Secure Programming
Detecting SoftICE ? May 10 2005 04:12PM
Bruce Klein (bruce klein iovation com) (1 replies)

Hello all,

I am writing a Win32 DLL and am currently trying to detect if SoftICE is present.

I am trying the "classic" detection methods and for my version of SoftICE (4.3.2) under Windows XP, so far no method has succeeded at detecting it.

The methods I am trying are well described in Viega & Messier's "Secure Programming Cookbook" and all over the net. One is the "Meltice" technique that looks for a virtual device named "\.\\NTICE"; the other uses the "Boundschecker" method that uses int 3, with "BCHK"
in a register.

I am having no luck with either method. Perhaps because the methods are obsolete with the current version of SoftICE. Perhaps because I'm doing something stupid.

Given the above, I have two questions I'm hoping someone can answer:
- Does anyone know a method to detect today's SoftICE?
- Do the other methods even work (and for what versions)?

I'd be happy to post the small source or answer any further questions.

Thanks in advance.

[ reply ]
Re: Detecting SoftICE ? May 11 2005 03:41PM
Thierry Haven (thierry haven xmcopartners com)


Privacy Statement
Copyright 2010, SecurityFocus