SoftIce Driver Detection |
Debugging |
ap0x |
AntiIce.zip |
March 11 2006 |
March 13 2006 |
; #########################################################################
.586                                    ; Pentium instruction set, 32-bit code
.model flat, stdcall                    ; flat memory model; Win32 stdcall (callee pops its arguments)
option casemap :none ; case sensitive -- API and constant names below must match the include files exactly
; #########################################################################
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\comdlg32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\comdlg32.lib
; #########################################################################
.data
; Device-namespace paths ("\\.\<name>") that the probe loop in .code hands
; to CreateFileA. The loop starts at VICETOOLZ_1 and reaches each following
; entry by stepping past the previous string's terminating NUL, so these
; 9 entries MUST stay contiguous, in this order, with nothing placed
; between them; the count 9 hard-coded in the loop must match the number
; of entries here.
VICETOOLZ_1 db "\\.\SICE",0h            ; first entry -- the loop starts here
VICETOOLZ_2 db "\\.\SIWVID",0h
VICETOOLZ_3 db "\\.\NTICE",0h
VICETOOLZ_4 db "\\.\REGSYS",0h
VICETOOLZ_5 db "\\.\REGVXG",0h
VICETOOLZ_6 db "\\.\FILEVXG",0h
VICETOOLZ_7 db "\\.\FILEM",0h
VICETOOLZ_8 db "\\.\TRW",0h
VICETOOLZ_9 db "\\.\ICEEXT",0h          ; last entry (9th); the loop stops after this one
; MessageBox caption/text for the two outcomes. The two titles are
; byte-identical; they are kept as separate labels because the found and
; not-found paths each reference their own by name.
DbgNotFoundTitle db "Debugger status:",0h
DbgFoundTitle db "Debugger status:",0h
DbgNotFoundText db "Debugger or other vice tool not found!",0h
DbgFoundText db "Debugger or other vice tool found!",0h
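.code
VICETOOLZ_COUNT equ 9                   ; number of device names in the .data table (VICETOOLZ_1..VICETOOLZ_9)

start:
;-----------------------------------------------------------------------
; start -- process entry point (MASM32 antiICE example)
; coded by ap0x
; Reversing Labs: http://ap0x.headcoders.net
;
; Purpose: the oldest SoftICE-presence check. For each of the device
;          names in .data ("\\.\SICE", ...) try CreateFileA on it. The
;          open can only succeed while the driver that owns that device
;          name is loaded, so any return value other than
;          INVALID_HANDLE_VALUE (-1) means the tool is present; -1 means
;          "not this one, try the next".
;          Note: CreateFileA reports failure with INVALID_HANDLE_VALUE,
;          NOT with 0 -- the comparison below is against -1.
;
; ABI:     Win32 stdcall, 32-bit flat. This is the entry point and leaves
;          via ExitProcess, so ESI/EDI (normally callee-saved) need not
;          be preserved.
; Regs:    ESI = device names still to try (VICETOOLZ_COUNT -> 0)
;          EDI = pointer to the current NUL-terminated name; the names are
;                laid out back-to-back in .data, so the next one starts
;                right after the current NUL
;          EAX = CreateFileA result (handle, or INVALID_HANDLE_VALUE)
; Stack:   no locals; every CALL is stdcall, so the callee pops the args.
;
; Analyst's note: this pattern -- a table of "\\.\" device strings walked
; by CreateFileA and compared with INVALID_HANDLE_VALUE -- is easy to
; recognise in a listing; the device-name strings in .data are usually
; enough to locate the check.
;-----------------------------------------------------------------------
        MOV     ESI,VICETOOLZ_COUNT             ; names left to probe
        MOV     EDI,offset VICETOOLZ_1          ; EDI = first name in the table
@TryNext:
        ; CreateFileA(EDI, GENERIC_READ, FILE_SHARE_READ, NULL,
        ;             OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL)
        PUSH    0h                              ; hTemplateFile = NULL
        PUSH    FILE_ATTRIBUTE_NORMAL           ; dwFlagsAndAttributes
        PUSH    OPEN_EXISTING                   ; dwCreationDisposition: must already exist
        PUSH    0h                              ; lpSecurityAttributes = NULL
        PUSH    FILE_SHARE_READ                 ; dwShareMode (read sharing only)
        PUSH    GENERIC_READ                    ; dwDesiredAccess. The original pushed
                                                ; FILE_FLAG_WRITE_THROUGH here; both are
                                                ; 80000000h, so the call is unchanged, but
                                                ; GENERIC_READ is the access flag that is meant.
        PUSH    EDI                             ; lpFileName = "\\.\<device>"
        CALL    CreateFileA
        CMP     EAX,INVALID_HANDLE_VALUE        ; -1: open failed -> this driver is not loaded
        JNE     @ToolFound                      ; anything else is a real handle -> found
        ; Not found: advance EDI past this string's terminating NUL to the
        ; start of the next device name (the table is contiguous).
@find_next:
        INC     EDI
        CMP     BYTE PTR[EDI],0h
        JNE     @find_next
        INC     EDI                             ; skip the NUL itself
        DEC     ESI
        JNE     @TryNext                        ; names left -> probe the next one
        ; Every probe failed: report "not found".
        PUSH    MB_ICONINFORMATION              ; uType = 40h (MB_OK is 0)
        PUSH    offset DbgNotFoundTitle         ; lpCaption
        PUSH    offset DbgNotFoundText          ; lpText
        PUSH    0                               ; hWnd = NULL
        CALL    MessageBox
@Exit:
        PUSH    0                               ; uExitCode = 0
        CALL    ExitProcess
@ToolFound:
        ; EAX is an open handle to the driver's device object. Close it so
        ; the handle is not leaked (the original left it open until exit).
        PUSH    EAX                             ; hObject
        CALL    CloseHandle
        PUSH    MB_ICONWARNING                  ; uType = 30h (MB_OK is 0)
        PUSH    offset DbgFoundTitle            ; lpCaption
        PUSH    offset DbgFoundText             ; lpText
        PUSH    0                               ; hWnd = NULL
        CALL    MessageBox
        JMP     @Exit
end start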