Log in

View Full Version : IceExt and DS 3.1


bedrock
February 17th, 2004, 11:23
I read the other day that IceExt 0.57 (latest) is not working with DS 3.1 and I have not seen sign from Sten of update for quite some time, I dont know reasons, maybe he is busy with others, so i thought i would take a look...

Well i learnt a few things, and mostly now i learnt i am not skilled enough to solve this problem myself. But for starters i would like to say how far i have got to this point.

When you try and load IceExt on DS31, it fails trying to find softice Expression2Integer function pointer. Now looking at IceExt code shows there is a search function and some byte patterns it looks for, this function already has different byte patterns for DS < 3 and also for DS30 (you can see these in IceExt softice.h file), so i thought numega must of changed signature for this function again, so through comparing the ntice.sys files from DS30 and DS31 i found the Expression2Integer function and added the changes for new search pattern to IceExt code, but now it fails at next place which is looking for ActivateBPs function pointer, so i try and find this also, i add changed byte pattern and continue....

Well next IceExt is fails on ActivateHooks function pointer, but now i am stuck cause from comparing difference's and running old and new ntice.sys through IDA i can not locate this function in SI, i comment IceExt code out for now, not supprising it fails on DeactivateHooks also.

Well for now i have a butchered (M$ comment would say HACK ) version of IceExt which loads but is not very functional under DS31. Maybe some others can better dissasemble ntice.sys and figure out some of this stuff. I think together we should be able to fix up IceExt, or maybe even the great Sten will update this great tool for all to use with new driver studio.

--
bedrock

dELTA
February 17th, 2004, 22:42
Cool. Has anyone tried to contact Sten about this, without getting any replies?

doug
February 18th, 2004, 01:17
I have contacted sten before & he replied within a day. he's a nice guy.

I think he checks this board once in a while, so if bedrock posts his changes, it'll probably help (ppl using ds 3.1 might also be able to review his code)

Also, it looks like sten has some hosting problems atm.

Kayaker
February 18th, 2004, 04:41
Hi Guys,

I was doing a bit of exploring tonight, and it looks like ActivateHooks and DeactivateHooks will have to be rereferenced a bit. The others can be found with a new search pattern like bedrock showed. Here's what I've found so far for the record. Some of the Softice internal naming is from The Owl's pioneering work of course, and his original IDB databases are indispensible.

I found that ActivateHooks is called within the ActivateBPs function, and DeactivateHooks is called within the DeactivateBPs function. This is handy. Once they are identified, new search patterns can be devised. The DeactivateHooks function will especially need more looking into since the code pattern seems to have changed so much.

Hopefully you can make sense of the following code, each section has Sten's search pattern from softice.h, then a comparable DS3.1 pattern that might be usable for anyone wanting to make modifications.

Expression2Integer:
Code:

unsigned char PAT_Expression2Integer_DS30[] = // code pattern
{
0x55, // push ebp
0x8B, 0xEC, // mov ebp, esp
0x51, // push ecx
0x51, // push ecx
0x56, // push esi
0x33, 0xF6, // xor esi, esi
0x89, 0x75, 0xF8, // mov [ebp+var_8], esi
0x89, 0x75, 0xFC, // mov [ebp+var_4], esi
0x66, 0x89, 0x35, _XX_, _XX_, _XX_, _XX_, // and word ptr dword_DDCB0, si
0xE8 // call pCreate_fExp2Int
};

DS 3.1:
.text:0007A5D4 55 push ebp
.text:0007A5D5 8B EC mov ebp, esp
.text:0007A5D7 83 EC 0C sub esp, 0Ch
.text:0007A5DA 56 push esi
.text:0007A5DB 33 F6 xor esi, esi
.text:0007A5DD 89 75 FC mov [ebp+var_4], esi
.text:0007A5E0 89 75 F4 mov [ebp+var_C], esi
.text:0007A5E3 89 75 F8 mov [ebp+var_8], esi
.text:0007A5E6 66 89 35 7C 78 11 00 mov word ptr dword_11787C, si
.text:0007A5ED E8 00 72 F9 FF call pCreate_fExp2Int


ActivateBPs:
Code:

unsigned char PAT_ActivateBPs[] = // code pattern
{
0x80, 0x3D, _XX_, _XX_, _XX_, _XX_, 0x01, // cmp dw_IsBPActivated,1
0x74, _XX_, // jz short locret_41BD4
0x80, 0x3D, _XX_, _XX_, _XX_, _XX_, 0x01, // cmp dwNumberOfBPs?,1
0x74, _XX_, // jz short locret_41BD4
0x83, 0x3D, _XX_, _XX_, _XX_, _XX_, 0x00, // cmp dword_C28AC+1,0
0x74, 0x01, // jz short loc_41BD5
//locret_41BD4:
0xC3 // retn
//loc_41BD5:
};

DS 3.1:
.text:000A2148 pActivateBPs proc near
.text:000A2148
.text:000A2148 80 3D 9C C4 0D 00 01 cmp dw_IsBPActivated, 1
.text:000A214F 74 12 jz short loc_A2163
.text:000A2151 80 3D F7 E8 11 00 01 cmp dwNumberOfBPs, 1
.text:000A2158 74 09 jz short loc_A2163
.text:000A215A 83 3D 8E 8A 10 00 00 cmp dword_108A8E, 0
.text:000A2161 74 08 jz short loc_A216B
.text:000A2163 loc_A2163:
.text:000A2163 60 pusha
.text:000A2164 E8 AB 2A 00 00 call sub_A4C14


DeactivateBPs (no change but DeactivateBPs is important to find DeActivateHooks!):
Code:

unsigned char PAT_DeactivateBPs[] = // code pattern
{
0x80, 0x3D, _XX_, _XX_, _XX_, _XX_, 0x00, // cmp dwNumberOfBPs?, 0
0x75, 0x01, // jnz short loc_418EA
0xC3, // retn
//loc_418EA:
0x60, // pusha
0x06, // push es
0x66, 0x8E, 0x05 // mov es, wNTICE_SS
};

DS 3.1:
.text:000A1E6A pDeactivateBPs proc near
.text:000A1E6A 80 3D F7 E8 11 00 00 cmp dwNumberOfBPs?, 0
.text:000A1E71 75 01 jnz short loc_A1E74
.text:000A1E73 C3 retn
.text:000A1E74 loc_A1E74:
.text:000A1E74 60 pusha
.text:000A1E75 06 push es
.text:000A1E76 66 8E 05 D4 15 0E 00 mov es, wNTICE_SS


ActivateHooks:
Code:

unsigned char PAT_ActivateHooks[] =
{
0x83, 0x3D, _XX_, _XX_, _XX_, _XX_, 0x01, // cmp dNumOfCPUs, 1
0x76, 0x0F, // jbe short locret_30979
0xC7, 0x05, _XX_, _XX_, _XX_, _XX_, 0x00, 0x00, 0x00, 0x00, // mov SpinLock, 0
0xE8, _XX_, _XX_, _XX_, _XX_, // call pActivateHooks
0xC3 // retn
};

DS 3.1:
The ActivateHooks call can be found in the pActivateBPs function,
the pattern matches closely pre-DS3.1 versions

.text:000A2188 FF 35 FF 16 0F 00 push dCurrentContext
.text:000A218E C6 05 F7 E8 11 00 01 mov byte_11E8F7, 1
.text:000A2195 C7 05 06 5A 11 00 00 00 00 00 mov dTSS_Base, 0
.text:000A219F C7 05 02 5A 11 00 FF FF FF FF mov dword_115A02, 0FFFFFFFFh
.text:000A21A9 E8 DB EA FF FF call sub_A0C89
.text:000A21AE E8 21 2B 00 00 call pActivateHooks
...

.text:000A4CD4 pActivateHooks proc near
.text:000A4CD4 60 pusha
.text:000A4CD5 E8 50 18 00 00 call sub_A652A
.text:000A4CDA E8 29 B3 FF FF call sub_A0008
.text:000A4CDF E8 30 FF FF FF call sub_A4C14
.text:000A4CE4 C6 05 D8 27 12 00 01 mov byte_1227D8, 1
.text:000A4CEB 61 popa
.text:000A4CEC C3 retn
.text:000A4CEC pActivateHooks endp


DeActivateHooks:
Code:

unsigned char PAT_DeActivateHooks[] =
{
0x83, 0x3D, _XX_, _XX_, _XX_, _XX_, 0x01, // cmp dNumOfCPUs, 1
0x76, 0x13, // jbe short loc_3095F
0xF0, 0x0F, 0xBA, 0x2D, _XX_, _XX_, _XX_, _XX_, 0x00, // lock bts SpinLock, 0
0x73, 0x03, // jnb short loc_3095A
0xF9, // stc
0xEB, 0x06, // jmp short locret_30960
// loc_3095A:
0xE8, _XX_, _XX_, _XX_, _XX_, // call pDeActivateHooks
0xF8, // clc
// locret_30960:
0xC3 // retn
};

DS 3.1:
The DeActivateHooks call can be found in the pDeactivateBPs function,
the pattern matches closely pre-DS3.1 versions.
This one is a little trickier, there are now *2* calls, where before there
was only one. One or both of them may be the new DeActivateHooks function.

.text:000A1F47 loc_A1F47: ; CODE XREF: pDeactivateBPs+CDj

.text:000A1F47 E8 A1 2D 00 00 call sub_A4CED
.text:000A1F4C E8 AF 2C 00 00 call sub_A4C00
// one of these 2 calls seem to match what should be the call
// to DeActivateHooks as seen in earlier DS versions

....
.text:000A1F51 B0 01 mov al, 1
.text:000A1F53 E8 3B 68 FA FF call sub_48793
.text:000A1F58 58 pop eax
.text:000A1F59 E8 D2 62 FA FF call pSwitchContext_InWinice
.text:000A1F5E 58 pop eax
.text:000A1F5F A2 B0 9E 0D 00 mov fNOPAGE, al
.text:000A1F64 07 pop es
.text:000A1F65 61 popa
.text:000A1F66 C3 retn
.text:000A1F66 pDeactivateBPs endp


This is just a cursory look at things, I may have made some mistakes, but it should be enough as a guide to where the new functions are in DS 3.1.


As an aside, if you want to trace *into* IceExt, or any other Softice KDExtension, you can set a BPX in NTICE (yes, it seems to work!) at the call which calls the DriverEntry routine of standard KDExtensions. The DriverEntry routine is configured more like a regular DllEntry routine, except that you still need to find the PDRIVER_OBJECT to register a DriverUnload function. You can trace through IceExt live this way.

Code:

NTICE DS3.1
.text:0009A1A3 6A 00 push 0
.text:0009A1A5 6A 01 push 1 ; fwdReason = "DLL_PROCESS_ATTACH"
.text:0009A1A7 FF 76 17 push dword ptr [esi+17h] ; MZ Header
.text:0009A1AA FF 56 1B call dword ptr [esi+1Bh] ; load KDExtension
; DriverEntry_fdwReason_LoadKDExtension


Kayaker

bedrock
February 18th, 2004, 05:32
Thanks for your great post Kayaker,

I can confirm that i also found the same as you for Expression2Integer and ActivateBPs and added the following byte pattern structures to softice.h file in IceExt:

Code:

unsigned char PAT_Expression2Integer_DS31[] = // code pattern
{
0x55, // push ebp
0x8B, 0xEC, // mov ebp, esp
0x83, 0xEC, _XX_, // sub esp, 0Ch
0x56, // push esi
0x33, 0xF6, // xor esi, esi
0x89, 0x75, 0xFC, // mov [ebp+var_4], esi
0x89, 0x75, 0xF4, // mov [ebp+var_C], esi
0x89, 0x75, 0xF8, // mov [ebp+var_8], esi
0x66, 0x89, 0x35, _XX_, _XX_, _XX_, _XX_,
// mov word ptr dword_11787C, si
0xE8 // call pCreate_fExp2Int

};

unsigned char PAT_ActivateBPs_DS31[] = // code pattern
{
0x80, 0x3D, _XX_, _XX_, _XX_, _XX_, 0x01, // cmp dw_IsBPActivated, 1
0x74, _XX_, // jz short loc_A2163
0x80, 0x3D, _XX_, _XX_, _XX_, _XX_, 0x01, // cmp dwNumberOfBPs?, 1
0x74, _XX_, // jz short loc_A2163
0x83, 0x3D, _XX_, _XX_, _XX_, _XX_, 0x00, // cmp dword_108A8E, 0
0x74, _XX_, // jz short loc_41BD5
// loc_A2163:
0x60, // pusha
0xE8, _XX_, _XX_, _XX_, _XX_, // call sub_A4C14
0x61, // popa
0xC3 // retn
};


And made these changes to the init function in the softice.cpp IceExt file:

Code:

//-------------------------------------------------------------------------
// Expression2Integer
//-------------------------------------------------------------------------
si_Expression2Integer = TYPE_Expression2Integer (RabSearch(PAT_Expression2Integer, sizeof(PAT_Expression2Integer),
si_CodeBase, si_CodeSize) + si_CodeBase - OFS_Expression2Integer);

if ((DWORD)si_Expression2Integer < (DWORD)si_CodeBase)
{
// search for DS30 pExpression2Integer signature
si_Expression2Integer = TYPE_Expression2Integer (RabSearch(PAT_Expression2Integer_DS30, sizeof(PAT_Expression2Integer_DS30),
si_CodeBase, si_CodeSize) + si_CodeBase - OFS_Expression2Integer);

if ((DWORD)si_Expression2Integer < (DWORD)si_CodeBase)
{
// search for DS31 pExpression2Integer signature
si_Expression2Integer = TYPE_Expression2Integer (RabSearch(PAT_Expression2Integer_DS31, sizeof(PAT_Expression2Integer_DS31),
si_CodeBase, si_CodeSize) + si_CodeBase - OFS_Expression2Integer);

if ((DWORD)si_Expression2Integer < (DWORD)si_CodeBase)
{
DbgPrint("ERROR: Can't find Expression2Integer address in memory.\n";
return FALSE;
}
}
}

//-------------------------------------------------------------------------
// pActivateBPs
//-------------------------------------------------------------------------
si_ActivateBPs = TYPE_ActivateBPs (RabSearch(PAT_ActivateBPs, sizeof(PAT_ActivateBPs),
si_CodeBase, si_CodeSize) + si_CodeBase - OFS_ActivateBPs);

if ((DWORD)si_ActivateBPs < (DWORD)si_CodeBase)
{
si_ActivateBPs = TYPE_ActivateBPs (RabSearch(PAT_ActivateBPs_DS31, sizeof(PAT_ActivateBPs_DS31),
si_CodeBase, si_CodeSize) + si_CodeBase - OFS_ActivateBPs);

if ((DWORD)si_ActivateBPs < (DWORD)si_CodeBase)
{
DbgPrint("ERROR: Can't find pActivateBPs address in memory.\n";
return FALSE;
}
}


I also found it fairly easy to step through the IceExt code live by placing an embedded int3 at the begining of the si_Init() function in the softice.cpp source file.

Hopefully i can spend some more time looking at this today, with your other findings we might be able to make some progress...

--
bedrock

bedrock
February 18th, 2004, 11:30
Ok,

I've gone through Kayakers info and made some changes to softice.h and softice.cpp files of IceExt source and i have a version of IceExt that will function with DS31. We're not all the way there yet, as I can't find the function named si_UNH_Write, which Sten is using to add Unhandled Exception Filter protection.

But at least this version should give you some Softice hiding ability and !dump function (the main reasons i use iceext) and of course tetris is fully functional

I am attaching a zip file with my two modified source files, in case others want to see changes (Sten) and an IceExt.sys file compiled in release using the XP DDK 2600.1106 version

On a slightly different issue, since installing DS31 and using BPINT 3, i keep landing in ntoskrnl!MmPrefetchPages+02B6, has anyone else noticed this? Maybe caus i've got XP SP2 beta also installed

PS. I haven't changed the version number of this file, it still identifies itself as 0.57, i wanted to keep my changes to a minimum.

Doh!, must of had a blonde moment, and added the wrong binary to the zip

Attachement should now be fixed, sorry guys.

--
bedrock

volodya
February 19th, 2004, 14:07
Gentlemen, I recently talked to Sten. He is aware of the problem and will do everything. Project is neither dead nor frozen. Just that fucken DDoS screwed up not only wasm, but many-many-many other Russian resources.

bedrock
February 19th, 2004, 14:34
Quote:
[Originally Posted by volodya]Gentlemen, I recently talked to Sten. He is aware of the problem and will do everything. Project is neither dead nor frozen..


volodya, this is very good news to hear, hopefully the work we have already done will help Sten, sorry to hear about the continued DDoS attacks on your russian freinds.

--
bedrock

crUsAdEr
February 20th, 2004, 17:54
Has anyone noticed that Symbol Loader cant detect sice active when iceext is loaded but will work fine once u unload iceext... i did a bit of searching and found the reason to be here in nmtrans.dll

Code:

.text:1001FB22 loc_1001FB22: ; CODE XREF: DevIO_ConnectToSoftICE+3Ej
.text:1001FB22 ; DevIO_ConnectToSoftICE+5Bj
.text:1001FB22 push offset Data
.text:1001FB27 lea ecx, [esp+110h+FileName]
.text:1001FB2B push offset a_Ntice ; "\\\\.\\NTICE"
.text:1001FB30 push ecx
.text:1001FB31 call sub_1001FB70
.text:1001FB36 add esp, 0Ch
.text:1001FB39 lea edx, [esp+10Ch+FileName]
.text:1001FB3D push 0 ; hTemplateFile
.text:1001FB3F push 80h ; dwFlagsAndAttributes
.text:1001FB44 push 3 ; dwCreationDisposition
.text:1001FB46 push 0 ; lpSecurityAttributes
.text:1001FB48 push 3 ; dwShareMode
.text:1001FB4A push 80000000h ; dwDesiredAccess
.text:1001FB4F push edx ; lpFileName
.text:1001FB50 call esi ; CreateFileA
.text:1001FB52 mov esi, eax
.text:1001FB54 cmp esi, 0FFFFFFFFh
.text:1001FB57 jnz short sice_active
.text:1001FB59 push 0A6580001h ; dwErrCode
.text:1001FB5E call ds:__imp_SetLastError
.text:1001FB64
.text:1001FB64 sice_active: ; CODE XREF: DevIO_ConnectToSoftICE+C7j
.text:1001FB64 mov eax, esi
.text:1001FB66
.text:1001FB66 loc_1001FB66: ; CODE XREF: DevIO_ConnectToSoftICE+29j
.text:1001FB66 pop esi
.text:1001FB67 add esp, 108h
.text:1001FB6D retn
.text:1001FB6D DevIO_ConnectToSoftICE endp


Here when iceext is loaded, CreateFileA failed and hence export function DevIO_ConnectToSoftICE of nmtrans.dll will return sice not loaded... of course a dirty patch would do the job but i rather understand why... hence this post...

Is this a iceext feature that was present since last releases or is this a bug of the new 'dirty patch' by bedrock .. no offense bedrock... ... any explanantion on why sice behaves this way when iceext is loaded? My guess is that iceext patchs something but not sure what...

cheers,
crUs

volodya
February 20th, 2004, 18:19
The answer should have been looked for in the sources. Use the source, Luk
Being brief the answer is "yes". The trick is known as "MeltIce" and many protections are using the same idea to catch Soft-Ice. IceExt hooks several NT API calls through SDT and prevents NtCreateFile (...NTICE...) to return the correct answer. For this and not only for this purpose there is a "protect off" command in IceExt...

crUsAdEr
February 20th, 2004, 22:51
lol... simple enough... thanks volodya...
pardon me for the silly question... been a while since i touched sice i forgot that meltice is still a viable option to detect softice .. cheers... time to dig in the source n patch it to make symbol loader works then ...

crUsAdEr
February 21st, 2004, 00:36
sorry abt this.. but i am not much of a C++ programmer... and i was just wondering if there is a simple n nice way to change NewNtCreateFileA in protect.cpp to detect if CreateFileA is called by softice itself (nmtrans.dll) and response normally instead of kickin AntiMeltice...
Code:

static WCHAR FILT_STR1[] = L"\\??\\NTICE";
static WCHAR FILT_STR2[] = L"\\??\\SIWVIDSTART";
static WCHAR FILT_STR3[] = L"\\??\\SIWSYM";

#define FILT_STR1_SIZE ((sizeof(FILT_STR1)-1)/sizeof(WCHAR))
#define FILT_STR2_SIZE ((sizeof(FILT_STR2)-1)/sizeof(WCHAR))
#define FILT_STR3_SIZE ((sizeof(FILT_STR3)-1)/sizeof(WCHAR))

NTSTATUS NewNtCreateFile(
PHANDLE FileHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
PIO_STATUS_BLOCK IoStatusBlock,
PLARGE_INTEGER AllocationSize OPTIONAL,
ULONG FileAttributes,
ULONG ShareAccess,
ULONG CreateDisposition,
ULONG CreateOptions,
PVOID EaBuffer OPTIONAL,
ULONG EaLength)
{
NTSTATUS rc;

if (protect_MeltICE)
{

if (ObjectAttributes->ObjectName->Buffer)
{
if (
(_wcsnicmp(ObjectAttributes->ObjectName->Buffer,
FILT_STR1, FILT_STR1_SIZE) == 0) ||
(_wcsnicmp(ObjectAttributes->ObjectName->Buffer,
FILT_STR2, FILT_STR2_SIZE) == 0) ||
(_wcsnicmp(ObjectAttributes->ObjectName->Buffer,
FILT_STR3, FILT_STR3_SIZE) == 0)
)
{
DbgPrint(szMethodMeltICE);
return STATUS_OBJECT_NAME_NOT_FOUND;
}
}
}

rc=((NTCREATEFILE)(OldNtCreateFile)) (
FileHandle,
DesiredAccess,
ObjectAttributes,
IoStatusBlock,
AllocationSize,
FileAttributes,
ShareAccess,
CreateDisposition,
CreateOptions,
EaBuffer,
EaLength);
return rc;
}


of course in asm, we simply look on stack value n trace a few values down to find caller EIP but i rather do something nice n portable in C++,, any suggestion?

bedrock
February 21st, 2004, 06:45
@ crUsAdEr,

No offence taken

As volodya already answered, this was always the way symbol loader behaved with IceExt loaded and is due to protection.

I never thought about changing IceExt to allow symbol loader to detect softice, but i like your idea, i dont know how this can be done easily in C though, NtCreateFile is 'undocumented' my m$, although i found some information here hxxp://undocumented.ntinternals.net but it doesn't appear to be able to detect the caller of this function.

--
bedrock

doug
February 21st, 2004, 12:17
crusader:
imho, A better solution to this when using IceExt is to disable Meltice, do what needs to be done w.r.t nmtrans and put protect back on.

Some protections use nmtrans.dll's exported NmSynmIsSoftICELoaded to detect the debugger.. If you let nmtrans checks pass through, you might be fooled by an easy MeltICE debugger check without knowing / being able to disable it (without recompiling).

just !help protect and it'll tell u what to do to disable only meltice.

crUsAdEr
February 21st, 2004, 13:13
Hi doug,

Thanks for the suggestion... though i like to use softice log history and if symbol loader cant detect softice, i cant save log ... i was thinking of actually print out a debug msg saying Softice detection by nmtrans.dll etc... so hopefully i wont be fooled if protector uses nmtrans.dll exported function... the thing is that even iceext debug print is also to sice command window, which is stored in sice log so if i cant access log file, i wont even see any of iceext debug msg...

I was just exploring anyway, getting old rusty brain back in shape

bedrock, if you watch pOutputHandle of NewNtCreateFile, you will see it is a n address on usermode stack, thus if you scroll down from that address a bit you will see the address of original caller of CreateFileA... the thing now is how to work out how usermode stack is mapped onto kernel mode stack... what else is called inbetween CreateFileA and the final NtCreatFile...

crUsAdEr
February 22nd, 2004, 03:24
Can someone confirm this?

DS3.1 no longer patch CC into UnhandledExceptionFilter anymore? I have tried to detect sice through this feature with no success... the patch routine doesnt seem to be there anymore...

JMI
February 24th, 2004, 21:29
I've added this to another thread in the Newbie Forum, but thought I'd add it here as well.

"For those who may not have noticed, Sten's IceExt 0.60 is available at Wasm.ru. They are still under DDOS attack, so you may have to keep trying."

Regards,

andox
February 27th, 2004, 05:59
wasm.ru does not work at all for me, are there any another site to download IceExt 0.60 from?

sgdt
February 27th, 2004, 10:07
Have you tried ExeTools? That's where I got mine from.

ZaiRoN
February 27th, 2004, 10:16
andox, this thread will help you:
http://www.woodmann.net/forum/showthread.php?t=5500&highlight=iceext

andox
February 27th, 2004, 10:27
Thanks, i got it from exetools ftp

ZaiRoN
February 27th, 2004, 17:27
Oooops... sorry. I did not notice the version

Sten
March 1st, 2004, 07:04
Quote:
[Originally Posted by crUsAdEr]Can someone confirm this?

DS3.1 no longer patch CC into UnhandledExceptionFilter anymore? I have tried to detect sice through this feature with no success... the patch routine doesnt seem to be there anymore...


I've tested this on two machines. On one machine SoftICE doesn't patch UnhandledExceptionFilter at all.

On other machine INT3 is there, i.e. SoftICE patches UnhandledExceptionFilter but in a strange way. Now you can see this INT 3 instruction when disassemble function in SoftICE (previous versions hides INT3 when you activate SoftICE).

So, it seems SoftICE MAY patch UnhandledExceptionFilter during it's startup. It is not clear yet what conditions patching depends on.
Just disassemble KERNEL32!UnhandledExceptionFilter and look if SoftICE patches it on your system. If it does, you can now hide SoftICE just replacing INT3 instruction with the oribinal byte.

crUsAdEr
March 2nd, 2004, 03:05
HI Sten,

Thanks for the info... i can confirm that on 2 of my machine, win2k SP4 and Server 2003 both don't seem to be patched at UEF...

However, on the quest to find where sice patch... i stumbled upon quite a few functions in ntoskrnl that is patched by sice, eg. MiMapViewImageHeaderInHyperSpace, MiMapViewOfImageSection, _MmUnmapViewOfSection etc... note that these patched are masked by sice so display memory in sice wont show CC, but bpm on them will stick...

I guess sice hook these functions for paging handling etc.. not sure but if protectors want to check for sice, they sure as hell have lots of choices beside UEF... and i am not sure you can disable them the way you do with UEF.

On what system do you get sice to patch UEF?

Sten
March 2nd, 2004, 04:44
SoftICE patches UEF on my home PC (WinXP SP1). However, it does not patches UEF on other PC (WinXP SP1 + security patches). I'll check this again, patching may depend on SoftICE initialization settings for ex.

Quote:
However, on the quest to find where sice patch... i stumbled upon quite a few functions in ntoskrnl that is patched by sice, eg. MiMapViewImageHeaderInHyperSpace, MiMapViewOfImageSection, _MmUnmapViewOfSection etc...


Yeah, I know SoftICE patches some functions from ntoskrnl. Fortunately, windows kernel code is not accessible for ring3 applications, so I do not consider this as a problem.

BTW, these hooks can be disabled with help of undocumented and unexported in official build IceExt command '!unhook'.

crUsAdEr
March 2nd, 2004, 09:28
cool... no wonder i couldnt call the !unhook functions... i saw it in the source but couldnt figure out how to use it ... Do you know what these ntoskrnl hooks are for? Is this safe to disable them?

Quote:
Yeah, I know SoftICE patches some functions from ntoskrnl. Fortunately, windows kernel code is not accessible for ring3 applications, so I do not consider this as a problem.

lol.. i didnot know that... sorry for the misinformation... i always thought you can read from anywhere in memory, just cant write to certain memory area only...

btw, i was looking but cant find the area of code where sice sits there, loop ard do nothing, freezing everythign waiting for user input... can u point me to them?

Thanks,
crUs

Sten
March 2nd, 2004, 10:35
Quote:
[Originally Posted by crUsAdEr]
Do you know what these ntoskrnl hooks are for? Is this safe to disable them?


The system seems to be stable after disabling these hooks however I would prefer to keep them enabled as SoftICE relies on this hooks someway..

Quote:
[Originally Posted by crUsAdEr]btw, i was looking but cant find the area of code where sice sits there, loop ard do nothing, freezing everythign waiting for user input... can u point me to them?


SoftICE usually activates from one of the interrupt handler (p_INT03 for ex. in TheOwl notation). SoftICE calls pStopSecondCPUs to stop all CPUs except one SoftICE executes on and rises current APIC task priority to highest possible.

The main SoftICE routine called pNTIceMain. Here SoftICE does all the work for handling user input, executing commands e.t.c.

crUsAdEr
March 4th, 2004, 03:41
Hi Sten,

I notice in your iceext source, you simply drop the command into the KbdBuffer and then call NTicemain... is this as simple as that to send a command to sice or do you also need to patch somewhere else in ntice memory?

Sten
March 4th, 2004, 05:25
Quote:
[Originally Posted by crUsAdEr]I notice in your iceext source, you simply drop the command into the KbdBuffer and then call NTicemain... is this as simple as that to send a command to sice or do you also need to patch somewhere else in ntice memory?


Yeah, you can send command to SoftICE in this way. No patching is needed.
Even SoftICE itself uses this trick when handling initialization string from winice.dat.

crUsAdEr
March 28th, 2004, 05:06
Hi Sten,

Well this is what i found so far... using undocumaneted command "ver -ahk"
It will list all the hooks that sice installed, among which
Quote:
NT API Hook function 25: UnhandledExceptionFilter
Hook address : 7C51BD2B Module: kernel32.dll
Handler : BF37CD01 StartSearchFn:
RetHandler : 0
OSI ID : FA000024
First byte : 0
Enable * : BF3B1D18 (=1)
Status : OK


With the enable flag offset at BF3B1D18, i trace down to this
Code:
INIT:0016FAA6 68 78 F9 16 00 push offset aDisableusermodehooks ; "DisableUserModeHooks"
INIT:0016FAAB A3 60 95 12 00 mov fDisableNameSaving, eax
INIT:0016FAB0 E8 93 2D 00 00 call pQueryRegistry
INIT:0016FAB5 85 C0 test eax, eax
INIT:0016FAB7 74 07 jz short loc_16FAC0
INIT:0016FAB9 83 25 18 9D 0D 00+ and fEnableUsermodeHook, 0
INIT:0016FAC0
INIT:0016FAC0 loc_16FAC0: ; CODE XREF: pReadUndocSiceSetting+115j
INIT:0016FAC0 85 F6 test esi, esi
INIT:0016FAC2 74 0F jz short loc_16FAD3
INIT:0016FAC4 83 3D 5C 95 12 00+ cmp fDoInt2DPatch, 2
INIT:0016FACB 74 06 jz short loc_16FAD3
INIT:0016FACD 89 35 1C 4C 15 00 mov Int2DLocation, esi


However, i cant seem to be able to find any Registry Key value corresponding to DisableUsermodeHook :/

Sten
March 29th, 2004, 05:01
Hi crUsAdEr,

I've just released IceExt 0.62 and added some sort of a fix to UnhandledExceptionFilter problem. Now IceExt patches UEF directly and removes INT3 instruction. The problem - I do not know what original byte is, so I always assume it to be 68h.

Your info can be quite useful, thanks.

crUsAdEr
March 29th, 2004, 21:47
Hi Sten,

iceext0.62 doesnt seem to be able to patch UEF on my system... it says fail to patch error... i couldnot locate your si_UNH_PAT either... can you tell me the exact RVA?

pLayAr
March 30th, 2004, 02:07
Quote:
[Originally Posted by crUsAdEr]Hi Sten,

Well this is what i found so far... using undocumaneted command "ver -ahk"
It will list all the hooks that sice installed, among which


With the enable flag offset at BF3B1D18, i trace down to this
Code:
INIT:0016FAA6 68 78 F9 16 00 push offset aDisableusermodehooks ; "DisableUserModeHooks"
INIT:0016FAAB A3 60 95 12 00 mov fDisableNameSaving, eax
INIT:0016FAB0 E8 93 2D 00 00 call pQueryRegistry
INIT:0016FAB5 85 C0 test eax, eax
INIT:0016FAB7 74 07 jz short loc_16FAC0
INIT:0016FAB9 83 25 18 9D 0D 00+ and fEnableUsermodeHook, 0
INIT:0016FAC0
INIT:0016FAC0 loc_16FAC0: ; CODE XREF: pReadUndocSiceSetting+115j
INIT:0016FAC0 85 F6 test esi, esi
INIT:0016FAC2 74 0F jz short loc_16FAD3
INIT:0016FAC4 83 3D 5C 95 12 00+ cmp fDoInt2DPatch, 2
INIT:0016FACB 74 06 jz short loc_16FAD3
INIT:0016FACD 89 35 1C 4C 15 00 mov Int2DLocation, esi


However, i cant seem to be able to find any Registry Key value corresponding to DisableUsermodeHook :/


GOOD WORK
i create a registry key named "DisableUsermodeHooks", and set it's value to 1
now ,si do not patch UEF!

bedrock
March 30th, 2004, 02:09
Hi sten,

Also i tried this on my system which is running XP SP2 (RC1 build 2096), i checked kernel32!UnhandledExceptionFilter and it does begin with 0x68, but iceext062 report

Error: Unable to patch UnhandledExceptionFilter

--
bedrock

Sten
March 30th, 2004, 02:36
Currently IceExt can patch UEF when SoftICE is activated in a context of a process that uses KERNEL32.DLL. (I'm too lazy to switch context from my code).

It seems DisableUsermodeHook registry key is preffered solution to UEF problem.

Quote:
[Originally Posted by bedrock]Hi sten,

Also i tried this on my system which is running XP SP2 (RC1 build 2096), i checked kernel32!UnhandledExceptionFilter and it does begin with 0x68, but iceext062 report

Error: Unable to patch UnhandledExceptionFilter

--
bedrock

crUsAdEr
March 30th, 2004, 03:15
Hi Sten,

Can you point me to the RVA of si_UHF_Write_PAT used in in your protect.cpp code? I did try pattern searching but cant seem to find them...

Sten
March 30th, 2004, 03:20
Hi crUsAdEr,

IceExt doesn't patches pUNH_Write procedure in SoftICE 4.3.1 (as there isn't any). IceExt directly writes to UnhandledExceptionFilter, see protSetUEFPatchDS31().

Quote:
[Originally Posted by crUsAdEr]Hi Sten,

Can you point me to the RVA of si_UHF_Write_PAT used in in your protect.cpp code? I did try pattern searching but cant seem to find them...

crUsAdEr
March 30th, 2004, 04:15
Thanks... that clears my doubt... the hooking is done by CptHook.sys but if we patch it then it will affect all API hooking...

crUsAdEr
March 30th, 2004, 05:41
Hi Sten,

Attempting to stop iceext with "bpint 1" or "bpint 3" on will result in a system crash... that is because bpint install new handler via IDT hence when we try to remove iceext the handling chain is broken... perhaps you can try patching bpint to hook int1/3 differently, chain after your handler, so iceext can exit gracefully when required? Then again i guess there is no reason to remove iceext heh ?

Anyway, since u r at it, can also fix the annoying "bpint 3 feature" that pop sice up at its own internal API hook (this has been reported here before)

Timbo
March 31st, 2004, 14:51
Hi Sten,

nice work, but if "net start iceext" start's ntice and iceext patch
unhandledexceptionfilter direct, a "CC" on OEP's won't be triggered
with XP (SP1&SP2pre). I have to enter ntice, write cc, exit to desktop,
enter ntice, replace cc with 68 (well never seen 55 maybe w2k),
and ntice trigger OEP (with i3here on)
maybe someone knows more