I want do protect my programm and want a small
code it check softice and close my own if found.
Posted on 2002-06-15 12:59:13 by Fred556
Last I heard, softice relied exclusively on INT3.
In case you don't know, Interrupt 3 is used to set the cpu into single-stepping mode, as used by many debuggers and tracers.
The anti-softice stuff I've seen worked by checking the value at the INT3 vector to determine if SI (or some other debugger) was loaded up.
Posted on 2002-06-15 13:11:32 by Homer
As usual:

Chances are that if an someone uses SoftIce for malicious purposes, any trick you can code it will be useless. :( As there are countless addons for SoftIce which all they do is keep their eyes open for a possible detection.


Chances are that you might piss off good Users (probably) developpers which won't even take your program into consideration when it closes itself upon SoftIce detection.


MeltIce is the most common trick to detect SI:

CreateFile with "\\\\.\\SICE" as Name - if it returns an existing Handle, you can assume that it is loaded.

There are many more :
See here for a start and Search the Net
Posted on 2002-06-15 19:46:42 by JimmyClif
Softice detection is silly. There is NO way you'll stop anybody
with just a little skill (people who are able to more than just install
softice). There's a few generic ways to do it (like the createfile method)
that will not harm your program, but most other methods involve
dirty tricks that'll make your program incompatible with a bunch of
windows versions. Really, softice detection is not worth the effort.
Posted on 2002-06-15 20:05:35 by f0dder

I attached example code about "how to detect SI and icedump". But not detected other debuggers. As Fodder said, this method not %100 safe...

have nice days
Posted on 2002-06-15 20:27:40 by CYDONIA


I attached example code about "how to detect SI and icedump". But not detected other debuggers. As Fodder said, this method not %100 safe...

have nice days

Thanks. Is this a Win32ASM or TASM?
Posted on 2002-06-16 03:02:57 by Fred556
search for more on the net...
Posted on 2002-06-16 04:17:29 by hunter

Thanks. Is this a Win32ASM or TASM?

Yes, TASM. MASM example below,

have nice days.
Posted on 2002-06-16 18:26:03 by CYDONIA
I dont have much knowledge about subject but here is translation of what i found on one of the russian web site about new protection program:

use INT0, INT1, INT3 also use DRx registers not just check or clear them use it.
Posted on 2002-06-16 23:22:18 by pahan

search for more on the net...

How Can I compile it?
incluse Win32.inc?? Cannot found it in MASM7.
Posted on 2002-06-17 06:17:41 by Fred556
If you don't know how to use it, and don't know how and WHY it
works, then by all means dont use it. You'll be back to point 0 without
any protection at all, and might end up annoying legitimate users.
Ie, I have softice running a lot of time on my system, for the purpose
of debugging *MY OWN* apps... sorta sucks that I have to reboot
to run a few apps (well, anti-si code can obviously be removed,
and often rather easily, but it's still annoying having to do it).
Posted on 2002-06-17 07:51:15 by f0dder