
Thread: Hiding SI NT2K :)

  #1 +SplAj (Join Date: Feb 2001)

    Hi fellows

    I saw a few posts on the topic of anti-debugger cloaking for our beloved tool SI. We all know about the Icedump team's excellent work,
    and Frogs+ as well... but I saw a few questions about Win2K. I always point people in the direction of Nticedump and Pntice from EliCZ, who coded a nice patcher for us with an *.ini file for us to update.
    This covered 3.24 very well. I made one for 4.01 but not 4.05, as I patched directly myself, as well as the latest ntice.sys.

    Well, I failed miserably at the weekend to make a pntice.ini for the latest 4.2.1 Build 57 (or 58) of NTice.sys for everyone. So I attach my patched files for you to play with. I think you know this is for Win2K only.

    Rename your original files before copying mine to the relevant system / SI directories. Don't blame me for any PSOD!

    Happy reversing in peace.

    +SplAj }>

  #2
    Hey Splaj...

    I tried your files... and SI wouldn't even start. But I'm not sure if that means anything, because with the version of ntice from NuMega, SI would lock up my system before... With your version, it just says that ntice.sys can't be loaded (0xc0000221).

    I have SP2, by the way... do you have that? I wish I could revert back to SP1 because I can't get SI to work with SP2...

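NTSTATUS 0xC0000221 is STATUS_IMAGE_CHECKSUM_MISMATCH: the kernel loader computed a checksum over the driver file, compared it with the CheckSum field in the PE optional header, and found they differed. A byte-patched ntice.sys whose header checksum was never refreshed after patching fails in exactly this way, so recomputing that field is the first thing to check with any hand-patched driver. The following is an added example (editor's code, not anything posted in this thread or shipped by NuMega, EliCZ or the Icedump team): it implements the same algorithm as imagehlp's CheckSumMappedFile in Python, verifies a file's stored checksum, and rewrites it after a raw patch. The header-only PE32 image it builds is a constructed stand-in for a real driver, and the patch offset 0x100 in the demo is arbitrary.

```python
"""Recompute and verify the PE header checksum of a binary-patched driver.

Added example. 0xC0000221 is STATUS_IMAGE_CHECKSUM_MISMATCH, raised by the
loader when IMAGE_OPTIONAL_HEADER.CheckSum disagrees with the file contents;
patching bytes in a driver without refreshing that field produces it.
"""
import struct
import sys

E_LFANEW = 0x3C               # DOS header field holding the offset of "PE\0\0"
FILE_HEADER_SIZE = 20         # sizeof(IMAGE_FILE_HEADER)
CHECKSUM_IN_OPTIONAL = 0x40   # IMAGE_OPTIONAL_HEADER.CheckSum (PE32 and PE32+ alike)


def checksum_field_offset(image: bytes) -> int:
    """File offset of the 4-byte CheckSum field, after sanity-checking the headers."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", image, E_LFANEW)[0]
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    off = pe + 4 + FILE_HEADER_SIZE + CHECKSUM_IN_OPTIONAL
    if off % 4:                       # the loop below skips whole dwords
        raise ValueError("unaligned PE header")
    return off


def pe_checksum(image: bytes) -> int:
    """Checksum as imagehlp's CheckSumMappedFile computes it: sum the file as
    32-bit words with carries folded back in, skipping the CheckSum field
    itself, fold the result to 16 bits, then add the file length."""
    skip = checksum_field_offset(image)
    padded = image + b"\0" * (-len(image) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    total &= 0xFFFF
    return (total + len(image)) & 0xFFFFFFFF


def stored_checksum(image: bytes) -> int:
    return struct.unpack_from("<I", image, checksum_field_offset(image))[0]


def checksum_ok(image: bytes) -> bool:
    """True when the header field agrees with the file contents."""
    return stored_checksum(image) == pe_checksum(image)


def fix_checksum(image: bytes) -> bytes:
    """Copy of image with CheckSum rewritten to match its contents."""
    buf = bytearray(image)
    struct.pack_into("<I", buf, checksum_field_offset(image), pe_checksum(image))
    return bytes(buf)


def patch_and_fix(image: bytes, offset: int, new_bytes: bytes) -> bytes:
    """Apply a raw byte patch, then refresh the checksum so the loader accepts it."""
    buf = bytearray(image)
    buf[offset:offset + len(new_bytes)] = new_bytes
    return fix_checksum(bytes(buf))


def build_minimal_pe32() -> bytes:
    """Constructed input: a header-only 312-byte PE32 image standing in for a driver."""
    buf = bytearray(0x58 + 0xE0)                        # DOS header + PE headers
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, E_LFANEW, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", buf, 0x44, 0x014C, 0)       # Machine = i386, 0 sections
    struct.pack_into("<HH", buf, 0x54, 0xE0, 0x0102)    # SizeOfOptionalHeader, Characteristics
    struct.pack_into("<H", buf, 0x58, 0x10B)            # Magic = PE32
    struct.pack_into("<I", buf, 0x74, 0x00010000)       # ImageBase
    struct.pack_into("<H", buf, 0x9C, 1)                # Subsystem = NATIVE, as drivers use
    return bytes(buf)


if __name__ == "__main__":
    if len(sys.argv) == 2:                              # usage: python pe_checksum.py ntice.sys
        data = open(sys.argv[1], "rb").read()
        print(f"stored 0x{stored_checksum(data):08X}, computed 0x{pe_checksum(data):08X}")
        if not checksum_ok(data):
            open(sys.argv[1] + ".fixed", "wb").write(fix_checksum(data))
            print("wrote corrected copy to", sys.argv[1] + ".fixed")
    else:
        img = fix_checksum(build_minimal_pe32())
        broken = bytearray(img)
        broken[0x100] = 0x90                            # one-byte patch, offset arbitrary
        print("after patch:", checksum_ok(bytes(broken)))                       # False
        print("after fix:  ", checksum_ok(patch_and_fix(img, 0x100, b"\x90")))  # True
```

Run it with the patched driver as the only argument to see the stored and computed values side by side; a mismatch is the condition the loader reports as 0xC0000221, and the `.fixed` copy it writes has only the header field changed. The same check applies to the files distributed in this thread before they are dropped into the system directory.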

  #3
    There is a quite old tool called NTall which does a pretty good job. However, it didn't work with the latest DriverStudio 2.5 beta 2. Then again, the symbol loader couldn't be used either, because it thought sice wasn't active (the symbol loader from DS2.5b2, that is), so it's more a beta-related thing, I'd think...

    But give NTall a shot... it's quite fine. Although once you've activated all the protections/detections you can't disable them anymore (causes things to lock up, heh). Can be annoying, but still... it's a nice tool.
