About anti-SoftICE tricks

<TABLE width=500>
<TBODY>
9 O$ k! R$ G: V: o<TR>
" A, H) z, }( ?, F% b<TD><PRE>Method 01
, W& h- X; e' ~8 I=========

" s6 R! z1 I. l4 CThis method of detection of SoftICE (as well as the following one) is
. H* K( Y# ^2 [" lused by the majority of packers/encryptors found on Internet.
1 X% E7 y& e  WIt seeks the signature of BoundsChecker in SoftICE
7 D) u. J2 m1 ?  A2 U: n
/ b6 @& _$ a5 K4 S( e    mov     ebp, 04243484Bh        ; 'BCHK'
& K7 P* a0 a5 j4 I! d    mov     ax, 04h
0 p. ]  P5 n/ z  a# I/ S; ?' g    int     3      
7 O" ^1 c3 Q$ P8 d* q8 B    cmp     al,4
    jnz     SoftICE_Detected

, W1 [6 X3 O) d9 X( X1 U9 i  P___________________________________________________________________________
6 X4 S4 j* G* H. X) z- ]
Method 02
=========
6 P" S+ w$ x% h
& A( K4 P& q8 `5 v2 k: i' r5 dStill a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
4 D" H* c+ S5 j% }/ P3 `7 Yor execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
- @7 g9 C( [+ Z2 b8 z9 c2 z, {(HBOOT...) :-((  
, B( v* Z$ N* ^7 X" W! T# ~
' z1 p, n+ T4 K7 P# `9 ^Here is a quick description:
* f5 V0 b: n+ b2 w-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
-AX = 0912h   (Get breakpoint infos)
6 h" Q5 u- [" Z5 i; P-AX = 0913h   (Set Sice breakpoints)
  J) r- @4 [2 |. c8 T# x-AX = 0914h   (Remove SIce breakoints)
# }0 x- }8 D5 v! }& K& M
  S# S8 t; t/ _3 ?, t' REach time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
& p7 t7 A$ a5 a2 [& J4 WWhich are the 'magic values' used by SoftIce.
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.

" Z" L5 E1 |" y4 K4 g7 p8 V$ ZHere is one example from the file "Haspinst.exe" which is the dongle HASP
( ]9 p) C; s/ L, l) BEnvelope utility use to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
6 R2 }4 M7 y3 m4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
0 ]( b# Y7 l9 D4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
% Y3 r9 `+ L0 q2 V4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)
5 t- y8 y$ X+ ~$ @
The program will execute 6 different SIce commands located at ds:dx, which
4 g# z% f: A" X+ a: W+ mare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

& J+ v5 J; B  t7 h$ u* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
# X  I/ \6 s$ X2 \8 @___________________________________________________________________________

  u- N1 _* Q/ V* O# Y& Y. q
Method 03
=========
6 Y- j! L+ d2 n1 D8 H" S
Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)
        
$ G% Q  G* ]0 L+ F; k0 N1 m9 ]
    xor     di,di
    mov     es,di
# o" A# _6 m8 a7 _) Q    mov     ax, 1684h      
5 Y& t) R; ~7 @    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
( y7 t2 |# B6 ?" y    add     ax, di
    test    ax,ax
( Z/ }9 Z4 q! i  f" t$ r# J    jnz     SoftICE_Detected
9 N1 l2 M) y( o8 g  q4 `
___________________________________________________________________________
7 W; m* F8 F7 C$ E5 i1 r+ |
Method 04
=========

4 X6 G6 q3 X  m$ {0 U8 k8 c: ?Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
5 q$ g; z9 _9 }$ `" M    mov     ax, 1684h      
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
7 j$ H2 l2 o+ W3 x9 H    int     2fh
  M6 s8 N& P& u; i$ ?! e/ P; F    mov     ax, es          ; ES:DI -&gt; VxD API entry point
+ R  w( \  C5 G1 H; j; J8 U    add     ax, di
3 P. C" Z; g% I; S; o: P    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________
# f+ b( h0 {! p+ @0 I$ B6 I# R

Method 05
; w  ]' ]4 H, F  r=========

4 ^# `+ U; s# qMethod seeking the 'magic number' 0F386h returned (in ax) by all system
debugger. It calls the int 41h, function 4Fh.
There are several alternatives.  

5 |# i$ ^" Q  g8 dThe following one is the simplest:
8 z& A3 N9 B# i  ]7 Q
    mov     ax,4fh
    int     41h
( n" N9 O! M. s    cmp     ax, 0F386
    jz      SoftICE_detected
6 E) E% k. z' G
- {; B  v. V$ o" L" w+ n
2 G6 A7 S" p1 k9 lNext method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):
! Q, B5 j, J* o; d
& O8 e+ @) U; c, ?; y* }% K    mov     bx, cs
) I8 s: ]' R  f2 ?& s3 Y    lea     dx, int41handler2
' T; j8 {' z! W: d0 j    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
, {0 }( C; W" ~  m- B$ g" n    mov     ax,4fh
    int     41h
$ V- H3 r0 C! ?. F    xchg    dx, es:[41h*4]
# l- u, |! S! {3 E0 Q    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected
4 R, _+ S6 V$ l+ T  }
- f9 o8 f9 M  V1 [8 A7 Rint41handler2 PROC
    iret
int41handler2 ENDP
4 J5 Q# B# E! U1 h
2 E/ s# W, h0 L4 b3 L+ T
_________________________________________________________________________
3 k* P% |" c- E" y( j9 S$ L" |: d
# m$ v# R' y/ Z- X8 u6 [
Method 06
  z% R. @! S% F0 [, u' n=========


2nd method similar to the preceding one but more difficult to detect:
5 ^# `" R' z7 ?* U2 H1 ~

int41handler PROC
    mov     cl,al
$ ~, E' X. z! Z3 Q    iret
int41handler ENDP

  a; M8 r6 n9 B2 s. ]
    xor     ax,ax
1 C; ~; Z5 K1 `) o$ l/ }; r    mov     es,ax
    mov     bx, cs
5 l9 b  S/ {1 `2 r4 v    lea     dx, int41handler
    xchg    dx, es:[41h*4]
. s' t8 {% O: o: ]6 V  G2 v8 h    xchg    bx, es:[41h*4+2]
    in      al, 40h
2 H3 O7 y- c$ H3 D    xor     cx,cx
/ ^! w6 Q- l) f% t3 {    int     41h
% k6 t& c5 Z6 ^; ], P4 ]. L4 {    xchg    dx, es:[41h*4]
0 o2 e7 W6 D% [& W; ?" S; P5 |    xchg    bx, es:[41h*4+2]
    cmp     cl,al
9 p4 q" W& z+ |3 E+ ~    jnz     SoftICE_detected

_________________________________________________________________________
  e$ ?( v( z. m: B
+ S: A; f4 l+ k/ MMethod 07
+ X2 s) W0 T1 k9 [1 _- j=========
/ v0 ?* M8 o9 D3 A+ r6 E) J) ^9 k
Method of detection of the WinICE handler in the int68h (V86)
* j8 a3 r/ d& |( O
$ d- m% H2 [1 c    mov     ah,43h
    int     68h
" l# B% v; j7 u    cmp     ax,0F386h
    jz      SoftICE_Detected
4 L/ s% E+ D' w; `0 v
, g' A& Y" e: x, [8 l& i
=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
  W2 u/ U* y5 o7 b: M$ w   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

7 O. y3 B8 C: P
Method 08
$ H+ Q* \3 y* \! Z3 A$ F- l=========

It is not a method of detection of SoftICE but a possibility to crash the
4 o- {5 U# c6 Ksystem by intercepting int 01h and int 03h and redirecting them to another
5 [# n3 o6 L) `  s! m( ]& Aroutine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
/ l- R+ U- ]& L7 Bto the new routine to execute (hangs computer...)
* Q+ P  D" Q; f$ G+ S
$ R, A9 H$ S+ y9 x    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
) [7 ^1 m( M  B- U    mov     dx, offset New_Int_Routine
    int     21h

# _* ]( e% h* o# k( q__________________________________________________________________________

Method 09
( z! v1 J6 {, j) \=========
! j# I  v! d) ]! r
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
- R9 F2 Q4 a6 y( @( SThe Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.
% D2 s4 K: h+ x& I2 s, l9 _; W$ G
6 g3 j- b: d( u; ^; i4 q   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
3 I6 _5 Z8 U' V4 x7 O   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
6 f  N1 o; o1 V; D. t8 n   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
4 C( ]. s; [( A3 u- H" I
Note as well that you can easily detect this method with SoftICE:
$ B8 u0 V# Z: P/ x5 d2 A   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
. S$ i8 p% t- W: R$ b
Method 10
7 }% w3 B: F2 P# {4 o. m=========

=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
' P1 C. `& [. x# r  SoftICE while the option is enable!!
4 x% N8 [1 B& f  Q; @7 u
, E. w$ x- v3 x/ O- VThis trick is very efficient:
' |) Y: ~! o2 |* n7 vby checking the Debug Registers, you can detect if SoftICE is loaded
. `6 q6 z* E7 ?* k5 P(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
2 p+ z- w0 _3 p( l6 Sthere are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and or changed as well
(clearing BPMs for instance)

' i" g/ Q3 _1 M$ z) v$ U__________________________________________________________________________
! i: u  S6 N+ v8 p6 T( B
Method 11
( X' H& o: H* ~5 G$ k+ P=========
: m/ N# ^! }2 @6 |0 W" R
This method is most known as 'MeltICE' because it has been freely distributed
/ n5 e/ b# [( e+ jvia www.winfiles.com. However it was first used by NuMega people to allow
. V* Z2 H. @& w  I1 T3 V* ^Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

) t5 ?$ w) ]5 @/ K& IThe way it works is very simple:
4 L  }5 j; A% n1 ?' @" e3 OIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
2 O/ E7 u7 Z3 O4 O% TWinNT) with the CreateFileA API.
( F4 q; A- T: }0 l% Y
Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
, E7 t# s6 v" V{
" N6 D3 ^" \4 n# j$ D   HANDLE hFile;  
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
# s, R' C5 d! X" i2 h, U: A& `                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
0 e; Y* B) d8 p2 \- K* ^8 N4 I- g. ^   if( hFile != INVALID_HANDLE_VALUE )
   {
$ m* y+ M- j% X# ~& b2 q      CloseHandle(hFile);
/ g  K7 `( x- i5 Z/ h9 ?      return TRUE;
/ t% t# n, j7 P8 M( W   }
1 q# F. \9 ?+ R0 b" t- m   return FALSE;
+ B7 @" a6 C' Y0 c. v4 y6 I3 g}

# k, `2 K$ \$ u' |Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing a IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
  _) n  q/ v/ y$ I# W- R3 |) kfield.
; V, [. h+ l0 `  A( j0 g$ `/ j7 wIn fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
7 V8 a8 J7 k! D# m. }to load/unload a non-dynamically loadable driver such as SoftICE ;-).
4 B6 |" o6 H. I3 s) x$ nIf the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
+ W' E9 H3 X* }( I6 _You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

" F3 g3 Y6 W9 l) [: p
  00401067:  push      00402025    ; \\.\SICE
; y1 i7 _5 N) ?/ Z+ Q5 A- V  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
' v- Q3 t$ q: n, @1 ]  00401074:  je        00401091
& p) u# K5 J7 s3 l

2 |5 r+ h4 R% H$ z# \# E2 G( DThere could be hundreds of BPX you could use to detect this trick.
& u' ~  ?: o/ e7 I  v2 ~: G- b, A4 j1 m-The most classical one is:
" p$ g- X- \; p( f: C; q  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'
  h: x/ J7 R; B; R$ z% n* ^* I1 x
0 I: L4 ?5 |( X5 E-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
( c, E  O1 \# \& V     ;will break 3 times :-(
3 |9 u( _4 _6 [* i2 c2 x
' I6 G2 j3 ?6 d$ m' O& P4 Z-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
     ;will break 3 times :-(
7 h3 p! @" B/ z; W' m4 s
& ?0 p; l: U) i8 {3 `/ |-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
function to do the same job:
, J4 ]* |0 \/ @: S* O* @8 S7 [' z: A
   push    00                        ; OF_READ
; J; v2 d- O1 K; @$ O   mov     eax,[00656634]            ; '\\.\SICE',0
* L/ u. h8 Y0 O0 j   push    eax
   call    KERNEL32!_lopen
5 F1 q5 X: {& ?9 y$ Y   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
' y. |, s0 |3 o6 E% ]1 d   call    KERNEL32!_lopen
  F  @/ @! r( o+ e) _& C6 o$ o   inc     eax
   jz      006505ae                  ; not detected
1 E7 f9 {% K& a8 [, V

__________________________________________________________________________

Method 12
=========

) s, m: d+ J5 z/ {7 {$ EThis trick is similar to int41h/4fh Debugger installation check (code 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
: w4 O; @: D$ G) F+ ?; m# Z- tas it uses the VxDCall backdoor. This detection was found in Bleem Demo.
0 y  W9 e. V" @  N1 j4 }% O
   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
- ]1 R7 q# f1 t3 P                           ; low word specifies which service
: a2 C9 L3 j9 I( ]% Y                             (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
0 m! Z! ~+ G/ z& x0 C1 T/ B+ {3 z) n   cmp   ax, 0f386h        ; magic number returned by system debuggers
, ]( o5 e3 T) `   jz    SoftICE_detected
# O) `' ?8 D2 ]4 J3 p7 {
# q$ N9 |' B4 ~5 Z+ fHere again, several ways to detect it:
8 J! L* L' v% d& M, K7 B
; U9 g0 D; I( V    BPINT 41 if ax==4f

- m5 C1 w7 g+ B    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
$ Z+ L+ I" [; ^0 f4 W" H
. }1 D) l+ k7 r) J* L& z5 G+ C    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

; U) w9 k* }, k0 g__________________________________________________________________________

: Z! h5 a8 j. z* P' aMethod 13
=========

  L6 }4 Y9 F. m% Y2 h! f/ TNot a real method of detection, but a good way to know if SoftICE is
7 p- }9 @1 i' p' {% n0 Iinstalled on a computer and to locate its installation directory.
' i( I! l" D2 @' c$ C$ o$ G  LIt is used by few softs which access the following registry keys (usually #2) :

2 a  U' `& D5 Z6 c-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
0 w; i% L  j4 e3 ?+ l-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
3 V" ~, U! A' u; j  W5 E# U-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
* j  i) l3 b1 m6 `* [\App Paths\Loader32.Exe

" `- Z% Y1 D: d
Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

& P, x- w0 b6 O6 l4 S- X' EUseful breakpoint to detect it:
- A7 g% w/ Y  ~' U
4 ]: G! f+ i( ~: J. W+ Z     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
1 s1 s; ?! H4 b5 k0 \- {
__________________________________________________________________________
: k. t" z0 |) P* `! ~$ O7 r: k' k' f

Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determines whether a debugger is running on your system (ring0 only).
+ i3 X& s/ h$ B. d8 ]. q2 k* {  @/ m
/ [% h! _) F' k8 S, J) i   VMMCall Test_Debug_Installed
" W7 U' a! k8 D% a0 p2 w9 x1 X   je      not_installed
: p" b0 E# u  J/ s
% H+ ~; A  p3 E, _6 O, g4 `This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>