+SplAj
December 31st, 2002, 13:18
hello again
I'm going to paste some asm here, so I *hope* I'm in the right forum.
Now, Evaluator disclosed some info that IceDump leaves Colonel32 (Kernel32) memory w-i-d-e-o-p-e-n.... naughty naughty, tsk tsk. Is it true? Is the nemesis here?
How to detect that IceDump is loaded on a Win9x O/S: just run the latest PELock 1.05 demo and you'll see.
How does it know? You have /protect on, but the bastard still knows you are using SoftICE!!!! (btw, this Bart is not Bart; the other one is Bart, Evaluator.)
Here's how:
TASM ASM
.386p
.MODEL FLAT,STDCALL
locals
jumps
UNICODE=0
include w32.inc
include PELOCK.INC
extrn GetProcAddress :PROC
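.data
;-- message strings (ANSI, NUL-terminated; UNICODE=0 is set above) ----------
; msg2 and msg3 were split across a line break inside the quoted literal in
; the listing; a TASM string literal cannot span lines, so they are rejoined.
msg1   db "PELock 1.05 check 'IceDump' test",0              ; MessageBox caption
msg2   db "SEH triggered ok....Did NOT detect IceDump....",0 ; write to kernel32 faulted
msg3   db "*** I C E D U M P *** D E T E C T E D",0          ; write to kernel32 succeeded
mark   db 0              ; set to 1 by SEH_handler when the access violation fired
iKern  db "Kernel32",0   ; module name passed to GetModuleHandle
iExit  db "ExitProcess",0 ; export name passed to GetProcAddress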
.code
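;-----------------------------------------------------------------------------
; Start - program entry (TASM, flat model, Win32 stdcall imports from w32.inc).
;
; Installs a SEH frame and then tries to write to the first dword of
; kernel32!ExitProcess.  Per the post, on a plain Win9x box that page is not
; writable: the access violation lands in SEH_handler, which sets `mark`,
; decodes the bytes at iNop into NOPs and resumes there -> "Did NOT detect".
; With IceDump loaded the write is claimed to succeed silently, so execution
; falls straight through to the "DETECTED" message.
;
; NOTE(review): this is a heuristic, not an IceDump signature.  Anything else
; that leaves kernel32 code pages writable (or any loader that maps them
; copy-on-write) produces the same "DETECTED" verdict; and on NT-family
; systems the write is expected to fault regardless of debuggers.
;
; Frame layout once installed: [esp] = saved fs:[0] (Next), [esp+4] = handler.
;-----------------------------------------------------------------------------
Start:
        xor     eax,eax                         ; eax = 0, used as fs:[0] index
        push    offset SEH_handler              ; EXCEPTION_REGISTRATION.Handler
        push    dword ptr fs:[eax]              ; EXCEPTION_REGISTRATION.Next (old head)
        mov     dword ptr fs:[eax],esp          ; fs:[0] -> our frame
        call    GetModuleHandle, offset iKern   ; eax = hKernel32
        call    GetProcAddress, eax, offset iExit ; eax = &ExitProcess
        add     dword ptr [eax],00              ; probe write; raises 0C0000005h unless page is writable
        ; ---- reached only if the probe write did NOT fault ------------------
        ; The original exited here with `push eax / ret` into ExitProcess, which
        ; left the SEH frame installed and passed whatever was on the stack
        ; (the SEH_handler address) as the exit code.  Unhook the frame and exit
        ; the same way the other two paths do.
        pop     dword ptr fs:[0]                ; restore previous handler
        add     esp,4                           ; drop our handler address
        call    MessageBoxA,0, offset msg3, offset msg1,0
        call    ExitProcess, -1
;DEMO_START This is how EASY pelock programming-in-source-code is (see pelock.inc)
;place here some ' registered user only ' bit of code blah blah blah
;DEMO_END but i disabled it ( for my example )
; and included a bit of home made crypto
; iNop holds 8 encoded bytes; SEH_handler XORs them in place with
; 05417FACEh / 0DEADBEEFh, which yields 8 x 90h (NOP), and points EIP here.
; NOTE(review): that decode writes into the .code section - it relies on the
; code section being writable under the linker flags / OS used; confirm.
iNop:   db 05Eh,06Ah,087h,0C4h,07Fh,02Eh,03Dh,04Eh ; for phun.......
        ; ---- resume point after the access violation -----------------------
        pop     dword ptr fs:[0]                ; restore previous handler
        add     esp,4                           ; drop our handler address
        cmp     mark,1                          ; did SEH_handler see the fault?
        jnz     jump                            ; no mark -> treat as detected
        call    MessageBoxA,0, offset msg2, offset msg1,0
        call    ExitProcess, -1                 ; end program
jump:
        call    MessageBoxA,0, offset msg3, offset msg1,0
        call    ExitProcess, -1                 ; end program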
;+++++++++++++++++++++
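;-----------------------------------------------------------------------------
; SEH_handler - frame handler for the probe write in Start.
; In:   [esp+04h] = EXCEPTION_RECORD*   (ExceptionCode is its first dword)
;       [esp+0Ch] = CONTEXT*            (Eip at offset 0B8h)
; Out:  eax = 0 (ExceptionContinueExecution), CONTEXT.Eip = iNop, mark = 1,
;       and the 8 bytes at iNop XOR-decoded in place, when the code is
;       STATUS_ACCESS_VIOLATION (0C0000005h);
;       eax = 1 (ExceptionContinueSearch) with the context untouched otherwise.
; Clobbers: eax, ecx, flags.
;
; Fixes vs. the posted listing: the constant was written `0C0000005` without
; an `h` suffix (TASM reads unsuffixed numbers as decimal, so that does not
; assemble as intended); Eip was overwritten BEFORE the code was checked, so a
; non-AV exception could be resumed at the still-encoded iNop bytes; and the
; "not ours" path returned leftover arithmetic in eax instead of 1.
;-----------------------------------------------------------------------------
SEH_handler:
        mov     eax,[esp+04h]                   ; eax -> EXCEPTION_RECORD
        mov     eax,[eax]                       ; eax = ExceptionCode
        cmp     eax,0C0000005h                  ; STATUS_ACCESS_VIOLATION?
        jnz     SEH_handler_end                 ; not our fault: leave context alone
        mov     ecx,[esp+0Ch]                   ; ecx -> CONTEXT
        mov     dword ptr [ecx+0B8h],offset iNop ; CONTEXT.Eip = iNop (resume there)
        inc     mark                            ; tell Start the fault fired
        xor     dword ptr [iNop+4],0DEADBEEFh   ; decode bytes 4..7 -> 90h x4
        xor     dword ptr [iNop+0],05417FACEh   ; decode bytes 0..3 -> 90h x4
        xor     eax,eax                         ; ExceptionContinueExecution
        ret
SEH_handler_end:
        mov     eax,1                           ; ExceptionContinueSearch
        ret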
ends
end Start
I'm going to paste some asm here, so I *hope* I'm in the right forum.

Now, Evaluator disclosed some info that IceDump leaves Colonel32 (Kernel32) memory w-i-d-e-o-p-e-n.... naughty naughty, tsk tsk. Is it true? Is the nemesis here?
How to detect that IceDump is loaded on a Win9x O/S: just run the latest PELock 1.05 demo and you'll see.

How does it know? You have /protect on, but the bastard still knows you are using SoftICE!!!! (btw, this Bart is not Bart; the other one is Bart, Evaluator.)
Here's how:
TASM ASM

.386p
.MODEL FLAT,STDCALL
locals
jumps
UNICODE=0
include w32.inc
include PELOCK.INC
extrn GetProcAddress :PROC
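.data
;-- message strings (ANSI, NUL-terminated; UNICODE=0 is set above) ----------
; msg2 and msg3 lost their closing quote and terminator to a line break inside
; the literal in the listing; a TASM string literal cannot span lines, so they
; are rejoined and NUL-terminated here.
msg1   db "PELock 1.05 check 'IceDump' test",0              ; MessageBox caption
msg2   db "SEH triggered ok....Did NOT detect IceDump....",0 ; write to kernel32 faulted
msg3   db "*** I C E D U M P *** D E T E C T E D",0          ; write to kernel32 succeeded
mark   db 0              ; set to 1 by SEH_handler when the access violation fired
iKern  db "Kernel32",0   ; module name passed to GetModuleHandle
iExit  db "ExitProcess",0 ; export name passed to GetProcAddress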
.code
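;-----------------------------------------------------------------------------
; Start - program entry (TASM, flat model, Win32 stdcall imports from w32.inc).
;
; Installs a SEH frame and then tries to write to the first dword of
; kernel32!ExitProcess.  Per the post, on a plain Win9x box that page is not
; writable: the access violation lands in SEH_handler, which sets `mark`,
; decodes the bytes at iNop into NOPs and resumes there -> "Did NOT detect".
; With IceDump loaded the write is claimed to succeed silently, so execution
; falls straight through to the "DETECTED" message.
;
; NOTE(review): this is a heuristic, not an IceDump signature.  Anything else
; that leaves kernel32 code pages writable (or any loader that maps them
; copy-on-write) produces the same "DETECTED" verdict; and on NT-family
; systems the write is expected to fault regardless of debuggers.
;
; Frame layout once installed: [esp] = saved fs:[0] (Next), [esp+4] = handler.
;-----------------------------------------------------------------------------
Start:
        xor     eax,eax                         ; eax = 0, used as fs:[0] index
        push    offset SEH_handler              ; EXCEPTION_REGISTRATION.Handler
        push    dword ptr fs:[eax]              ; EXCEPTION_REGISTRATION.Next (old head)
        mov     dword ptr fs:[eax],esp          ; fs:[0] -> our frame
        call    GetModuleHandle, offset iKern   ; eax = hKernel32
        call    GetProcAddress, eax, offset iExit ; eax = &ExitProcess
        add     dword ptr [eax],00              ; probe write; raises 0C0000005h unless page is writable
        ; ---- reached only if the probe write did NOT fault ------------------
        ; The original exited here with `push eax / ret` into ExitProcess, which
        ; left the SEH frame installed and passed whatever was on the stack
        ; (the SEH_handler address) as the exit code.  Unhook the frame and exit
        ; the same way the other two paths do.
        pop     dword ptr fs:[0]                ; restore previous handler
        add     esp,4                           ; drop our handler address
        call    MessageBoxA,0, offset msg3, offset msg1,0
        call    ExitProcess, -1
;DEMO_START This is how EASY pelock programming-in-source-code is (see pelock.inc)
;place here some ' registered user only ' bit of code blah blah blah
;DEMO_END but i disabled it ( for my example )
; and included a bit of home made crypto
; iNop holds 8 encoded bytes; SEH_handler XORs them in place with
; 05417FACEh / 0DEADBEEFh, which yields 8 x 90h (NOP), and points EIP here.
; NOTE(review): that decode writes into the .code section - it relies on the
; code section being writable under the linker flags / OS used; confirm.
iNop:   db 05Eh,06Ah,087h,0C4h,07Fh,02Eh,03Dh,04Eh ; for phun.......
        ; ---- resume point after the access violation -----------------------
        pop     dword ptr fs:[0]                ; restore previous handler
        add     esp,4                           ; drop our handler address
        cmp     mark,1                          ; did SEH_handler see the fault?
        jnz     jump                            ; no mark -> treat as detected
        call    MessageBoxA,0, offset msg2, offset msg1,0
        call    ExitProcess, -1                 ; end program
jump:
        call    MessageBoxA,0, offset msg3, offset msg1,0
        call    ExitProcess, -1                 ; end program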
;+++++++++++++++++++++
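;-----------------------------------------------------------------------------
; SEH_handler - frame handler for the probe write in Start.
; In:   [esp+04h] = EXCEPTION_RECORD*   (ExceptionCode is its first dword)
;       [esp+0Ch] = CONTEXT*            (Eip at offset 0B8h)
; Out:  eax = 0 (ExceptionContinueExecution), CONTEXT.Eip = iNop, mark = 1,
;       and the 8 bytes at iNop XOR-decoded in place, when the code is
;       STATUS_ACCESS_VIOLATION (0C0000005h);
;       eax = 1 (ExceptionContinueSearch) with the context untouched otherwise.
; Clobbers: eax, ecx, flags.
;
; Fixes vs. the posted listing: the constant was written `0C0000005` without
; an `h` suffix (TASM reads unsuffixed numbers as decimal, so that does not
; assemble as intended); Eip was overwritten BEFORE the code was checked, so a
; non-AV exception could be resumed at the still-encoded iNop bytes; and the
; "not ours" path returned leftover arithmetic in eax instead of 1.
;-----------------------------------------------------------------------------
SEH_handler:
        mov     eax,[esp+04h]                   ; eax -> EXCEPTION_RECORD
        mov     eax,[eax]                       ; eax = ExceptionCode
        cmp     eax,0C0000005h                  ; STATUS_ACCESS_VIOLATION?
        jnz     SEH_handler_end                 ; not our fault: leave context alone
        mov     ecx,[esp+0Ch]                   ; ecx -> CONTEXT
        mov     dword ptr [ecx+0B8h],offset iNop ; CONTEXT.Eip = iNop (resume there)
        inc     mark                            ; tell Start the fault fired
        xor     dword ptr [iNop+4],0DEADBEEFh   ; decode bytes 4..7 -> 90h x4
        xor     dword ptr [iNop+0],05417FACEh   ; decode bytes 0..3 -> 90h x4
        xor     eax,eax                         ; ExceptionContinueExecution
        ret
SEH_handler_end:
        mov     eax,1                           ; ExceptionContinueSearch
        ret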

ends
end Start