This detection searches memory in the V86 region for the WINICE.BR string. Because the method is infrequently used it is worth considering, though it works only under Windows 9x. The routine is easy to hide because it makes no calls at all (neither API nor INT), so an attacker cannot find it with a breakpoint on an API or an interrupt, and when used well it also reveals a debugging attempt: to make the program continue, the attacker has to change either its code or the contents of the registers. To catch that, check after this trick that the registers really contain the values they should, and run a CRC test to see whether the program code has been changed in memory. If SoftICE isn't active in memory, the checking routine runs without problems. The method's one disadvantage is that it works well only with older versions of SoftICE; if a newer version is active in memory, an error occurs. That is why the listing installs an exception filter first: the filter simply resumes at continue, so the program survives but reports SoftICE as not found. Note also that the search stops at 400000h, below the default PE image base, so the program's own immediates ("W", "CINI", "RB.E", which are never stored as one contiguous string) are not inside the scanned range.

.386
.MODEL FLAT,STDCALL
locals
jumps
UNICODE=0
include w32.inc

Extrn SetUnhandledExceptionFilter : PROC

.data
message1    db "Detection by memory search", 0
message2    db "SoftICE not found", 0
message3    db "SoftICE found", 0
delayESP    dd 0                            ;the ESP register is saved here
previous    dd 0                            ;the address of the previous exception
                                            ;filter is saved here

.code
Start:
;-------------------------------------------------------------------------------------------------
;Sets an exception filter in case of an error (the read faults if the region is not mapped)
;-------------------------------------------------------------------------------------------------
        mov     [delayESP], esp
        push    offset error
        call    SetUnhandledExceptionFilter
        mov     [previous], eax
;-------------------------------------------------------------------------------------------------
;Searches for the WINICE.BR string in V86 memory
;-------------------------------------------------------------------------------------------------
        mov     al, "W"                     ;first character to look for
        mov     edi, 10000h                 ;begins the search here
        mov     ecx, 400000h - 10000h       ;specifies the number of bytes to search
more:
        repnz   scasb                       ;searches memory for a "W"
        jecxz   notfound                    ;no "W" left: the search ends because
                                            ;SoftICE isn't active in memory
        cmp     dword ptr [edi], "CINI"     ;when a "W" is found, tests whether "INIC"
                                            ;follows (the assembler puts the first
                                            ;character of a multi-character constant
                                            ;in the most significant byte, so "CINI"
                                            ;is the byte sequence "INIC" in memory)
        jz      found1                      ;ends when "INIC" is found
        jmp     more                        ;otherwise it searches all of memory
found1:
        add     edi, 4                      ;move by 4 characters (bytes)
        cmp     dword ptr [edi], "RB.E"     ;when "WINIC" is found, checks whether
                                            ;"E.BR" follows ("RB.E" is "E.BR" in
                                            ;memory, as above)
        jnz     more                        ;if it does not, keep searching
        push    word ptr 1                  ;go here if SoftICE is active in memory:
        jmp     short found                 ;save 1 on the stack to show it was found
notfound:
        push    word ptr 0                  ;go here if SoftICE is not found in memory
found:
;-------------------------------------------------------------------------------------------------
;Restores the previous exception filter
;-------------------------------------------------------------------------------------------------
        push    dword ptr [previous]
        call    SetUnhandledExceptionFilter
;-------------------------------------------------------------------------------------------------
        pop     ax                          ;restores the return value
        test    ax, ax                      ;tests whether the return value is 1
        jnz     jump                        ;if it is, the program jumps because
                                            ;SoftICE is active
continue:
        call    MessageBoxA, 0, offset message2, offset message1, 0
        call    ExitProcess, -1
jump:
        call    MessageBoxA, 0, offset message3, offset message1, 0
        call    ExitProcess, -1
error:                                      ;exception filter, entered on an error:
        mov     esp, [delayESP]             ;restores the stack pointer and continues
        push    offset continue             ;as if SoftICE had not been found
        ret
ends
end Start
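As an added example (this is not code from the book or from the page above), here is the same two-part check in C: the byte scan for the marker string and the CRC test of the checking routine that the text says must accompany it. It runs over a constructed buffer standing in for the V86 region, because on NT-based Windows and on other operating systems the 10000h-400000h range read by the assembly is largely unmapped and the read would fault. The marker placement, the sample "code" bytes, the buffer contents, the CRC-32 routine and the check_result names are all this example's own constructions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the scanned memory region: a "W" that is not the
   marker (WINDOWS) comes first, so the scan has to skip a partial match. */
static const uint8_t sample_region[] = "xxxxWINDOWSxxxxxxWINICE.BRxxxx";
static const uint8_t sample_clean[]  = "xxxxWINDOWSxxxxxxWINxxxxxxxxxx";

/* Constructed bytes standing in for the check routine that the CRC protects
   (not a real function body): TEST EAX,EAX / JNZ rel8 / PUSH 0. */
static const uint8_t sample_check_code[] = { 0x85, 0xC0, 0x75, 0x12, 0x6A, 0x00 };

/* Byte scan for `marker` in [base, base+len). The first byte is matched on its
   own (the REPNZ SCASB step) and the remainder is compared only on a hit, as
   the assembly does with its "INIC" and "E.BR" fragments. */
static int scan_for_marker(const uint8_t *base, size_t len,
                           const char *marker, size_t *where)
{
    size_t mlen = strlen(marker);
    if (mlen == 0 || len < mlen)
        return 0;
    for (size_t i = 0; i + mlen <= len; i++) {
        if (base[i] != (uint8_t)marker[0])
            continue;                       /* not the first character */
        if (memcmp(base + i, marker, mlen) == 0) {
            if (where)
                *where = i;
            return 1;
        }
    }
    return 0;
}

/* Offset of WINICE.BR in the constructed region, or -1 if absent. */
static long sample_marker_offset(void)
{
    size_t at = 0;
    return scan_for_marker(sample_region, sizeof sample_region, "WINICE.BR", &at)
               ? (long)at : -1L;
}

/* CRC-32 (IEEE, reflected polynomial 0xEDB88320), bitwise so no table is needed. */
static uint32_t crc32_buf(const uint8_t *p, size_t n)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

enum check_result { CHECK_CLEAN = 0, CHECK_SOFTICE_FOUND = 1, CHECK_TAMPERED = 2 };

/* The combined check the text describes: verify the checking code is unchanged,
   then scan. Tampering is reported first, since a patched scan cannot be trusted. */
static enum check_result run_check(const uint8_t *region, size_t region_len,
                                   const uint8_t *code, size_t code_len,
                                   uint32_t expected_crc)
{
    if (crc32_buf(code, code_len) != expected_crc)
        return CHECK_TAMPERED;
    return scan_for_marker(region, region_len, "WINICE.BR", NULL)
               ? CHECK_SOFTICE_FOUND : CHECK_CLEAN;
}

/* Drives run_check over the constructed data. `with_marker` selects the region
   containing WINICE.BR; `tamper` flips the JNZ displacement, as an attacker
   patching the check would. In a real program expected_crc is computed at build
   time and stored, not recomputed at run time as it is here. */
static int demo_run(int with_marker, int tamper)
{
    uint8_t code[sizeof sample_check_code];
    memcpy(code, sample_check_code, sizeof code);
    uint32_t expected = crc32_buf(sample_check_code, sizeof sample_check_code);
    if (tamper)
        code[3] ^= 0x01;
    const uint8_t *region = with_marker ? sample_region : sample_clean;
    size_t region_len = with_marker ? sizeof sample_region : sizeof sample_clean;
    return (int)run_check(region, region_len, code, sizeof code, expected);
}

int main(void)
{
    printf("marker at offset %ld\n", sample_marker_offset());
    printf("clean=%d found=%d tampered=%d\n",
           demo_run(0, 0), demo_run(1, 0), demo_run(0, 1));
    return 0;
}
```

The order inside run_check matters: the CRC is checked before the scan so that a patched jump in the scanning code (the tamper case) is caught rather than silently turning "found" into "not found".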