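; Soft-ICE / IceDump detection by walking the VMM's VxD location list.
;
; How it works:
;   1. Main (ring 3) locates the IDT with SIDT, overwrites the handler offset
;      of vector 5 (#BR, BOUND) with our own routine `setup`, executes INT 5
;      to get a ring-0 call, then restores the original vector.
;   2. `setup` (ring 0) calls VMM_GetVxDLocationList, walks the returned list,
;      appends each 8-byte VxD name to `dumpa` and bumps a counter whenever a
;      name matches a known Soft-ICE / IceDump device.
;   3. Back in ring 3, Main reports the counters via MessageBoxA and exits.
;
; Assumptions / caveats (reviewer notes):
;   - Win9x only: writing to the IDT from ring 3 relies on the IDT being
;     mapped writable in the shared system area. On NT-family Windows the
;     write faults (SIDT itself is fine everywhere). The author's own header
;     called this route "sucks" and suggested a different way into ring 0;
;     a debugger user can also sit on INT 5 and intercept the hook itself.
;   - The INT 20h VxDCall stubs are patched in place by the VMM on first
;     execution (into direct calls), so the code page must be writable --
;     presumably true under Win9x; confirm for other loaders.
;   - The name compares below are trivially defeated by renaming the VxD
;     (author's note) -- treat this as a heuristic, not a guarantee.
;   - Layout of a VxD location list entry is inferred from the original
;     code, not from documentation: +0 next pointer (the loop does
;     eax = [eax]), +06h VxD id (passed to Get_DDB), +0Ch 8-byte name,
;     +87h a word the author compares with 0434Bh and admits may not be
;     constant. Confirm against the DDK before relying on these offsets.
;
; Syntax: MASM, Intel order, 32-bit flat model. Win32 API calls are stdcall
; (callee cleans the stack). `setup` is an interrupt handler, not a function:
; it preserves every GPR with PUSHAD/POPAD and returns with IRETD.
;
                .586p
                .Model  Flat

                extrn   ExitProcess : PROC
                extrn   MessageBoxA : PROC
                extrn   GetTickCount : PROC

; ---- constants ---------------------------------------------------------
BOUND_VECTOR            equ     5               ; IDT vector we hijack (#BR)
IDT_ENTRY_SIZE          equ     8               ; bytes per gate descriptor
VXD_NAME_LEN            equ     8               ; name field at entry+0Ch
VXD_NAME_OFS            equ     0ch             ; offset of the name field
VXD_ID_OFS              equ     06h             ; offset the author reads as vxd id
VXD_MAGIC_OFS           equ     087h            ; offset of the 0434Bh word (unverified)
DUMPA_SIZE              equ     01000h          ; bytes reserved for the name dump
VMM_GetVxDLocationList  equ     0001013Fh       ; VxD id 0001 (VMM), service 013Fh
Get_DDB                 equ     00010146h       ; VxD id 0001 (VMM), service 0146h

; VxDCall service
;   Emits `int 20h` followed by the dword VxD-id:service. The VMM replaces
;   the six bytes with a direct call on first execution.
VxDCall         MACRO   service
                int     020h
                dd      service
                ENDM

                .Data
caption         db      "daemon",0
text            db      "no sice found!",0
text2           db      "found SICE in memory",0
text3           db      "found ICEDUMP in memory",0
text4           db      "found SICE in memory (test2)",0
text5           db      "found SICE in memory (test3)",0
; Detection counters, incremented at ring 0 by `setup`. They must start at
; zero (the ring-3 code only tests them for non-zero), so initialise them
; explicitly instead of relying on `?` being zero-filled.
found           dd      0               ; name "SICE" seen
found_1         dd      0               ; word 0434Bh at entry+87h seen
found_2         dd      0               ; name "SIWD" (SIWDEBUG) seen
ici             dd      0               ; name "ICED" (IceDump) seen
; Space-separated dump of every VxD name in the list, shown in the last
; MessageBox. Zero-filled so the string is always NUL-terminated as long as
; the writer leaves the final byte alone (enforced in `setup`).
dumpa           db      DUMPA_SIZE dup (00h)
dumpa_end       label   byte
pointer         dd      offset dumpa    ; next free byte in dumpa

                .Code
;-----------------------------------------------------------------------
; Main -- process entry point (no arguments).
; Registers:
;   edx = address of the IDT entry for BOUND_VECTOR
;   ebx = original 32-bit handler offset of that entry (saved for restore)
;   eax = scratch (our handler address split into two words)
; Side effects: temporarily rewrites an IDT gate, triggers INT 5, shows
; message boxes, terminates the process with exit code 0.
;-----------------------------------------------------------------------
Main:
                ; Fetch the IDT base. SIDT stores 6 bytes (16-bit limit,
                ; 32-bit base); use a real stack slot instead of writing
                ; below ESP.
                sub     esp,8
                sidt    fword ptr [esp]
                mov     edx,dword ptr [esp+2]   ; edx = IDT linear base
                add     esp,8
                add     edx,BOUND_VECTOR*IDT_ENTRY_SIZE  ; edx = &IDT[5]

                ; Gate descriptor layout: +0 offset[15:0], +2 selector,
                ; +4 reserved, +5 type/attrs, +6 offset[31:16].
                ; Save the original handler offset in ebx.
                movzx   ebx,word ptr [edx+6]
                shl     ebx,16
                mov     bx,word ptr [edx]

                ; Point the gate at `setup`. Two non-atomic word writes; a
                ; #BR or INT 5 on another thread in between would land on a
                ; half-patched vector (accepted by the original as well).
                mov     eax,offset setup
                mov     word ptr [edx],ax
                shr     eax,16
                mov     word ptr [edx+6],ax

                push    ds                      ; segment regs are preserved
                push    es                      ; around the ring-0 excursion
                int     5                       ; = BOUND_VECTOR -> setup
                pop     es
                pop     ds

                ; Restore the original vector.
                mov     word ptr [edx],bx
                shr     ebx,16
                mov     word ptr [edx+6],bx

                ; MessageBoxA(0, text-or-text2, caption, 0)
                push    0                       ; uType
                push    offset caption          ; lpCaption
                push    offset text             ; lpText (default: nothing found)
                cmp     found,0
                je      show_main
                mov     dword ptr [esp],offset text2   ; replace lpText in place
show_main:
                push    0                       ; hWnd
                call    MessageBoxA

                cmp     found_1,0
                je      skip_test2
                push    0
                push    offset caption
                push    offset text4
                push    0
                call    MessageBoxA
skip_test2:
                cmp     found_2,0
                je      skip_test3
                push    0
                push    offset caption
                push    offset text5
                push    0
                call    MessageBoxA
skip_test3:
                cmp     ici,0
                je      skip_icedump
                push    0
                push    offset caption
                push    offset text3
                push    0
                call    MessageBoxA
skip_icedump:
                ; Show the collected VxD name list.
                push    0
                push    offset caption
                push    offset dumpa
                push    0
                call    MessageBoxA

                ; ExitProcess(uExitCode). The original pushed nothing, so the
                ; exit code was whatever happened to be on the stack.
                push    0
                call    ExitProcess

;-----------------------------------------------------------------------
; setup -- ring-0 INT 5 handler installed by Main.
; Walks the VMM VxD location list, appends every name to `dumpa` and
; increments the detection counters. All GPRs preserved; returns with IRETD.
; Registers inside the loop:
;   eax = current list entry (eax = [eax] advances; 0 terminates)
;   edi/esi/ecx = string-copy operands inside the PUSHAD/POPAD window
;-----------------------------------------------------------------------
setup:
                pushad
                VxDCall VMM_GetVxDLocationList  ; eax = list (head or head ptr;
                                                ; the loop dereferences first)
scan_next:
                mov     eax,[eax]               ; eax = entry->next
                test    eax,eax
                jz      scan_done

                ; ---- append "<name> " to dumpa, bounded ------------------
                pushad
                mov     edi,pointer
                ; Need VXD_NAME_LEN + 1 (space) bytes and must keep the
                ; final byte of dumpa as the NUL terminator. Skip the copy
                ; (but keep scanning) once there is no room.
                cmp     edi,offset dumpa_end - (VXD_NAME_LEN + 2)
                ja      copy_skipped
                lea     esi,[eax+VXD_NAME_OFS]
                mov     ecx,VXD_NAME_LEN
                rep     movsb
                mov     al,' '
                stosb
                mov     pointer,edi             ; advanced by VXD_NAME_LEN+1
copy_skipped:
                popad

                ; ---- optional Get_DDB lookup (result discarded) ----------
                ; Kept from the original ("just for fun"). Zero-extend the
                ; 16-bit id: the original `mov ax,...` left the high half of
                ; the entry pointer in eax, so Get_DDB received a bogus id.
                pushad
                movzx   eax,word ptr [eax+VXD_ID_OFS]
                xor     edi,edi                 ; edi=0: look up by id, not by name
                VxDCall Get_DDB
                popad

                ; ---- name / signature checks ----------------------------
                ; Character constants are stored little-endian, so 'ECIS'
                ; matches the bytes "SICE" in memory, etc.
                cmp     dword ptr [eax+VXD_NAME_OFS],'ECIS'     ; "SICE"
                jne     not_sice
                inc     found
not_sice:
                cmp     dword ptr [eax+VXD_NAME_OFS],'DECI'     ; "ICED" (IceDump)
                jne     not_icedump
                inc     ici
not_icedump:
                cmp     word ptr [eax+VXD_MAGIC_OFS],0434bh     ; unverified constant
                jne     not_sice_magic
                inc     found_1
not_sice_magic:
                cmp     dword ptr [eax+VXD_NAME_OFS],'DWIS'     ; "SIWD" (SIWDEBUG)
                jne     scan_next
                inc     found_2
                jmp     scan_next

scan_done:
                popad
                iretd                           ; 32-bit gate frame -> IRETD
                End     Main                    ; Main is the entry point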