Hello,
I want to protect my program and want a small piece of
code that checks for SoftICE and closes my own program if it is found.
Last I heard, SoftICE relied exclusively on INT3.
In case you don't know, Interrupt 3 is used to set the CPU into single-stepping mode, as used by many debuggers and tracers.
The anti-SoftICE stuff I've seen worked by checking the value at the INT3 vector to determine if SI (or some other debugger) was loaded.
As usual:
Chances are that if someone uses SoftICE for malicious purposes, any trick you can code will be useless. :( There are countless add-ons for SoftICE whose only job is to keep an eye open for possible detection.
and
Chances are that you might piss off good users (probably developers) who won't even take your program into consideration when it closes itself upon SoftICE detection.
Anyway,
MeltIce is the most common trick to detect SI:
CreateFile with "\\\\.\\SICE" as the name; if it returns a valid handle, you can assume that it is loaded.
There are many more:
See here for a start and search the Net.
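The MeltIce check described above, written out as an added MASM32-style example; this is not code from the original thread or from the MeltIce author. It assumes the MASM32 SDK include and library paths (`\masm32\include`, `\masm32\lib`). The device name `\\.\SICE` is the one named in the post; `\\.\SIWVID` and `\\.\NTICE` are additional SoftICE device names added here (the latter for the NT-family driver). A device that is not loaded makes CreateFile return INVALID_HANDLE_VALUE; a handle that was opened is closed again so the check does not leak it.

```asm
; meltice.asm - added example: detect SoftICE by opening its device names.
; Assumes the MASM32 SDK layout; build with:
;   ml /c /coff meltice.asm
;   link /subsystem:windows meltice.obj
.386
.model flat, stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib

.data
szSice   db "\\.\SICE", 0      ; SoftICE driver (Win9x), from the post
szSiwvid db "\\.\SIWVID", 0    ; SoftICE video driver (Win9x), assumed name
szNtice  db "\\.\NTICE", 0     ; SoftICE driver (NT family), assumed name
szMsg    db "SoftICE is loaded, exiting.", 0
szTitle  db "MeltIce check", 0

.code
; IsDevicePresent: try to open a \\.\ device name.
; Returns eax = 1 if CreateFile gave a valid handle (device driver is loaded),
; eax = 0 if it returned INVALID_HANDLE_VALUE (driver not present).
IsDevicePresent proc pszName:DWORD
    invoke CreateFile, pszName, GENERIC_READ or GENERIC_WRITE, \
           FILE_SHARE_READ or FILE_SHARE_WRITE, NULL, OPEN_EXISTING, \
           FILE_ATTRIBUTE_NORMAL, NULL
    .if eax != INVALID_HANDLE_VALUE
        invoke CloseHandle, eax     ; do not leak the handle we just opened
        mov eax, 1
    .else
        xor eax, eax
    .endif
    ret
IsDevicePresent endp

start:
    invoke IsDevicePresent, addr szSice
    test eax, eax
    jnz detected
    invoke IsDevicePresent, addr szSiwvid
    test eax, eax
    jnz detected
    invoke IsDevicePresent, addr szNtice
    test eax, eax
    jnz detected
    ; no SoftICE device found: continue with the real program here
    invoke ExitProcess, 0

detected:
    ; tell the user why the program is quitting instead of vanishing silently
    invoke MessageBox, NULL, addr szMsg, addr szTitle, MB_OK or MB_ICONSTOP
    invoke ExitProcess, 1
end start
```

Note that the check is a single conditional jump per device name; anyone with a debugger attached can NOP out the `jnz detected` instructions or patch the device name strings, so this stops only people who cannot already patch a few bytes, which is the point Fodder makes later in the thread.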
SoftICE detection is silly. There is NO way you'll stop anybody
with just a little skill (people who are able to do more than just install
SoftICE). There are a few generic ways to do it (like the CreateFile method)
that will not harm your program, but most other methods involve
dirty tricks that'll make your program incompatible with a bunch of
Windows versions. Really, SoftICE detection is not worth the effort.
Hi,
I attached example code about "how to detect SI and IceDump". But it does not detect other debuggers. As Fodder said, this method is not 100% safe...
Have nice days.
Thanks. Is this Win32ASM or TASM?
Hi,
Thanks. Is this Win32ASM or TASM?
Yes, TASM. MASM example below.
Have nice days.
I don't have much knowledge about the subject, but here is a translation of what I found on one of the Russian web sites about a new protection program:
Use INT0, INT1, INT3, and also use the DRx registers; don't just check or clear them, use them.
Search for more on the net...
How can I compile it?
Include Win32.inc?? Can't find it in MASM7.
If you don't know how to use it, and don't know how and WHY it
works, then by all means don't use it. You'll be back to square one without
any protection at all, and might end up annoying legitimate users.
I.e., I have SoftICE running a lot of the time on my system, for the purpose
of debugging *MY OWN* apps... sorta sucks that I have to reboot
to run a few apps (well, anti-SI code can obviously be removed,
and often rather easily, but it's still annoying having to do it).