
Thread: Softice Hide Tool

  1. #16
    evaluator (Musician member, joined Sep 2001)
    Heyyyyyy!
    If you hide SICE that much, then it becomes like a rootkit!
    This is why simple renaming is BETTER! >secure

    So my suggestion is to create mostly a RenamerPatcher (file & reg names, strings inside) + some SICE bug fixes.

  2. #17

    update

    Added a basic registry protection so dummy protectors can't see me: I wrote something that deletes all entries and restores them before SoftICE is about to load.
    It's added as an option to use.
    This will be the last update for a while. If you see IceStealth is directly detected by something, please PM me.

    I recommend using the DRx emulator from Deroko for DRx problems.

    Download it from here:
    http://deroko.phearless.org/dr7_mp_safe.rar

    EDIT: removed the IceStealth download, please see the first post; I will upload all newer versions there.
    Last edited by Elenil; October 30th, 2008 at 01:10.

  3. #18
    Quote Originally Posted by Kayaker View Post
    Waxford, the router problem was weird. The trigger that caused the overload seems to have been me pressing the on/off button on my phone/answering machine handset to check the dial tone.
    I don't like the sound of that. You say later that the lights went off on your router when you tried to press the phone dial button. I'm assuming you have a phone on which you press a button and the dial tone is heard, then you begin to dial. Mine is the older type where you pick up the receiver and the dial tone is heard in the handset receiver.

    The first thing to consider is coincidence. I have seen enough of that in the electronics/electrical trade but the fact that an attached device was activated when the lights went out sounds a little too coincidental. In the older phone sets, when you lift the handset, a mechanical relay is activated and that tells the telco CO (Central Office) that a phone needs service. That action would actually activate a relay in the CO, called the 'A' relay, which would set off a sequence of action to get your dial tone from a separate source.

    By pressing the button on your set, it must do something similar, although most COs have been using electronic equipment for years in place of relays. So, you're normally sending control signals onto the telco line that won't harm other attached devices. Normally, attached devices also have filters and switches built-in to block interference from other attached equipment.

    There are several ways things can go wrong. One problem that can arise, and which can be catastrophic to other equipment, is a reversed hot-neutral on your AC connector. In other words, if your telephone gets its power directly from the wall outlet (120 VAC), the prongs on the electrical cord are polarized so the hot is on one plug blade and ground (neutral) is on the other. Normally, the gold/bronze coloured connector is hot and the silver coloured one is neutral.

    The neutral (which isn't a classic neutral) plays an important role in safety. At the Hydro connection, out at the transformer on the street, the secondary of the transformer is single phase and is a 240 volt centre tapped supply. The two ends of the 240 volt transformer are brought into the house with the centre-tapped conductor being the neutral. From neutral to either side of the 240 volt transformer there are two separate 120 volt sources.

    At the main service panel, the neutral is immediately bonded to the service ground. From that point on, the neutral must never be connected to ground. The third prong you see on your wall outlet is the ground, and it's connected to the service ground at the panel. The neutral also goes back to that service ground at the panel, and although it is at ground potential as well, it must never touch that ground wire which connects all the third-prongs on the outlets.

    If somewhere along the line, someone (usually a hacker) inadvertently reverses the ground and hot wires, on even one outlet or connection, now we have a dangerous situation. The neutral conductor becomes the hot and the hot becomes the neutral. It's important that you buy yourself one of those polarity checkers from Home Depot or whatever, and test the outlets you use for polarity. It can be done with a volt meter, if you know what to look for.

    On your phone, check to see how the power cord is aligned. Has anyone tampered with it? If it gets reversed, you can have an equally dangerous situation, both for human safety and for the equipment. Most electrical devices these days are made of plastic and that prevents shock. But all metal surfaces within the equipment must be connected to the service ground I mentioned earlier. If 120 volts gets on that metal somehow, there is the potential to blow the heck out of any attached equipment.

    It's still not clear to me how your router is attached to telco. Are you saying you have a splitter at the telco outlet with the phone in one side of the splitter and the router on the other? Also, where is your DSL modem? Is it built in to the router? I have a separate DSL modem supplied by telco and my router is a Linksys from Cisco Systems which I bought from Future Shop. Your telephone should also be connected through a DSL filter, which you can get from telco or elsewhere. It keeps the DSL signal noise out of the telephone and might supply another level of protection for attached equipment.

    From the sound of things, the router supplied by your ISP might not be up to snuff. With my router, which is both wireless and cable connectable, I can call it up from my browser by entering IP 192.168.1.1. Then I have access to a load of configurable items. I can set a password on it and the router has its own firewall feature which adds to my software firewall.

    When you can't access your router, it's usually a problem between Windoze and the router. I get that occasionally and I have to go through a rigamarole to fix it. I start out by disabling my Wireless Network Connection, then I shutdown my software firewall. I figure the router can protect me long enough to get back online. Then I fire up the firewall and enable the Wireless connection. That usually fixes it. If not, I shut down both the DSL modem and the router, and I might go as far as to reconfigure the router software. Sometimes it needs to find itself again.

    If that fails, there is a process to reconfigure your TCP/IP stack through XP. I would think by this time that Msoft would have some wizards to do the job but more often than not it's a black art.

    There's a decent chance your router may have been faulty and by plugging in a new power supply it may have been too much for it. The 18 volt supply could blow due to a short in the router, a blown rectifier diode in the module or a short in the step-down transformer in the module. If it was brand new, however, I'd think it was the router shorting. Are you sure an 18 volt supply is the correct type? It sounds awful high for a router. I'm asking because devices use a regulator chip that will accept a broad range of input voltages from an external supply. If that supply is too large for the regulator, it all goes up in smoke, as you know.


    A short in the router could be due to component failure or it could have been induced by catastrophic current being induced through the telco line from your telephone set. Or, some other currents could be coming in from telco itself. I've seen that happen.

    When you press the phone button to get service, it signals the telco CO (central office) that you want service. Circuits are turned on to enable that and I'm thinking it's possible for their equipment to be blowing your router. Of course, they will deny that, but you could ask them to test the line. Whatever you do, make sure they are not going to charge you if they come out. If it's their router, the only thing they could charge you for is your telephone needing repair. If you can, borrow a cheap, old telephone set from someone. It's highly unlikely it will be defective whereas there is a chance that yours might be. If it is, they'll ding you.
    Last edited by WaxfordSqueers; November 1st, 2008 at 01:25.

  4. #19

    update test version released

    Hello there, I just updated IceStealth to version 1.3.
    New things:

    multi processor support
    fixed 2 possible bugs
    int41 killed


    I'm not 100% sure whether the MP support causes a BSOD, because I don't have a multi-processor machine and was only able to test with a single CPU.

    So it would be nice to get a few answers on whether this version causes a BSOD on MP systems.

  5. #20
    Kayaker (Teach, Not Flame, joined Oct 2000)
    Elenil, I'll answer your PM here in case anyone else wants to chip in.

    I manually checked both Int41 IDT entries on my HyperThread enabled system and both were patched correctly (reverted to original HalpDispatchInterrupt). No BSOD's.

    kd> dd KiProcessorBlock
    gives both KPRCB's (thank you Opcode, http://www.woodmann.com/forum/showthread.php?p=46879#post46879)
    KPRCB - 120h gives KPCR
    KPCR + 38h gives IDT table address
    IDT + 41h*8 gives Int41 address

    Remember, my system is only a single CPU with HT, not a true MP dual core system, though as I mentioned, your algo should work for the other situations as well: MP+HT, MP-HT.

    I then tested using xADT1.4 and the only test that failed was the one for FindSoftIceRegistryKeys.

    I only tried Option 1, I don't want to mess with the others outside of a VM. From what I saw, only the Int41 protection was MP dependent, so that's all I was really checking for.
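The manual check described in the post above (KiProcessorBlock -> KPRCB -> KPCR -> IDT -> gate 41h), written out as an added example that is not part of the thread or of IceStealth. It walks a constructed two-processor memory snapshot rather than live kernel memory; all addresses (the KiProcessorBlock location, the KPCR and IDT addresses, the "HalpDispatchInterrupt" and "debugger hook" values) are invented for the demo. The offsets 0x120 and 0x38 and the 8-byte KIDTENTRY layout are the x86 XP ones the post uses.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout constants from the post (Windows XP x86, 32-bit kernel). */
#define KPCR_PRCB_OFF   0x120u  /* KPRCB = KPCR + 0x120, so KPCR = KPRCB - 0x120 */
#define KPCR_IDT_OFF    0x38u   /* KPCR.IDT: pointer to this processor's IDT     */
#define INT41           0x41u
#define IDT_ENTRY_SIZE  8u
#define GATE_PRESENT    0x8000u /* P bit in the KIDTENTRY.Access word            */

/* Constructed snapshot: a flat buffer standing in for the virtual range
 * [SNAP_BASE, SNAP_BASE + sizeof mem). A real checker reads live kernel
 * memory through a driver or a kernel debugger instead. */
#define SNAP_BASE 0x80400000u
static uint8_t mem[0x6000];

static int mapped(uint32_t va, uint32_t len)
{
    return va >= SNAP_BASE && va - SNAP_BASE + len <= sizeof mem;
}
static uint32_t rd32(uint32_t va)
{
    if (!mapped(va, 4)) return 0;
    const uint8_t *p = mem + (va - SNAP_BASE);
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16(uint32_t va)
{
    if (!mapped(va, 2)) return 0;
    const uint8_t *p = mem + (va - SNAP_BASE);
    return (uint16_t)(p[0] | (p[1] << 8));
}
static void wr16(uint32_t va, uint16_t v)
{
    if (!mapped(va, 2)) return;
    mem[va - SNAP_BASE] = (uint8_t)v;
    mem[va - SNAP_BASE + 1] = (uint8_t)(v >> 8);
}
static void wr32(uint32_t va, uint32_t v)
{
    wr16(va, (uint16_t)v);
    wr16(va + 2, (uint16_t)(v >> 16));
}

/* Walk KiProcessorBlock[cpu] -> KPRCB -> KPCR -> IDT -> gate 0x41 and return
 * the 32-bit handler the gate points at (0 if the walk leaves the snapshot
 * or the gate is not present). */
uint32_t int41_handler(uint32_t kiprocessorblock, unsigned cpu)
{
    uint32_t kprcb = rd32(kiprocessorblock + 4u * cpu);
    if (kprcb < KPCR_PRCB_OFF) return 0;                 /* empty slot */
    uint32_t kpcr = kprcb - KPCR_PRCB_OFF;
    uint32_t idt  = rd32(kpcr + KPCR_IDT_OFF);
    if (!idt) return 0;
    uint32_t gate = idt + INT41 * IDT_ENTRY_SIZE;
    /* KIDTENTRY: +0 Offset (low 16), +2 Selector, +4 Access, +6 ExtendedOffset. */
    uint16_t lo = rd16(gate), access = rd16(gate + 4), hi = rd16(gate + 6);
    if (!(access & GATE_PRESENT)) return 0;
    return ((uint32_t)hi << 16) | lo;
}

/* Count processors whose INT 41 gate does not point at `expected`.
 * Stops at the first NULL KiProcessorBlock slot, like the kernel's own loops. */
unsigned int41_mismatches(uint32_t kiprocessorblock, uint32_t expected, unsigned max_cpus)
{
    unsigned bad = 0;
    for (unsigned cpu = 0; cpu < max_cpus; cpu++) {
        if (rd32(kiprocessorblock + 4u * cpu) == 0) break;
        uint32_t h = int41_handler(kiprocessorblock, cpu);
        printf("CPU %u: INT 41 -> %08" PRIX32 " %s\n", cpu, h, h == expected ? "(original)" : "(PATCHED)");
        if (h != expected) bad++;
    }
    return bad;
}

/* Constructed two-processor snapshot; every address below is invented. */
#define KIPB_VA        0x80401000u   /* stands in for nt!KiProcessorBlock       */
#define HALPDISPATCH   0x806D2F00u   /* stands in for HalpDispatchInterrupt     */
#define DEBUGGER_HOOK  0xF88A3210u   /* stands in for a debugger's INT 41 hook  */

static void put_gate(uint32_t gate, uint32_t handler)
{
    wr16(gate + 0, (uint16_t)(handler & 0xFFFF));
    wr16(gate + 2, 0x0008);                   /* KGDT_R0_CODE                        */
    wr16(gate + 4, GATE_PRESENT | 0x0E00);    /* present, DPL 0, 32-bit interrupt gate */
    wr16(gate + 6, (uint16_t)(handler >> 16));
}

uint32_t build_snapshot(void)
{
    const uint32_t kpcr[2] = { 0x80402000u, 0x80403000u };
    const uint32_t idt[2]  = { 0x80404000u, 0x80405000u };
    memset(mem, 0, sizeof mem);
    for (unsigned cpu = 0; cpu < 2; cpu++) {
        wr32(KIPB_VA + 4u * cpu, kpcr[cpu] + KPCR_PRCB_OFF);   /* KPRCB pointer */
        wr32(kpcr[cpu] + KPCR_IDT_OFF, idt[cpu]);               /* KPCR.IDT      */
    }
    /* CPU 0 was restored; CPU 1 still carries the hook, which is exactly the
     * case a test on a single-processor box can never observe. */
    put_gate(idt[0] + INT41 * IDT_ENTRY_SIZE, HALPDISPATCH);
    put_gate(idt[1] + INT41 * IDT_ENTRY_SIZE, DEBUGGER_HOOK);
    return KIPB_VA;
}

int main(void)
{
    uint32_t kipb = build_snapshot();
    unsigned bad = int41_mismatches(kipb, HALPDISPATCH, 32);
    printf("%u processor(s) still patched\n", bad);
    return bad != 0;
}
```

The point of checking every KPRCB rather than only the current processor's KPCR is the one Kayaker raises: each CPU (and each HT sibling) has its own IDT, so a patch or restore that touches only one of them leaves the others detectable.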

  6. #21
    Thank you for your answer Kayaker, you are always welcome to answer.

    With the registry problem you can try the last button "Option 1 with Registry Protection", or hit the "Hook Option 1" button first, then start IceStealth again and hit the "Load Basic Registry Protection" button.

    Note this only works for the hook buttons "Hook Option 1", "Hook Option 2", "Hook Option 1 NO BPM", "Hook Option 2 NO BPM".
    Clicking a hook button again will conflict with the code, btw; it will not work as it should.

    Sorry for my bad readme information.

    If it still finds a registry entry, please PM me, I will see what I can do about it. I protected all entries I found for SoftICE.
    Last edited by Elenil; January 17th, 2009 at 18:55.

  7. #22

    update to 1.4

    New update is available: version 1.4.
    I added a completely new type of protection and made IceStealth more user-friendly.
    It should cheat most kernel spy tools.

    Thanks to Kayaker for testing IceStealth before it got released.

    download:
    http://www.woodmann.com/collaborative/tools/index.php/IceStealth


    If the new protection causes a BSOD, please PM me with the code where it crashes + data.

  8. #23
    Thanks for the great tool! I'm not a huge Softice fan but one day, when I get more familiar with the kernel, I might start using it heavily and this tool might come in really handy.
    Externalist

  9. #24
    Quote Originally Posted by Externalist View Post
    Thanks for the great tool! I'm not a huge Softice fan but one day, when I get more familiar with the kernel, I might start using it heavily and this tool might come in really handy.
    Or....you could take the attitude, "Damn the torpedoes, full speed ahead...crash and burn, crash and burn". That's how I approached the kernel (ring 0). You'll find it a lot more friendly in there under XP than it used to be and there's no better way to learn it than to be in there.

    Just remember to turn off 'Enable write caching on the disk' under Device Manager/Disk Drives for each hard drive, otherwise you might get a nasty loss of data after a blue screen. Chkdsk is quite handy for recovering from those nasty events. Also, the hboot command in softice gets you out of a few fixes like that.

  10. #25
    Or simply, before starting an RCE session, use sync.exe from Sysinternals to flush cached files to disk; after that you are safe if you get a BSOD.

  11. #26

    new update

    Hello there, I just updated IceStealth again.
    It has reworked some routines, added new types of protections, winice.dat from me, latest SoftICE files (patched), new options to use, and I also added an option to not use the int1 patch for i1here users (for more details please read readme.txt).
    This is probably the last update; it was fun to work up to here.
    Sadly SoftICE is a pretty dead tool, but anyway I like it.
    Thanks to Kayaker for testing IceStealth again before it got released.

    download:
    http://www.woodmann.com/collaborative/tools/index.php/IceStealth

    have fun

  12. #27
    Very nice work!
    Time to dust off my sice

    Keep your work up

  13. #28
    I could not hold myself back from updating IceStealth after I found some errors :-)
    I also changed some signatures so that it is atm not detected as possible malware.
    Do not trust such issues!

    here goes 1.6 version:
    http://www.woodmann.com/collaborative/tools/index.php/IceStealth

  14. #29
    dELTA (Administrator, joined Oct 2000, location: Ring -1)
    Nice work as usual, and thanks for keeping its entry in the CRCETL updated too.
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."

  15. #30
    Hi Elenil, thank you for your work; IceStealth is a very useful tool. I'm using it (ver 1.5) for days and found no errors, it's just working very well. And my question: is it possible to get a copy of your source code? I know that it would be nicer to discuss issues on the forum, but my English is so poor that I can't exchange information with others very well. And being a new learner, I have very many questions on how it works. Perhaps I'm a little lazy ^ ^.

    And a bug in ver 1.5: if a thread has its own SST (which is placed in nt!_KTHREAD's field "ServiceTable", offset 0e0h from the beginning of that structure on XP SP3), the hooks of IceStealth in the system service table will no longer take effect on this thread. I fixed this with my own tool, but I just can't fix each Nt service hooked by IceStealth, because I don't know how IceStealth works in those functions. I want to learn much more about kernel debugging and anti-debug technology, so I have the first question.

    I would be pleased to have your reply.
    I promise that I have read the FAQ and tried to use the Search to answer my question.
