Exetools  

#1
04-15-2006, 17:15
taos
Uhmmm! Good news about OLLY. To my mind come some Ring0 protections... STARFORCE & ILOK from PACE (a lot of audio plugins protected in the NET).
Will there be 2 ways? Rich & poor protections... So rich will use Ring0 and the rest Ring3?
I think, like you, that it's time for Ring3, but on the other side I don't believe that SF & ILOK will migrate to it. We must wait!
#2
04-15-2006, 19:29
MarkusO
Only allowing "signed by Microsoft" drivers is not the only problem which we will have to face on Windows Vista. Even when only debugging your own Ring3 applications, a Ring0 Debugger has some advanced features which are not available in Ring3.

Quote from Microsoft on the topic "patch protection" (implemented in Win2003 x64 and Vista x86/x64):
Quote:
Q. What happens if an application or driver attempts to patch the kernel on a system that supports patch protection?
A. If the operating system detects an application or driver that patches the kernel, it generates a bug check and shuts down the system. Modifications that trigger this behavior are:
- Modifying system service tables
- Modifying the interrupt descriptor table (IDT)
- Modifying the global descriptor table (GDT)
- Using kernel stacks that are not allocated by the kernel
- Patching any part of the kernel (detected on AMD64-based systems only)

Over time, patch protection will be extended to protect additional kernel resources.

An IDT protection, for example, prevents anybody from using hardware breakpoints (since INT 01 can't be "hooked" any more).
#3
04-15-2006, 21:14
sHice
Kayaker posted a link on woodmann to an article which describes the patch guard protection in detail. It also gives working sample code how to bypass it. Patchguard is only a software based protection, so bypassing it won't be a big problem for the rce community. I don't expect m$ to improve on it if it is broken; I think they only want that the average user is protected from rootkits and the like. Here's the article: http://uninformed.org/index.cgi?v=3&a=3&t=sumry
All times are GMT +8.