Detecting SoftICE by Searching Memory
This detection searches V86-mode memory for the WINICE.BR string, which SoftICE leaves in memory while it is loaded. Because this method is infrequently used it is worth considering, though it can only be used on Windows 9x. The routine is easy to hide because it makes no calls at all (neither API nor INT), which makes it impossible to detect, and, used well, it can also discover a debugging attempt: to make the program continue, an attacker has to change either its code or the contents of the registers. To discover that, check after this trick whether the registers really contain the values they should, and run a CRC test to see whether the program code in memory has been changed. If SoftICE isn't active in memory, the checking routine runs without problems. The method's one disadvantage is that it works well only with older versions of SoftICE; an error occurs if one of SoftICE's newer versions is active in memory.

.386
.MODEL FLAT,STDCALL
locals
jumps
UNICODE=0
include w32.inc

Extrn SetUnhandledExceptionFilter : PROC

.data
message1    db "Detection by memory search", 0
message2    db "SoftICE not found",0
message3    db "SoftICE found",0
delayESP    dd 0                    ;the ESP register saves here
previous    dd 0                    ;the address of the previous exception
                                    ;filter (SEH service) saves here

.code
Start:
;-------------------------------------------------------------------------------
;Sets SEH in case of an error
;-------------------------------------------------------------------------------
    mov  [delayESP],esp
    push offset error
    call SetUnhandledExceptionFilter
    mov  [previous], eax
;-------------------------------------------------------------------------------
    mov  al, "W"                    ;searches for the WINICE.BR string in
                                    ;V86 memory
    mov  edi, 10000h                ;begins the search here
    mov  ecx, 400000h - 10000h      ;specifies the number of bytes to search
more:
    repnz SCASB                     ;searches for a "W" character in memory
    jecxz notfound                  ;if it is not found, the memory search
                                    ;ends because SoftICE isn't active in memory
    cmp  dword ptr [edi], "CINI"    ;when a "W" is found, this tests whether
                                    ;"INIC" follows (the literal is written
                                    ;reversed, like "RB.E" below, because the
                                    ;assembler stores it little-endian)
    jz   found1                     ;ends when "INIC" is found
    jmp  more                       ;otherwise it searches all memory
found1:
    add  edi, 4                     ;move by 4 characters (bytes)
    cmp  dword ptr [edi], "RB.E"    ;when "WINIC" is found it checks whether
                                    ;"E.BR" follows
    jnz  more                       ;if it does not, the search continues
    push word ptr 1                 ;go here if SoftICE is active in memory and
                                    ;save 1 on the stack to show that SoftICE
                                    ;was found
    jmp  short found
notfound:
    push word ptr 0                 ;go here if SoftICE is not found in memory
found:
;-------------------------------------------------------------------------------
;Sets previous SEH service
;-------------------------------------------------------------------------------
    push dword ptr [previous]
    call SetUnhandledExceptionFilter
;-------------------------------------------------------------------------------
    pop  ax                         ;restores the return value
    test ax,ax                      ;tests to see if the return value is 1
    jnz  jump                       ;if it is, the program jumps because
                                    ;SoftICE is active
continue:
    call MessageBoxA,0, offset message2,\
         offset message1,0
    call ExitProcess, -1
jump:
    call MessageBoxA,0, offset message3,\
         offset message1,0
    call ExitProcess, -1
error:                              ;starts a new SEH service in case of an error
    mov  esp, [delayESP]
    push offset continue
    ret
ends
end Start
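The same scan rewritten in C as an added example (not code from the original article), so the logic can be exercised on a constructed buffer and the byte order of the assembler's 4-character literals is made explicit; the names asm_literal, load_le32 and scan_for_winice are chosen here, and the bounds check replaces the exception handler the assembly relies on.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Value the assembler gives a 4-character literal such as "RB.E": the first
   character lands in the most significant byte, so in little-endian memory
   the bytes read "E.BR".  That is why the listing writes its literals
   reversed, and why the compare after the 'W' must use "CINI" for "INIC". */
static uint32_t asm_literal(const char s[4]) {
    return ((uint32_t)(unsigned char)s[0] << 24) |
           ((uint32_t)(unsigned char)s[1] << 16) |
           ((uint32_t)(unsigned char)s[2] << 8)  |
            (uint32_t)(unsigned char)s[3];
}

/* A dword read the way the CPU does for "cmp dword ptr [edi], ..." */
static uint32_t load_le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Same algorithm as the listing: find a 'W' (repnz scasb), then compare the
   next two dwords.  Returns the offset of "WINICE.BR" in mem, or -1.  The
   assembly relies on its exception handler if a compare reads past the search
   range; here the bounds are checked before each dword load instead. */
long scan_for_winice(const unsigned char *mem, size_t len) {
    const uint32_t first  = asm_literal("CINI");   /* memory bytes "INIC" */
    const uint32_t second = asm_literal("RB.E");   /* memory bytes "E.BR" */
    size_t i = 0;
    while (i < len) {
        const unsigned char *hit = memchr(mem + i, 'W', len - i);
        if (hit == NULL)
            return -1;                         /* jecxz notfound */
        size_t pos = (size_t)(hit - mem) + 1;  /* edi points past the 'W' */
        if (pos + 8 > len)
            return -1;                         /* no room for 8 more bytes */
        i = pos;                               /* next search starts here */
        if (load_le32(mem + pos) != first)
            continue;                          /* jmp more */
        if (load_le32(mem + pos + 4) != second)
            continue;                          /* jnz more */
        return (long)(pos - 1);                /* found: offset of the 'W' */
    }
    return -1;
}
```

The constructed buffer in the check below contains a stray 'W' before the signature, which exercises the "jmp more" path.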