Re: Detecting SoftICE ?

[Florian Maier <florian.maier () muenchen de>]

Hi Bruce,

there are several Methods for detecting Softice. More and less reliable 
ones, depending which version you are dealing with.
"Crackproof your software" (published by No Starch Press) outlines some 
of the more useful and recent techniques you should
probably check this resource first.

No promise, but i'll try to send you some implemention examples over the 
weekend.

regards


Florian


Bruce Klein schrieb:

> Hello all,
>
> I am writing a Win32 DLL and am currently trying to detect if SoftICE is present.
>
> I am trying the "classic" detection methods and for my version of SoftICE (4.3.2) under Windows XP, so far no method 
> has succeeded at detecting it.
>
> The methods I am trying are well described in Viega & Messier's "Secure Programming Cookbook" and all over the net.  One is the "Meltice" technique that looks for a virtual device named "\.\\NTICE"; the other uses the "Boundschecker" method that uses int 3, with "BCHK" 
> in a register.
>
> I am having no luck with either method. Perhaps because the methods are obsolete with the current version of SoftICE. 
> Perhaps because I'm doing something stupid.
>
> Given the above, I have two questions I'm hoping someone can answer:
>    - Does anyone know a method to detect today's SoftICE?
>    - Do the other methods even work (and for what versions)?
>
> I'd be happy to post the small source or answer any further questions.
>
> Thanks in advance.
>
>