Fravia's TOOLS OF OUR TRADE Messageboard ~ Moderated
How to detect SoftICE under M$-Windblows (small essay).
Tuesday, 23-Mar-99 16:49:38

Greetings all,
I don't know if all of you guys know how to detect SoftICE's presence under Windows. I have not seen it anywhere. (anti-debugging)
But here is a way I found while reversing something.

push edi
push 0000004fh          ; AX=4Fh: INT 41h debugger-installation check
push 002a002ah          ; VWIN32 VxD (high word) / Int41Dispatch service (low word)
call Kernel32_1         ; Kernel32 ORD_1 (VxDCall, in Pietrek's terminology)
sub ax,0f386h           ; INT 41h returns AX=0F386h when a system debugger is present
pop edi
jz SoftICEisRunning

--------------
ORD_1's usual address in memory is BFF713D4, but not always.
Use (in SoftICE) EXP ORD_0000 to get the address.
You need the address to see if the programme is trying to detect SoftICE or any system debugger, by placing a BPX on it.
------------------------
Explanation:
Basically this code snippet will cause the system to use INT 41 (the debugger notification interrupt)
with a value of 0000004f passed as a parameter.
push 002a002a
The high 002a means we are calling the VWIN32 VxD.
The low 002a means we are calling the WIN32_Int41Dispatch service. (For a complete list of services, look at Pietrek's book, pages 448-449.)
I hope that I helped somehow.


The Undertaker, Afterdeath.
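From the analyst's side, the same sequence is a useful thing to flag when triaging a binary: the two pushes (4Fh and 2A002Ah) followed by a call and a 16-bit compare against 0F386h are distinctive bytes. The scanner below is added example code, not from the original post or its author. It assumes standard 32-bit x86 encodings (push imm8 = 6A ib, push imm32 = 68 id, call rel32 = E8, call dword ptr [imm32] = FF 15, sub/cmp ax,imm16 = 66 2D / 66 3D), generalises the post's `sub ax` to the common `cmp ax` variant, and uses a constructed sample buffer; the 16-byte search window is an arbitrary choice.

```python
"""Find the VxDCall-based INT 41h (AX=4Fh) debugger check in raw code bytes.

Added example, not code from the original post.  Byte encodings assumed:
    6A 4F                        push 4Fh
    68 2A 00 2A 00               push 2A002Ah   (VWIN32 / Int41Dispatch)
    E8 rel32  |  FF 15 addr32    call VxDCall
    66 2D 86 F3  |  66 3D 86 F3  sub ax,0F386h | cmp ax,0F386h
"""
import re
from typing import Dict, List, Optional

# Stage 1: argument setup selecting VWIN32's Int41Dispatch with AX=4Fh,
# followed by either call encoding.  DOTALL lets `.` match 0x0A bytes.
_SETUP = re.compile(
    rb"\x6A\x4F"                          # push 4Fh
    rb"\x68\x2A\x00\x2A\x00"              # push 2A002Ah
    rb"(?P<call>\xE8.{4}|\xFF\x15.{4})",  # call rel32 | call dword ptr [imm32]
    re.DOTALL,
)

# Stage 2: the result test.  INT 41h/AX=4Fh returns AX=0F386h when a system
# debugger is installed; code tests it with sub ax (as in the post) or cmp ax.
_RESULT_TEST = re.compile(rb"\x66(?P<op>\x2D|\x3D)\x86\xF3")

WINDOW = 16  # assumed: bytes after the call in which the result test must appear


def find_int41_checks(blob: bytes) -> List[Dict[str, Optional[object]]]:
    """Return one record per detected check: offset, call form, result test."""
    hits: List[Dict[str, Optional[object]]] = []
    for m in _SETUP.finditer(blob):
        tail = blob[m.end(): m.end() + WINDOW]
        t = _RESULT_TEST.search(tail)
        hits.append({
            "offset": m.start(),
            # bytes indexing yields an int in Python 3, so compare with 0xE8
            "call": "rel32" if m.group("call")[0] == 0xE8 else "indirect",
            "test": None if t is None
                    else ("sub" if t.group("op") == b"\x2D" else "cmp"),
        })
    return hits


# Constructed sample: two occurrences of the check embedded in filler bytes.
# Displacements in the calls are zero placeholders; they do not matter here.
SAMPLE = (
    b"\x90" * 8
    + b"\x57"                          # push edi
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"  # push 4Fh / push 2A002Ah
    + b"\xE8\x00\x00\x00\x00"          # call rel32
    + b"\x66\x2D\x86\xF3"              # sub ax,0F386h
    + b"\x5F"                          # pop edi
    + b"\x74\x10"                      # jz short
    + b"\xCC" * 8
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"  # second occurrence, other encodings
    + b"\xFF\x15\x00\x00\x00\x00"      # call dword ptr [imm32]
    + b"\x66\x3D\x86\xF3"              # cmp ax,0F386h
    + b"\x90" * 4
)

if __name__ == "__main__":
    for hit in find_int41_checks(SAMPLE):
        print("INT 41h/4Fh debugger check at offset 0x%X (call %s, test %s)"
              % (hit["offset"], hit["call"], hit["test"]))
```

Run it over a file's code section (`find_int41_checks(open(path, "rb").read())`) to list candidate sites; a hit with `test` set to None is the argument setup alone and deserves a manual look before being reported.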