Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Detecting SoftICE ?

from [Florian Maier] Network Security [Permanent Link]
Subject: Re: Detecting SoftICE ?
Date: Thu, 12 May 2005 17:26:31 +0200 
Hi Bruce,

there are several Methods for detecting Softice. More and less reliable ones, depending which version you are dealing with.
"Crackproof your software" (published by No Starch Press) outlines some of the more useful and recent techniques you should
probably check this resource first.

No promise, but i'll try to send you some implemention examples over the weekend.

regards


Florian


Bruce Klein schrieb:

Hello all,

I am writing a Win32 DLL and am currently trying to detect if SoftICE is 
present.

I am trying the "classic" detection methods and for my version of SoftICE 
(4.3.2) under Windows XP, so far no method has succeeded at detecting it.

The methods I am trying are well described in Viega & Messier's "Secure Programming Cookbook" and all over the net. One is the "Meltice" technique that looks for a virtual device named "\.\\NTICE"; the other uses the "Boundschecker" method that uses int 3, with "BCHK" in a register.

I am having no luck with either method. Perhaps because the methods are 
obsolete with the current version of SoftICE. Perhaps because I'm doing 
something stupid.

Given the above, I have two questions I'm hoping someone can answer:
   - Does anyone know a method to detect today's SoftICE?
   - Do the other methods even work (and for what versions)?

I'd be happy to post the small source or answer any further questions.

Thanks in advance.




[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Managing Code Signing Digital IDs for Open Source?, Saqib Ali
Next by Date:  New Free Tool - Foundstone .NET Mon, Curphey, Mark
Previous by Thread:  Re: Detecting SoftICE ?, mozilla
Next by Thread:  Re: ColdFusion - CFID & CFTOKEN, ron thigpen
Indexes:  [Date] [Thread] [Top] [All Lists]