
Thread: Can someone explain the unhandledexception mystery !!!!

  1. #16
    [yAtEs]
    You're welcome.

  2. #17
    pasha
    greetz

    I tried the last approach to reduce the distance between int1 and int3 (1Eh) by just redirecting int1 and int3 through my KMD to handlers that are just 06 bytes apart.

    without sice:

    I1OFFSET: 0x80465A96
    I3OFFSET: 0x80465D6E
    DIFF: 0x000002D8

    with sice:
    I1OFFSET: 0xBAE13729
    I3OFFSET: 0xBAE13747
    DIFF: 0x0000001E

    with my kmd:
    I1OFFSET: 0xED5E14BA
    I3OFFSET: 0xED5E14C0
    DIFF: 0x00000006

    But still sice simply exits without displaying any message box when I patch that kernel32!unhandledexceptionfilter to kernel32!Zhandledexceptionfilter.

    If I leave it alone, then it displays that "debugger detected" msgbox.

    So, in a nutshell, I have patched/done the following:
    1) int 1 DPL=0 using my kmd
    2) meltice (by changing all the names as in splaj's patch)
    3) int1-int3 distance using my kmd
    4) int 3 bchk by splaj's patch
    5) int 41 debugger check patch
    6) CC at first byte of unhandledexceptionfilter
    7) DR7 patch in ntice.sys
    8) I don't use any of DR1-DR3 for breakpoints
    9) faults off in sice

    Man, I still can't think how the hell sice is detected under NT/2k...

    I would appreciate any pointers on this. I know I shouldn't be asking, but it has been almost a month since I set out to defeat the sice checks by sd2 under NT/2k/XP.

    thnx again

    best regards
    pasha
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  3. #18
    Lunar_Dust
    SoftICE could still be detected using OpenService with "ServicesActive", which returns strings of the current services active.

    For example, go into Device Manager on Win2K or XP. Now click "View->Show Hidden Devices", and you will see NTice is listed as a device. You have to somehow change that name.

    I haven't gotten around to doing so; I don't know how to do that yet.

    -Lunar_Dust

  4. #19
    pasha
    greetz lunar

    I guess splaj's patch takes care of that: it renames NTICE inside NTICE.SYS and SIWVID.SYS to ZTICE and also renames SIWVID to ZIWVID, so any of the CreateFileA, OpenService, QueryObjectDirectory, or any other MeltICE variants will not succeed because NTICE is no longer the device name.

    best regards
    pasha

  5. #20
    nikolatesla20
    No, it does not. I am the one who created the patches based off Splaj's walkthru, and I have them applied on my systems, and NTice is still listed in the services. The patches simply rename the "CreateFile" name (the symbolic link), but the device name seems to still come out as NTice if you look at hidden devices. Just try it; you will see it is there even with the patches installed.

    -nt20

  6. #21
    dELTA (Administrator)
    Isn't this name (the one displayed in the "hidden devices" list) simply based on a value in the driver's registry key?

  7. #22
    Might be... I know I patched the registry, but to be sure I also patched the "three files" and renamed NTice.sys... Now my sice is safe from the OpenService trick... ;P

    ...and also DAEMON's NtQuerySystemInformation trick.

    Of course I had first patched NTice.sys with NicolaTesla20's fine patchers, to get rid of the usual stuff.

    /Manko

  8. #23
    pasha
    greetz all

    Thanks a ton for the replies; I patched the registry as well as the files against the OpenServiceA detection scheme.

    But still sd2 2.90.40 seems to fish out my SoftICE somehow... I really have no clue what detection scheme they have used.

    Hope someone who has done it tells me what detection in the world sd2 uses... hehe... this has been my all-time greatest experience with NTice/sd2.

    thnx again

    best regards
    pasha

  9. #24
    Just to be sure... Have you actually tried whether your patching succeeded?

    htetep://daemon.anticrack.de/

    sice_detection explanation:
    OS: NT/2000/XP by scanning the loaded drivers (simple but, as always, EFFECTIVE!)

    There are more detectors for the usual stuff posted on THIS board too...

    /Manko

  10. #25
    pasha
    greetz manko

    Yep, I tried the listing and it doesn't show up as ntice anymore in the services panel. Also I coded a small proggy using OpenService to list all services and it wasn't shown there either as Ntice; I renamed it to something else.

    But in any case I don't think sd2 uses this mechanism, because the exe displays the msgbox just after the first DeviceIoControl to secdrv.sys. I put my money mostly on some DRx stuff, but yet even after patching all the things, the msg still pops up.

    I have patched my NTICE against all of DAEMON's detections and other detections: SecuROM, PEShield, PELockNT, Armadillo, etc. The only stuff which detects it is sd2.

    So I am awaiting any pointers...

    best regards
    pasha

  11. #26
    nikolatesla20
    um,

    All I have to say is: sd2 is using a system driver for this? Well then you could be in big trouble... You should try to disasm the sys file and see what it's doing (of course I'm sure you've already done so). Sys files can't be protected.

    The problem is the sys file could be using undocumented crap for doing its thing, which may make it kinda hard to track down.

    Plus, it's a DeviceIoControl call; can't you just modify the return buffer....

    -nt20

  12. #27
    pasha
    greetz nikola

    Yep, I have disassembled secdrv.sys and am looking through it, documenting it every day.

    Also, the first thing I tried was an attack using the DevIo modify-buffer approach, but sd2 uses some kind of complex buffer technique: it passes an input buffer, the DevIo call modifies the buffer accordingly, and that data is used somewhere else in the program. I have the pattern of the failed DevIo call, but I can't just patch it because I would not know what it was expecting in the output buffer, meaning I have to crack that logic, which seems pretty complex at first look.

    So I am looking at places where checks are performed with DRx and other stuff.

    Hopefully I should be able to find something soon... or someone can help me on the way... but all in all this has been a tremendous learning experience for me with secdrv and ntice internals.

    thnx again

    best regards
    pasha

  13. #28
    Wizard Extraordinaire
    Well, I haven't seen the v2.90 secdrv yet... but the one I had a look at wasn't all that 'special'.

    Which secdrv function are you having problems with?! The secdrv function is put in the input buffer at position 0x0C. (The positions before that are: dwVersionMajor (0x00), dwVersionMinor (0x04), dwVersionPatch (0x08), and then you have dwCommand at 0x0C.)

    TIP: ignore those 4 dwords that get XOR'ed in the output buffer... it's nothing interesting (it's the KeTick value, but XOR'ed over 4 dwords to 'hide' it). It's checked in the main DLL to see if the call didn't last TOO long (i.e. to screw people using 'normal' debuggers that don't freeze time).

  14. #29
    Wizard Extraordinaire
    Just looked it up... the secdrv I had a look at way back was:

    dwVersionMajor= 0x03;
    dwVersionMinor= 0x0D;
    dwVersionPatch= 0;

  15. #30
    pasha
    greetz sintax

    Without ntice loaded, the first 2 DeviceIo calls are as follows:

    1) DeviceIOControl Device:00000070, Code:EF002407, IbufSize=00000514, OBufSize=00000C18
    ===Inbuf starts===
    03|00|00|00|12|00|00|00|00|00|00|00|3E|00|00|00|52|A0|8C|DB|3A|0D|19|4F|FD|94|2E|A8|84|7C|BB|3C|

    As seen:
    dwVersionMajor=0x03
    dwVersionMinor=0x12
    dwVersionPatch=0x00
    dwCommandCode=0x3E

    and then you have 2 more detections:

    IsDebuggerPresent call
    NTICE detection caught call.
    CreateFileA: \\.\Global\SecDrv, -->00000078
    CreateFileA: \\.\Global\SecDrv, -->00000078

    and then

    2) DeviceIOControl Device:00000078, Code:EF002407, IbufSize=00000514, OBufSize=00000C18
    ===Inbuf starts===
    03|00|00|00|12|00|00|00|00|00|00|00|3C|00|00|00|52|A0|8C|DB|3A|0D|19|4F|FD|94|2E|A8|84|7C|BB|3C|0

    Here dwCommand=0x3C.

    Now, with ntice loaded we have this:

    1st DeviceIo call:
    1) DeviceIOControl Device:00000070, Code:EF002407, IbufSize=00000514, OBufSize=00000C18
    ===Inbuf starts===
    03|00|00|00|12|00|00|00|00|00|00|00|3E|00|00|00|EC|C9|8C|DB|3A|0D|19|4F|FD|94|2E|A8|84|7C|BB|3C|

    As seen, dwCommandCode=0x3E.

    and then you have 2 more detections:

    IsDebuggerPresent call
    NTICE detection caught call.

    BUT the second DeviceIo call is never executed and I get the MessageBox saying debugger detected...

    So I figure there is some problem with the DeviceIo call with dwCommandCode = 0x3E... any ideas what that function does??

    best regards
    pasha
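The following Python script is an added example, not code from any poster in this thread. It takes the Inbuf dumps and the logged DeviceIoControl line from post #30 (copied from the page, including the line wrap the forum inserted mid-byte) and parses them against the header layout given in post #28 (dwVersionMajor at 0x00, dwVersionMinor at 0x04, dwVersionPatch at 0x08, dwCommand at 0x0C). It also splits the IOCTL code EF002407 into its DeviceType/Access/Function/Method fields using the standard Windows CTL_CODE encoding, and reports which bytes of the first call's input buffer differ between the run without NTICE and the run with it loaded. The function names, the log-line regex and the labels are my own; the thread does not say what the bytes after the header mean.

```python
import re
import struct
from typing import Dict, List, Tuple

# Header layout of the secdrv.sys IOCTL input buffer as given in post #28.
HEADER_FIELDS = ("dwVersionMajor", "dwVersionMinor", "dwVersionPatch", "dwCommand")
HEADER_LEN = 0x10

# Input-buffer dumps copied from post #30. Only the first 32 bytes of the
# 0x514-byte buffer were posted, and the forum wrapped each dump in the
# middle of a byte ("2" / "E"); parse_dump() tolerates that.
CALL1_NO_SICE = (
    "03|00|00|00|12|00|00|00|00|00|00|00|3E|00|00|00|52|A0|8C|DB|3A|0D|19|4F|FD|94|2"
    "E|A8|84|7C|BB|3C|"
)
CALL2_NO_SICE = (
    "03|00|00|00|12|00|00|00|00|00|00|00|3C|00|00|00|52|A0|8C|DB|3A|0D|19|4F|FD|94|2"
    "E|A8|84|7C|BB|3C|0"
)
CALL1_WITH_SICE = (
    "03|00|00|00|12|00|00|00|00|00|00|00|3E|00|00|00|EC|C9|8C|DB|3A|0D|19|4F|FD|94|2"
    "E|A8|84|7C|BB|3C|"
)
# The call header line as logged by pasha's hooking tool (post #30).
CALL1_LINE = "DeviceIOControl Device:00000070, Code:EF002407, IbufSize=00000514, OBufSize=00000C18"

# Regex for the log line format above (my assumption about the tool's output).
CALL_RE = re.compile(
    r"([0-9A-Fa-f]{8}), Code:([0-9A-Fa-f]+), IbufSize=([0-9A-Fa-f]+), OBufSize=([0-9A-Fa-f]+)"
)


def parse_dump(dump: str) -> bytes:
    """Turn a '03|00|00|...' dump (possibly wrapped across lines) into bytes."""
    compact = "".join(dump.split())          # undo the forum's line wrapping
    out = bytearray()
    for tok in compact.split("|"):
        if len(tok) == 2:                    # a full byte
            out.append(int(tok, 16))
        # an empty token (trailing '|') or a lone nibble (truncated byte) is skipped
    return bytes(out)


def parse_header(buf: bytes) -> Dict[str, int]:
    """Decode the four little-endian DWORDs at the front of the input buffer."""
    if len(buf) < HEADER_LEN:
        raise ValueError("buffer shorter than the 0x10-byte header")
    return dict(zip(HEADER_FIELDS, struct.unpack_from("<4I", buf, 0)))


def parse_call_line(line: str) -> Dict[str, int]:
    """Extract handle, IOCTL code and buffer sizes from a logged call line."""
    m = CALL_RE.search(line)
    if not m:
        raise ValueError("not a DeviceIoControl log line: %r" % line)
    handle, code, in_size, out_size = (int(x, 16) for x in m.groups())
    return {"handle": handle, "code": code, "in_size": in_size, "out_size": out_size}


def decode_ioctl(code: int) -> Dict[str, int]:
    """Split a CTL_CODE value into DeviceType, Access, Function and Method.

    CTL_CODE(dev, func, method, access) = (dev << 16) | (access << 14) | (func << 2) | method
    """
    return {
        "device_type": (code >> 16) & 0xFFFF,
        "access": (code >> 14) & 0x3,
        "function": (code >> 2) & 0xFFF,
        "method": code & 0x3,   # 3 == METHOD_NEITHER: raw user-mode pointers reach the driver
    }


def diff_buffers(a: bytes, b: bytes) -> List[Tuple[int, int, int]]:
    """Return (offset, byte_in_a, byte_in_b) for every position that differs."""
    n = min(len(a), len(b))
    return [(i, a[i], b[i]) for i in range(n) if a[i] != b[i]]


def describe(label: str, dump: str) -> str:
    """One-line summary of a captured input buffer's header."""
    hdr = parse_header(parse_dump(dump))
    return "%s: version %d.%d.%d, dwCommand=0x%02X" % (
        label, hdr["dwVersionMajor"], hdr["dwVersionMinor"], hdr["dwVersionPatch"], hdr["dwCommand"])


if __name__ == "__main__":
    call = parse_call_line(CALL1_LINE)
    print("IOCTL 0x%08X -> %s" % (call["code"], decode_ioctl(call["code"])))
    for label, dump in (("call 1, no SICE", CALL1_NO_SICE),
                        ("call 2, no SICE", CALL2_NO_SICE),
                        ("call 1, SICE loaded", CALL1_WITH_SICE)):
        print(describe(label, dump))
    for off, x, y in diff_buffers(parse_dump(CALL1_NO_SICE), parse_dump(CALL1_WITH_SICE)):
        print("offset 0x%02X differs: %02X (no SICE) vs %02X (SICE loaded)" % (off, x, y))
```

Run as-is, the script confirms the values pasha read off by hand (version 3.18.0, dwCommand 0x3E then 0x3C), shows that EF002407 is DeviceType 0xEF00, Function 0x901, METHOD_NEITHER, and reports that in the posted 32 bytes only offsets 0x10 and 0x11 differ between the two runs of the first call.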
