========
- X, M2 @0 J  K8 K& z) f+ p
=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enable!!
" g' `, `  \. d
This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
9 I+ S8 B/ J. e3 _+ Z- wthere are some memory breakpoints set (dr0 to dr3) simply by reading their
9 }  n9 j; W5 _1 e% u3 {value (in ring0 only). Values can be manipulated and or changed as well
3 `) {; m# N: o6 p. ^) t(clearing BPMs for instance)
* Z; R: U6 h/ H
$ @/ _) C6 T6 {( S% S( F__________________________________________________________________________
8 y! X8 P$ p6 z; I4 U
( J/ ]9 @8 |6 M, EMethod 11
) K* Q( U" {6 I$ X* D3 X=========

, E8 H7 ]2 y' M& x0 ?This method is most known as 'MeltICE' because it has been freely distributed
3 b5 i! A, f+ t8 ^9 F0 C' `! Ovia www.winfiles.com. However it was first used by NuMega people to allow
3 P( |- `. N* N, Y% C4 D  q  ]Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

: ^3 Y% |' n  W5 f+ r, W* x: P: SThe way it works is very simple:
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
- D6 e& ^; W& o+ }
Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;  
( p. k9 \* y) C# U& G- y   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
8 v0 w$ D- B' j9 ~- B8 V( A                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
: l+ Q+ y# ]. O   {
      CloseHandle(hFile);
      return TRUE;
   }
) j) `/ A3 H' [/ ]   return FALSE;
}
& t3 J4 [1 M, u- p/ f7 Q, @
+ y% s9 Q! C% n( P* E) k- ]) X9 dAlthough this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing a IFS hook: it will not work, no way!
$ f& m! R' k+ ~! a7 i" @' E+ BIn fact, after the call to CreateFileA it will get through VWIN32 0x001F
! R* _3 r; J2 O8 a& R9 Uservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
# X: Y* W& F- }  sfield.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
# W$ f: \8 ]6 W' mto load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
2 Q  X% ?/ c/ H: W7 Qits handle to be opened and then, will be detected.
" }$ G5 j: C; e9 yYou can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

7 i. R) p; l8 y% a+ S
2 f2 [& w3 M- P( M  00401067:  push      00402025    ; \\.\SICE
( Y8 {" h2 K: s$ Q! e  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
' r; {. m9 C1 K, [9 h; a  00401074:  je        00401091
. l, b1 `- t4 A+ @* A2 n, i; k

9 G' x7 U4 j# B- q6 ZThere could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
9 @% ^* D( X5 d: N; j& t2 B  J& g  k* Y. U  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'
; j( e9 Z9 k+ D
! F5 B$ t' J5 Q# ?/ F-The most exotic ones (could be very slooooow :-(
" `2 f; V! e- I1 s: b   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
7 {5 }) R! w1 i8 Z6 f' ?6 X     ;will break 3 times :-(
. s5 I/ O. }* w- h0 J
" Q; H7 }& c) I; @-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

8 u8 g4 z' I. @1 r   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
function to do the same job:
+ Y% f* ]# M1 z% z# b
   push    00                        ; OF_READ
9 E: e: d9 u+ a6 a/ H$ `) f   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
8 R& V  H) g# M2 V   jnz     00650589                  ; detected
   push    00                        ; OF_READ
' p& K8 Z* B* I. Z; X; J   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
& {7 }9 J& p; I) E" Y   jz      006505ae                  ; not detected
: v9 B% f- f1 a, n4 n" h5 f- f

__________________________________________________________________________

/ Q6 l& ^+ v/ Y, h- ~; U+ ZMethod 12
=========
1 S$ Y; w, ?% u. k& q+ c
This trick is similar to int41h/4fh Debugger installation check (code 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
$ A1 r8 C. T6 F  X8 Aas it uses the VxDCall backdoor. This detection was found in Bleem Demo.
5 g) u& h( E- I# y
* |/ `8 i- l. ]& X   push  0000004fh         ; function 4fh
5 \  B8 Z' e9 ^- m2 Y   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                             (VWIN32_Int41Dispatch)
1 ^3 ]- Z% ]7 r: A   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
1 R! {  X, `- U) Z7 q: K! n/ S- G   jz    SoftICE_detected

, ~6 r4 g- ^* i- fHere again, several ways to detect it:
0 l6 [, U$ B8 j- f: q
    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

8 k5 ~5 h2 Q- n    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A
; ^& Y$ f1 Z; S" B+ u
    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
/ ~' g0 \/ R& y$ m
__________________________________________________________________________

' u; m! F6 M; l& o' YMethod 13
2 [) z& Y. i" j4 M+ B=========
" k' L% T3 ?9 o1 ]/ ?* Y$ M' [, k0 X
Not a real method of detection, but a good way to know if SoftICE is
3 ]6 t# w' F5 _installed on a computer and to locate its installation directory.
9 @$ n, W+ l7 q! p! {4 q1 aIt is used by few softs which access the following registry keys (usually #2) :
, E7 _7 p$ q7 a
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
, R# \9 u/ F! C0 d-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
3 b) ^$ l1 C7 R; I7 E' v0 |+ j  {-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

$ c6 U/ {' F5 F8 z- O
Note that some nasty apps could then erase all files from SoftICE directory
5 ^+ v! u8 H; \- G(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
1 W! E! M; T+ b5 B4 B$ B  w# Y
+ c. `* q) R+ P: T7 S7 x' y__________________________________________________________________________


Method 14
=========
8 _' O) a1 A4 O0 c2 ]) ]+ P# q
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
3 }5 r, y& I6 L  N8 ?is to determines whether a debugger is running on your system (ring0 only).
9 L+ Y# w6 u: v! P1 }
8 W8 j6 c! B/ x) Q/ x4 b7 h2 [   VMMCall Test_Debug_Installed
   je      not_installed

. S% Z$ G" {6 t3 _1 b$ KThis service just checks a flag.
* w/ w7 F; R7 w1 s% x8 w6 n</PRE></TD></TR></TBODY></TABLE>