
Thread: Softice Hide Tool


  1. #1

    Softice Hide Tool

    IceStealth's actual version will always be here and on the SoftICE Extensions:

    http://www.woodmann.com/collaborative/tools/index.php/IceStealth
    Last edited by Elenil; October 30th, 2008 at 01:18.

  2. #2
    No comments at all?
    It would be nice to hear whether my program works well on other computers or has problems on other systems; basically it has only been tested on XP 32 SP2.

    IceStealth should protect from:

    CreateFileA, CreateFileW, NtCreateFile (nmtrans.dll won't find SoftICE with these methods either)
    NtQueryDirectoryObject
    NtQueryObject
    everything controlled through services.exe concerning drivers; some examples: OpenServiceA, OpenServiceW, EnumServicesStatusA, EnumServicesStatusW, EnumServicesStatusExA, EnumServicesStatusExW
    UnhandledExceptionFilter (2 options)
    SEH BPM protect
    NtQuerySystemInformation
    int 41 original data emulated + DPL 0 + int 1 DPL 0

    Hopefully I get some comments now.


    Btw, I can't upload IceStealth to the SoftICE Extensions. Why?
    When I upload the rar file it creates a link on the link bar, but when you then click "submit the tool!" it says error on site and nothing happens.

  3. #3
    dELTA (Administrator):
    Quote Originally Posted by Elenil:
    Btw, I can't upload IceStealth to the SoftICE Extensions. Why?
    When I upload the rar file it creates a link on the link bar, but when you then click "submit the tool!" it says error on site and nothing happens.
    Are you using an old browser (for example IE6)? There are known problems with these and some AJAX features of CRCETL.

    I have made a CRCETL entry for your tool now anyway:
    http://www.woodmann.com/collaborative/tools/index.php/IceStealth

    Thanks.
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."

  4. #4
    First: thanks, dELTA, for uploading my tool (yes, IE 6; why no support?)

    I found the complete problem now, Kayaker; the new version should work for you too (it works well here). The list was basically corrupted, but such feedback is what I need! I have no testers for the tool. I haven't added multi-processor support at the moment because I don't have an MP machine and can't check the code (for the int patches).
    I could release a beta soon, but it might cause a BSOD.

    I want to say a word on why I created this tool. It was because I was annoyed about the whole protector sh.. that goes on with SoftICE (closing Explorer if SI is detected, causing the program to crash, or nagging all the time). Then I decided to "take my own hand" on it. In the end I thought it's not a bad idea to release IceStealth; maybe some others can use my tool too.
    Last edited by Elenil; October 29th, 2008 at 01:15.

  5. #5
    Kayaker:
    The NtQuerySystemInformation problem seems fixed now.

    Another general option to fool registry accesses might be to use CmRegisterCallback to filter registry calls and modify the return status for anything accessing something with a Softice name.

    http://msdn.microsoft.com/en-us/library/aa906577.aspx



    Waxford, the router problem was weird. The trigger that caused the overload seems to have been me pressing the on/off button on my phone/answering machine handset to check the dial tone.

    I'd noticed lately that I often had a hard time reconnecting to the router after I had shut it off either through the software or main power button. In a number of cases I had to reboot the computer to get the router connection to reinitialize. I figured the router was starting to develop problems as indicated by this.

    I happened to unplug my phone lines the other day (finally got pissed off enough at recorded telemarketer calls during dinner). Later I plugged the phone back in that is split into the DSL line and tried reconnecting to the internet. Again, the router wasn't responding, so I decided to check the phone to see if the dial tone was OK.

    As soon as I pressed the phone dial button, the lights on my router went out!
    I checked the external power supply/transformer, which is supposed to put out 18VAC and it was dead, nada, zip.

    I brought everything in to my friendly local ISP and they replaced the power supply, gave it a quick 2 second power check with the old router, and sent me on my way.


    When I later connected the power supply to the router I started to smell something. At first I thought it was just bake-off from the new power supply... until I noticed significant smoke coming from the back of the router. Both the PS and router were hot to the touch at this point. I knew from the smell that the router was already toast. I applied power a couple more times to see how dramatic the destruction was - the power lights came on briefly then faded off. Bereft of life, the whole mess was returned to the ISP a second time.


    So what happened? It seems unlikely that pressing the Dial button of a connected phone should send a strong enough spike through to the router to fry the external transformer. However, the two events seem directly linked - I pressed Dial and the router lights went out. Perhaps there was an inherent problem in the router (the cause of my connection troubles). Perhaps a small feedback signal from the phone created a short in the PCB which in turn shorted the transformer. I'm really not sure. Does this sound crazy?

    On the plus side, I've now got a brand new router with updated software - and it works great, my connect speed seems even faster than before.

  6. #6
    Quote Originally Posted by Kayaker:
    Waxford, the router problem was weird. The trigger that caused the overload seems to have been me pressing the on/off button on my phone/answering machine handset to check the dial tone.
    I don't like the sound of that. You say later that the lights went off on your router when you tried to press the phone dial button. I'm assuming you have a phone on which you press a button and the dial tone is heard, then you begin to dial. Mine is the older type where you pick up the receiver and the dial tone is heard in the handset receiver.

    The first thing to consider is coincidence. I have seen enough of that in the electronics/electrical trade but the fact that an attached device was activated when the lights went out sounds a little too coincidental. In the older phone sets, when you lift the handset, a mechanical relay is activated and that tells the telco CO (Central Office) that a phone needs service. That action would actually activate a relay in the CO, called the 'A' relay, which would set off a sequence of action to get your dial tone from a separate source.

    By pressing the button on your set, it must do something similar, although most COs have been using electronic equipment for years in place of relays. So, you're normally sending control signals onto the telco line that won't harm other attached devices. Normally, attached devices also have filters and switches built-in to block interference from other attached equipment.

    There are several ways things can go wrong. One problem that can arise, and which can be catastrophic to other equipment, is a reversed hot-neutral on your AC connector. In other words, if your telephone gets its power directly from the wall outlet (120 VAC), the prongs on the electrical cord are polarized so the hot is on one plug blade and ground (neutral) is on the other. Normally, the gold/bronze coloured connector is hot and the silver coloured one is neutral.

    The neutral (which isn't a classic neutral) plays an important role in safety. At the Hydro connection, out at the transformer on the street, the secondary of the transformer is single phase and is a 240 volt centre tapped supply. The two ends of the 240 volt transformer are brought into the house with the centre-tapped conductor being the neutral. From neutral to either side of the 240 volt transformer there are two separate 120 volt sources.

    At the main service panel, the neutral is immediately bonded to the service ground. From that point on, the neutral must never be connected to ground. The third prong you see on your wall outlet is the ground, and it's connected to the service ground at the panel. The neutral also goes back to that service ground at the panel, and although it is at ground potential as well, it must never touch that ground wire which connects all the third-prongs on the outlets.

    If somewhere along the line, someone (usually a hacker) inadvertently reverses the ground and hot wires, on even one outlet or connection, now we have a dangerous situation. The neutral conductor becomes the hot and the hot becomes the neutral. It's important that you buy yourself one of those polarity checkers from Home Depot or whatever, and test the outlets you use for polarity. It can be done with a volt meter, if you know what to look for.

    On your phone, check to see how the power cord is aligned. Has anyone tampered with it? If it gets reversed, you can have an equally dangerous situation, both for human safety and for the equipment. Most electrical devices these days are made of plastic and that prevents shock. But all metal surfaces within the equipment must be connected to the service ground I mentioned earlier. If 120 volts gets on that metal somehow, there is the potential to blow the heck out of any attached equipment.

    It's still not clear to me how your router is attached to telco. Are you saying you have a splitter at the telco outlet with the phone in one side of the splitter and the router on the other? Also, where is your DSL modem? Is it built in to the router? I have a separate DSL modem supplied by telco and my router is a Linksys from Cisco Systems which I bought from Future Shop. Your telephone should also be connected through a DSL filter, which you can get from telco or elsewhere. It keeps the DSL signal noise out of the telephone and might supply another level of protection for attached equipment.

    From the sound of things, the router supplied by your ISP might not be up to snuff. With my router, which is both wireless and cable connectable, I can call it up from my browser by entering IP 192.168.1.1. Then I have access to a load of configurable items. I can set a password on it and the router has its own firewall feature which adds to my software firewall.

    When you can't access your router, it's usually a problem between Windoze and the router. I get that occasionally and I have to go through a rigamarole to fix it. I start out by disabling my Wireless Network Connection, then I shutdown my software firewall. I figure the router can protect me long enough to get back online. Then I fire up the firewall and enable the Wireless connection. That usually fixes it. If not, I shut down both the DSL modem and the router, and I might go as far as to reconfigure the router software. Sometimes it needs to find itself again.

    If that fails, there is a process to reconfigure your TCP/IP stack through XP. I would think by this time that Msoft would have some wizards to do the job but more often than not it's a black art.

    There's a decent chance your router may have been faulty and by plugging in a new power supply it may have been too much for it. The 18 volt supply could blow due to a short in the router, a blown rectifier diode in the module or a short in the step-down transformer in the module. If it was brand new, however, I'd think it was the router shorting. Are you sure an 18 volt supply is the correct type? It sounds awful high for a router. I'm asking because devices use a regulator chip that will accept a broad range of input voltages from an external supply. If that supply is too large for the regulator, it all goes up in smoke, as you know.


    A short in the router could be due to component failure or it could have been induced by catastrophic current being induced through the telco line from your telephone set. Or, some other currents could be coming in from telco itself. I've seen that happen.

    When you press the phone button to get service, it signals the telco CO (central office) that you want service. Circuits are turned on to enable that and I'm thinking it's possible for their equipment to be blowing your router. Of course, they will deny that, but you could ask them to test the line. Whatever you do, make sure they are not going to charge you if they come out. If it's their router, the only thing they could charge you for is your telephone needing repair. If you can, borrow a cheap, old telephone set from someone. It's highly unlikely it will be defective whereas there is a chance that yours might be. If it is, they'll ding you.
    Last edited by WaxfordSqueers; November 1st, 2008 at 01:25.

  7. #7
    Hi, for NtCreateFile you could allow loader32.exe, for example, to access ntice by comparing the name in EPROCESS.ImageFileName with loader32.exe. You can find this offset by searching through EPROCESS in DriverEntry for "System", and only allow access to ntice if it's loader32.exe. Very useful when symbol loading is needed at runtime.

    I don't know how you protect BPM, maybe using a hook in KiUserExceptionDispatcher; on the other hand I protect it with the GD bit in DR7, allowing only SoftICE and cpthook to access the DRx while they are faked for all other programs.

    In short, I have all of this in separate drivers/programs; I know exactly what is used by which protection, so I load drivers depending on the protection.

  8. #8
    Quote Originally Posted by deroko:
    Hi, for NtCreateFile you could allow loader32.exe, for example, to access ntice by comparing the name in EPROCESS.ImageFileName with loader32.exe. You can find this offset by searching through EPROCESS in DriverEntry for "System", and only allow access to ntice if it's loader32.exe. Very useful when symbol loading is needed at runtime.
    That's a really good idea. While I thought about a solution for that I didn't find a good one, but I'm still afraid that they'd one day create an executable with that name.
    So everyone, please load symbol files before IceStealth is started.
    I'm thinking of adding that to a next version as a 3rd option.


    Quote Originally Posted by deroko:
    I don't know how you protect BPM, maybe using a hook in KiUserExceptionDispatcher; on the other hand I protect it with the GD bit in DR7, allowing only SoftICE and cpthook to access the DRx while they are faked for all other programs.
    Your DRx emulator is one of the best tools I ever saw for SoftICE; even on 98 I always hoped someone was writing such a tool, but I never found one. I really recommend deroko's DRx emulator!
    Mine is not using KiUserExceptionDispatcher, basically because it's on ring 3; it's using NtContinue. Only a few differences from yours: it's not setting an EH, it checks whether a dummy has been passed to it, and it doesn't print a dbgmsg.
    Small protection; this won't cheat everything. I tested around with that for a while: simply changing the DRs will make SoftICE look like it has the old BP, but it breaks on another one.
    But at least double protection isn't wrong and is more flexible.

    At last I protected all files DS 3.2 is using; for me those are:
    bootcfg.sys
    CptHook.sys
    siwvid.sys
    osidata.sys
    ntice.sys
    NMFilter.sys
    SIWSYM.sys
    SIKSYM.SYS
    SiwvidStart.sys

    Note: CptHook.sys has a DOS name of "KHook", and ntice + a 4-digit number (if it's DS 3.2).

    Also everything is memory-resident, which means there is no driver to detect; that's also why the application closes itself after it's done.

    Btw, if this tool goes into series I have to credit you for all the information you gave me via MSN.
    Last edited by Elenil; October 17th, 2008 at 12:33.

  9. #9
    Quote Originally Posted by Elenil:
    version 1.0 testers needed
    Are you developing a hiding tool just for interest, or have you not heard of IceExt?

    http://stenri.pisem.net/

  10. #10
    Quote Originally Posted by WaxfordSqueers:
    Are you developing a hiding tool just for interest, or have you not heard of IceExt?

    http://stenri.pisem.net/
    Are you serious? IceStealth gives clearly better protection than IceExt.

  11. #11
    Kayaker:
    Kudos on the contribution Elenil.

    It seems to work well but I noticed a few errors.

    1. It crashes my VMWare xpsp2 system if I don't have the symbols for services.exe loaded. I know you said they either need to exist or let your app load them, but I did neither and got a big bad System Shutdown message with a timed forced NT_AUTHORITY reboot.

    The minidump said only that services.exe was at fault - a C0000005 error on address 0 in a system fault reporting dll. Nothing particularly useful for debugging the error.

    A check should be put in on that routine if symbols aren't available in order to protect users.


    2. It fails on one of the xADT eXtensible Anti-Debug Tester plugin tests - one of them in the entry called "SICE Presence Tests".


    3. I don't know exactly how you are hiding from ZwQuerySystemInformation/SystemModuleInformation, but I think you should check any modifications of the system linked lists. Your presence isn't entirely hidden. Softice is, but not the fact that some underhanded rootkit behaviour has just taken place.

    There is a discrepancy between the number of modules listed with ZwQuerySystemInformation at the start of the array of SYSTEM_MODULE_INFORMATION structures, and the number of array entries that can actually be accessed and/or printed out.

    This is a red flag to any app that might want to check. As I say, it seems to me the most likely reason is that you have somehow short-circuited the natural linked list of modules the system maintains while your code was removing the Softice related entries.

    Cheers,
    Kayaker

  12. #12
    For the services problem I might have a quick solution.

    It needs to download the PDB file from the Microsoft server, or this error will happen.

    The error normally only happens if the files dbghelp.dll and symsrv.dll are not in IceStealth's folder,
    or if something went wrong with reading the PDB file (normally not the cause).
    It's only required once to download this PDB file.
    I will add a check for the PDB file's presence.

    I will see what I can do about the other problems; the ARTeam site is currently down for me.

    Add:
    SICE Presence Tests -> uses the Registry API (RegOpenKeyEx)
    Not supported at the moment.
    I know this problem, but there are a few ring0 registry APIs that can detect SoftICE.
    Last edited by Elenil; October 20th, 2008 at 23:41.

  13. #13
    Quote Originally Posted by Elenil:
    Are you serious? IceStealth gives clearly better protection than IceExt.
    I've been away for a while and never heard of your app. I've never had a problem with IceExt as long as you change its name in the registry. It hides ice from its own loader.

  14. #14

    update

    version 1.1

    fixed the services bug that occurs if the PDB file is blocked by a firewall, is not accepted, or no connection is present
    fixed the discrepancy problem with NtQuerySystemInformation

    Anyway, it already got 100 views but no comments. Why? Kayaker and deroko are the only ones so far who wrote something about my tool; OK, WaxfordSqueers did too, but nothing about my tool. PS: Waxford, not trying to bug you, but IceStealth also hides from sistart + loader32 (nmtrans.dll).

    People can still bug me about my dialog; the dialog's style doesn't look good.

    Add: a word on the registry detection of SoftICE.
    In my opinion there is only one "bullet proof" concept
    (maybe a second one in renaming and patching all drivers, but then you have the renamed names in the registry ...):
    1: save everything that is required to load SoftICE + the other SoftICE files manually from the registry
    2: load SoftICE ...
    3: delete everything about SoftICE from the registry
    4: on the next reboot restore everything + load the drivers manually
    5: start SoftICE again ...
    6: loop steps 4, 5, 3 again
    A simpler version of that is deleting everything manually from the registry after SoftICE is loaded, then reinstalling SoftICE.
    Maybe that's why almost no protector detects registry entries.

    To avoid that RegOpenKeyEx detection only NtOpenKey would be required, but this would be easy to cheat: simply other registry APIs can be used to check if something goes wrong with NtOpenKey. I don't want to go into detail yet.
    Last edited by Elenil; October 25th, 2008 at 19:25.

  15. #15
    Kayaker:
    Now that I'm back online I can reply to this. My router, fortunately still under warranty, went up in smoke - literally!

    Mmmmm, burnt PCBeeee..., droooolll...

    For the small percentage who don't get that reference - I can't help you.

    Anyway,

    fixed the discrepancy problem with ntquerysysteminformation

    'fraid not. I still see the same problem. For example, I print out a list of drivers returned from ZwQuerySystemInformation/SystemModuleInformation. The API returns a large array of SYSTEM_MODULE_INFORMATION structures. The array appears to be sorted in the order the modules are loaded (i.e. ntoskrnl.exe is first, new ones are added to the end).

    The very first dword of the array is the number of modules. Before running IceStealth I see 120 modules reported, and can print out 120 entries. After running IceStealth there are 114 modules reported, the missing ones are the hidden Softice related modules, +/-.

    HOWEVER, I can print out only 109/114 modules from the array and it's very apparent that it's the last ones that are missing.

    If I start a new driver, that first dword of the SystemModuleInformation array is incremented correctly, however, I can't access the driver information from the array.

    In other words, if I'm a driver and after loading I check to see if I'm listed under ZwQuerySystemInformation and don't see my name... then I'm going to be very suspicious and immediately enter bad cracker mode.


    You should confirm this independently to see if you get the same results. However, if you need to, I was using a silly little POC code with source I posted here long ago, playing with ZwQuerySystemInformation and returning it to usermode via an MDL. Click on SystemModuleInformation before and after IceStealth and scroll to the end of the list in each case; you should see the error.

    http://www.woodmann.com/forum/attachment.php?attachmentid=904&d=1077340907



    Since this seems important to you, I can think of a number of reasons why you got 100 downloads but few comments.

    People are simply curious and will download anything to check it out.
    There are not really that many people who still use Softice and care about hiding it.
    IceExt and personal tools have worked for people so far.

    Don't take it personally, but the lack of source or detailed explanation, and especially with an app that wants to connect to the internet, for whatever reason, is and should be approached with caution.

    That is as it should be. Reversers' paranoia is a good thing. Myself, I didn't run your app until I had reversed it to my satisfaction, only ran it in VMWare and didn't allow it to connect to the internet. Instead I used the Softice symbol retriever to get the symbols needed by the app and copied them over.

    Finally, most people were probably waiting for Deroko and I to test it first since we're the most vocal Sice users


    That said, this looks like a useful utility and I hope you continue to improve it. While I don't play with stuff much anymore that I need to hide Softice from, I would probably use this tool if I ever need to.

    At this point, I'd give it my recommendation if that means anything.



    I also have to add, you should consider including the finalized source code. The message of Reversing is about revealing the truth, not hiding it. It's what this board has always been about. (I know this is a bit of an oxymoron in regards to an app that hides Softice )


    [diatribe]
    I personally feel this whole business about hiding cracker tricks from the "big bad software authors" who slither their way through boards like this as part of the cat and mouse game, kind of silly. For the majority of them, if they are good enough to come up with an "anti-anti" trick for your "anti" trick, then they are good enough to reverse your app and the tricks by themselves in the first place. Maybe you've made their life slightly more difficult - so what? - to what end?

    I remember a long time ago someone made a little utility to remove duplicate Filemon entries. It partly inspired me to write and release my own version which included Regmon logs, with full source code of course. These guys however home-brew encrypted theirs, including the import table, added their cracking group "colors", etc. etc. I mean, c'mon, it was a silly little util they were supposedly 'sharing' with the reversing community, but was of course in reality a demonstration of l33t skillz
    [/diatribe]
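The red flag Kayaker describes in posts #11 and #15 (the module count at the head of the SystemModuleInformation array disagreeing with the number of entries that can actually be read) can be turned into a small self-contained consistency check, which is also the test a driver author would run on their own list-editing code. The code below is an added example for this thread, not Kayaker's POC and not IceStealth code. It assumes the 32-bit Windows XP layout of RTL_PROCESS_MODULE_INFORMATION (284 bytes per entry, ImageBase at offset 8, FullPathName at offset 28, preceded by a 4-byte NumberOfModules) and runs over a constructed buffer built by build_sample(); the function names are my own. On a live system, buf and return_len would be the buffer and ReturnLength from ZwQuerySystemInformation(SystemModuleInformation) instead.

```c
/* Consistency check over a SystemModuleInformation buffer.
 * Added example for this thread, not Kayaker's POC and not IceStealth code.
 * Assumed: the 32-bit Windows XP layout of RTL_PROCESS_MODULE_INFORMATION
 * (284 bytes per entry: Section, MappedBase, ImageBase, ImageSize, Flags,
 * LoadOrderIndex, InitOrderIndex, LoadCount, OffsetToFileName, FullPathName[256]),
 * preceded by a 4-byte NumberOfModules. The buffer used below is constructed in
 * build_sample(); on a live system it would come from
 * ZwQuerySystemInformation(SystemModuleInformation) together with ReturnLength. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MODULE_ENTRY_SIZE 284u          /* 5*4 + 4*2 + 256 bytes on 32-bit */
#define FULLPATH_LEN      256u
#define OFF_IMAGEBASE     8u
#define OFF_LOADORDER     20u
#define OFF_FULLPATH      28u

typedef struct {
    uint32_t declared;   /* NumberOfModules at the head of the buffer */
    uint32_t reachable;  /* entries that fit in the returned length and look valid */
} module_check_t;

/* Little-endian helpers so the check does not depend on struct packing. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Walk the array: count entries that lie inside return_len, have a non-zero
 * ImageBase and carry a non-empty, NUL-terminated FullPathName. Stops at the
 * first entry that fails, since the array is contiguous and load-ordered. */
module_check_t check_module_list(const uint8_t *buf, size_t return_len)
{
    module_check_t r = {0, 0};
    if (buf == NULL || return_len < 4) return r;
    r.declared = rd32(buf);
    for (uint32_t i = 0; i < r.declared; i++) {
        size_t off = 4 + (size_t)i * MODULE_ENTRY_SIZE;
        if (off + MODULE_ENTRY_SIZE > return_len) break;   /* header claims more than was returned */
        const uint8_t *e = buf + off;
        const uint8_t *name = e + OFF_FULLPATH;
        if (rd32(e + OFF_IMAGEBASE) == 0 || name[0] == '\0' ||
            memchr(name, '\0', FULLPATH_LEN) == NULL)
            break;                                          /* slot present but empty or garbage */
        r.reachable++;
    }
    return r;
}

/* Kayaker's red flag: the count at the head disagrees with what can be read. */
int module_list_tampered(module_check_t r)
{
    return r.declared != r.reachable;
}

/* Constructed sample: 'declared' in the header, 'slots' entry-sized slots
 * inside the returned length, only the first 'present' of them filled in. */
size_t build_sample(uint8_t *buf, size_t cap,
                    uint32_t declared, uint32_t present, uint32_t slots)
{
    size_t len = 4 + (size_t)slots * MODULE_ENTRY_SIZE;
    if (len > cap || present > slots) return 0;
    memset(buf, 0, len);
    wr32(buf, declared);
    for (uint32_t i = 0; i < present; i++) {
        uint8_t *e = buf + 4 + (size_t)i * MODULE_ENTRY_SIZE;
        wr32(e + OFF_IMAGEBASE, 0x80400000u + i * 0x10000u);  /* made-up kernel-range base */
        e[OFF_LOADORDER] = (uint8_t)i;                          /* low byte of LoadOrderIndex */
        snprintf((char *)(e + OFF_FULLPATH), FULLPATH_LEN,
                 "\\WINDOWS\\system32\\drivers\\mod%u.sys", (unsigned)i);
    }
    return len;
}

/* Build a sample and check it in one step. */
module_check_t check_sample(uint32_t declared, uint32_t present, uint32_t slots)
{
    static uint8_t buf[4 + 128 * MODULE_ENTRY_SIZE];
    size_t len = build_sample(buf, sizeof buf, declared, present, slots);
    return check_module_list(buf, len);
}

int main(void)
{
    /* The numbers Kayaker reports: header says 114, only 109 entries readable. */
    module_check_t r = check_sample(114, 109, 109);
    printf("declared %u, reachable %u -> %s\n", r.declared, r.reachable,
           module_list_tampered(r) ? "DISCREPANCY (list was edited)" : "consistent");
    return 0;
}
```

The check stops at the first unreadable entry because the array is contiguous and in load order, which is exactly why the missing ones always sit at the end in Kayaker's observation: removing entries from the middle without rewriting the count and the tail leaves a header that promises more than the buffer holds. Both failure shapes are covered, a ReturnLength too short for the declared count and slots that are present but zeroed.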
