SoftICE: CreateFile(\\.\NTICE) doesnt work with latest ver? [Archive]

View Full Version : SoftICE: CreateFile(\\.\NTICE) doesnt work with latest ver?

onebitshort

November 28th, 2006, 00:00

SoftICE v4.3.2 ... I just tried the good old simple CreateFileA method (\\.\NTICE and a few others) which worked fine on older builds but it's no longer working, anyone know why? I didnt have any luck with Google apart from one guy who asked the same question but didnt get any response except for "it should work". I know there are other ways to detect SI but I'd like to know why this no longer works (or what they new device name is)

And by the way yes i do have \system32\drivers\ntice.sys, and the "ntice" service is running which makes it even stranger why I can't call CreateFile on it. (And yes I am logged in as Admin)

Kayaker

November 28th, 2006, 02:32

Yeah, Softice provides it's own MeltIce protection. Pretty cool huh?

If you look at the SymbolicLink name of NTICE using WinObj (or Four-F's extended version, WinObjEx) under the GLOBAL?? heading, you'll see the name is now \Device\NTicexxxx, where the xxxx is a 4 character combination which is based on the serial number.

You can check out the routines in Softice. Like many other drivers, NTICE creates a Symbolic Link name during DriverEntry with IoCreateSymbolicLink, and deletes it during DriverUnload (not normally called) with IoDeleteSymbolicLink. The INIT (DriverEntry) section is mostly paged out after Softice starts but you can still check out what's happening by looking at the DriverUnload function. If interested..

The DriverUnload function just happens to be immediately after the IRP_MJ_SHUTDOWN routine.
You can find the IRP_MJ_SHUTDOWN routine by typing
DRIVER NTICE
and disassembling the address shown for IRP_MJ_SHUTDOWN. A few screens down look for the IoDeleteSymbolicLink function, you should see your serial number displayed as one of the earlier parameters.

Code:



.text:000115C0 DriverUnload    proc near               ; CODE XREF: start+6F7p

.text:000115C0                                         ; start:loc_1C57B5p

.text:000115C0

.text:000115C0 SymbolicLinkName= dword ptr -8

...

.text:00011736

.text:00011736 loc_11736:                   ; CODE XREF: DriverUnload+170

.text:00011736                 push    offset SerialNumber

.text:0001173B                 push    offset aDosdevicesNtic ; "\\DosDevices\\NTice"

.text:00011740                 mov     esi, offset SymbolicNameBuffer

.text:00011745                 push    esi

.text:00011746                 call    InitializeSymbolicNameBuffer

.text:0001174B                 push    esi             ; SourceString

.text:0001174C                 lea     eax, [ebp+SymbolicLinkName]

.text:0001174F                 push    eax             ; DestinationString

.text:00011750                 call    ds:RtlInitUnicodeString_0

.text:00011756                 lea     eax, [ebp+SymbolicLinkName]

.text:00011759                 push    eax             ; SymbolicLinkName

.text:0001175A                 call    ds:IoDeleteSymbolicLink

.text:00011760                 push    DeviceObject    ; DeviceObject

.text:00011766                 call    ds:IoDeleteDevice

...

.text:00011779                 leave

.text:0001177A                 retn    4

.text:0001177A DriverUnload    endp

The comparable IoCreateSymbolicLink is in DriverEntry:

Code:



INIT:001C4A29                 push    ebp

INIT:001C4A2A                 mov     DeviceObject, eax

INIT:001C4A2F                 push    offset aDosdevicesNt_0 ; "\\DosDevices\\NTice"

INIT:001C4A34                 mov     ebx, offset SymbolicNameBuffer

INIT:001C4A39                 push    ebx

INIT:001C4A3A                 mov     dword ptr [esi+38h], offset IRP_MJ_CREATE_CLOSE

INIT:001C4A41                 mov     dword ptr [esi+40h], offset IRP_MJ_CREATE_CLOSE

INIT:001C4A48                 mov     dword ptr [esi+78h], offset IRP_MJ_SHUTDOWN

INIT:001C4A4F                 mov     dword ptr [esi+70h], offset IRP_MJ_DEVICE_CONTROL

INIT:001C4A56                 mov     dword ptr [esi+74h], offset IRP_MJ_INTERNAL_DEVICE_CONTROL

INIT:001C4A5D                 call    InitializeSymbolicNameBuffer

INIT:001C4A62                 push    ebx             ; SourceString

INIT:001C4A63                 lea     eax, [esp+5A4h+SymbolicLinkName]

INIT:001C4A67                 push    eax             ; DestinationString

INIT:001C4A68                 call    ds:RtlInitUnicodeString_0

INIT:001C4A6E                 lea     eax, [esp+5A0h+DeviceName]

INIT:001C4A72                 push    eax             ; DeviceName

INIT:001C4A73                 lea     eax, [esp+5A4h+SymbolicLinkName]

INIT:001C4A77                 push    eax             ; SymbolicLinkName

INIT:001C4A78                 call    ds:IoCreateSymbolicLink

You can see what it does is to take the basic Symbolic Link string "\\DosDevices\\NTice" and concatenate it with some algorithm based on the serial number.

In terms of the MeltIce detection, the following obviously won't work any longer:

Code:



HANDLE hFile = CreateFile( "\\\\.\\NTICE",

				GENERIC_READ | GENERIC_WRITE,

				FILE_SHARE_READ | FILE_SHARE_WRITE,

				NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);



if(hFile!=INVALID_HANDLE_VALUE)

{

     // Softice Detected

     CloseHandle(hFile);

}

One apparent solution then is to parse the names of all Symbolic Link objects and check for one which begins with "NTICE".

Kayaker

onebitshort

November 28th, 2006, 22:12

Awesome reply, thanks!

Strange - I was looking through WinObjEx\Global\ yesterday, SoftICE was definately running, but I couldn't see any NTIceanythings. Likewise I couldnt see any in Services, or Drivers, even though it was definately running. The only thing I could get CreateFile to work on was SIWVIDSTART, which is a bit useless.

But today I can see them all? lol

So I can now see NtIce in Services, I can see NtIceXXXX as a Symbolic Link in WinObj\Global?, and I can see \SystemRoot\System32\Drivers\NTice.SYS when I call EnumDeviceDrivers

Do FrogsICE or MeltICE or any of those protections change the name of either the ntice.sys file or the NTIce service?

Kayaker

November 28th, 2006, 23:22

IceExt does a couple of runtime modifications of the NTICE service name via SSDT hooking to protect against using NtCreateFile, NtQuerySystemInformation and NtQueryDirectoryObject to detect the service. This isn't absolute protection against other methods of detecting the service however such as direct registry access or using PsSetLoadImageNotifyRoutine (a la Daemon Tools/SPTD) or even DKOM access ("Direct Kernel Object Manipulation" as the buzzword is coined).

A more reliable method would be to change the service name yourself manually, though this doesn't mean Softice couldn't be detected in other ways. You can do this by editing the registry and a few Softice files. I have a VMWare image where the NTICE service has been renamed to NOICE (the file is now noice.sys). Change all pertinent entries in the registry and search for unicode string refs to "NTICE" in the files ntice.sys, siwvid.sys and bootcfg.sys (I think those are all that is required) and change the name there as well, updating the PE checksum afterwards. The unicode string refs are the ones which refer to CurrentControlSet\Services\NTICE. You could do the same with the other Softice services SIWVID and SIWSYM as well.

onebitshort

November 29th, 2006, 01:28

Ooh ... I just tried a brute-force approach - CreateFile "NTICE0000" to "NTICE9999". It successfully found mine, plus it only takes a couple milliseconds to test all 10000 combinations

The only two things I'm not sure about ...
1 - is the number in decimal or hex? (not that testing 0000 to FFFF would be much slower)
2 - is it always going to be four digits like 0000 if it's < 1000 ?

Kayaker

November 29th, 2006, 01:59

Well, I checked on 2 installations, XP and 2K, they were both 4 characters but in one case it included a letter. To truly answer your question though, forgive me saying, but that's what reversing is all about. I gave the clue that that particular answer would be found in the algo within what I called InitializeSymbolicNameBuffer.

If you check it out you'll see it contains no ring0 specific code and is a small enough string manipulation routine that could be easily "ripped". An ideal subject for what IDA can help with (save as asm file). I don't really know the answer to your question but it seems that the code could easily be duplicated in a test app and you could step through it to determine exactly what it does. If you do, please let us know, it would be interesting.

Cheers,
Kayaker

evlncrn8

November 29th, 2006, 02:23

trick is used on starforce ages ago...
softice records the serial in the registry under 'Serial'
take the last 4 chars, append those to \\.\ntice
voila...

onebitshort

November 29th, 2006, 02:24

Kayaker,

Quote:

Well, I checked on 2 installations, XP and 2K, they were both 4 characters but in one case it included a letter.

Was the letter in the hex A-F range ?

Quote:

trick is used on starforce ages ago...
softice records the serial in the registry under 'Serial'
take the last 4 chars, append those to \\.\ntice
voila...

Hmmm not quite ... but the 4byte serial does exist in the main serial, sort of ...
Assume that my HKEY_LOCAL_MACHINE\SOFTWARE\NuMega\DriverStudio\ Serial = 1234ABCD5678
The 4-byte serial that my ntice driver is running as is 6DB4, which you can see in reverse, seperated by one byte per char, which i highlighted bold

Is that the same with yours?

onebitshort

November 29th, 2006, 02:36

It looks like our usermode friend nmtrans.dll also uses that code

Code:

1001FBF5  |.  51                        push ecx                                                    ; /pBufSize

1001FBF6  |.  68 343E2510               push nmtrans.10253E34                                       ; |Buffer = nmtrans.10253E34

1001FBFB  |.  50                        push eax                                                    ; |pValueType

1001FBFC  |.  50                        push eax                                                    ; |Reserved

1001FBFD  |.  68 E4860710               push nmtrans.100786E4                                       ; |ValueName = "Serial"

1001FC02  |.  52                        push edx                                                    ; |hKey

1001FC03  |.  FF15 00C00610             call near dword ptr ds:[<&ADVAPI32.RegQueryValueExA>]       ; \RegQueryValueExA

1001FC09  |.  85C0                      test eax, eax

1001FC0B  |.  75 0A                     jnz short nmtrans.1001FC17

1001FC0D  |.  C705 303E2510 01000000    mov dword ptr ds:[10253E30], 1

1001FC17  |>  8B4424 04                 mov eax, dword ptr ss:[esp+4]

1001FC1B  |.  50                        push eax                                                    ; /hKey

1001FC1C  |.  FF15 04C00610             call near dword ptr ds:[<&ADVAPI32.RegCloseKey>]            ; \RegCloseKey

1001FC22  |>  68 343E2510               push nmtrans.10253E34

1001FC27  |.  8D4C24 10                 lea ecx, dword ptr ss:[esp+10]

1001FC2B  |.  68 D8860710               push nmtrans.100786D8                                       ;  ASCII "\\.\NTICE"

1001FC30  |.  51                        push ecx

1001FC31  |.  E8 3A000000               call nmtrans.1001FC70

 

...

...



1001FC70  /$  81EC 04020000             sub esp, 204

1001FC76  |.  8A15 FC010810             mov dl, byte ptr ds:[100801FC]

1001FC7C  |.  53                        push ebx

1001FC7D  |.  55                        push ebp

1001FC7E  |.  56                        push esi

1001FC7F  |.  57                        push edi

1001FC80  |.  B9 3F000000               mov ecx, 3F

1001FC85  |.  33C0                      xor eax, eax

1001FC87  |.  8D7C24 15                 lea edi, dword ptr ss:[esp+15]

1001FC8B  |.  885424 14                 mov byte ptr ss:[esp+14], dl

1001FC8F  |.  889424 14010000           mov byte ptr ss:[esp+114], dl

1001FC96  |.  F3:AB                     rep stos dword ptr es:[edi]

1001FC98  |.  66:AB                     stos word ptr es:[edi]

1001FC9A  |.  AA                        stos byte ptr es:[edi]

1001FC9B  |.  B9 3F000000               mov ecx, 3F

1001FCA0  |.  33C0                      xor eax, eax

1001FCA2  |.  8DBC24 15010000           lea edi, dword ptr ss:[esp+115]

1001FCA9  |.  8BAC24 18020000           mov ebp, dword ptr ss:[esp+218]

1001FCB0  |.  F3:AB                     rep stos dword ptr es:[edi]

1001FCB2  |.  66:AB                     stos word ptr es:[edi]

1001FCB4  |.  AA                        stos byte ptr es:[edi]

1001FCB5  |.  B9 40000000               mov ecx, 40

1001FCBA  |.  33C0                      xor eax, eax

1001FCBC  |.  8BFD                      mov edi, ebp

1001FCBE  |.  8B9424 1C020000           mov edx, dword ptr ss:[esp+21C]

1001FCC5  |.  F3:AB                     rep stos dword ptr es:[edi]

1001FCC7  |.  B9 40000000               mov ecx, 40

1001FCCC  |.  8D7C24 14                 lea edi, dword ptr ss:[esp+14]

1001FCD0  |.  F3:AB                     rep stos dword ptr es:[edi]

1001FCD2  |.  8BFA                      mov edi, edx

1001FCD4  |.  83C9 FF                   or ecx, FFFFFFFF

1001FCD7  |.  F2:AE                     repne scas byte ptr es:[edi]

1001FCD9  |.  F7D1                      not ecx

1001FCDB  |.  49                        dec ecx

1001FCDC  |.  51                        push ecx

1001FCDD  |.  52                        push edx

1001FCDE  |.  55                        push ebp

1001FCDF  |.  E8 9C2E0200               call nmtrans.10042B80

1001FCE4  |.  8BBC24 2C020000           mov edi, dword ptr ss:[esp+22C]

1001FCEB  |.  83C9 FF                   or ecx, FFFFFFFF

1001FCEE  |.  33C0                      xor eax, eax

1001FCF0  |.  8D9424 20010000           lea edx, dword ptr ss:[esp+120]

1001FCF7  |.  F2:AE                     repne scas byte ptr es:[edi]

1001FCF9  |.  F7D1                      not ecx

1001FCFB  |.  2BF9                      sub edi, ecx

1001FCFD  |.  8BC1                      mov eax, ecx

1001FCFF  |.  8BF7                      mov esi, edi

1001FD01  |.  8BFA                      mov edi, edx

1001FD03  |.  C1E9 02                   shr ecx, 2

1001FD06  |.  F3:A5                     rep movs dword ptr es:[edi], dword ptr ds:[esi]

1001FD08  |.  8BC8                      mov ecx, eax

1001FD0A  |.  83E1 03                   and ecx, 3

1001FD0D  |.  F3:A4                     rep movs byte ptr es:[edi], byte ptr ds:[esi]

1001FD0F  |.  8D8C24 20010000           lea ecx, dword ptr ss:[esp+120]

1001FD16  |.  51                        push ecx

1001FD17  |.  E8 64650400               call nmtrans.10066280

1001FD1C  |.  8BD8                      mov ebx, eax

1001FD1E  |.  83C9 FF                   or ecx, FFFFFFFF

1001FD21  |.  8BFB                      mov edi, ebx

1001FD23  |.  33C0                      xor eax, eax

1001FD25  |.  83C4 10                   add esp, 10

1001FD28  |.  BE 02000000               mov esi, 2

1001FD2D  |.  F2:AE                     repne scas byte ptr es:[edi]

1001FD2F  |.  F7D1                      not ecx

1001FD31  |.  49                        dec ecx

1001FD32  |.  8D7C24 14                 lea edi, dword ptr ss:[esp+14]

1001FD36  |.  894C24 10                 mov dword ptr ss:[esp+10], ecx

1001FD3A  |>  3B7424 10                 /cmp esi, dword ptr ss:[esp+10]

1001FD3E  |.  7D 22                     |jge short nmtrans.1001FD62

1001FD40  |.  0FBE141E                  |movsx edx, byte ptr ds:[esi+ebx]

1001FD44  |.  52                        |push edx

1001FD45  |.  E8 44500200               |call nmtrans.10044D8E

1001FD4A  |.  83C4 04                   |add esp, 4

1001FD4D  |.  85C0                      |test eax, eax

1001FD4F  |.  74 09                     |je short nmtrans.1001FD5A

1001FD51  |.  8A041E                    |mov al, byte ptr ds:[esi+ebx]

1001FD54  |.  8807                      |mov byte ptr ds:[edi], al

1001FD56  |.  47                        |inc edi

1001FD57  |.  C607 00                   |mov byte ptr ds:[edi], 0

1001FD5A  |>  83C6 02                   |add esi, 2

1001FD5D  |.  83FE 08                   |cmp esi, 8

1001FD60  |.^ 7E D8                     \jle short nmtrans.1001FD3A

1001FD62  |>  8D7C24 14                 lea edi, dword ptr ss:[esp+14]

1001FD66  |.  83C9 FF                   or ecx, FFFFFFFF

1001FD69  |.  33C0                      xor eax, eax

1001FD6B  |.  F2:AE                     repne scas byte ptr es:[edi]

1001FD6D  |.  F7D1                      not ecx

1001FD6F  |.  2BF9                      sub edi, ecx

1001FD71  |.  8BF7                      mov esi, edi

1001FD73  |.  8BD1                      mov edx, ecx

1001FD75  |.  8BFD                      mov edi, ebp

1001FD77  |.  83C9 FF                   or ecx, FFFFFFFF

1001FD7A  |.  F2:AE                     repne scas byte ptr es:[edi]

1001FD7C  |.  8BCA                      mov ecx, edx

1001FD7E  |.  4F                        dec edi

1001FD7F  |.  C1E9 02                   shr ecx, 2

1001FD82  |.  F3:A5                     rep movs dword ptr es:[edi], dword ptr ds:[esi]

1001FD84  |.  8BCA                      mov ecx, edx

1001FD86  |.  83E1 03                   and ecx, 3

1001FD89  |.  F3:A4                     rep movs byte ptr es:[edi], byte ptr ds:[esi]

1001FD8B  |.  5F                        pop edi

1001FD8C  |.  5E                        pop esi

1001FD8D  |.  5D                        pop ebp

1001FD8E  |.  5B                        pop ebx

1001FD8F  |.  81C4 04020000             add esp, 204

1001FD95  \.  C3                        retn

Geez ... that's a lot of work just to churn out 4 bytes

I might rip it later for further testing but for now I'll just try and invoke it normally and watch what it does with my valid serial

onebitshort

November 29th, 2006, 03:17

ok ...

Get a copy of nmtrans.dll from your SoftICE dir
Then LoadLibrary it ... then call NmSymIsSoftICELoaded(); (no params)
It'll return 0 if not loaded, or 1 if SoftICE is loaded. And that's all there is to it

. Set a breakpoint just before the call and you can step through to see what it does with the serial

NmSymIsSoftICELoaded immediately calls nmtrans.DevIO_ConnectToSoftICE, which is simply this - first the Win9x SICE check then the NTICE check with the four extra digits:

Code:



1001FB90 nm>/$  81EC 08010000 sub esp, 108

1001FB96    |.  56            push esi

1001FB97    |.  8B35 48C00610 mov esi, dword ptr ds:[<&KERNEL32.Create>;  kernel32.CreateFileA

1001FB9D    |.  6A 00         push 0                                   ; /hTemplateFile = NULL

1001FB9F    |.  68 80000000   push 80                                  ; |Attributes = NORMAL

1001FBA4    |.  6A 03         push 3                                   ; |Mode = OPEN_EXISTING

1001FBA6    |.  6A 00         push 0                                   ; |pSecurity = NULL

1001FBA8    |.  6A 03         push 3                                   ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE

1001FBAA    |.  68 00000080   push 80000000                            ; |Access = GENERIC_READ

1001FBAF    |.  68 04870710   push nmtrans.10078704                    ; |FileName = "\\.\SICE"

1001FBB4    |.  FFD6          call near esi                            ; \CreateFileA

1001FBB6    |.  83F8 FF       cmp eax, -1

1001FBB9    |.  0F85 A7000000 jnz nmtrans.1001FC66

1001FBBF    |.  A1 303E2510   mov eax, dword ptr ds:[10253E30]

1001FBC4    |.  C74424 08 000>mov dword ptr ss:[esp+8], 100

1001FBCC    |.  85C0          test eax, eax

1001FBCE    |.  75 52         jnz short nmtrans.1001FC22

1001FBD0    |.  8D4424 04     lea eax, dword ptr ss:[esp+4]

1001FBD4    |.  50            push eax                                 ; /pHandle

1001FBD5    |.  6A 01         push 1                                   ; |Access = KEY_QUERY_VALUE

1001FBD7    |.  6A 00         push 0                                   ; |Reserved = 0

1001FBD9    |.  68 EC860710   push nmtrans.100786EC                    ; |Subkey = "Software\NuMega\SoftIce"

1001FBDE    |.  68 02000080   push 80000002                            ; |hKey = HKEY_LOCAL_MACHINE

1001FBE3    |.  FF15 08C00610 call near dword ptr ds:[<&ADVAPI32.RegOp>; \RegOpenKeyExA

1001FBE9    |.  85C0          test eax, eax

1001FBEB    |.  75 35         jnz short nmtrans.1001FC22

1001FBED    |.  8B5424 04     mov edx, dword ptr ss:[esp+4]

1001FBF1    |.  8D4C24 08     lea ecx, dword ptr ss:[esp+8]

1001FBF5    |.  51            push ecx                                 ; /pBufSize

1001FBF6    |.  68 343E2510   push nmtrans.10253E34                    ; |Buffer = nmtrans.10253E34

1001FBFB    |.  50            push eax                                 ; |pValueType

1001FBFC    |.  50            push eax                                 ; |Reserved

1001FBFD    |.  68 E4860710   push nmtrans.100786E4                    ; |ValueName = "Serial"

1001FC02    |.  52            push edx                                 ; |hKey

1001FC03    |.  FF15 00C00610 call near dword ptr ds:[<&ADVAPI32.RegQu>; \RegQueryValueExA

1001FC09    |.  85C0          test eax, eax

1001FC0B    |.  75 0A         jnz short nmtrans.1001FC17

1001FC0D    |.  C705 303E2510>mov dword ptr ds:[10253E30], 1

1001FC17    |>  8B4424 04     mov eax, dword ptr ss:[esp+4]

1001FC1B    |.  50            push eax                                 ; /hKey

1001FC1C    |.  FF15 04C00610 call near dword ptr ds:[<&ADVAPI32.RegCl>; \RegCloseKey

1001FC22    |>  68 343E2510   push nmtrans.10253E34                   ; Serial

1001FC27    |.  8D4C24 10     lea ecx, dword ptr ss:[esp+10]

1001FC2B    |.  68 D8860710   push nmtrans.100786D8                    ;  ASCII "\\.\NTICE"

1001FC30    |.  51            push ecx

1001FC31    |.  E8 3A000000   call nmtrans.1001FC70

1001FC36    |.  83C4 0C       add esp, 0C

1001FC39    |.  8D5424 0C     lea edx, dword ptr ss:[esp+C]

1001FC3D    |.  6A 00         push 0

1001FC3F    |.  68 80000000   push 80

1001FC44    |.  6A 03         push 3

1001FC46    |.  6A 00         push 0

1001FC48    |.  6A 03         push 3

1001FC4A    |.  68 00000080   push 80000000

1001FC4F    |.  52            push edx

1001FC50    |.  FFD6          call near esi

1001FC52    |.  8BF0          mov esi, eax

1001FC54    |.  83FE FF       cmp esi, -1

1001FC57    |.  75 0B         jnz short nmtrans.1001FC64

1001FC59    |.  68 010058A6   push A6580001                            ; /Error = A6580001 (-1504182271.)

1001FC5E    |.  FF15 C8C00610 call near dword ptr ds:[<&KERNEL32.SetLa>; \SetLastError

1001FC64    |>  8BC6          mov eax, esi

1001FC66    |>  5E            pop esi

1001FC67    |.  81C4 08010000 add esp, 108

1001FC6D    \.  C3            retn

onebitshort

November 29th, 2006, 03:40

Kayaker, I just noticed this paragraph http://www.woodmann.com/crackz/Tutorials/Protect.htm ("http://www.woodmann.com/crackz/Tutorials/Protect.htm")

Quote:

In SoftICE v4.3.2 this detection method no longer works as internally the SymbolicLink name of NTICE has a 4 digit number appended (this is based upon the serial number used to install SoftICE), a discussion of this is available here courtesy of SoftICE guru Kayaker.

But the link is invalid (it just points to showthread.php but doesnt specify the thread) - have you got a working link for that? Many thanks

JMI

November 29th, 2006, 03:59

Try the link without the "( )" as

http://www.woodmann.com/crackz/Tutorials/Protect.htm

and it should work. Did for me, just now.

Regards,

onebitshort

November 29th, 2006, 04:03

No not that link, the one mentioned in the quote - "a discussion of this is available here, but that link is just to showthread.php without and thread ID

onebitshort

November 29th, 2006, 04:08

Only 60 references for NmSymisSoftICELoaded at Google and only 23 for DevIO_ConnectToSoftICE, but one of the more interesting ones is from a book 'Crackproof Your Software' (append .pdf to find the ebook) which mentions it:

Quote:

Detecting SoftICE by Calling the NmSymIsSoftICELoaded DLL
Function from the nmtrans.dll Library

The SoftICE DLL library nmtrans.dll contains the NmSymIsSoftICELoaded function, which we can use to see whether SoftICE is active in memory. This trick can be used in all Windows versions, and it is not used very often.

To use this trick, first load the nmtrans.dll library into memory by API− calling LoadLibraryA. Next, find its address by API−calling GetProcAddress, and then calls it. If the return value is other than 0 then SoftICE is active in memory.

The nmtrans.dll library uses an API call to CreateFileA for SoftICE detection, as shown in the section above titled "Detecting SoftICE by Opening Its Drivers and Calling the CreateFileA API Function (SICE, NTICE)." It is important to test breakpoints at API calls to the LoadLibraryA, GetProcAddress, CreateFileA, and possibly even to NmSymIsSoftICELoaded.

Because paths for Windows 9x and Windows NT are firmly set, this isn't an ideal tool, because SoftICE could be installed anywhere. In the "Using the Windows Registry to Find the Directory Where SoftICE Is Installed" section later in this chapter, I will show you how to use the Windows registers to determine where SoftICE has been installed.

JMI

November 29th, 2006, 04:10

The SEARCH Button can be your friend.

http://www.woodmann.com/forum/showthread.php?t=7237&highlight=SoftICE+v4.3.2

Maybe that's it. Nope. that's just about maping the keyboard. Guess we'll have to see if Kayaker remembers in the morning.

Regards,

onebitshort

November 29th, 2006, 04:13

I have searched, both here and Google, and no that's not it, thankyou anyway ...

JMI

November 29th, 2006, 04:23

Here's a list of 205 Threads with both Softice and Kayaker. You probably could add more words to the advanced search button and narrow it down. I'm relatively sure none of Kayaker's posts have been deleted.

http://www.woodmann.com/forum/search.php?searchid=256367

Regards,

Kayaker

November 29th, 2006, 14:09

Nice work onebitshort

Urm, if the question I'm supposed to remember in the morning concerns the link in the protect.htm file.. looks like that's been fixed and it points to THIS thread, the one of which you're part of.

Damn that CrackZ fellow is good. You almost never hear from him, you wonder if he's still around, and here he is quietly updating the updates on his classic website even while the ink is still wet. That's very reassuring!

Regards,
Kayaker

onebitshort

November 29th, 2006, 22:34

Hello Crackz!

Kayaker - I just rechecked the page and it seems Crackz has since corrected the link so that it points to this thread (when i posted here asking why it was broken it was just pointing at showthread.php), so even though I'm the one left looking like an absolute goose it was his stuffup ok?