
Thread: IceExt and DS 3.1

  1. #31
    Sten
    Guest
    Hi crUsAdEr,

    I've just released IceExt 0.62 and added some sort of a fix to the UnhandledExceptionFilter problem. Now IceExt patches UEF directly and removes the INT3 instruction. The problem is that I do not know what the original byte is, so I always assume it to be 68h.

    Your info can be quite useful, thanks.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #32
    Hi Sten,

    IceExt 0.62 doesn't seem to be able to patch UEF on my system... it says "fail to patch" error... I couldn't locate your si_UNH_PAT either... can you tell me the exact RVA?

  3. #33
    pLayAr
    Guest
    Quote Originally Posted by crUsAdEr
    Hi Sten,

    Well this is what I found so far... using the undocumented command "ver -ahk".
    It will list all the hooks that sice installed, among which


    With the enable flag offset at BF3B1D18, I traced down to this:
    Code:
    INIT:0016FAA6 68 78 F9 16 00      push  offset aDisableusermodehooks ; "DisableUserModeHooks"
    INIT:0016FAAB A3 60 95 12 00      mov   fDisableNameSaving, eax
    INIT:0016FAB0 E8 93 2D 00 00      call  pQueryRegistry
    INIT:0016FAB5 85 C0               test  eax, eax
    INIT:0016FAB7 74 07               jz    short loc_16FAC0
    INIT:0016FAB9 83 25 18 9D 0D 00+  and   fEnableUsermodeHook, 0
    INIT:0016FAC0                   
    INIT:0016FAC0                   loc_16FAC0:                   ; CODE XREF: pReadUndocSiceSetting+115j
    INIT:0016FAC0 85 F6               test  esi, esi
    INIT:0016FAC2 74 0F               jz    short loc_16FAD3
    INIT:0016FAC4 83 3D 5C 95 12 00+  cmp   fDoInt2DPatch, 2
    INIT:0016FACB 74 06               jz    short loc_16FAD3
    INIT:0016FACD 89 35 1C 4C 15 00   mov   Int2DLocation, esi
    However, I can't seem to be able to find any registry key value corresponding to DisableUsermodeHook :/
    GOOD WORK
    I created a registry value named "DisableUsermodeHooks" and set its value to 1.
    Now SI does not patch UEF!

  4. #34
    Hi sten,

    Also I tried this on my system, which is running XP SP2 (RC1 build 2096). I checked kernel32!UnhandledExceptionFilter and it does begin with 0x68, but IceExt 0.62 reports

    Error: Unable to patch UnhandledExceptionFilter

    --
    bedrock

  5. #35
    Sten
    Guest
    Currently IceExt can patch UEF when SoftICE is activated in the context of a process that uses KERNEL32.DLL. (I'm too lazy to switch context from my code.)

    It seems the DisableUsermodeHook registry key is the preferred solution to the UEF problem.


  6. #36
    Hi Sten,

    Can you point me to the RVA of si_UHF_Write_PAT used in your protect.cpp code? I did try pattern searching but can't seem to find it...

  7. #37
    Sten
    Guest
    Hi crUsAdEr,

    IceExt doesn't patch the pUNH_Write procedure in SoftICE 4.3.1 (as there isn't one). IceExt directly writes to UnhandledExceptionFilter, see protSetUEFPatchDS31().


  8. #38
    Thanks... that clears up my doubt... the hooking is done by CptHook.sys, but if we patch it then it will affect all API hooking...

  9. #39
    Hi Sten,

    Attempting to stop IceExt with "bpint 1" or "bpint 3" on will result in a system crash... that is because bpint installs a new handler via the IDT, hence when we try to remove IceExt the handling chain is broken... perhaps you can try patching bpint to hook int1/3 differently, chaining after your handler, so IceExt can exit gracefully when required? Then again I guess there is no reason to remove IceExt, heh?

    Anyway, since you are at it, can you also fix the annoying "bpint 3 feature" that pops SoftICE up at its own internal API hook? (This has been reported here before.)

  10. #40
    Timbo
    Guest
    Hi Sten,

    Nice work, but if "net start iceext" starts ntice and IceExt patches UnhandledExceptionFilter directly, a "CC" on OEPs won't be triggered with XP (SP1 & SP2 pre). I have to enter ntice, write CC, exit to the desktop, enter ntice, replace CC with 68 (well, I've never seen 55, maybe on W2K), and ntice triggers at the OEP (with i3here on). Maybe someone knows more.
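As an added example (my own code, not IceExt's or SoftICE's), a small C diagnostic for the first-byte question that runs through this thread: whether kernel32!UnhandledExceptionFilter currently starts with SoftICE's INT3 (CC), the push imm32 (68) that IceExt assumes, or the push ebp (55) Timbo mentions. The classifier and the guarded restore helper are portable and work on any byte buffer; the Windows-only part reads the live bytes with GetProcAddress, the check bedrock did by hand. The sample byte values are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The states the thread talks about for the first byte of
 * kernel32!UnhandledExceptionFilter. */
typedef enum {
    UEF_UNKNOWN = 0,
    UEF_INT3_HOOK,   /* 0xCC: SoftICE's INT3 still in place */
    UEF_PUSH_IMM32,  /* 0x68: the XP prologue IceExt assumes */
    UEF_PUSH_EBP     /* 0x55: the prologue Timbo never saw (maybe W2K) */
} uef_state;

/* Classify from the first bytes. 0x68 needs a 4-byte immediate behind it,
 * so a buffer shorter than 5 bytes is reported as unknown, not guessed. */
uef_state uef_classify(const uint8_t *code, size_t len)
{
    if (len == 0 || code == NULL) return UEF_UNKNOWN;
    switch (code[0]) {
    case 0xCC: return UEF_INT3_HOOK;
    case 0x68: return len >= 5 ? UEF_PUSH_IMM32 : UEF_UNKNOWN;
    case 0x55: return UEF_PUSH_EBP;
    default:   return UEF_UNKNOWN;
    }
}

/* Sten's caveat applied: the hooked copy alone cannot tell you the original
 * opcode, so the caller must supply it. The write happens only when the
 * current byte really is INT3 and the supplied byte is one of the two known
 * prologues, so an already restored function is never patched twice.
 * Returns 1 if a byte was changed, 0 otherwise. */
int uef_restore_first_byte(uint8_t *code, size_t len, uint8_t original)
{
    if (len == 0 || code == NULL || code[0] != 0xCC) return 0;
    if (original != 0x68 && original != 0x55) return 0;
    code[0] = original;
    return 1;
}

#ifdef _WIN32
#include <windows.h>
/* Read-only look at the live function; nothing is written. */
int main(void)
{
    HMODULE k32 = GetModuleHandleA("kernel32.dll");
    const uint8_t *p = k32 ? (const uint8_t *)GetProcAddress(k32, "UnhandledExceptionFilter") : NULL;
    if (!p) { puts("UnhandledExceptionFilter not found"); return 1; }
    printf("first byte %02X -> state %d\n", p[0], (int)uef_classify(p, 5));
    return 0;
}
#endif
```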
