Is it possible to detect SoftICE by IsDebuggerPresent( )?
Solomon
February 21st, 2001, 04:43
According to MSDN, this API is used to detect debugger.
In my opinion it's used to detect Win32 application level debugger such as W32Dasm/VC++/TurboDebugger etc, not system debugger such as SoftICE.
Am I right? Thx
+SplAj
February 22nd, 2001, 01:46
Hi
I came across this in the last CommView 2.4. Usually, in previous versions, there were several checks by both ASprotect and CV.exe to find a debugger by the old Int and \\.\NTICE etc tricks.
When 2.4 was unpacked there was just this single call to 'IsDebuggerPresent'. I LOL cos the unpacked 2.4 ran ok, no SI / debugger message !...and I got on my merry way to try and fix the half packets of the evaluation etc etc.
Then I pressed the 'start capture' button......BOOM they got me PSOD. This was on Windows 2K
So in short this call can be used to find SI as well.
SplAj
Solomon
February 22nd, 2001, 04:45
Thank you for your experience.
I wrote a little prog to test this API; it always tells me "SoftICE not found". The environment is Win2000 Server + SoftICE 4.05. Both kernel32.dll and SoftICE are not patched.
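#include <windows.h>
#include <stdio.h>

/* Explicit prototype for the API under test. */
WINBASEAPI BOOL WINAPI IsDebuggerPresent(VOID);

int main(void)
{
    /* Print what the API reports for this process. */
    if (IsDebuggerPresent())
    {
        printf("SoftICE detected.\n");
    }
    else
    {
        printf("SoftICE not found.\n");
    }
    return 0;
}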
Acid_Cool_178
February 22nd, 2001, 05:17
For some more APIs that might help, some of them are here:
http://msdn.microsoft.com/library/psdk/winbase/debug_6qcz.htm
Otherwise http://msdn.microsoft.com/default.asp is a good place to get some good information on APIs.
Acid_Cool_178
Solomon
February 24th, 2001, 01:56
Thx Acid_Cool_178.
Actually I have the MSDN CD. Just wonder why this API can't return TRUE when SoftICE resides in the memory.
Solomon
February 24th, 2001, 02:01
I have read some anti-tracing tuts saying that SoftICE can be detected in this way. But it can't detect SoftICE on my machine. That's why I asked such a question.
Lord Rhesus
February 24th, 2001, 08:56
I'm sure this only checks if someone is trying to debug the program using the debug APIs that come with Windows! Have a look at Iczelion's tuts on using the debug API: www.win32asm.cjb.net
IcyDee
March 4th, 2001, 06:42
I think that the IsDebuggerPresent() API only checks that the application has been loaded using the Debug API. In other words, using the SoftICE Loader.
If you run the program normally, with SoftICE in the background, I don't think it tells you.