IceExt and DS 3.1 [Archive] - RCE Messageboard's Regroupment

bedrock

February 17th, 2004, 11:23

I read the other day that IceExt 0.57 (latest) is not working with DS 3.1 and I have not seen sign from Sten of update for quite some time, I dont know reasons, maybe he is busy with others, so i thought i would take a look...

Well i learnt a few things, and mostly now i learnt i am not skilled enough to solve this problem myself. But for starters i would like to say how far i have got to this point.

When you try and load IceExt on DS31, it fails trying to find softice Expression2Integer function pointer. Now looking at IceExt code shows there is a search function and some byte patterns it looks for, this function already has different byte patterns for DS < 3 and also for DS30 (you can see these in IceExt softice.h file), so i thought numega must of changed signature for this function again, so through comparing the ntice.sys files from DS30 and DS31 i found the Expression2Integer function and added the changes for new search pattern to IceExt code, but now it fails at next place which is looking for ActivateBPs function pointer, so i try and find this also, i add changed byte pattern and continue....

Well next IceExt is fails on ActivateHooks function pointer, but now i am stuck cause from comparing difference's and running old and new ntice.sys through IDA i can not locate this function in SI, i comment IceExt code out for now, not supprising it fails on DeactivateHooks also.

Well for now i have a butchered (M$ comment would say HACK

) version of IceExt which loads but is not very functional under DS31. Maybe some others can better dissasemble ntice.sys and figure out some of this stuff. I think together we should be able to fix up IceExt, or maybe even the great Sten will update this great tool for all to use with new driver studio.

--
bedrock

dELTA

February 17th, 2004, 22:42

Cool.

Has anyone tried to contact Sten about this, without getting any replies?

doug

February 18th, 2004, 01:17

I have contacted sten before & he replied within a day. he's a nice guy.

I think he checks this board once in a while, so if bedrock posts his changes, it'll probably help

(ppl using ds 3.1 might also be able to review his code)

Also, it looks like sten has some hosting problems atm.

Kayaker

February 18th, 2004, 04:41

Hi Guys,

I was doing a bit of exploring tonight, and it looks like ActivateHooks and DeactivateHooks will have to be rereferenced a bit. The others can be found with a new search pattern like bedrock showed. Here's what I've found so far for the record. Some of the Softice internal naming is from The Owl's pioneering work of course, and his original IDB databases are indispensible.

I found that ActivateHooks is called within the ActivateBPs function, and DeactivateHooks is called within the DeactivateBPs function. This is handy. Once they are identified, new search patterns can be devised. The DeactivateHooks function will especially need more looking into since the code pattern seems to have changed so much.

Hopefully you can make sense of the following code, each section has Sten's search pattern from softice.h, then a comparable DS3.1 pattern that might be usable for anyone wanting to make modifications.

Expression2Integer:

Code:



unsigned char PAT_Expression2Integer_DS30[] =   // code pattern

{

      0x55,                                     // push        ebp

      0x8B, 0xEC,                               // mov         ebp, esp

      0x51,                                     // push        ecx

      0x51,                                     // push        ecx

      0x56,                                     // push        esi

      0x33, 0xF6,                               // xor         esi, esi

      0x89, 0x75, 0xF8,                         // mov         [ebp+var_8], esi

      0x89, 0x75, 0xFC,                         // mov         [ebp+var_4], esi

      0x66, 0x89, 0x35, _XX_, _XX_, _XX_, _XX_, // and  word ptr dword_DDCB0, si

      0xE8                                      // call        pCreate_fExp2Int

};



DS 3.1:

.text:0007A5D4 55                            push    ebp

.text:0007A5D5 8B EC                         mov     ebp, esp

.text:0007A5D7 83 EC 0C                      sub     esp, 0Ch

.text:0007A5DA 56                            push    esi

.text:0007A5DB 33 F6                         xor     esi, esi

.text:0007A5DD 89 75 FC                      mov     [ebp+var_4], esi

.text:0007A5E0 89 75 F4                      mov     [ebp+var_C], esi

.text:0007A5E3 89 75 F8                      mov     [ebp+var_8], esi

.text:0007A5E6 66 89 35 7C 78 11 00          mov     word ptr dword_11787C, si

.text:0007A5ED E8 00 72 F9 FF                call    pCreate_fExp2Int

ActivateBPs:

Code:



unsigned char PAT_ActivateBPs[] =               // code pattern

{

      0x80, 0x3D, _XX_, _XX_, _XX_, _XX_, 0x01, // cmp   dw_IsBPActivated,1

      0x74, _XX_,                               // jz    short locret_41BD4

      0x80, 0x3D, _XX_, _XX_, _XX_, _XX_, 0x01, // cmp   dwNumberOfBPs?,1

      0x74, _XX_,                               // jz    short locret_41BD4

      0x83, 0x3D, _XX_, _XX_, _XX_, _XX_, 0x00, // cmp   dword_C28AC+1,0

      0x74, 0x01,                               // jz    short loc_41BD5

                                                //locret_41BD4:

      0xC3                                      // retn

                                                //loc_41BD5:

};



DS 3.1:

.text:000A2148            pActivateBPs    proc near

.text:000A2148 

.text:000A2148 80 3D 9C C4 0D 00 01              cmp     dw_IsBPActivated, 1

.text:000A214F 74 12                             jz      short loc_A2163

.text:000A2151 80 3D F7 E8 11 00 01              cmp     dwNumberOfBPs, 1

.text:000A2158 74 09                             jz      short loc_A2163

.text:000A215A 83 3D 8E 8A 10 00 00              cmp     dword_108A8E, 0

.text:000A2161 74 08                             jz      short loc_A216B

.text:000A2163                         loc_A2163:

.text:000A2163 60                                pusha

.text:000A2164 E8 AB 2A 00 00                    call    sub_A4C14

DeactivateBPs (no change but DeactivateBPs is important to find DeActivateHooks!):

Code:



unsigned char PAT_DeactivateBPs[] =             // code pattern

{

      0x80, 0x3D, _XX_, _XX_, _XX_, _XX_, 0x00, // cmp    dwNumberOfBPs?, 0

      0x75, 0x01,                               // jnz    short loc_418EA

      0xC3,                                     // retn

                                                //loc_418EA:

      0x60,                                     // pusha

      0x06,                                     // push   es

      0x66, 0x8E, 0x05                          // mov    es, wNTICE_SS

};



DS 3.1:

.text:000A1E6A           pDeactivateBPs  proc near

.text:000A1E6A 80 3D F7 E8 11 00 00              cmp     dwNumberOfBPs?, 0

.text:000A1E71 75 01                             jnz     short loc_A1E74

.text:000A1E73 C3                                retn

.text:000A1E74                         loc_A1E74:

.text:000A1E74 60                                 pusha

.text:000A1E75 06                                 push    es

.text:000A1E76 66 8E 05 D4 15 0E 00               mov     es, wNTICE_SS

ActivateHooks:

Code:



unsigned char PAT_ActivateHooks[] =

{

 0x83, 0x3D, _XX_, _XX_, _XX_, _XX_, 0x01,    // cmp dNumOfCPUs, 1

 0x76, 0x0F,                                  // jbe short locret_30979

 0xC7, 0x05, _XX_, _XX_, _XX_, _XX_, 0x00, 0x00, 0x00, 0x00, // mov SpinLock, 0

 0xE8, _XX_, _XX_, _XX_, _XX_,                // call pActivateHooks

 0xC3                                         // retn

};



DS 3.1:

The ActivateHooks call can be found in the pActivateBPs function,

the pattern matches closely pre-DS3.1 versions



.text:000A2188 FF 35 FF 16 0F 00               push    dCurrentContext

.text:000A218E C6 05 F7 E8 11 00 01            mov     byte_11E8F7, 1

.text:000A2195 C7 05 06 5A 11 00 00 00 00 00   mov     dTSS_Base, 0

.text:000A219F C7 05 02 5A 11 00 FF FF FF FF   mov     dword_115A02, 0FFFFFFFFh

.text:000A21A9 E8 DB EA FF FF                  call    sub_A0C89

.text:000A21AE E8 21 2B 00 00                  call    pActivateHooks

...



.text:000A4CD4                    pActivateHooks  proc near 

.text:000A4CD4 60                                 pusha

.text:000A4CD5 E8 50 18 00 00                     call    sub_A652A

.text:000A4CDA E8 29 B3 FF FF                     call    sub_A0008

.text:000A4CDF E8 30 FF FF FF                     call    sub_A4C14

.text:000A4CE4 C6 05 D8 27 12 00 01               mov     byte_1227D8, 1

.text:000A4CEB 61                                 popa

.text:000A4CEC C3                                 retn

.text:000A4CEC                    pActivateHooks  endp

DeActivateHooks:

Code:



unsigned char PAT_DeActivateHooks[] =

{

0x83, 0x3D, _XX_, _XX_, _XX_, _XX_, 0x01,        // cmp dNumOfCPUs, 1

0x76, 0x13,                                     // jbe short loc_3095F

0xF0, 0x0F, 0xBA, 0x2D, _XX_, _XX_, _XX_, _XX_, 0x00, // lock bts SpinLock, 0

0x73, 0x03,                                  // jnb short loc_3095A

0xF9,                                                  // stc

0xEB, 0x06,                                   // jmp short locret_30960

//                                                  loc_3095A:

0xE8, _XX_, _XX_, _XX_, _XX_,          // call pDeActivateHooks

0xF8,                                                 // clc

//                                                locret_30960:

0xC3                                            // retn     

};



DS 3.1:

The DeActivateHooks call can be found in the pDeactivateBPs function,

the pattern matches closely pre-DS3.1 versions.

This one is a little trickier, there are now *2* calls, where before there

was only one. One or both of them may be the new DeActivateHooks function.



.text:000A1F47           loc_A1F47:     ; CODE XREF: pDeactivateBPs+CDj



.text:000A1F47 E8 A1 2D 00 00                     call    sub_A4CED

.text:000A1F4C E8 AF 2C 00 00                     call    sub_A4C00

// one of these 2 calls seem to match what should be the call

// to DeActivateHooks as seen in earlier DS versions



....

.text:000A1F51 B0 01                     mov     al, 1

.text:000A1F53 E8 3B 68 FA FF            call    sub_48793

.text:000A1F58 58                        pop     eax

.text:000A1F59 E8 D2 62 FA FF            call    pSwitchContext_InWinice

.text:000A1F5E 58                        pop     eax

.text:000A1F5F A2 B0 9E 0D 00            mov     fNOPAGE, al

.text:000A1F64 07                        pop     es

.text:000A1F65 61                        popa

.text:000A1F66 C3                        retn

.text:000A1F66              pDeactivateBPs  endp

This is just a cursory look at things, I may have made some mistakes, but it should be enough as a guide to where the new functions are in DS 3.1.

As an aside, if you want to trace *into* IceExt, or any other Softice KDExtension, you can set a BPX in NTICE (yes, it seems to work!) at the call which calls the DriverEntry routine of standard KDExtensions. The DriverEntry routine is configured more like a regular DllEntry routine, except that you still need to find the PDRIVER_OBJECT to register a DriverUnload function. You can trace through IceExt live this way.

Code:



NTICE DS3.1

.text:0009A1A3 6A 00     push 0

.text:0009A1A5 6A 01     push 1   ; fwdReason = "DLL_PROCESS_ATTACH"

.text:0009A1A7 FF 76 17  push dword ptr [esi+17h]  ; MZ Header

.text:0009A1AA FF 56 1B  call dword ptr [esi+1Bh]  ; load KDExtension 

; DriverEntry_fdwReason_LoadKDExtension

Kayaker

bedrock

February 18th, 2004, 05:32

Thanks for your great post Kayaker,

I can confirm that i also found the same as you for Expression2Integer and ActivateBPs and added the following byte pattern structures to softice.h file in IceExt:

Code:



unsigned char PAT_Expression2Integer_DS31[] =   // code pattern

{

	0x55,                                       // push        ebp

	0x8B, 0xEC,                                 // mov         ebp, esp

	0x83, 0xEC, _XX_,                           // sub         esp, 0Ch

	0x56,                                       // push        esi

	0x33, 0xF6,                                 // xor         esi, esi

	0x89, 0x75, 0xFC,		// mov         [ebp+var_4], esi

	0x89, 0x75, 0xF4,		// mov         [ebp+var_C], esi

	0x89, 0x75, 0xF8,		// mov         [ebp+var_8], esi

	0x66, 0x89, 0x35,	_XX_, _XX_, _XX_, _XX_, 

// mov         word ptr dword_11787C, si

	0xE8										// call		   pCreate_fExp2Int

		

};



unsigned char PAT_ActivateBPs_DS31[] =              // code pattern

{

	0x80, 0x3D, _XX_, _XX_, _XX_, _XX_, 0x01,   // cmp         dw_IsBPActivated, 1

	0x74, _XX_,                // jz          short loc_A2163

	0x80, 0x3D, _XX_, _XX_, _XX_, _XX_, 0x01,   // cmp         dwNumberOfBPs?, 1

	0x74, _XX_,              // jz          short loc_A2163

	0x83, 0x3D, _XX_, _XX_, _XX_, _XX_, 0x00,   // cmp         dword_108A8E, 0

	0x74, _XX_,             // jz          short loc_41BD5

	// loc_A2163:

	0x60,										// pusha

	0xE8, _XX_, _XX_, _XX_, _XX_,	// call        sub_A4C14

	0x61,                                       // popa

	0xC3										// retn

};

And made these changes to the init function in the softice.cpp IceExt file:

Code:



   //-------------------------------------------------------------------------

   //    Expression2Integer

   //-------------------------------------------------------------------------

   si_Expression2Integer = TYPE_Expression2Integer (RabSearch(PAT_Expression2Integer, sizeof(PAT_Expression2Integer),

                              si_CodeBase, si_CodeSize) + si_CodeBase - OFS_Expression2Integer);



   if ((DWORD)si_Expression2Integer < (DWORD)si_CodeBase)

   {

       // search for DS30 pExpression2Integer signature

       si_Expression2Integer = TYPE_Expression2Integer (RabSearch(PAT_Expression2Integer_DS30, sizeof(PAT_Expression2Integer_DS30),

                                         si_CodeBase, si_CodeSize) + si_CodeBase - OFS_Expression2Integer); 



       if ((DWORD)si_Expression2Integer < (DWORD)si_CodeBase)

       {       	   

       	   // search for DS31 pExpression2Integer signature

           si_Expression2Integer = TYPE_Expression2Integer (RabSearch(PAT_Expression2Integer_DS31, sizeof(PAT_Expression2Integer_DS31),

                                             si_CodeBase, si_CodeSize) + si_CodeBase - OFS_Expression2Integer);

           

           if ((DWORD)si_Expression2Integer < (DWORD)si_CodeBase)

           {

               DbgPrint("ERROR: Can't find Expression2Integer address in memory.\n";

               return FALSE;

           }

       }

   }



   //-------------------------------------------------------------------------

   //    pActivateBPs

   //-------------------------------------------------------------------------

   si_ActivateBPs = TYPE_ActivateBPs (RabSearch(PAT_ActivateBPs, sizeof(PAT_ActivateBPs),

                              si_CodeBase, si_CodeSize) + si_CodeBase - OFS_ActivateBPs);



   if ((DWORD)si_ActivateBPs < (DWORD)si_CodeBase)

   {

       si_ActivateBPs = TYPE_ActivateBPs (RabSearch(PAT_ActivateBPs_DS31, sizeof(PAT_ActivateBPs_DS31),

                                  si_CodeBase, si_CodeSize) + si_CodeBase - OFS_ActivateBPs);

                                  

       if ((DWORD)si_ActivateBPs < (DWORD)si_CodeBase)

       {

           DbgPrint("ERROR: Can't find pActivateBPs address in memory.\n";

           return FALSE;

       }

   }

I also found it fairly easy to step through the IceExt code live by placing an embedded int3 at the begining of the si_Init() function in the softice.cpp source file.

Hopefully i can spend some more time looking at this today, with your other findings we might be able to make some progress...

--
bedrock

bedrock

February 18th, 2004, 11:30

Ok,

I've gone through Kayakers info and made some changes to softice.h and softice.cpp files of IceExt source and i have a version of IceExt that will function with DS31. We're not all the way there yet, as I can't find the function named si_UNH_Write, which Sten is using to add Unhandled Exception Filter protection.

But at least this version should give you some Softice hiding ability and !dump function (the main reasons i use iceext) and of course tetris is fully functional

I am attaching a zip file with my two modified source files, in case others want to see changes (Sten) and an IceExt.sys file compiled in release using the XP DDK 2600.1106 version

On a slightly different issue, since installing DS31 and using BPINT 3, i keep landing in ntoskrnl!MmPrefetchPages+02B6, has anyone else noticed this? Maybe caus i've got XP SP2 beta also installed

PS. I haven't changed the version number of this file, it still identifies itself as 0.57, i wanted to keep my changes to a minimum.

Doh!, must of had a blonde moment, and added the wrong binary to the zip

Attachement should now be fixed, sorry guys.

--
bedrock

volodya

February 19th, 2004, 14:07

Gentlemen, I recently talked to Sten. He is aware of the problem and will do everything. Project is neither dead nor frozen. Just that fucken DDoS screwed up not only wasm, but many-many-many other Russian resources.

bedrock

February 19th, 2004, 14:34

Quote:

[Originally Posted by volodya]Gentlemen, I recently talked to Sten. He is aware of the problem and will do everything. Project is neither dead nor frozen..

volodya, this is very good news to hear, hopefully the work we have already done will help Sten, sorry to hear about the continued DDoS attacks on your russian freinds.

--
bedrock

crUsAdEr

February 20th, 2004, 17:54

Has anyone noticed that Symbol Loader cant detect sice active when iceext is loaded but will work fine once u unload iceext... i did a bit of searching and found the reason to be here in nmtrans.dll

Code:



.text:1001FB22 loc_1001FB22:                           ; CODE XREF: DevIO_ConnectToSoftICE+3Ej

.text:1001FB22                                         ; DevIO_ConnectToSoftICE+5Bj

.text:1001FB22   push  offset Data

.text:1001FB27   lea   ecx, [esp+110h+FileName]

.text:1001FB2B   push  offset a_Ntice                  ; "\\\\.\\NTICE"

.text:1001FB30   push  ecx

.text:1001FB31   call  sub_1001FB70

.text:1001FB36   add   esp, 0Ch

.text:1001FB39   lea   edx, [esp+10Ch+FileName]

.text:1001FB3D   push  0                               ; hTemplateFile

.text:1001FB3F   push  80h                             ; dwFlagsAndAttributes

.text:1001FB44   push  3                               ; dwCreationDisposition

.text:1001FB46   push  0                               ; lpSecurityAttributes

.text:1001FB48   push  3                               ; dwShareMode

.text:1001FB4A   push  80000000h                       ; dwDesiredAccess

.text:1001FB4F   push  edx                             ; lpFileName

.text:1001FB50   call  esi ; CreateFileA

.text:1001FB52   mov   esi, eax

.text:1001FB54   cmp   esi, 0FFFFFFFFh

.text:1001FB57   jnz   short sice_active

.text:1001FB59   push  0A6580001h                      ; dwErrCode

.text:1001FB5E   call  ds:__imp_SetLastError

.text:1001FB64 

.text:1001FB64 sice_active:                            ; CODE XREF: DevIO_ConnectToSoftICE+C7j

.text:1001FB64   mov   eax, esi

.text:1001FB66 

.text:1001FB66 loc_1001FB66:                           ; CODE XREF: DevIO_ConnectToSoftICE+29j

.text:1001FB66   pop   esi

.text:1001FB67   add   esp, 108h

.text:1001FB6D   retn

.text:1001FB6D DevIO_ConnectToSoftICE endp

Here when iceext is loaded, CreateFileA failed and hence export function DevIO_ConnectToSoftICE of nmtrans.dll will return sice not loaded... of course a dirty patch would do the job but i rather understand why... hence this post...

Is this a iceext feature that was present since last releases or is this a bug of the new 'dirty patch' by bedrock

.. no offense bedrock...

... any explanantion on why sice behaves this way when iceext is loaded? My guess is that iceext patchs something but not sure what...

cheers,
crUs

volodya

February 20th, 2004, 18:19

The answer should have been looked for in the sources. Use the source, Luk

Being brief the answer is "yes". The trick is known as "MeltIce" and many protections are using the same idea to catch Soft-Ice. IceExt hooks several NT API calls through SDT and prevents NtCreateFile (...NTICE...) to return the correct answer. For this and not only for this purpose there is a "protect off" command in IceExt...

crUsAdEr

February 20th, 2004, 22:51

lol... simple enough... thanks volodya...
pardon me for the silly question... been a while since i touched sice i forgot that meltice is still a viable option to detect softice

.. cheers... time to dig in the source n patch it to make symbol loader works then

...

crUsAdEr

February 21st, 2004, 00:36

sorry abt this.. but i am not much of a C++ programmer... and i was just wondering if there is a simple n nice way to change NewNtCreateFileA in protect.cpp to detect if CreateFileA is called by softice itself (nmtrans.dll) and response normally instead of kickin AntiMeltice...

Code:



static WCHAR FILT_STR1[] = L"\\??\\NTICE";

static WCHAR FILT_STR2[] = L"\\??\\SIWVIDSTART";

static WCHAR FILT_STR3[] = L"\\??\\SIWSYM";



#define FILT_STR1_SIZE ((sizeof(FILT_STR1)-1)/sizeof(WCHAR))

#define FILT_STR2_SIZE ((sizeof(FILT_STR2)-1)/sizeof(WCHAR))

#define FILT_STR3_SIZE ((sizeof(FILT_STR3)-1)/sizeof(WCHAR))



NTSTATUS NewNtCreateFile(

            PHANDLE FileHandle,

            ACCESS_MASK DesiredAccess,

            POBJECT_ATTRIBUTES ObjectAttributes,

            PIO_STATUS_BLOCK IoStatusBlock,

            PLARGE_INTEGER AllocationSize OPTIONAL,

            ULONG FileAttributes,

            ULONG ShareAccess,

            ULONG CreateDisposition,

            ULONG CreateOptions,

            PVOID EaBuffer OPTIONAL,

            ULONG EaLength)

{

     NTSTATUS rc;



     if (protect_MeltICE)

     {



         if (ObjectAttributes->ObjectName->Buffer)

         {

             if (

                  (_wcsnicmp(ObjectAttributes->ObjectName->Buffer, 

                                     FILT_STR1, FILT_STR1_SIZE) == 0) ||

                  (_wcsnicmp(ObjectAttributes->ObjectName->Buffer, 

                                     FILT_STR2, FILT_STR2_SIZE) == 0) ||

                  (_wcsnicmp(ObjectAttributes->ObjectName->Buffer, 

                                     FILT_STR3, FILT_STR3_SIZE) == 0) 

                )

             {

                  DbgPrint(szMethodMeltICE);

                  return STATUS_OBJECT_NAME_NOT_FOUND;

             }

         }

     }



     rc=((NTCREATEFILE)(OldNtCreateFile)) (

                        FileHandle,

                        DesiredAccess,

                        ObjectAttributes,

                        IoStatusBlock,

                        AllocationSize,

                        FileAttributes,

                        ShareAccess,

                        CreateDisposition,

                        CreateOptions,

                        EaBuffer,

                        EaLength);

     return rc;

}

of course in asm, we simply look on stack value n trace a few values down to find caller EIP but i rather do something nice n portable in C++,, any suggestion?

bedrock

February 21st, 2004, 06:45

@ crUsAdEr,

No offence taken

As volodya already answered, this was always the way symbol loader behaved with IceExt loaded and is due to protection.

I never thought about changing IceExt to allow symbol loader to detect softice, but i like your idea, i dont know how this can be done easily in C though, NtCreateFile is 'undocumented' my m$, although i found some information here hxxp://undocumented.ntinternals.net but it doesn't appear to be able to detect the caller of this function.

--
bedrock

doug

February 21st, 2004, 12:17

crusader:
imho, A better solution to this when using IceExt is to disable Meltice, do what needs to be done w.r.t nmtrans and put protect back on.

Some protections use nmtrans.dll's exported NmSynmIsSoftICELoaded to detect the debugger.. If you let nmtrans checks pass through, you might be fooled by an easy MeltICE debugger check without knowing / being able to disable it (without recompiling).

just !help protect and it'll tell u what to do to disable only meltice.

crUsAdEr

February 21st, 2004, 13:13

Hi doug,

Thanks for the suggestion... though i like to use softice log history and if symbol loader cant detect softice, i cant save log

... i was thinking of actually print out a debug msg saying Softice detection by nmtrans.dll etc... so hopefully i wont be fooled if protector uses nmtrans.dll exported function... the thing is that even iceext debug print is also to sice command window, which is stored in sice log so if i cant access log file, i wont even see any of iceext debug msg...

I was just exploring anyway, getting old rusty brain back in shape

bedrock, if you watch pOutputHandle of NewNtCreateFile, you will see it is a n address on usermode stack, thus if you scroll down from that address a bit you will see the address of original caller of CreateFileA... the thing now is how to work out how usermode stack is mapped onto kernel mode stack... what else is called inbetween CreateFileA and the final NtCreatFile...

crUsAdEr

February 22nd, 2004, 03:24

Can someone confirm this?

DS3.1 no longer patch CC into UnhandledExceptionFilter anymore? I have tried to detect sice through this feature with no success... the patch routine doesnt seem to be there anymore...

JMI

February 24th, 2004, 21:29

I've added this to another thread in the Newbie Forum, but thought I'd add it here as well.

"For those who may not have noticed, Sten's IceExt 0.60 is available at Wasm.ru. They are still under DDOS attack, so you may have to keep trying."

Regards,

andox

February 27th, 2004, 05:59

wasm.ru does not work at all for me, are there any another site to download IceExt 0.60 from?

sgdt

February 27th, 2004, 10:07

Have you tried ExeTools? That's where I got mine from.

ZaiRoN

February 27th, 2004, 10:16

andox, this thread will help you:
http://www.woodmann.net/forum/showthread.php?t=5500&highlight=iceext

andox

February 27th, 2004, 10:27

Thanks, i got it from exetools ftp

ZaiRoN

February 27th, 2004, 17:27

Oooops... sorry. I did not notice the version

Sten

March 1st, 2004, 07:04

Quote:

[Originally Posted by crUsAdEr]Can someone confirm this?

DS3.1 no longer patch CC into UnhandledExceptionFilter anymore? I have tried to detect sice through this feature with no success... the patch routine doesnt seem to be there anymore...

I've tested this on two machines. On one machine SoftICE doesn't patch UnhandledExceptionFilter at all.

On other machine INT3 is there, i.e. SoftICE patches UnhandledExceptionFilter but in a strange way. Now you can see this INT 3 instruction when disassemble function in SoftICE (previous versions hides INT3 when you activate SoftICE).

So, it seems SoftICE MAY patch UnhandledExceptionFilter during it's startup. It is not clear yet what conditions patching depends on.
Just disassemble KERNEL32!UnhandledExceptionFilter and look if SoftICE patches it on your system. If it does, you can now hide SoftICE just replacing INT3 instruction with the oribinal byte.

crUsAdEr

March 2nd, 2004, 03:05

HI Sten,

Thanks for the info... i can confirm that on 2 of my machine, win2k SP4 and Server 2003 both don't seem to be patched at UEF...

However, on the quest to find where sice patch... i stumbled upon quite a few functions in ntoskrnl that is patched by sice, eg. MiMapViewImageHeaderInHyperSpace, MiMapViewOfImageSection, _MmUnmapViewOfSection etc... note that these patched are masked by sice so display memory in sice wont show CC, but bpm on them will stick...

I guess sice hook these functions for paging handling etc.. not sure but if protectors want to check for sice, they sure as hell have lots of choices beside UEF... and i am not sure you can disable them the way you do with UEF.

On what system do you get sice to patch UEF?

Sten

March 2nd, 2004, 04:44

SoftICE patches UEF on my home PC (WinXP SP1). However, it does not patches UEF on other PC (WinXP SP1 + security patches). I'll check this again, patching may depend on SoftICE initialization settings for ex.

Quote:

However, on the quest to find where sice patch... i stumbled upon quite a few functions in ntoskrnl that is patched by sice, eg. MiMapViewImageHeaderInHyperSpace, MiMapViewOfImageSection, _MmUnmapViewOfSection etc...

Yeah, I know SoftICE patches some functions from ntoskrnl. Fortunately, windows kernel code is not accessible for ring3 applications, so I do not consider this as a problem.

BTW, these hooks can be disabled with help of undocumented and unexported in official build IceExt command '!unhook'.

crUsAdEr

March 2nd, 2004, 09:28

cool... no wonder i couldnt call the !unhook functions... i saw it in the source but couldnt figure out how to use it

... Do you know what these ntoskrnl hooks are for? Is this safe to disable them?

Quote:

Yeah, I know SoftICE patches some functions from ntoskrnl. Fortunately, windows kernel code is not accessible for ring3 applications, so I do not consider this as a problem.

lol.. i didnot know that... sorry for the misinformation... i always thought you can read from anywhere in memory, just cant write to certain memory area only...

btw, i was looking but cant find the area of code where sice sits there, loop ard do nothing, freezing everythign waiting for user input... can u point me to them?

Thanks,
crUs

Sten

March 2nd, 2004, 10:35

Quote:

[Originally Posted by crUsAdEr]
Do you know what these ntoskrnl hooks are for? Is this safe to disable them?

The system seems to be stable after disabling these hooks however I would prefer to keep them enabled as SoftICE relies on this hooks someway..

Quote:

[Originally Posted by crUsAdEr]btw, i was looking but cant find the area of code where sice sits there, loop ard do nothing, freezing everythign waiting for user input... can u point me to them?

SoftICE usually activates from one of the interrupt handler (p_INT03 for ex. in TheOwl notation). SoftICE calls pStopSecondCPUs to stop all CPUs except one SoftICE executes on and rises current APIC task priority to highest possible.

The main SoftICE routine called pNTIceMain. Here SoftICE does all the work for handling user input, executing commands e.t.c.

crUsAdEr

March 4th, 2004, 03:41

Hi Sten,

I notice in your iceext source, you simply drop the command into the KbdBuffer and then call NTicemain... is this as simple as that to send a command to sice or do you also need to patch somewhere else in ntice memory?

Sten

March 4th, 2004, 05:25

Quote:

[Originally Posted by crUsAdEr]I notice in your iceext source, you simply drop the command into the KbdBuffer and then call NTicemain... is this as simple as that to send a command to sice or do you also need to patch somewhere else in ntice memory?

Yeah, you can send command to SoftICE in this way. No patching is needed.
Even SoftICE itself uses this trick when handling initialization string from winice.dat.

crUsAdEr

March 28th, 2004, 05:06

Hi Sten,

Well this is what i found so far... using undocumaneted command "ver -ahk"
It will list all the hooks that sice installed, among which

Quote:

NT API Hook function 25: UnhandledExceptionFilter
Hook address : 7C51BD2B Module: kernel32.dll
Handler : BF37CD01 StartSearchFn:
RetHandler : 0
OSI ID : FA000024
First byte : 0
Enable * : BF3B1D18 (=1)
Status : OK

With the enable flag offset at BF3B1D18, i trace down to this

Code:

INIT:0016FAA6 68 78 F9 16 00      push  offset aDisableusermodehooks ; "DisableUserModeHooks"

INIT:0016FAAB A3 60 95 12 00      mov   fDisableNameSaving, eax

INIT:0016FAB0 E8 93 2D 00 00      call  pQueryRegistry

INIT:0016FAB5 85 C0               test  eax, eax

INIT:0016FAB7 74 07               jz    short loc_16FAC0

INIT:0016FAB9 83 25 18 9D 0D 00+  and   fEnableUsermodeHook, 0

INIT:0016FAC0                   

INIT:0016FAC0                   loc_16FAC0:                   ; CODE XREF: pReadUndocSiceSetting+115j

INIT:0016FAC0 85 F6               test  esi, esi

INIT:0016FAC2 74 0F               jz    short loc_16FAD3

INIT:0016FAC4 83 3D 5C 95 12 00+  cmp   fDoInt2DPatch, 2

INIT:0016FACB 74 06               jz    short loc_16FAD3

INIT:0016FACD 89 35 1C 4C 15 00   mov   Int2DLocation, esi

However, i cant seem to be able to find any Registry Key value corresponding to DisableUsermodeHook :/

Sten

March 29th, 2004, 05:01

Hi crUsAdEr,

I've just released IceExt 0.62 and added some sort of a fix to UnhandledExceptionFilter problem. Now IceExt patches UEF directly and removes INT3 instruction. The problem - I do not know what original byte is, so I always assume it to be 68h.

Your info can be quite useful, thanks.

crUsAdEr

March 29th, 2004, 21:47

Hi Sten,

iceext0.62 doesnt seem to be able to patch UEF on my system... it says fail to patch error... i couldnot locate your si_UNH_PAT either... can you tell me the exact RVA?

pLayAr

March 30th, 2004, 02:07

Quote:

[Originally Posted by crUsAdEr]Hi Sten,

Well this is what i found so far... using undocumaneted command "ver -ahk"
It will list all the hooks that sice installed, among which

With the enable flag offset at BF3B1D18, i trace down to this

Code:
INIT:0016FAA6 68 78 F9 16 00 push offset aDisableusermodehooks ; "DisableUserModeHooks"
INIT:0016FAAB A3 60 95 12 00 mov fDisableNameSaving, eax
INIT:0016FAB0 E8 93 2D 00 00 call pQueryRegistry
INIT:0016FAB5 85 C0 test eax, eax
INIT:0016FAB7 74 07 jz short loc_16FAC0
INIT:0016FAB9 83 25 18 9D 0D 00+ and fEnableUsermodeHook, 0
INIT:0016FAC0
INIT:0016FAC0 loc_16FAC0: ; CODE XREF: pReadUndocSiceSetting+115j
INIT:0016FAC0 85 F6 test esi, esi
INIT:0016FAC2 74 0F jz short loc_16FAD3
INIT:0016FAC4 83 3D 5C 95 12 00+ cmp fDoInt2DPatch, 2
INIT:0016FACB 74 06 jz short loc_16FAD3
INIT:0016FACD 89 35 1C 4C 15 00 mov Int2DLocation, esi

However, i cant seem to be able to find any Registry Key value corresponding to DisableUsermodeHook :/

GOOD WORK
i create a registry key named "DisableUsermodeHooks", and set it's value to 1
now ,si do not patch UEF!

bedrock

March 30th, 2004, 02:09

Hi sten,

Also i tried this on my system which is running XP SP2 (RC1 build 2096), i checked kernel32!UnhandledExceptionFilter and it does begin with 0x68, but iceext062 report

Error: Unable to patch UnhandledExceptionFilter

--
bedrock

Sten

March 30th, 2004, 02:36

Currently IceExt can patch UEF when SoftICE is activated in a context of a process that uses KERNEL32.DLL. (I'm too lazy to switch context from my code).

It seems DisableUsermodeHook registry key is preffered solution to UEF problem.

Quote:

[Originally Posted by bedrock]Hi sten,

Also i tried this on my system which is running XP SP2 (RC1 build 2096), i checked kernel32!UnhandledExceptionFilter and it does begin with 0x68, but iceext062 report

Error: Unable to patch UnhandledExceptionFilter

--
bedrock

crUsAdEr

March 30th, 2004, 03:15

Hi Sten,

Can you point me to the RVA of si_UHF_Write_PAT used in in your protect.cpp code? I did try pattern searching but cant seem to find them...

Sten

March 30th, 2004, 03:20

Hi crUsAdEr,

IceExt doesn't patches pUNH_Write procedure in SoftICE 4.3.1 (as there isn't any). IceExt directly writes to UnhandledExceptionFilter, see protSetUEFPatchDS31().

Quote:

[Originally Posted by crUsAdEr]Hi Sten,

Can you point me to the RVA of si_UHF_Write_PAT used in in your protect.cpp code? I did try pattern searching but cant seem to find them...

crUsAdEr

March 30th, 2004, 04:15

Thanks... that clears my doubt... the hooking is done by CptHook.sys but if we patch it then it will affect all API hooking...

crUsAdEr

March 30th, 2004, 05:41

Hi Sten,

Attempting to stop iceext with "bpint 1" or "bpint 3" on will result in a system crash... that is because bpint install new handler via IDT hence when we try to remove iceext the handling chain is broken... perhaps you can try patching bpint to hook int1/3 differently, chain after your handler, so iceext can exit gracefully when required? Then again i guess there is no reason to remove iceext heh

?

Anyway, since u r at it, can also fix the annoying "bpint 3 feature" that pop sice up at its own internal API hook (this has been reported here before)

Timbo

March 31st, 2004, 14:51

Hi Sten,

nice work, but if "net start iceext" start's ntice and iceext patch
unhandledexceptionfilter direct, a "CC" on OEP's won't be triggered
with XP (SP1&SP2pre). I have to enter ntice, write cc, exit to desktop,
enter ntice, replace cc with 68 (well never seen 55 maybe w2k),
and ntice trigger OEP (with i3here on)
maybe someone knows more