Secure Programming
Detecting SoftICE ? May 10 2005 04:12PM
Bruce Klein (bruce klein iovation com) (1 replies)
Re: Detecting SoftICE ? May 11 2005 03:41PM
Thierry Haven (thierry haven xmcopartners com)
Hi Bruce,

you may have a look at crackz's pages for usual tricks concerning Sice detection (http://www.woodmann.com/crackz/Tutorials/Protect.htm#detectsoftice)

However, please have a look at the following routines:

First, we can use int 68h to check the "magic" value 0x0F386 (= debugger present). Then, we may also check the interrupt descriptor table and see if there is a handler installed for INT 68h.

__inline bool IsSICELoaded() {
_asm {
mov ah, 0x43
int 0x68
cmp ax, 0x0F386 // Will be set by all system debuggers.
jz out_

xor ax, ax // check the IDT
mov es, ax
mov bx, word ptr es:[0x68*4]
mov es, word ptr es:[0x68*4+2]
mov eax, 0x0F43FC80
cmp eax, dword ptr es:[ebx]
jnz out_
jmp normal_
normal_:
xor eax, eax
leave
ret
out_:
mov eax, 0x1
leave
ret
}
return false;
}

If a debugger is not present AX will be 4300h.

Then, as you said, the CreateFile function may be used to check if the Sice device driver is loaded... It should be working with the latest versions anyway...

/*
Function: IsSoftIceNTLoaded
Description: Like the previous one but for use under Win NT only
Returns: true if SoftIce is loaded
*/

__inline BOOL IsSoftIceNTLoaded() {
HANDLE hFile=CreateFile( "\\\\.\\NTICE",
GENERIC_READ | GENERIC_WRITE,
FILE_SHARE_READ | FILE_SHARE_WRITE,
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);

if(hFile!=INVALID_HANDLE_VALUE) { CloseHandle(hFile); return true; }
return false;
}

Or maybe the dedicated function "IsDebuggerPresent" will detect it (I haven't tested it with Sice yet)
http://msdn.microsoft.com/library/en-us/debug/base/isdebuggerpresent.asp

BOOL IsDebuggerPresent(void);

But, if your Sice is patched, it may already include protections against those "anti-debugging" features. In this case, you should use your own imagination to detect it :)

--
_______________________________________
Thierry Haven - Xmco Partners
Consultant Sécurité / Test d'intrusion

web : http://www.xmcopartners.com

Bruce Klein wrote:
>
> Hello all,
>
> I am writing a Win32 DLL and am currently trying to detect if SoftICE is present.
>
> I am trying the "classic" detection methods and for my version of SoftICE (4.3.2) under Windows XP, so far no method has succeeded at detecting it.
>
> The methods I am trying are well described in Viega & Messier's "Secure Programming Cookbook" and all over the net. One is the "Meltice" technique that looks for a virtual device named "\.\\NTICE"; the other uses the "Boundschecker" method that uses int 3, with "BCHK"
> in a register.
>
> I am having no luck with either method. Perhaps because the methods are obsolete with the current version of SoftICE. Perhaps because I'm doing something stupid.
>
> Given the above, I have two questions I'm hoping someone can answer:
> - Does anyone know a method to detect today's SoftICE?
> - Do the other methods even work (and for what versions)?
>
> I'd be happy to post the small source or answer any further questions.
>
> Thanks in advance.
>

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus