Detecting SoftICE by Opening Its Drivers
Debugging
halsten
July 10 2007
July 10 2007
; ----------------------------------------------------------------------
;
; Author: halsten
; E-mail: halsten [at] gmail [dot] com
; Website: http://iamhalsten.thecoderblogs.com/
;
; -----------------------------------------------------------------------
.386p                                   ; 386 protected-mode instruction set
model flat                              ; Win32: one flat 4 GB code/data space
locals                                  ; allow @@-prefixed labels local to a PROC
jumps                                   ; let the assembler widen out-of-range conditional jumps
UNICODE=0                               ; presumably selects the ANSI API flavour inside w32.inc
include w32.inc                         ; Win32 constants and API declarations
extrn SetUnhandledExceptionFilter :PROC ; declared by hand; CreateFileA/MessageBoxA/ExitProcess
                                        ; are not declared here, so presumably come from w32.inc
.data
; --- user-visible strings (ANSI, NUL-terminated) ---
szMsgTitle          db "Detection by means of CreateFileA", 00h
szDebuggerFound     db "SoftICE found", 00h
szDebuggerNotFound  db "SoftICE not found", 00h
; --- scratch slots written by EntryPoint ---
DelayESP            dd 0                ; ESP at entry; the exception filter unwinds to it
PreviousSEH         dd 0                ; filter handle returned by SetUnhandledExceptionFilter
; --- SoftICE device names: SICE (Windows 9x), NTICE (NT family) ---
szSoftIce9x         db "\\.\SICE", 00h
szSoftIceNT         db "\\.\NTICE", 00h
.code
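EntryPoint PROC
; ---------------------------------------------------------------------------
; EntryPoint -- SoftICE presence check via CreateFileA on its device names.
;
; Tries to open the SoftICE driver devices "\\.\SICE" (Windows 9x) and
; "\\.\NTICE" (NT family). If either open returns a valid handle the debugger
; is assumed to be loaded. The verdict is shown with MessageBoxA and the
; process is terminated with ExitProcess (exit code -1 on both paths), so this
; procedure never returns and register preservation is moot.
;
; Inputs:  none.
; Outputs: none (process exits).
; Globals: writes DelayESP and PreviousSEH (.data).
;
; Fixes relative to the earlier listing:
;  1. On the SICE probe, OPEN_EXISTING and NULL were pushed in the wrong order,
;     so dwCreationDisposition was 0 and lpSecurityAttributes was 3; CreateFile
;     rejects a zero disposition, so that probe could never succeed.
;  2. The "found" flag was pushed with `push word ptr 1` (2 bytes) but read
;     back with `pop eax` (4 bytes), leaving ESP off by two; it is now a dword.
;  3. @@DebuggerFound was defined twice (rejoin point and report path); the
;     rejoin point is now @@Report and the "handle valid" target is @@Found.
;
; Reviewer notes:
;  * A valid device handle is never closed before ExitProcess; tolerable only
;    because the process exits immediately afterwards.
;  * FILE_FLAG_WRITE_THROUGH is passed where dwDesiredAccess belongs. Its bit
;    value (0x80000000) coincides with GENERIC_READ, so the call works, but the
;    intent is read access; kept as-is because the constants exported by
;    w32.inc are not visible from this file.
;  * Opening the driver device is a classic, easily defeated check (API
;    hooking, renamed devices); treat it as one signal, not as proof.
; ---------------------------------------------------------------------------
        ; Park the entry ESP so @@Error can discard any faulting frames.
        mov     [DelayESP], esp

        ; Install @@Error as the top-level exception filter and remember the
        ; previous filter so it can be put back before reporting.
        push    offset @@Error
        call    SetUnhandledExceptionFilter
        mov     [PreviousSEH], eax

        ; CreateFileA(lpFileName, dwDesiredAccess, dwShareMode,
        ;             lpSecurityAttributes, dwCreationDisposition,
        ;             dwFlagsAndAttributes, hTemplateFile)
        ; stdcall: arguments are pushed right to left, callee pops them.

        ; --- Probe 1: Windows 9x driver "\\.\SICE" ---------------------------
        push    NULL                            ; hTemplateFile
        push    FILE_ATTRIBUTE_NORMAL           ; dwFlagsAndAttributes
        push    OPEN_EXISTING                   ; dwCreationDisposition
        push    NULL                            ; lpSecurityAttributes
        push    FILE_SHARE_READ                 ; dwShareMode
        push    FILE_FLAG_WRITE_THROUGH         ; dwDesiredAccess (same bit as GENERIC_READ)
        push    offset szSoftIce9x              ; lpFileName
        call    CreateFileA
        cmp     eax, -1                         ; INVALID_HANDLE_VALUE?
        jnz     @@Found                         ; valid handle -> driver present

        ; --- Probe 2: NT-family driver "\\.\NTICE" ---------------------------
        push    NULL                            ; hTemplateFile
        push    FILE_ATTRIBUTE_NORMAL           ; dwFlagsAndAttributes
        push    OPEN_EXISTING                   ; dwCreationDisposition
        push    NULL                            ; lpSecurityAttributes
        push    FILE_SHARE_READ                 ; dwShareMode
        push    FILE_FLAG_WRITE_THROUGH         ; dwDesiredAccess (same bit as GENERIC_READ)
        push    offset szSoftIceNT              ; lpFileName
        call    CreateFileA
        cmp     eax, -1                         ; INVALID_HANDLE_VALUE?
        jnz     @@Found                         ; valid handle -> driver present

        push    dword ptr 0                     ; verdict flag: not found
        jmp     short @@Report

@@Found:
        push    dword ptr 1                     ; verdict flag: found

@@Report:
        ; The verdict flag is on top of the stack. Restore the previous
        ; filter first; stdcall pops its own argument and leaves the flag.
        push    dword ptr [PreviousSEH]
        call    SetUnhandledExceptionFilter
        pop     eax                             ; eax = verdict flag (dword)
        test    eax, eax
        jnz     @@DebuggerFound

@@DebuggerNotFound:
        push    0                               ; uType (MB_OK)
        push    offset szMsgTitle               ; lpCaption
        push    offset szDebuggerNotFound       ; lpText
        push    0                               ; hWnd
        call    MessageBoxA
        push    -1                              ; uExitCode
        call    ExitProcess

@@DebuggerFound:
        push    0                               ; uType (MB_OK)
        push    offset szMsgTitle               ; lpCaption
        push    offset szDebuggerFound          ; lpText
        push    0                               ; hWnd
        call    MessageBoxA
        push    -1                              ; uExitCode
        call    ExitProcess

@@Error:
        ; Top-level exception filter: a safety net for anything that faults
        ; between the two SetUnhandledExceptionFilter calls. Instead of
        ; returning a filter disposition it rewinds ESP to the entry value
        ; (dropping the dispatcher frames) and rejoins @@Report with a
        ; "not found" verdict, so the previous filter is still restored.
        ; NOTE(review): when a user-mode debugger is attached the system
        ; normally hands the unhandled exception to the debugger rather than
        ; calling this filter, so this path is not itself a detection.
        mov     esp, [DelayESP]
        push    dword ptr 0                     ; verdict flag: not found
        jmp     @@Report
EntryPoint ENDP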
ends
end EntryPoint