Detecting SoftICE by Searching Memory

by Sam Petrone.


This detection searches V86-mode memory for the WINICE.BR string. Because the method is rarely used it is worth considering, though it works only under Windows 9x.

The routine is easy to hide because the search loop itself uses no calls (neither API nor INT). That makes it impossible to detect, and, used well, it can also reveal a debugging attempt: to make the program continue, an attacker has to change either its code or the contents of the registers.

To discover the debugging attempt, check after this trick that the registers really contain the values they should, and run a CRC test to see whether the program code in memory has been changed. If SoftICE isn't active in memory, the checking routine runs without problems.

This method's one disadvantage is that it works well only with older versions of SoftICE; if one of the newer versions is active in memory, an error occurs instead.

.386
.MODEL FLAT,STDCALL
locals
jumps
UNICODE=0
include w32.inc
Extrn SetUnhandledExceptionFilter : PROC
Extrn MessageBoxA : PROC                  ;declared here because the routine calls them
Extrn ExitProcess : PROC

.data
message1 db "Detection by memory search",0
message2 db "SoftICE not found",0
message3 db "SoftICE found",0
delayESP dd 0                             ;the ESP register is saved here
previous dd 0                             ;the address of the previous SEH service is saved here

.code
Start:
;-------------------------------------------------------------------------------------------------
;Sets SEH in case of an error
;-------------------------------------------------------------------------------------------------
        mov     [delayESP],esp
        push    offset error
        call    SetUnhandledExceptionFilter
        mov     [previous],eax
;-------------------------------------------------------------------------------------------------
;Searches for the WINICE.BR string in V86 memory
;-------------------------------------------------------------------------------------------------
        mov     al,"W"                    ;first byte of the string to search for
        mov     edi,10000h                ;begins the search here
        mov     ecx,400000h - 10000h      ;specifies the number of bytes to search
more:
        repnz   scasb                     ;searches for a "W" byte in memory
        jecxz   notfound                  ;if no "W" is found, the memory search ends
                                          ;because SoftICE isn't active in memory
;the immediates below are written reversed: the assembler stores the first character of a
;multi-character constant in the most significant byte, so "CINI" matches the bytes I,N,I,C
;in memory and "RB.E" matches E,.,R,B
        cmp     dword ptr [edi],"CINI"    ;when a "W" is found, tests whether "INIC" follows
        jz      found1                    ;goes on when "INIC" is found
        jmp     more                      ;otherwise it searches all memory
found1:
        add     edi,4                     ;moves by 4 characters (bytes)
        cmp     dword ptr [edi],"RB.E"    ;when "WINIC" is found, checks whether "E.RB" follows
        jnz     more                      ;if it does not, the search continues
        push    word ptr 1                ;SoftICE is active in memory: saves 1 on the stack
                                          ;to show that it was found
        jmp     short found
notfound:
        push    word ptr 0                ;SoftICE was not found in memory
found:
;-------------------------------------------------------------------------------------------------
;Sets previous SEH service
;-------------------------------------------------------------------------------------------------
        push    dword ptr [previous]
        call    SetUnhandledExceptionFilter
;-------------------------------------------------------------------------------------------------
        pop     ax                        ;restores the return value
        test    ax,ax                     ;tests whether the return value is 1
        jnz     jump                      ;if it is, the program jumps because SoftICE is active
continue:
        call    MessageBoxA,0,offset message2,offset message1,0
        call    ExitProcess,-1
jump:
        call    MessageBoxA,0,offset message3,offset message1,0
        call    ExitProcess,-1
error:                                    ;starts a new SEH service in case of an error
        mov     esp,[delayESP]
        push    offset continue
        ret
ends
end Start
 