Detecting SoftICE by Calling INT 68h
Here's a way to detect the presence of SoftICE in memory by calling INT 68h. The AH register must contain the value 43h before calling INT 68h. If SoftICE is active in memory, the return value 0F386h will be in the AX register. This is a well-known method of detecting SoftICE that is safe and commonly used, but only in Windows 9x. You can see it in action, for example, in SafeDisc:

.386
.MODEL FLAT,STDCALL
locals
jumps
UNICODE=0
include w32.inc
Extrn SetUnhandledExceptionFilter : PROC

.data
message1  db "Detection by calling INT 68h",0
message3  db "SoftICE found",0
message2  db "SoftICE not found",0
delayESP  dd 0                      ;the ESP register is saved here
previous  dd 0                      ;the address of the previous SEH service
                                    ;is saved here

.code
Start:
;------------------------------------------------------------------------------------------------
;Sets SEH in case of an error
;------------------------------------------------------------------------------------------------
        mov     [delayESP],esp
        push    offset error
        call    SetUnhandledExceptionFilter
        mov     [previous],eax
;------------------------------------------------------------------------------------------------
;The new address for Structured Exception Handling (SEH) is set here to ensure that in case of an
;error, the program will continue from the error label and will end correctly. This is important
;if, for example, the program calls an interrupt that will be performed correctly only if SoftICE
;is active, but which will cause an error and crash the program if SoftICE is not active. Finally,
;the previous SEH service address is saved.
;------------------------------------------------------------------------------------------------
        mov     ah,43h              ;service number
        int     68h                 ;calls the INT 68h interrupt
        push    eax                 ;saves the return value
;------------------------------------------------------------------------------------------------
;Sets the previous SEH service
;------------------------------------------------------------------------------------------------
        push    dword ptr [previous]
        call    SetUnhandledExceptionFilter
;------------------------------------------------------------------------------------------------
;The original SEH service address has been restored.
;------------------------------------------------------------------------------------------------
        pop     eax                 ;restores the return value
        cmp     ax,0f386h           ;tests whether the return value is
                                    ;the "magic number"
;------------------------------------------------------------------------------------------------
;If SoftICE is active in memory, the return value will be F386h in the AX register.
;------------------------------------------------------------------------------------------------
        jz      jump                ;if yes, the program jumps because SoftICE is
                                    ;active in memory
continue:
        call    MessageBoxA,0,offset message2,offset message1,0
                                    ;if the return value was other than F386h,
                                    ;SoftICE was not found, and an error message
                                    ;will be displayed
        call    ExitProcess,-1      ;ends the program
jump:
        call    MessageBoxA,0,offset message3,offset message1,0
                                    ;prints a message that SoftICE was found; any
                                    ;code may follow from this point
        call    ExitProcess,-1      ;ends the program
error:                              ;the new SEH service starts here in case of an error
        mov     esp,[delayESP]
        push    offset continue
        ret                         ;if an error occurs in the program, SEH passes
                                    ;control to the error label, which resumes the
                                    ;program at the continue label
ends
end Start                           ;end of program
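As an added example that is not part of the original article or of SafeDisc, the following C program scans a raw 32-bit x86 code buffer for the byte sequence this trick assembles to (mov ah,43h; int 68h, followed within a few bytes by cmp ax,0F386h), which is how an analyst can flag the check when triaging a protected binary. The two sample buffers, the MAX_GAP tolerance and the dummy call/memory operands are constructed for the demo.

```c
/* Added example, not from the article or SafeDisc: a static scanner that flags the
 * INT 68h / AH=43h SoftICE check in a raw 32-bit x86 code buffer when triaging a
 * sample's anti-debugging tricks. Encodings matched:
 *   B4 43  mov ah,43h   CD 68  int 68h   66 3D 86 F3  cmp ax,0F386h */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MAX_GAP 32 /* bytes tolerated between int 68h and the magic-value compare */

static const uint8_t MOV_AH_43[]   = { 0xB4, 0x43 };
static const uint8_t INT_68[]      = { 0xCD, 0x68 };
static const uint8_t CMP_AX_F386[] = { 0x66, 0x3D, 0x86, 0xF3 };

/* Constructed sample mirroring the article's sequence (operands are dummies):
 * mov ah,43h / int 68h / push eax / push [mem] / call rel32 / pop eax /
 * cmp ax,0F386h / jz */
static const uint8_t SAMPLE_HIT[] = {
    0x90, 0x90, 0xB4, 0x43, 0xCD, 0x68, 0x50,
    0xFF, 0x35, 0x00, 0x30, 0x40, 0x00, 0xE8, 0x00, 0x00, 0x00, 0x00,
    0x58, 0x66, 0x3D, 0x86, 0xF3, 0x74, 0x10
};
/* Constructed sample: the interrupt alone, with no compare against F386h */
static const uint8_t SAMPLE_CLEAN[] = { 0xB4, 0x43, 0xCD, 0x68, 0x50, 0xC3 };

static int match_at(const uint8_t *buf, size_t len, size_t pos,
                    const uint8_t *pat, size_t plen)
{
    return pos + plen <= len && memcmp(buf + pos, pat, plen) == 0;
}

/* Returns the offset of "mov ah,43h; int 68h" when "cmp ax,0F386h" follows
 * within MAX_GAP bytes, or -1 when the pattern is absent. */
long find_int68_softice_check(const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i + 4 <= len; i++) {
        if (!match_at(buf, len, i, MOV_AH_43, 2) ||
            !match_at(buf, len, i + 2, INT_68, 2))
            continue;
        for (size_t j = i + 4; j < i + 4 + MAX_GAP; j++)
            if (match_at(buf, len, j, CMP_AX_F386, 4))
                return (long)i;
    }
    return -1;
}

int main(void)
{
    printf("hit sample:   offset %ld\n", find_int68_softice_check(SAMPLE_HIT, sizeof SAMPLE_HIT));
    printf("clean sample: offset %ld\n", find_int68_softice_check(SAMPLE_CLEAN, sizeof SAMPLE_CLEAN));
    return 0;
}
```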