Thread: Softice Hide Tool

  1. #1

    Softice Hide Tool

    IceStealth's current version will always be here and on the SoftICE Extensions:

    http://www.woodmann.com/collaborative/tools/index.php/IceStealth
    Last edited by Elenil; October 30th, 2008 at 01:18.

  2. #2
    no comments at all?
    it would be nice to know whether my program works well on other computers or has problems on other systems; basically it has only been tested on XP 32 SP2

    IceStealth should protect from:

    CreateFileA, CreateFileW, NtCreateFile (also nmtrans.dll won't find SoftICE with these methods)
    NtQueryDirectoryObject
    NtQueryObject
    everything controlled via services.exe about drivers, some examples: OpenServiceA, OpenServiceW, EnumServicesStatusA, EnumServicesStatusW, EnumServicesStatusExA, EnumServicesStatusExW
    UnhandledExceptionFilter (2 options)
    SEH BPM protect
    NtQuerySystemInformation
    int 41 original data emulated + DPL 0 + int 1 DPL 0

    hopefully I get some comments now


    btw I can't upload IceStealth to SoftICE Extensions, why?
    when I upload the rar file it creates a link on the link bar, but when you then click "submit the tool!" it says error on site and nothing happens

  3. #3
    hi, for NtCreateFile you could allow loader32.exe, for example, to access ntice by comparing the name in EPROCESS.ImageFileName with loader32.exe. You can find this offset by searching through EPROCESS in DriverEntry for "System", and only allow access to ntice if it's loader32.exe - very useful when symbol loading at runtime is needed

    don't know how you protect BPM, maybe using a hook in KiUserExceptionDispatcher; on the other hand I protect it with the GD bit in dr7, allowing only softice and cpthook to access the DRx while it's faked for all other programs

    in short, I have all of this in separate drivers/programs; I know pretty much exactly what is used by which protection, so I load drivers depending on the protection

  4. #4
    Originally Posted by deroko:
        hi, for NtCreateFile you could allow loader32.exe, for example, to access ntice by comparing the name in EPROCESS.ImageFileName with loader32.exe. You can find this offset by searching through EPROCESS in DriverEntry for "System", and only allow access to ntice if it's loader32.exe - very useful when symbol loading at runtime is needed
    that's a really good idea; when I thought about a solution for that I didn't find a good one, but I'm still afraid that they may some day create an executable with that name
    so everyone, please load symbol files before IceStealth is started
    I'm thinking of adding that to a next version as a 3rd option


    Originally Posted by deroko:
        don't know how you protect BPM, maybe using a hook in KiUserExceptionDispatcher; on the other hand I protect it with the GD bit in dr7, allowing only softice and cpthook to access the DRx while it's faked for all other programs
    your DRx emulator is one of the best tools I ever saw for SoftICE; even on 98 I always hoped someone was writing such a tool but I never found anything like that - I really recommend deroko's DRx emulator!
    it's not using KiUserExceptionDispatcher, basically because it's on ring 3; it's using NtContinue. Only a few differences from yours: it's not setting an EH, it's checking if a dummy has been passed to it, and it doesn't print a debug message
    small protection, this won't cheat everything; I tested around with that for a while: simply changing the DRs will make SoftICE look like it has the old BP, but it breaks on another one
    but after all double protection isn't wrong and is more flexible

    finally, I protected all files DS 3.2 is using; for me those are:
    bootcfg.sys
    CptHook.sys
    siwvid.sys
    osidata.sys
    ntice.sys
    NMFilter.sys
    SIWSYM.sys
    SIKSYM.SYS
    SiwvidStart.sys

    note: CptHook.sys has a DOS name of "KHook", and ntice has a 4-digit number appended (if it's DS 3.2)

    also everything is resident in memory only, that means no driver to detect; that's also why the application closes itself after it's done

    btw if this tool goes into series I have to credit you for all the information you gave me via MSN
    Last edited by Elenil; October 17th, 2008 at 12:33.

  5. #5
    Originally Posted by Elenil:
        version 1.0 testers needed
    Are you developing a hiding tool just for interest or have not heard of IceExt?

    http://stenri.pisem.net/

  6. #6
    Originally Posted by WaxfordSqueers:
        Are you developing a hiding tool just for interest or have not heard of IceExt?

        http://stenri.pisem.net/
    are you serious? IceStealth gives clearly better protection than IceExt

  7. #7
    Kayaker
    Kudos on the contribution Elenil.

    It seems to work well but I noticed a few errors.

    1. It crashes my VMWare xpsp2 system if I don't have the symbols for services.exe loaded. I know you said they either need to exist or let your app load them, but I did neither and got a big bad System Shutdown message with a timed forced NT_AUTHORITY reboot.

    The minidump said only that services.exe was at fault - a C0000005 error on address 0 in a system fault reporting dll. Nothing particularly useful for debugging the error.

    A check should be put in on that routine if symbols aren't available in order to protect users.


    2. It fails on one of the xADT eXtensible Anti-Debug Tester plugin tests - one of them in the entry called "SICE Presence Tests".


    3. I don't know exactly how you are hiding from ZwQuerySystemInformation/SystemModuleInformation, but I think you should check any modifications of the system linked lists. Your presence isn't entirely hidden. Softice is, but not the fact that some underhanded rootkit behaviour has just taken place

    There is a discrepancy between the number of modules listed with ZwQuerySystemInformation at the start of the array of SYSTEM_MODULE_INFORMATION structures, and the number of array entries that can actually be accessed and/or printed out.

    This is a red flag to any app that might want to check. As I say, it seems to me the most likely reason is that you have somehow short-circuited the natural linked list of modules the system maintains while your code was removing the Softice related entries.

    Cheers,
    Kayaker

  8. #8
    for the services problem I might have a quick solution

    it needs to download the PDB file from the Microsoft server or this error will happen

    the error normally only happens if the files dbghelp.dll and symsrv.dll are not in IceStealth's folder,
    or something went wrong with reading the PDB file (normally not the cause)
    it's only required once to download this PDB file
    I will add a check for the PDB file's presence

    I will see what I can do about the other problems; the arteam site is currently down for me

    add:
    SICE Presence Tests -> use Registry API (RegOpenKeyEx)
    not supported atm
    I know this problem, but there are a few ring0 registry APIs which can detect SoftICE
    Last edited by Elenil; October 20th, 2008 at 23:41.

  9. #9
    Originally Posted by Elenil:
        are you serious? IceStealth gives clearly better protection than IceExt
    I've been away for a while and never heard of your app. I've never had a problem with IceExt as long as you change its name in the registry. It hides ice from its own loader.

  10. #10

    update

    version 1.1

    fixed the services bug which occurs if the PDB file is blocked by a firewall, is not accepted, or no connection is present
    fixed the discrepancy problem with ntquerysysteminformation

    anyway it already got 100 views but no comments, why? Kayaker and deroko are the only ones yet who wrote something about my tool; ok well, WaxfordSqueers did, but nothing about my tool. PS Waxford, not trying to bug you, but IceStealth also hides from sistart + loader32 (nmtrans.dll)

    people can still bug me about my dialog, the dialog's style doesn't look good

    add: one word on the registry detection of SoftICE
    in my opinion there is only one "bullet proof" concept:
    "maybe a second one is renaming and patching all drivers, but then you've got renamed names in the registry ..."
    1: save everything that is required to load SoftICE + other SoftICE files manually from the registry
    2: load SoftICE ...
    3: delete everything belonging to SoftICE from the registry
    4: next reboot restore everything + load up the drivers manually
    5: start SoftICE again ...
    6: loop steps 4, 5, 3 again
    a simpler version of that is deleting everything manually from the registry after SoftICE is loaded - then reinstall SoftICE
    maybe that's why almost no protector detects registry entries

    to avoid that RegOpenKeyEx only NtOpenKey would be required, but this would be easy to cheat; simply other registry APIs can be used to check if something goes wrong with NtOpenKey. I don't want to go into detail yet
    Last edited by Elenil; October 25th, 2008 at 19:25.

  11. #11
    Kayaker
    Now that I'm back online I can reply to this. My router, fortunately still under warranty, went up in smoke - literally!

    Mmmmm, burnt PCBeeee..., droooolll...

    For the small percentage who don't get that reference - I can't help you.

    Anyway,

    Originally Posted by Elenil:
        fixed the discrepancy problem with ntquerysysteminformation

    'fraid not. I still see the same problem. For example, I print out a list of drivers returned from ZwQuerySystemInformation/SystemModuleInformation. The API returns a large array of SYSTEM_MODULE_INFORMATION structures. The array appears to be sorted in the order the modules are loaded (i.e. ntoskrnl.exe is first, new ones are added to the end).

    The very first dword of the array is the number of modules. Before running IceStealth I see 120 modules reported, and can print out 120 entries. After running IceStealth there are 114 modules reported, the missing ones are the hidden Softice related modules, +/-.

    HOWEVER, I can print out only 109/114 modules from the array and it's very apparent that it's the last ones that are missing.

    If I start a new driver, that first dword of the SystemModuleInformation array is incremented correctly, however, I can't access the driver information from the array.

    In other words, if I'm a driver and after loading I check to see if I'm listed under ZwQuerySystemInformation and don't see my name,.. then I'm going to be very suspicious and immediately enter bad cracker mode.


    You should confirm this independently to see if you get the same results. However, if you need to, I was using a silly little POC code with source I posted here long ago, playing with ZwQuerySystemInformation and returning it to usermode via an MDL. Click on SystemModuleInformation before and after IceStealth and scroll to the end of the list in each case, you should see the error.

    http://www.woodmann.com/forum/attachment.php?attachmentid=904&d=1077340907



    Since this seems important to you, I can think of a number of reasons why you got 100 downloads but few comments.

    People are simply curious and will download anything to check it out.
    There are not really that many people who still use Softice and care about hiding it.
    IceExt and personal tools have worked for people so far.

    Don't take it personally, but the lack of source or detailed explanation, and especially with an app that wants to connect to the internet, for whatever reason, is and should be approached with caution.

    That is as it should be. Reversers' paranoia is a good thing. Myself, I didn't run your app until I had reversed it to my satisfaction, only ran it in VMWare and didn't allow it to connect to the internet. Instead I used the Softice symbol retriever to get the symbols needed by the app and copied them over.

    Finally, most people were probably waiting for Deroko and me to test it first since we're the most vocal Sice users


    That said, this looks like a useful utility and I hope you continue to improve it. While I don't play with stuff much anymore that I need to hide Softice from, I would probably use this tool if I ever need to.

    At this point, I'd give it my recommendation if that means anything.



    I also have to add, you should consider including the finalized source code. The message of Reversing is about revealing the truth, not hiding it. It's what this board has always been about. (I know this is a bit of an oxymoron in regards to an app that hides Softice)


    [diatribe]
    I personally feel this whole business about hiding cracker tricks from the "big bad software authors" who slither their way through boards like this as part of the cat and mouse game, kind of silly. For the majority of them, if they are good enough to come up with an "anti-anti" trick for your "anti" trick, then they are good enough to reverse your app and the tricks by themselves in the first place. Maybe you've made their life slightly more difficult - so what? - to what end?

    I remember a long time ago someone made a little utility to remove duplicate Filemon entries. It partly inspired me to write and release my own version which included Regmon logs, with full source code of course. These guys however home-brew encrypted theirs, including the import table, added their cracking group "colors", etc. etc. I mean, c'mon, it was a silly little util they were supposedly 'sharing' with the reversing community, but was of course in reality a demonstration of l33t skillz
    [/diatribe]
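
    The consistency check Kayaker describes above (advertised module count versus entries that can actually be reached) written out as a small self-test. This is an added example, not code from the thread, from IceStealth or from Kayaker's POC: it walks a SystemModuleInformation-style buffer and returns how many advertised entries are unreachable. The 32-bit XP entry layout (field names and sizes) is assumed from public headers, no Windows API is called, and the input buffers are constructed inside the code.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SMI_PATH_LEN 256
#define SMI_MAX_MODULES 128

/* One SYSTEM_MODULE_INFORMATION entry in the 32-bit XP layout (field names and
 * sizes are an assumption taken from public headers; pointers are 4 bytes). */
#pragma pack(push, 1)
typedef struct {
    uint32_t section, mapped_base, image_base, image_size, flags;
    uint16_t load_order_index, init_order_index, load_count, offset_to_file_name;
    char     full_path_name[SMI_PATH_LEN];
} smi_entry;                         /* 284 bytes */
#pragma pack(pop)

/* The buffer starts with the advertised module count, then the array. Walk
 * the entries that are really reachable (inside the returned length, with a
 * NUL-terminated path whose file-name offset lands inside it) and return
 * advertised minus reachable: anything but 0 is the red flag from the post. */
long smi_missing(const uint8_t *buf, size_t len)
{
    uint32_t claimed;
    size_t n = 0;
    if (len < sizeof claimed) return -1;
    memcpy(&claimed, buf, sizeof claimed);
    while (n < claimed) {
        size_t off = sizeof claimed + n * sizeof(smi_entry);
        smi_entry e;
        if (off + sizeof e > len) break;                    /* array truncated */
        memcpy(&e, buf + off, sizeof e);
        if (!memchr(e.full_path_name, '\0', SMI_PATH_LEN)) break;
        if (e.offset_to_file_name >= strlen(e.full_path_name)) break;
        n++;
    }
    return (long)claimed - (long)n;
}

/* Constructed input: a buffer that advertises `claimed` modules but carries
 * only `present` complete entries, the shape of the discrepancy reported
 * above (114 advertised, 109 reachable). Returns smi_missing() for it. */
long smi_demo(uint32_t claimed, uint32_t present)
{
    static uint8_t buf[sizeof(uint32_t) + SMI_MAX_MODULES * sizeof(smi_entry)];
    size_t len = sizeof(uint32_t) + (size_t)present * sizeof(smi_entry);
    uint32_t i;
    if (present > SMI_MAX_MODULES) return -1;
    memcpy(buf, &claimed, sizeof claimed);
    for (i = 0; i < present; i++) {
        smi_entry e;
        memset(&e, 0, sizeof e);
        e.image_base = 0x80400000u + i * 0x10000u;          /* sample value */
        snprintf(e.full_path_name, SMI_PATH_LEN, "\\WINDOWS\\system32\\drivers\\m%u.sys", (unsigned)i);
        e.offset_to_file_name = (uint16_t)(strrchr(e.full_path_name, '\\') - e.full_path_name + 1);
        memcpy(buf + sizeof(uint32_t) + i * sizeof e, &e, sizeof e);
    }
    return smi_missing(buf, len);
}
```

    A driver that finds itself missing from the tail of a list whose count was still incremented sees exactly the non-zero result this returns, which is why the count alone is not enough to judge a tampered list.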

  12. #12
    Originally Posted by Kayaker:
        Now that I'm back online I can reply to this. My router, fortunately still under warranty, went up in smoke - literally!
        Mmmmm, burnt PCBeeee..., droooolll...
    Kayaker...how do you blow up a PCB in a router in this day and age? Then again, my Canon printer blew a print head...literally. It went dead on me and I bypassed the cover switch to watch it cycle. As the head went by, it looked like a mini arc welder underneath the head. You know...blue flashes. When I pulled it apart, there was a hole burned in the electronics, right on the head.

    Do you know the cause? If your telephone line isn't protected, it might be lightning. The telco line is protected at various points with spark gaps but it's unlikely that's what it was. Just mentioned it because it is a safety issue. Sometimes, they just blow for no known reason, but it's rare.

    When I repaired electronic equipment, sometime in the past century, I used to get a lot of car radios with blown front ends from lightning, but that was in a dry region known for lightning.

  13. #13
    dELTA (Administrator)
    Originally Posted by Elenil:
        btw I can't upload IceStealth to SoftICE Extensions, why?
        when I upload the rar file it creates a link on the link bar, but when you then click "submit the tool!" it says error on site and nothing happens
    Are you using an old browser (for example IE6)? There are known problems with these and some AJAX features of CRCETL.

    I have made a CRCETL entry for your tool now anyway:
    http://www.woodmann.com/collaborative/tools/index.php/IceStealth

    Thanks.

  14. #14
    first, thanks dELTA for uploading my tool (yes IE 6, why no support?)

    I found the complete problem now, Kayaker; the new version should work for you now too (it works well here). The list was basically corrupted, but such feedback is what I need! I have no testers for the tool. I have not added multi-processor support atm because I don't have an MP machine and can't check the code (for the int patches)
    I could release a beta soon but it might cause a BSOD

    I want to say a word about why I created this tool: it was because I was annoyed by the whole protector sh.. that's going on with SoftICE (closing Explorer if SI is detected, causing the program to crash or nag all the time), so I decided to "take my own hand" on it; in the end I thought it's not a bad idea to release IceStealth, maybe some can use my tool too
    Last edited by Elenil; October 29th, 2008 at 01:15.

  15. #15
    Kayaker
    The ntquerysysteminformation seems fixed now.

    Another general option to fool registry accesses might be to use CmRegisterCallback to filter registry calls and modify the return status for anything accessing something with a Softice name.

    http://msdn.microsoft.com/en-us/library/aa906577.aspx



    Waxford, the router problem was weird. The trigger that caused the overload seems to have been me pressing the on/off button on my phone/answering machine handset to check the dial tone.

    I'd noticed lately that I often had a hard time reconnecting to the router after I had shut it off either through the software or main power button. In a number of cases I had to reboot the computer to get the router connection to reinitialize. I figured the router was starting to develop problems as indicated by this.

    I happened to unplug my phone lines the other day (finally got pissed off enough at recorded telemarketer calls during dinner). Later I plugged the phone back in that is split into the DSL line and tried reconnecting to the internet. Again, the router wasn't responding, so I decided to check the phone to see if the dial tone was OK.

    As soon as I pressed the phone dial button, the lights on my router went out!
    I checked the external power supply/transformer, which is supposed to put out 18VAC and it was dead, nada, zip.

    I brought everything in to my friendly local ISP and they replaced the power supply, gave it a quick 2 second power check with the old router, and sent me on my way.


    When I later connected the power supply to the router I started to smell something. At first I thought it was just bake-off from the new power supply.. until I noticed significant smoke coming from the back of the router. Both the PS and router were hot to the touch at this point. I knew from the smell that the router was already toast. I applied power a couple more times to see how dramatic the destruction was - the power lights came on briefly then faded off. Bereft of life, the whole mess was returned to the ISP a second time.


    So what happened? It seems unlikely that pressing the Dial button of a connected phone should send a strong enough spike through to the router to fry the external transformer. However, the two events seem directly linked - I pressed Dial and the router lights went out. Perhaps there was an inherent problem in the router (the cause of my connection troubles). Perhaps a small feedback signal from the phone created a short in the PCB which in turn shorted the transformer. I'm really not sure. Does this sound crazy?

    On the plus side, I've now got a brand new router with updated software - and it works great, my connect speed seems even faster than before.
