
New !Improved! UnHandledExceptionFilter solution!


Manko
April 18th, 2003, 03:28
(This is DS 2.7, but probably easy to apply to other versions with some small amount of work...)

The old patch of slightly altering the name, to make SoftICE fail to set a BP on it, has one major drawback... the irritating error message that floods the SoftICE window...

So I set out to find where in the code it prints that string...
It turned out to be much simpler to find a way to make it not patch in the first place, or in my case, to let it think it had already patched...

Finding the string "kernel32!UnhandledExceptionFilter" in NTice.sys is simple...

We need to disassemble Ntice.sys to find references to it...
...and here they are:

Code:

.text:0005DF8C 6B 65 72 6E 65 6C 33 32 21+aKernel32Unhand db 'kernel32!UnhandledExceptionFilter',0
.text:0005DF8C 55 6E 68 61 6E 64 6C 65 64+ ; DATA XREF: Get_UnhandledExceptionFilter_Adress+1Do
.text:0005DF8C 45 78 63 65 70 74 69 6F 6E+ ; Get_UnhandledExceptionFilter_Adress+3Ao
.text:0005DFAE
.text:0005DFAE
; =============== S U B R O U T I N E =======================================
.text:0005DFAE
.text:0005DFAE
.text:0005DFAE Get_UnhandledExceptionFilter_Adress proc near
.text:0005DFAE 60 ; CODE XREF: sub_4CC4E+2Cp
.text:0005DFAE pusha
.text:0005DFAF 83 3D C5 EC 0E 00 00 cmp UnhandledExceptionFilter_Address, 0
.text:0005DFB6 75 2E jnz short loc_5DFE6
.text:0005DFB8 B8 22 DA 0E 00 mov eax, offset aKernel32 ; "Kernel32"
.text:0005DFBD E8 46 96 FF FF call sub_57608
.text:0005DFC2 0B C0 or eax, eax
.text:0005DFC4 74 20 jz short loc_5DFE6
.text:0005DFC6 A3 C9 EC 0E 00 mov baseofKernel32, eax
.text:0005DFCB BE 8C DF 05 00 mov esi, offset aKernel32Unhand ; "kernel32!UnhandledExceptionFilter"
.text:0005DFD0 E8 D1 98 FD FF call sub_378A6
.text:0005DFD5 72 11 jb short loc_5DFE8
.text:0005DFD7 3D 00 00 10 00 cmp eax, 100000h
.text:0005DFDC 72 08 jb short loc_5DFE6
.text:0005DFDE 8B F8 mov edi, eax
.text:0005DFE0 89 3D C5 EC 0E 00 mov UnhandledExceptionFilter_Address, edi
.text:0005DFE6
.text:0005DFE6 loc_5DFE6: ; CODE XREF: Get_UnhandledExceptionFilter_Adress+8j
.text:0005DFE6 61 ; Get_UnhandledExceptionFilter_Adress+16j
.text:0005DFE6 ; Get_UnhandledExceptionFilter_Adress+2Ej
.text:0005DFE6 ; Get_UnhandledExceptionFilter_Adress+44j
.text:0005DFE6 popa
.text:0005DFE7 C3 retn
.text:0005DFE8 ; ---------------------------------------------------------------------------
.text:0005DFE8
.text:0005DFE8 loc_5DFE8: ; CODE XREF: Get_UnhandledExceptionFilter_Adress+27j
.text:0005DFE8 BE 8C DF 05 00 mov esi, offset aKernel32Unhand ; "kernel32!UnhandledExceptionFilter"
.text:0005DFED E8 E8 EA FD FF call sub_3CADA
.text:0005DFF2 EB F2 jmp short loc_5DFE6
.text:0005DFF2 Get_UnhandledExceptionFilter_Adress endp


So, we'll just look at the place the address gets stored, to find more interesting procs...

Code:
.data:000EECC5 00 00 00 00 UnhandledExceptionFilter_Address dd 0 ; DATA XREF: Get_UnhandledExceptionFilter_Adress+1r
.data:000EECC5 ; Get_UnhandledExceptionFilter_Adress+32w
.data:000EECC5 ; some_ckeckUHEFpatchedr
.data:000EECC5 ; containsUHEFaddr_plusleadstorellatedprocs+Fr
.data:000EECC5 ; Unhandledexceptfltr_BP_reached+4r


We're gonna look at "some_ckeckUHEFpatched"

Code:

.text:0005DFF4 some_ckeckUHEFpatched proc near ; CODE XREF: CChere_UHEFpatchedflaghere_leadsto_checkUHEFpatched+11p
.text:0005DFF4 8B 3D C5 EC 0E 00 ; contains_UHEFpatchedflag_leadsto_checkUHEFpatched+15p
.text:0005DFF4 mov edi, UnhandledExceptionFilter_Address
.text:0005DFFA 0B FF or edi, edi
.text:0005DFFC 74 72 jz short locret_5E070
.text:0005DFFE 0A D2 or dl, dl ; Contains CC or original first byte of UHEF
.text:0005E000 74 6E jz short locret_5E070
.text:0005E002 80 3D 07 6E 0E 00 00 cmp byte_E6E07, 0
.text:0005E009 74 65 jz short locret_5E070
.text:0005E00B E8 7D ED FF FF call sub_5CD8D
.text:0005E010 A1 C9 EC 0E 00 mov eax, baseofKernel32
.text:0005E015 8B DF mov ebx, edi ; edi contains UnhandledExceptionFilter_Address.
.text:0005E017 E8 69 96 FF FF call sub_57685
.text:0005E01C 80 3D CD EC 0E 00 00 cmp Original_first_byte_of_UHEF, 0
.text:0005E023 75 24 jnz short loc_5E049
.text:0005E025 E8 0A 8D FD FF call here_it_gets_originalUHEFfirstbyte
.text:0005E02A 72 3F jb short loc_5E06B
.text:0005E02C A2 CD EC 0E 00 mov Original_first_byte_of_UHEF, al
.text:0005E031 3C 55 cmp al, 55h
.text:0005E033 74 14 jz short loc_5E049
.text:0005E035 3C 8B cmp al, 8Bh
.text:0005E037 74 10 jz short loc_5E049
.text:0005E039 3C 68 cmp al, 68h
.text:0005E03B 74 0C jz short loc_5E049
.text:0005E03D 56 push esi
.text:0005E03E BE C1 ED 0E 00 mov esi, offset aNticeUnrecogni ; "NTICE: *** Unrecognized unhandled excep"...
.text:0005E043 E8 CA B5 FF FF call sub_59612
.text:0005E048 5E pop esi
.text:0005E049
.text:0005E049 loc_5E049: ; CODE XREF: some_ckeckUHEFpatched+2Fj
.text:0005E049 8A C2 ; some_ckeckUHEFpatched+3Fj
.text:0005E049 ; some_ckeckUHEFpatched+43j
.text:0005E049 ; some_ckeckUHEFpatched+47j
.text:0005E049 mov al, dl
.text:0005E04B E8 F2 8D FD FF call sub_36E42
.text:0005E050 72 19 jb short loc_5E06B
.text:0005E052 C6 05 CE EC 0E 00 00 mov is_UHEF_BP_set, 0
.text:0005E059 3C CC cmp al, 0CCh
.text:0005E05B 75 0E jnz short loc_5E06B ; We want the "is_UHEF_BP_set" flag to BE set,
.text:0005E05B ; so maybe we just force it not to jump.
.text:0005E05D C6 05 CE EC 0E 00 01 mov is_UHEF_BP_set, 1
.text:0005E064 C6 05 CF EC 0E 00 00 mov byte_EECCF, 0
.text:0005E06B
.text:0005E06B loc_5E06B: ; CODE XREF: some_ckeckUHEFpatched+36j
.text:0005E06B E8 44 ED FF FF ; some_ckeckUHEFpatched+5Cj
.text:0005E06B ; some_ckeckUHEFpatched+67j
.text:0005E06B call sub_5CDB4
.text:0005E070
.text:0005E070 locret_5E070: ; CODE XREF: some_ckeckUHEFpatched+8j
.text:0005E070 C3 ; some_ckeckUHEFpatched+Cj
.text:0005E070 ; some_ckeckUHEFpatched+15j
.text:0005E070 retn
.text:0005E070 some_ckeckUHEFpatched endp


As you see, we can easily make it believe it already has a BP set.
(Remember to undo any changes you made earlier to the UnhandledExceptionFilter string.)
Just patch it!
I patched 75 0e to 75 00. But feel free to deal with this in any way you please! (And DO explore if you get the urge.)
Also, if you make changes to a .sys, remember to recalculate the checksum.

It's working GREAT for me!

Best of luck to ya'll!

/Manko

(I hate scrolling sideways. -Woodmann)
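
An added example, not code from the thread: a Python script that applies the patch Manko describes to a copy of NTice.sys and then recomputes the PE CheckSum he reminds us about. The `.text:0005E05B` address in the listing is an IDA address, not a file offset, so the script locates the spot by the byte pattern from the listing (`3C CC 75 0E C6 05`, i.e. `cmp al,0CCh / jnz short +0Eh / mov ...`) and refuses to patch unless that pattern occurs exactly once. The checksum routine is an independent reimplementation of the documented PE CheckSum algorithm (the one imagehlp's CheckSumMappedFile produces); cross-check it with `pefile` if in doubt. `build_sample_image()` is a constructed MZ/PE shell with the signature embedded, used only so the script runs without a real NTice.sys.

```python
"""Patch the 'is_UHEF_BP_set' check in a copy of NTice.sys and fix the PE CheckSum.

Added example, not from the thread. The signature comes from the disassembly
posted above (.text:0005E059 .. 0005E05D):
    3C CC                  cmp al, 0CCh
    75 0E                  jnz short loc_5E06B
    C6 05 CE EC 0E 00 01   mov is_UHEF_BP_set, 1
Manko's patch turns 'jnz short +0Eh' (75 0E) into 'jnz short +00h' (75 00), so
the code that sets the flag is always reached.
"""
import struct
import sys

SIGNATURE = bytes.fromhex("3C CC 75 0E C6 05")
PATCH_OFFSET_IN_SIG = 3          # index of the 0x0E displacement byte


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """PE CheckSum: sum of every 32-bit word except the CheckSum field itself,
    carries folded back in, folded to 16 bits, plus the file size."""
    if checksum_offset % 4:
        raise ValueError("CheckSum field must be dword aligned")
    padded = data + b"\x00" * (-len(data) % 4)
    total = 0
    for i in range(0, len(padded), 4):
        if i == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, i)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def checksum_field_offset(data: bytes) -> int:
    """IMAGE_OPTIONAL_HEADER.CheckSum = e_lfanew + 4 (PE sig) + 20 (file header) + 0x40."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    return e_lfanew + 4 + 20 + 0x40


def patch_uhef_check(data: bytes) -> tuple:
    """Return (patched image, file offset of the patched byte).
    Refuses to patch unless the signature is unique, so a different
    NTice.sys build is not blindly modified."""
    first = data.find(SIGNATURE)
    if first < 0:
        raise ValueError("signature not found; different NTice.sys build?")
    if data.find(SIGNATURE, first + 1) >= 0:
        raise ValueError("signature is not unique; refusing to guess")
    offset = first + PATCH_OFFSET_IN_SIG
    patched = bytearray(data)
    patched[offset] = 0x00                      # jnz short +0Eh -> jnz short +00h
    cs_off = checksum_field_offset(data)
    struct.pack_into("<I", patched, cs_off, pe_checksum(bytes(patched), cs_off))
    return bytes(patched), offset


def build_sample_image() -> bytes:
    """Constructed stand-in for NTice.sys: a minimal MZ/PE shell with the
    signature bytes embedded at file offset 0x140. Not real SoftICE bytes."""
    img = bytearray(0x200)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)     # e_lfanew
    img[0x80:0x84] = b"PE\x00\x00"
    img[0x140:0x140 + len(SIGNATURE)] = SIGNATURE
    img[0x146:0x14B] = bytes.fromhex("CE EC 0E 00 01")   # rest of the mov, as in the listing
    return bytes(img)


if __name__ == "__main__":
    # usage: python patch_ntice.py NTice.sys NTice.patched.sys  (or no args: sample image)
    use_file = len(sys.argv) == 3
    original = open(sys.argv[1], "rb").read() if use_file else build_sample_image()
    new_image, at = patch_uhef_check(original)
    if use_file:
        open(sys.argv[2], "wb").write(new_image)
    cs = checksum_field_offset(new_image)
    print("patched byte at file offset 0x%X; new CheckSum 0x%08X"
          % (at, struct.unpack_from("<I", new_image, cs)[0]))
```

Work on a copy of the driver, keep the original, and after patching confirm with a PE tool that the stored CheckSum matches the recomputed one; the script leaves everything except the one displacement byte and the CheckSum field untouched.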

SiNTAX
April 18th, 2003, 05:35
Just curious about something.. for what reason exactly does SI hook this function?!

Manko
April 18th, 2003, 06:52
Hi!

Dunno really... Part of "Faults on"? (Maybe?)
Though it will patch regardless, so I really don't know...

I know someone made a partial explanation somewhere...
Maybe I should search... Hmm... Maybe even here...

/Manko

nikolatesla20
April 19th, 2003, 09:58
Thanks Manko!

I always knew the best solution would be to patch the sys so it doesn't even try to patch Unhandled, but I never could track it down (I got bored)

Thanks !

-nt20

Manko
April 20th, 2003, 07:24
Hi!

nt20:
Thanks for the recognition!
I was waiting for someone to appreciate my small gift.

( I didn't forget you Pasha! Thanks to you too! )

sintax:
I was gonna write some more regarding your question,
but I think I'll have to check some things first...

/Manko

pasha
April 20th, 2003, 12:01
greetz manko

Hehe.. I am not worth a thanks.... but I will take it..

BTW, I think I will apply to Macrovision as a programmer, with the amount of secdrv.sys source code that I have disassembled lying all around here in my room.

Man, I still can't figure out why that SD2 exe exits without any messages.. checked out the secdrv functions as suggested by SiNTAX.. guess I will go back and keep working on it..

Thanks

best regards
pasha

SiNTAX
April 20th, 2003, 16:10
Quote:
Originally posted by Manko

sintax:
I was gonna write some more regarding your question,
but I think I'll have to check some things first...

/Manko


Don't worry.. I won't shoot you if the info isn't 100% accurate

Anyway I can imagine why they want to hook the function.. after all.. SI is a debugger, so it's useful to know about exceptions

Manko
April 20th, 2003, 16:53
Hi!

To pasha:
Keep up the good work! You'll get there... or die trying!

To Sintax:
Don't worry, I can guarantee it is NOT 100% correct.
Seems I was right in my thinking it had something to do with "Faults On"...
Though even MORE questions have arisen in my mind while documenting the function that deals with the BP hit on UHEF;
this was exhausting, so I will give it a rest...
Seems sice uses UHEF to glean info about exceptions...
Yeah, you posted that before I was finished, but anyway...
I still don't know anything about that context-swap thingie, where it tries to repatch every time... why?
And I haven't understood the whole listing I'm about to spew into your face...

...so brace yourself, here goes!

Code:
.text:0005E0B0 ; =============== S U B R O U T I N E =======================================
.text:0005E0B0
.text:0005E0B0
.text:0005E0B0 Unhandledexceptfltr_BP_reached proc near ; CODE XREF: sub_5DF37+Ep
.text:0005E0B0 mov eax, [ebp+10h] ; BP address...
.text:0005E0B3 dec eax ; Right on 0xCC-byte...
.text:0005E0B4 cmp eax, UnhandledExceptionFilter_Address
.text:0005E0BA jnz some_other_BP
.text:0005E0C0 cmp Faults_On_Flag, 0 ; This is the "faults on" flag!
.text:0005E0C7 jz short Bail_run_original_UHEF
.text:0005E0C9 mov edi, [ebp+1Ch] ; Points to stack...
.text:0005E0CC add edi, 4 ; Set to: argument for UnHandledExceptionFilter
.text:0005E0CF call read_dword ; Read argument...
.text:0005E0D4 jb short Bail_run_original_UHEF
.text:0005E0D6 mov edi, eax ; Points to an EXCEPTION_POINTERS structure...
.text:0005E0D8 call read_dword ; Read Pointer to EXCEPTION_RECORD structure.
.text:0005E0D8 ; It contains a machine-independent description
.text:0005E0D8 ; of the exception.
.text:0005E0DD jb short Bail_run_original_UHEF
.text:0005E0DF lea edi, [eax+0Ch] ; Points to ExceptionAddress.
.text:0005E0E2 call read_dword ; Read it!
.text:0005E0E7 jb short Bail_run_original_UHEF
.text:0005E0E9 cmp ExceptionAddress, eax ; Same as last??
.text:0005E0EF jz short Bail_run_original_UHEF ; Don't bother!
.text:0005E0F1 mov ExceptionAddress, eax ; Store it!
.text:0005E0F6 mov ebx, eax
.text:0005E0F8 sub edi, 0Ch ; Point to ExceptionCode.
.text:0005E0FB call read_dword ; Read it!
.text:0005E100 mov ExceptionCode, eax ; Store it!
.text:0005E105 cmp eax, 0C0000000h
.text:0005E10A jb short Bail_run_original_UHEF
.text:0005E10C cmp eax, 0C0000005h ; EXCEPTION_ACCESS_VIOLATION
.text:0005E111 jnz short Handle_Exceptions
.text:0005E113 add edi, 14h ; Point to ExceptionInformation. First part tells if the
.text:0005E113 ; AccessViolation was due to a read (0) or a write (1).
.text:0005E113 ; Second part contains the affected address...
.text:0005E116 call read_dword ; Read It! (Read/write?)
.text:0005E11B jb short Handle_Exceptions
.text:0005E11D or eax, eax
.text:0005E11F jz short Handle_Exceptions ; If it was a write, NO jump.
.text:0005E121 add edi, 4 ; Point to second part!
.text:0005E124 call read_dword ; Read affected address!
.text:0005E129 jb short Handle_Exceptions
.text:0005E12B call sub_5E1B3 ; Does some extra work if it was a write... ??
.text:0005E130 jb short Bail_run_original_UHEF ; If it failed, just let UHEF do it's normal work... (?)
.text:0005E132
.text:0005E132 Handle_Exceptions: ; CODE XREF: Unhandledexceptfltr_BP_reached+61j
.text:0005E132 ; Unhandledexceptfltr_BP_reached+6Bj
.text:0005E132 ; Unhandledexceptfltr_BP_reached+6Fj
.text:0005E132 ; Unhandledexceptfltr_BP_reached+79j
.text:0005E132 movzx eax, word ptr [ebp+14h] ; ??
.text:0005E136 call sub_470B7 ; ??
.text:0005E13B mov dword_D879E, 10009h ; some NTice internal statuscode, I guess...
.text:0005E145 jmp short Emulate_result_of_UnHandledExceptionFilter
.text:0005E147 ; ---------------------------------------------------------------------------
.text:0005E147
.text:0005E147 Bail_run_original_UHEF: ; CODE XREF: Unhandledexceptfltr_BP_reached+17j
.text:0005E147 ; Unhandledexceptfltr_BP_reached+24j
.text:0005E147 ; Unhandledexceptfltr_BP_reached+2Dj
.text:0005E147 ; Unhandledexceptfltr_BP_reached+37j
.text:0005E147 ; Unhandledexceptfltr_BP_reached+3Fj
.text:0005E147 ; Unhandledexceptfltr_BP_reached+5Aj
.text:0005E147 ; Unhandledexceptfltr_BP_reached+80j
.text:0005E147 ; Unhandledexceptfltr_BP_reached+EEj
.text:0005E147 cmp Original_first_byte_of_UHEF, 55h
.text:0005E14E jz short Emulate_opcode_0x55
.text:0005E150 cmp Original_first_byte_of_UHEF, 68h
.text:0005E157 jz short Emulate_opcode_0x68
.text:0005E159 mov eax, large fs:0 ; SEH???
.text:0005E15F mov [ebp+8], eax ; in what?
.text:0005E162 add dword ptr [ebp+10h], 6 ; Set Eip to next instruction... hmm...
.text:0005E166 jmp short Finished
.text:0005E168 ; ---------------------------------------------------------------------------
.text:0005E168
.text:0005E168 Emulate_opcode_0x68: ; CODE XREF: Unhandledexceptfltr_BP_reached+A7j
.text:0005E168 sub dword ptr [ebp+1Ch], 4 ; Change esp like pushed...
.text:0005E16C mov edi, [ebp+10h] ; eip
.text:0005E16C ; This I don't understand. This would read 68XXXXXX
.text:0005E16C ; When it should read XXXXXXXX... ???
.text:0005E16F call read_dword ; read value to be pushed
.text:0005E174 mov edi, [ebp+1Ch] ; esp
.text:0005E177 call write_dword ; push value on stack
.text:0005E17C add dword ptr [ebp+10h], 5 ; set eip to next instruction
.text:0005E180 jmp short Finished
.text:0005E182 ; ---------------------------------------------------------------------------
.text:0005E182
.text:0005E182 Emulate_opcode_0x55: ; CODE XREF: Unhandledexceptfltr_BP_reached+9Ej
.text:0005E182 sub dword ptr [ebp+1Ch], 4 ; change esp like pushed...
.text:0005E186 mov edi, [ebp+1Ch] ; esp
.text:0005E189 mov eax, [ebp+0] ; Must be ebp...
.text:0005E18C call write_dword ; push ebp on stack
.text:0005E191 inc dword ptr [ebp+10h] ; set eip to next instruction
.text:0005E194 jmp short Finished
.text:0005E196 ; ---------------------------------------------------------------------------
.text:0005E196
.text:0005E196 Emulate_result_of_UnHandledExceptionFilter:
.text:0005E196 ; CODE XREF: Unhandledexceptfltr_BP_reached+95j
.text:0005E196 mov edi, [ebp+1Ch] ; Point to return address.
.text:0005E199 call read_dword ; Read IT!
.text:0005E19E jb short Bail_run_original_UHEF ; No return address? Go to backup plan...
.text:0005E1A0 inc eax ; Set to one byte after???
.text:0005E1A1 mov [ebp+10h], eax ; Put Eip to return address+1 (???).
.text:0005E1A4 add dword ptr [ebp+1Ch], 8 ; Fix stack!
.text:0005E1A8 mov dword ptr [ebp+8], 0FFFFFFFFh ; ??
.text:0005E1AF
.text:0005E1AF Finished: ; CODE XREF: Unhandledexceptfltr_BP_reached+B6j
.text:0005E1AF ; Unhandledexceptfltr_BP_reached+D0j
.text:0005E1AF ; Unhandledexceptfltr_BP_reached+E4j
.text:0005E1AF stc ; set carry
.text:0005E1B0 retn
.text:0005E1B1 ; ---------------------------------------------------------------------------
.text:0005E1B1
.text:0005E1B1 some_other_BP: ; CODE XREF: Unhandledexceptfltr_BP_reached+Aj
.text:0005E1B1 clc ; clear carry
.text:0005E1B2 retn
.text:0005E1B2 Unhandledexceptfltr_BP_reached endp


/Manko
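
An added example, not from the thread: a Python model of the decision path in the Unhandledexceptfltr_BP_reached listing above, so the branch structure can be exercised on sample data instead of read out of the jb/jnz chains. It walks the same pointers at the same 32-bit offsets the listing uses (argument at [esp+4] -> EXCEPTION_POINTERS.ExceptionRecord at +0 -> EXCEPTION_RECORD.ExceptionCode at +0, ExceptionAddress at +0xC, ExceptionInformation[0] at +0x14 and [1] at +0x18, which is the Win32 EXCEPTION_RECORD layout), through a read_dword that can fail the way the listing's read_dword sets carry, and returns whether SoftICE would take over ("handle", the Handle_Exceptions path) or let the original UnhandledExceptionFilter run ("bail"). The stack, structure bytes and addresses are constructed. What sub_5E1B3 does with the write address is not in the listing, so it is a pluggable callback that defaults to success; the one place the listing does not test carry (the ExceptionCode read) is treated as a bail here.

```python
"""Model of the decision path in NTice's Unhandledexceptfltr_BP_reached.
Added example built from the posted listing; all addresses and bytes are constructed."""
import struct
from typing import Callable, Dict, Optional

# 32-bit EXCEPTION_RECORD field offsets, as dereferenced by the listing
EXC_CODE = 0x00            # ExceptionCode
EXC_ADDRESS = 0x0C         # ExceptionAddress
EXC_INFO0 = 0x14           # ExceptionInformation[0]: for an AV, 0 = read, 1 = write
EXC_INFO1 = 0x18           # ExceptionInformation[1]: faulting address
EXCEPTION_ACCESS_VIOLATION = 0xC0000005
STATUS_SEVERITY_ERROR_BASE = 0xC0000000   # 'cmp eax, 0C0000000h / jb Bail' in the listing


class Memory:
    """Sparse 32-bit address space; a read outside a mapped region fails,
    like read_dword returning with carry set ('jb Bail_run_original_UHEF')."""
    def __init__(self, regions: Dict[int, bytes]):
        self.regions = regions

    def read_dword(self, addr: int) -> Optional[int]:
        for base, blob in self.regions.items():
            if base <= addr and addr + 4 <= base + len(blob):
                return struct.unpack_from("<I", blob, addr - base)[0]
        return None


class SiceState:
    """The globals the listing keeps: Faults_On_Flag, ExceptionAddress, ExceptionCode."""
    def __init__(self, faults_on: bool, last_exception_address: int = 0):
        self.faults_on = faults_on
        self.exception_address = last_exception_address
        self.exception_code = 0


def uhef_bp_reached(mem: Memory, esp: int, state: SiceState,
                    write_hook: Callable[[int], bool] = lambda addr: True) -> str:
    """'handle' = Handle_Exceptions path, 'bail' = Bail_run_original_UHEF path."""
    if not state.faults_on:
        return "bail"
    pointers = mem.read_dword(esp + 4)               # UHEF's only argument: EXCEPTION_POINTERS*
    if pointers is None:
        return "bail"
    record = mem.read_dword(pointers)                # EXCEPTION_POINTERS.ExceptionRecord
    if record is None:
        return "bail"
    address = mem.read_dword(record + EXC_ADDRESS)
    if address is None:
        return "bail"
    if address == state.exception_address:           # same fault as last time: don't bother
        return "bail"
    state.exception_address = address
    code = mem.read_dword(record + EXC_CODE)
    if code is None:                                 # listing skips this check; modelled as bail
        return "bail"
    state.exception_code = code
    if code < STATUS_SEVERITY_ERROR_BASE:            # warnings/informational codes are left alone
        return "bail"
    if code != EXCEPTION_ACCESS_VIOLATION:
        return "handle"
    rw = mem.read_dword(record + EXC_INFO0)
    if rw is None or rw == 0:                        # read fault (or unreadable info): handle as-is
        return "handle"
    fault_addr = mem.read_dword(record + EXC_INFO1)  # write fault: fetch the target address
    if fault_addr is None:
        return "handle"
    if not write_hook(fault_addr):                   # sub_5E1B3 failed -> let original UHEF run
        return "bail"
    return "handle"


# Constructed sample layout (hypothetical addresses)
STACK, PTRS, REC = 0x0012FF00, 0x0012FE00, 0x0012FD00


def build_case(code: int, address: int, info0: int = 0, info1: int = 0,
               record_mapped: bool = True) -> Memory:
    """Stack as seen at the UHEF breakpoint: [esp] = return address, [esp+4] = EXCEPTION_POINTERS*."""
    stack = struct.pack("<II", 0x7C800000, PTRS)
    ptrs = struct.pack("<II", REC, 0)                # ExceptionRecord, ContextRecord
    rec = struct.pack("<IIIII", code, 0, 0, address, 2) + struct.pack("<II", info0, info1)
    regions = {STACK: stack, PTRS: ptrs}
    if record_mapped:
        regions[REC] = rec
    return Memory(regions)


if __name__ == "__main__":
    st = SiceState(faults_on=True)
    print(uhef_bp_reached(build_case(EXCEPTION_ACCESS_VIOLATION, 0x00401000, 1, 0x1000), STACK, st))
```

Two things the model makes visible that are easy to miss in the listing: a code below 0xC0000000 (STATUS_BREAKPOINT 0x80000003, for instance) never reaches Handle_Exceptions, and a second report of the same ExceptionAddress is silently dropped because the comparison happens before the code is even read.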