Detecting SoftICE ?
May 10 2005 04:12PM
Bruce Klein (bruce klein iovation com)
I am writing a Win32 DLL and am currently trying to detect if SoftICE is present.
I am trying the "classic" detection methods, and for my version of SoftICE (4.3.2) under Windows XP, so far no method has succeeded at detecting it.
The methods I am trying are well described in Viega & Messier's "Secure Programming Cookbook" and all over the net. One is the "Meltice" technique that looks for a virtual device named "\.\\NTICE"; the other uses the "Boundschecker" method that uses int 3, with "BCHK" in a register.
I am having no luck with either method. Perhaps because the methods are obsolete with the current version of SoftICE. Perhaps because I'm doing something stupid.
Given the above, I have two questions I'm hoping someone can answer:
- Does anyone know a method to detect today's SoftICE?
- Do the other methods even work (and for what versions)?
I'd be happy to post the small source or answer any further questions.
Thanks in advance.
Re: Detecting SoftICE ?
May 11 2005 03:41PM
Thierry Haven (thierry haven xmcopartners com)
Copyright 2010, SecurityFocus