Flag: Tornado! Hurricane!

OpenRCE Anti Reverse Engineering Technique >> SoftIce Driver Detection

Technique Name Category Analysis By Download Added On Last Updated
SoftIce Driver Detection Debugging ap0x AntiIce.zip March 11 2006 March 13 2006
Description:
; #########################################################################

      .586
      .model flat, stdcall
      option casemap :none   ; case sensitive

; #########################################################################
      include \masm32\include\windows.inc
      include \masm32\include\user32.inc
      include \masm32\include\kernel32.inc
      include \masm32\include\comdlg32.inc
      
      includelib \masm32\lib\user32.lib
      includelib \masm32\lib\kernel32.lib
      includelib \masm32\lib\comdlg32.lib
      
; #########################################################################  
    .data
VICETOOLZ_1 db "\\.\SICE",0h
VICETOOLZ_2 db "\\.\SIWVID",0h
VICETOOLZ_3 db "\\.\NTICE",0h
VICETOOLZ_4 db "\\.\REGSYS",0h
VICETOOLZ_5 db "\\.\REGVXG",0h
VICETOOLZ_6 db "\\.\FILEVXG",0h
VICETOOLZ_7 db "\\.\FILEM",0h
VICETOOLZ_8 db "\\.\TRW",0h
VICETOOLZ_9 db "\\.\ICEEXT",0h

DbgNotFoundTitle db "Debugger status:",0h
DbgFoundTitle db "Debugger status:",0h
DbgNotFoundText db "Debugger or other vice tool not found!",0h
DbgFoundText db "Debugger or other vice tool found!",0h
    .code

start:

; MASM32 antiICE example
; coded by ap0x
; Reversing Labs: http://ap0x.headcoders.net

; This is the oldest way to detect SoftICE. Here we do it by trying to
; create a file named as SoftICE driver. Since we can not access it
; error will occure and we will detect this by CreateFileA return value.
; If EAX is zero, SICE or other "vice" tool is detected.

; Start data. There are 9 of vice tools and first string is located at
; VICETOOLZ_1 offset.

MOV ESI,9
MOV EDI,offset VICETOOLZ_1

@TryNext:
PUSH 0h ;hTemplateFile
PUSH FILE_ATTRIBUTE_NORMAL ;Hidden/Normal
PUSH OPEN_EXISTING ;OPEN_EXISTING
PUSH 0h ;pSecurity
PUSH FILE_SHARE_READ ;ShareMode = File Share Write
PUSH FILE_FLAG_WRITE_THROUGH ;Access
PUSH EDI ;Path
CALL CreateFileA ;CreateFileA

; Small fix here!

CMP EAX,-1
JNE @ToolFound

; Here we search for the next vice tool string [name].

@find_next:
INC EDI
CMP BYTE PTR[EDI],0h
JNE @find_next
INC EDI
DEC ESI
JNE @TryNext

PUSH 40h
PUSH offset DbgNotFoundTitle
PUSH offset DbgNotFoundText
PUSH 0
CALL MessageBox

@Exit:
PUSH 0
CALL ExitProcess

@ToolFound:
PUSH 30h
PUSH offset DbgFoundTitle
PUSH offset DbgFoundText
PUSH 0
CALL MessageBox
JMP @Exit

end start

There are 31,099 total registered users.


Recently Created Topics
How to view IDA Pro'...
Nov/02
reverse MC9S12DG128
Oct/07
Looking for an advan...
Mar/21
Ultimate Hacking Cha...
Jun/21
CreateMutex
May/31
let 'IDAPython' impo...
Sep/24
set 'IDAPython' as t...
Sep/24
GuessType return une...
Sep/20
About retrieving the...
Sep/07
How to find specific...
Aug/15


Recent Forum Posts
Looking for an advan...
tthtlc
Looking for an advan...
tthtlc
Looking for an advan...
clightning
Identify RVA data in...
sohlow
let 'IDAPython' impo...
sohlow
How to find specific...
hackgreti
Problem with ollydbg
sh3dow
How can I write olly...
sh3dow
New LoadMAP plugin v...
mefisto...
Intel pin in loaded ...
djnemo


Recent Blog Entries
nieo
Mar/22
Android Application Reversing

halsten
Mar/14
Breaking IonCUBE VM

oleavr
Oct/24
Anatomy of a code tracer

hasherezade
Sep/24
IAT Patcher - new tool for ...

oleavr
Aug/27
CryptoShark: code tracer ba...

More ...


Recent Blog Comments
nieo on:
Mar/22
IAT Patcher - new tool for ...

djnemo on:
Nov/17
Kernel debugger vs user mod...

acel on:
Nov/14
Kernel debugger vs user mod...

pedram on:
Dec/21
frida.github.io: scriptable...

capadleman on:
Jun/19
Using NtCreateThreadEx for ...

More ...


Imagery
SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit