Detecting SoftICE by Calling INT 3h

by Sam Petrone.
Share
|
Homepage | Submit your article | Contact | TOS
More articles on software  

You are here: Categories » Computers and technology » Software

This is one of the most well known anti-debugging tricks, and it uses a back door in SoftICE itself. It works in all versions of Windows, and it is based on calling INT 3h with registers containing the following values: EAX=04h and EBP=4243484Bh. This is actually the "BCHK" string. If SoftICE is active in memory, the EAX register will contain a value other than 4.

This trick has often been used in the code of various compression and encoding programs, and it is well known because of its wide use. When used well, it may cause trouble even for the more experienced crackers. 

.386 
.MODEL FLAT,STDCALL 
 
locals jumps 
UNICODE=0 
include w32.inc 
Extrn SetUnhandledExceptionFilter : 
PROC .data 
message3 message2 delayESP previous 
.code db "Detection by calling INT 3h",0 
db "SoftICE found",0 db "SoftICE not found",0 dd 0
;the ESP register is saved here. dd 0 ;the ESP register will save the address of the 
;previous SEH service here. 
Start: 
;------------------------------------------------------------------------------------------------
-;Sets SEH in case of an error 
;-------------------------------------------------------------------------------------------------
mov	[delayESP], esp
 
push offset error 
call SetUnhandledExceptionFilter 
mov	[previous], eax
 
;-------------------------------------------------------------------------------------------------
;The new address for Structured Exception Handling (SEH) is set here to ensure that in case of an 
;error, the program will continue from an error label and will end correctly. This is important 
;if, for example, the program calls an interrupt that will be performed correctly only if SoftICE 
;is active, but which will cause an error and crash the program if SoftICE is not active. 
;Finally, the previous SEH service address is saved. 
;-------------------------------------------------------------------------------------------------
   eax,4 mov   ebp,"BCHK" int 3h push eax ;"magic" values to be found ;whether SoftICE is active
 ;calls the INT 3h interruption ;saves the return value 
;-------------------------------------------------------------------------------------------------
;Sets previous SEH service 
;-------------------------------------------------------------------------------------------------
   push dword ptr [previous] 
call SetUnhandledExceptionFilter 
;-------------------------------------------------------------------------------------------------
;Sets the original SEH service address 
;-------------------------------------------------------------------------------------------------
   pop   eax cmp   eax,4 jnz   jump 
   continue: ;restores the return value
 ;tests to see whether eax was changed ;if it was changed, SoftICE is active ;in memory
 
call MessageBoxA,0, offset message2,\ offset message1,0 
;-------------------------------------------------------------------------------------------------
;If the return value is 4 SoftICE wasn't found and the program prints out an error message.
 ;-------------------------------------------------------------------------------------------------
   call ExitProcess, -1 
;ends program 
jump: 
call MessageBoxA,0, offset message3,\ offset message1,0 
;-------------------------------------------------------------------------------------------------
;Displays a message that SoftICE was found; any code may follow this point.
 ;-------------------------------------------------------------------------------------------------
call ExitProcess, -1 
;ends program 
error: 
;starts a new SEH service in case of an error.
   mov   esp, [delayESP]
 
push offset continue ret 
;-------------------------------------------------------------------------------------------------
;If an error occurs in the program, SEH will ensure that the program will continue from the ;error label. 
;-------------------------------------------------------------------------------------------------ends 
end Start	
;end of program
Share
Leave a comment or ask a question
Total comments: 0

Software Disclaimer

  • The e-articles directory is not responsible for any and all copyright infringements by writers and authors. If you suspect the information contained by this page for any copyright infringements, please contact us to investigate the issue
The Beginner's Guide to iPad Video Conversion on Mac - So, you've just taken in a shiny new iPad and impressed by its beautiful display. There are several possible sources of content that you will want to convert for viewi (more...)
Touch and View: iPad application - iPad application development has become an extremely popular topic at numerous conferences and workshops since the product introduction keynote. Mobile software companies went boldly into the une (more...)
Deciding on TIFF vs. JPEG Output for Scanned Images - It can be difficult to understand which file type is best for saving your scanned images. Here's a brief breakdown of the two most common options. Preserving beloved memories is on (more...)
Photoshop Clipping Path and Masking Techniques :: Wonderful Technique to Knock Out Image Background - Graphic design is being the promotional key in every spare of business and individual life. Business organizations seek graphic tools to have publicity by dint of bill board, catalogs, magazines, w (more...)
Tips on Getting MP3 from CD as iPhone Ringtone on Mac - Many people must have favorite CDs filled with their bookcase or CD case somewhere at home due to the songs they loved while they still need to pay $0.99 each to get the same songs as their iPhone (more...)
Know about Architectural CAD Drawing - Architectural CAD drawing, which literally mean architectural drawing on the computer. Getting your architectural drawing in digital format. This applies to residential, commercial, pho (more...)
Tips to Develop Mechanical CAD Drawings and Design - The standard mechanical engineering CAD expert photo, as you need to develop such that can easily be explained by mechanical engineers. Before starting work on a mechanical image, you should know h (more...)
Most popular free open source software - Open source software ( OSS) is license-free computer software which can be used, modified, or distributed freely. There is a misconception that OSS is "second rated" or "prototyped" ver (more...)
How to send SMS from Microsoft Dynamics CRM 4.0 - Ozeki offers a solution to send SMS from Microsoft Dynamics CRM 4.0. If you use MS Dynamics to improve customer relationship management in your company, now you can increase the efficienc (more...)
Programming representational state transfer (REST) - REST (representational state transfer) is a process for getting information content from a Web site by reading a designated Web page that contains an XML (Extensible Markup Language) file that desc (more...)
 
free content
    Copyright © 2006 - 2012 e-articles.info.
The texts, articles and tutorials in the directory are property of their respective owners and authors.