Detecting SoftICE by Calling INT 68h

written by: Sam Petrone; article published: year 2006, month 07;



Here's a way to detect the presence of SoftICE in memory by calling INT 68h. The AH register must contain the value 43h before calling INT 68h. If SoftICE is active in memory, the return value 0F386h will be in the AX register.

This is a well-known method of detecting SoftICE that is safe and commonly used, but only in Windows 9x. You can see it in action, for example, in SafeDisc:

.386
.MODEL FLAT,STDCALL
locals
jumps
UNICODE=0
include w32.inc

Extrn SetUnhandledExceptionFilter : PROC

.data
message1   db "Detection by calling INT 68h",0
message3   db "SoftICE found",0
message2   db "SoftICE not found",0
delayESP   dd 0                  ;the ESP register is saved here
previous   dd 0                  ;the address of the previous SEH service is saved here

.code
Start:
;-------------------------------------------------------------------------------------------------
;Sets SEH in case of an error
;-------------------------------------------------------------------------------------------------
    mov   [delayESP], esp
    push  offset error
    call  SetUnhandledExceptionFilter
    mov   [previous], eax
;-------------------------------------------------------------------------------------------------
;The new address for Structured Exception Handling (SEH) is set here to ensure that in case of an
;error, the program will continue from an error label and will end correctly. This is important
;if, for example, the program calls an interrupt that will be performed correctly only if SoftICE
;is active, but which will cause an error and crash the program if SoftICE is not active. Finally,
;the previous SEH service address is saved.
;-------------------------------------------------------------------------------------------------
    mov   ah, 43h                ;service number
    int   68h                    ;calls the INT 68h interrupt
    push  eax                    ;saves the return value
;-------------------------------------------------------------------------------------------------
;Sets previous SEH service
;-------------------------------------------------------------------------------------------------
    push  dword ptr [previous]
    call  SetUnhandledExceptionFilter
;-------------------------------------------------------------------------------------------------
;Sets the original SEH service address
;-------------------------------------------------------------------------------------------------
    pop   eax                    ;restores the return value
    cmp   ax, 0f386h             ;tests to see whether the return value is
                                 ;a "magic number"
;-------------------------------------------------------------------------------------------------
;If SoftICE is active in memory, the return value will be F386h in the AX register.
;-------------------------------------------------------------------------------------------------
    jz    jump                   ;if yes, the program jumps because SoftICE is
                                 ;active in memory
continue:
    call  MessageBoxA,0, offset message2,\
          offset message1,0
                                 ;if the return value was other than F386h,
                                 ;SoftICE was not found, and an error message
                                 ;will be displayed.
    call  ExitProcess, -1        ;ends the program

jump:
    call  MessageBoxA,0, offset message3,\
          offset message1,0
                                 ;prints a message that SoftICE was found. Any
                                 ;code may follow from this point.
    call  ExitProcess, -1        ;ends the program

error:                           ;starts a new SEH service in case of an error.
    mov   esp, [delayESP]
    push  offset continue
    ret                          ;if an error occurs in the program, SEH
                                 ;ensures that the program will continue from the
                                 ;error label.
ends
end Start                        ;end of program
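
For analysts who need to spot this check inside a protected binary, the following added example (not part of the original article) scans raw code bytes for the sequence the listing assembles to: AH loaded with 43h, int 68h, then a comparison with 0F386h. The function names, window sizes and sample bytes are assumptions constructed for illustration; it matches 32-bit encodings without disassembling, so hits are leads to confirm in a disassembler.

```python
# Added example: heuristic static scan for the INT 68h / AH=43h SoftICE check.
INT_68 = b"\xCD\x68"                       # int 68h
MAGIC_CMP = (b"\x66\x3D\x86\xF3",          # cmp ax, 0F386h
             b"\x3D\x86\xF3\x00\x00")      # cmp eax, 0000F386h

# Constructed sample: the listing's core sequence as 32-bit machine code
# (nop, nop, mov ah,43h, int 68h, push eax, push [mem], call, pop eax, cmp ax,0F386h, jz).
SAMPLE = bytes.fromhex(
    "90 90 B4 43 CD 68 50 FF 35 00 30 40 00 E8 10 00 00 00 58 66 3D 86 F3 0F 84 20 00 00 00")
# Constructed counter-example: int 68h with no AH=43h setup and no magic compare.
BENIGN = bytes.fromhex("B8 01 00 00 00 CD 68 C3")

def _sets_ah_43(before: bytes) -> bool:
    """True if the bytes just before the interrupt load 43h into AH."""
    for i in range(len(before) - 1):
        if before[i] == 0xB4 and before[i + 1] == 0x43:
            return True                    # mov ah, 43h
        if before[i] == 0xB8 and i + 2 < len(before) and before[i + 2] == 0x43:
            return True                    # mov ax/eax, imm whose second byte (AH) is 43h
    return False

def find_int68_checks(code: bytes, back: int = 16, ahead: int = 48):
    """Return one evidence record per `int 68h` byte pair found in code."""
    hits = []
    pos = code.find(INT_68)
    while pos != -1:
        before = code[max(0, pos - back):pos]
        after = code[pos + 2:pos + 2 + ahead]
        hits.append({
            "offset": pos,
            "ah_43h": _sets_ah_43(before),
            "cmp_f386h": any(p in after for p in MAGIC_CMP),
        })
        pos = code.find(INT_68, pos + 1)
    return hits

def likely_softice_checks(code: bytes):
    """Offsets where both the service number and the magic compare are present."""
    return [h["offset"] for h in find_int68_checks(code)
            if h["ah_43h"] and h["cmp_f386h"]]

if __name__ == "__main__":
    for h in find_int68_checks(SAMPLE) + find_int68_checks(BENIGN):
        print(h)
```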
