WebApp Sec mailing list archives

Detecting SoftICE ?
From: Bruce Klein <bruce.klein () iovation com>
Date: 10 May 2005 00:11:12 -0000



Hello all,
 
I am writing a Win32 DLL and am currently trying to detect if SoftICE is present.
 
I am trying the "classic" detection methods and for my version of SoftICE (4.3.2) under Windows XP, so far no method has succeeded at detecting it.
 
The methods I am trying are well described in Viega & Messier's "Secure Programming Cookbook" and all over the net. One is the "Meltice" technique that looks for a virtual device named "\.\\NTICE"; the other uses the "Boundschecker" method that uses int 3, with "BCHK" in a register.
 
I am having no luck with either method. Perhaps because the methods are obsolete with the current version of SoftICE. Perhaps because I'm doing something stupid.
 
Given the above, I have two questions I'm hoping someone can answer:
    - Does anyone know a method to detect today's SoftICE?
    - Do the other methods even work (and for what versions)?
 
I'd be happy to post the small source or answer any further questions.
 
Thanks in advance.

