
OpenRCE Anti Reverse Engineering Technique >> SoftIce Driver Detection

Technique Name: SoftIce Driver Detection
Category: Debugging
Analysis By: ap0x
Download: AntiIce.zip
Added On: March 11 2006
Last Updated: March 13 2006
Description:
; #########################################################################

      .586
      .model flat, stdcall
      option casemap :none   ; case sensitive

; #########################################################################
      include \masm32\include\windows.inc
      include \masm32\include\user32.inc
      include \masm32\include\kernel32.inc
      include \masm32\include\comdlg32.inc
      
      includelib \masm32\lib\user32.lib
      includelib \masm32\lib\kernel32.lib
      includelib \masm32\lib\comdlg32.lib
      
; #########################################################################  
    .data
VICETOOLZ_1 db "\\.\SICE",0h      ; SoftICE driver, Windows 9x
VICETOOLZ_2 db "\\.\SIWVID",0h    ; SoftICE video driver
VICETOOLZ_3 db "\\.\NTICE",0h     ; SoftICE driver, Windows NT
VICETOOLZ_4 db "\\.\REGSYS",0h    ; Regmon (NT)
VICETOOLZ_5 db "\\.\REGVXG",0h    ; Regmon (9x)
VICETOOLZ_6 db "\\.\FILEVXG",0h   ; Filemon (9x)
VICETOOLZ_7 db "\\.\FILEM",0h     ; Filemon (NT)
VICETOOLZ_8 db "\\.\TRW",0h       ; TRW2000 debugger
VICETOOLZ_9 db "\\.\ICEEXT",0h    ; IceExt, SoftICE extension

DbgNotFoundTitle db "Debugger status:",0h
DbgFoundTitle db "Debugger status:",0h
DbgNotFoundText db "Debugger or other vice tool not found!",0h
DbgFoundText db "Debugger or other vice tool found!",0h
    .code

start:

; MASM32 antiICE example
; coded by ap0x
; Reversing Labs: http://ap0x.headcoders.net

; This is the oldest way to detect SoftICE: try to open, with CreateFileA,
; the device name that the SoftICE driver (or a related tool) registers.
; When the driver is loaded the open succeeds and a real handle comes back;
; when it is not, CreateFileA fails and returns INVALID_HANDLE_VALUE (-1).
; So any return value other than -1 means SICE or another "vice" tool is
; present.

; Start data. There are 9 vice-tool device names, stored back to back as
; NUL-terminated strings starting at VICETOOLZ_1.

MOV ESI,9                  ; number of names still to try
MOV EDI,offset VICETOOLZ_1 ; pointer to the current name

@TryNext:
PUSH 0h                    ; hTemplateFile
PUSH FILE_ATTRIBUTE_NORMAL ; dwFlagsAndAttributes
PUSH OPEN_EXISTING         ; dwCreationDisposition: the device must already exist
PUSH 0h                    ; lpSecurityAttributes
PUSH FILE_SHARE_READ       ; dwShareMode
PUSH GENERIC_READ          ; dwDesiredAccess (the original pushed FILE_FLAG_WRITE_THROUGH
                           ; here, which happens to have the same value, 80000000h)
PUSH EDI                   ; lpFileName: current "\\.\..." device name
CALL CreateFileA

; Small fix here: CreateFileA signals failure with INVALID_HANDLE_VALUE (-1),
; not with 0, so the comparison must be against -1.

CMP EAX,-1                 ; INVALID_HANDLE_VALUE
JNE @ToolFound             ; a valid handle: the driver answered

; Not found: advance EDI past the terminating NUL to the next name.

@find_next:
INC EDI
CMP BYTE PTR[EDI],0h
JNE @find_next
INC EDI                    ; skip the NUL, EDI now points at the next name
DEC ESI
JNE @TryNext

PUSH 40h                   ; MB_ICONINFORMATION
PUSH offset DbgNotFoundTitle
PUSH offset DbgNotFoundText
PUSH 0
CALL MessageBox

@Exit:
PUSH 0
CALL ExitProcess

@ToolFound:
PUSH EAX                   ; EAX still holds the open handle; release it
CALL CloseHandle
PUSH 30h                   ; MB_ICONEXCLAMATION
PUSH offset DbgFoundTitle
PUSH offset DbgFoundText
PUSH 0
CALL MessageBox
JMP @Exit

end start
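As an added example (not part of ap0x's code or the OpenRCE page), here is the analyst's side of this technique. The nine device-name strings above are the signature a reverser looks for when triaging a sample: find them in the data section, follow the cross-references, and the CreateFileA loop is the anti-SoftICE check. The Python below scans a raw byte buffer (a file's .data section, a memory dump) for those names in both ANSI and UTF-16LE form, case-insensitively, so the probe is located even if an author switched to CreateFileW. The sample buffer is constructed here for the demonstration; the function and constant names are this example's own.

```python
import re
from typing import List, Tuple

# The device names probed by the MASM example on this page (VICETOOLZ_1..9).
SOFTICE_DEVICE_NAMES = [
    r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE", r"\\.\REGSYS", r"\\.\REGVXG",
    r"\\.\FILEVXG", r"\\.\FILEM", r"\\.\TRW", r"\\.\ICEEXT",
]


def _compile_patterns():
    """One case-insensitive byte pattern per name and encoding.

    ANSI matches a CreateFileA string table such as the .data section above;
    UTF-16LE matches the same names when a sample uses CreateFileW instead.
    """
    patterns = []
    for name in SOFTICE_DEVICE_NAMES:
        for encoding in ("ascii", "utf-16le"):
            raw = name.encode(encoding)
            patterns.append((name, encoding, re.compile(re.escape(raw), re.IGNORECASE)))
    return patterns


_PATTERNS = _compile_patterns()


def scan_for_softice_probes(blob: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, device name, encoding) for every probe string found in
    blob, sorted by offset. An empty list means no SoftICE-style probe strings."""
    hits = []
    for name, encoding, pattern in _PATTERNS:
        for match in pattern.finditer(blob):
            hits.append((match.start(), name, encoding))
    return sorted(hits)


# Constructed stand-in for a .data section: two ANSI names as on this page,
# an unrelated string, one UTF-16LE name, and a benign device name that must
# not be reported.
SAMPLE_DATA_SECTION = (
    b"\x00" * 16
    + b"\\\\.\\SICE\x00"
    + b"\\\\.\\NTICE\x00"
    + b"Debugger status:\x00"
    + "\\\\.\\SIWVID".encode("utf-16le") + b"\x00\x00"
    + b"\\\\.\\PhysicalDrive0\x00"
)


if __name__ == "__main__":
    # Expected: hits at 0x0010 (SICE, ascii), 0x0019 (NTICE, ascii), 0x0034 (SIWVID, utf-16le)
    for offset, name, encoding in scan_for_softice_probes(SAMPLE_DATA_SECTION):
        print(f"0x{offset:04x}  {encoding:<8}  {name}")
```

Each reported offset is where to set a data breakpoint or look for cross-references; the CreateFileA (or CreateFileW) call that consumes it is the check to study or neutralise. The scan is deliberately case-insensitive because the Win32 device namespace is, so a sample is free to store the names in any case.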
