Detecting SoftICE by Calling INT 3h
This is one of the best known anti-debugging tricks, and it uses a back door in SoftICE itself. It works in all versions of Windows, and it is based on calling INT 3h with the registers holding the following values: EAX=04h and EBP=4243484Bh, which is the "BCHK" string in ASCII. If SoftICE is active in memory, the EAX register will come back containing a value other than 4; if SoftICE is not active, INT 3h raises an exception instead, which is why the listing installs an exception handler before issuing it. This trick has often been used in the code of various compression and encoding programs, and it is well known because of its wide use. When used well, it may cause trouble even for the more experienced crackers.

.386
.MODEL FLAT,STDCALL
locals
jumps
UNICODE=0
include w32.inc

Extrn SetUnhandledExceptionFilter : PROC

.data

message1    db "Detection by calling INT 3h",0
message3    db "SoftICE found",0
message2    db "SoftICE not found",0
delayESP    dd 0                 ;the ESP register is saved here.
previous    dd 0                 ;the address of the previous SEH service is saved here.

.code

Start:
;-------------------------------------------------------------------------------
;Sets SEH in case of an error
;-------------------------------------------------------------------------------
    mov  [delayESP], esp
    push offset error
    call SetUnhandledExceptionFilter
    mov  [previous], eax
;-------------------------------------------------------------------------------
;The new address for Structured Exception Handling (SEH) is set here to ensure that in case of an
;error, the program will continue from an error label and will end correctly. This is important
;if, for example, the program calls an interrupt that will be performed correctly only if SoftICE
;is active, but which will cause an error and crash the program if SoftICE is not active.
;Finally, the previous SEH service address is saved.
;-------------------------------------------------------------------------------
    mov  eax,4                   ;"magic" values used to find out
    mov  ebp,"BCHK"              ;whether SoftICE is active
    int  3h                      ;calls the INT 3h interrupt
    push eax                     ;saves the return value
;-------------------------------------------------------------------------------
;Sets previous SEH service
;-------------------------------------------------------------------------------
    push dword ptr [previous]
    call SetUnhandledExceptionFilter
;-------------------------------------------------------------------------------
;Restores the original SEH service address
;-------------------------------------------------------------------------------
    pop  eax                     ;restores the return value
    cmp  eax,4                   ;tests to see whether eax was changed
    jnz  jump                    ;if it was changed, SoftICE is active in memory
continue:
    call MessageBoxA,0, offset message2,\
         offset message1,0
;-------------------------------------------------------------------------------
;If the return value is 4, SoftICE wasn't found and the program prints out an error message.
;-------------------------------------------------------------------------------
    call ExitProcess, -1         ;ends program
jump:
    call MessageBoxA,0, offset message3,\
         offset message1,0
;-------------------------------------------------------------------------------
;Displays a message that SoftICE was found; any code may follow this point.
;-------------------------------------------------------------------------------
    call ExitProcess, -1         ;ends program
error:                           ;starts a new SEH service in case of an error.
    mov  esp, [delayESP]
    push offset continue
    ret
;-------------------------------------------------------------------------------
;If an error occurs in the program, SEH will ensure that the program will continue from the
;error label.
;-------------------------------------------------------------------------------
ends
end Start                        ;end of program
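The check above has a fixed byte pattern, which is what an analyst scanning a suspect binary for this anti-debugging trick would look for. The following Python scanner is an added example, not code from the original article; the buffer it scans is constructed here from the opcodes the listing assembles to (mov eax,imm32 = B8, mov ebp,imm32 = BD, int 3 = CC or CD 03), and it tolerates the two mov instructions in either order with a small gap between the pieces.

```python
"""Signature scan for the SoftICE "BCHK" INT 3h back-door check in x86 code.

Added example, not code from the original article. It looks for the bytes the
listing above assembles to:
    mov eax,4        -> B8 04 00 00 00
    mov ebp,"BCHK"   -> BD 4B 48 43 42   (imm32 4243484Bh, stored little-endian)
    int 3h           -> CC (or CD 03, the two-byte form)
"""
import re
import struct

MOV_EAX_4 = b"\xb8\x04\x00\x00\x00"
MOV_EBP_BCHK = b"\xbd" + struct.pack("<I", 0x4243484B)  # b"\xbd\x4b\x48\x43\x42"
INT3 = rb"(?:\xcc|\xcd\x03)"

# The two movs may appear in either order; tolerate up to 16 bytes of other
# instructions between the pieces of the sequence.
_GAP = rb".{0,16}?"
_PATTERN = re.compile(
    rb"(?:" + re.escape(MOV_EAX_4) + _GAP + re.escape(MOV_EBP_BCHK)
    + rb"|" + re.escape(MOV_EBP_BCHK) + _GAP + re.escape(MOV_EAX_4)
    + rb")" + _GAP + INT3,
    re.DOTALL,
)

def bchk_magic_as_text(imm32: int = 0x4243484B) -> str:
    """Render the EBP immediate as the ASCII string it spells ("BCHK")."""
    return imm32.to_bytes(4, "big").decode("ascii")

def find_bchk_checks(code: bytes) -> list:
    """Return the offset of every BCHK back-door sequence found in `code`."""
    return [m.start() for m in _PATTERN.finditer(code)]

# Constructed sample buffer: the listing's check (followed by its 'push eax'),
# an unrelated lone 'mov eax,4 / ret' far from any BCHK load, and a variant
# with the movs reversed and the two-byte int 3 encoding.
SAMPLE = (
    b"\x90" * 3
    + MOV_EAX_4 + MOV_EBP_BCHK + b"\xcc" + b"\x50"       # hit at offset 3
    + b"\x90" * 4
    + MOV_EAX_4 + b"\xc3" + b"\x90" * 20                  # not a hit
    + MOV_EBP_BCHK + b"\x90" + MOV_EAX_4 + b"\xcd\x03"    # hit at offset 45
)

if __name__ == "__main__":
    print("EBP magic spells:", bchk_magic_as_text())
    for off in find_bchk_checks(SAMPLE):
        print(f"BCHK check found at offset {off:#06x}")
```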