
Thread: Softice Hide Tool

  1. #31
    Hi Elenil, thank you for your work; IceStealth is a very useful tool. I'm using it (Ver 1.5) for days and found no errors; it's just working very well. And my question: Is it possible to get a copy of your source code? I know that it'll be nicer to discuss issues on the forum, but my English is so poor that I can't exchange information with others very well. And being a new learner, I have very many questions on how it works. Perhaps I'm a little lazy ^ ^.

    And a bug in Ver 1.5: if a thread has its own SST (which was placed in nt!_KTHREAD's field "ServiceTable", offset 0e0h from the beginning of that structure on XP sp3), the hooks of IceStealth in the system service table will no longer take effect on this thread. I fixed this with my own tool, but I just can't fix each Nt service that is hooked by IceStealth, because I don't know how IceStealth works in those functions. I want to learn much more about kernel debug and anti-debug technology, so I have the first question.

    I will be pleased to have your reply.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #32
    Oh, sorry about my poor English.

  3. #33
    naides (Naides is Nobody; Join Date: Jan 2002; Location: Planet Earth; Posts: 1,647)
    I have a question for Elenil: I was fighting with this protection, whose forte appears to be anti-debug tricks. It is quite painful to trace, and so far none of the usual debug hide tools worked (Olly Phantom hide debugger, and all I could find and try); SoftIce (IceExt definitely did not work), Syser and IDA with IDA stealth also bit the dust.
    I was able to painfully trace the code of the app, manually countering the anti-debug guards one at a time, but every time a new module was loaded, or at random from other threads, the debugger would get discovered, and the app would pause all its threads so that Olly stopped working... (It claimed the app was running, but no thread was active.) The app refuses even to start or install when SoftIce is in the system, so I could not even start tracing it with Sice.
    Anyway, long story short, IceStealth did the trick, and the program loads and runs despite Sice (Huurrrray).
    My question or request for suggestions to Elenil here is how could I figure out which anti-debug trick it was that IceStealth did solve?

  4. #34
    Quote Originally Posted by korall:
    Hi Elenil, thank you for your work; IceStealth is a very useful tool. I'm using it (Ver 1.5) for days and found no errors; it's just working very well. And my question: Is it possible to get a copy of your source code? I know that it'll be nicer to discuss issues on the forum, but my English is so poor that I can't exchange information with others very well. And being a new learner, I have very many questions on how it works. Perhaps I'm a little lazy ^ ^.

    And a bug in Ver 1.5: if a thread has its own SST (which was placed in nt!_KTHREAD's field "ServiceTable", offset 0e0h from the beginning of that structure on XP sp3), the hooks of IceStealth in the system service table will no longer take effect on this thread. I fixed this with my own tool, but I just can't fix each Nt service that is hooked by IceStealth, because I don't know how IceStealth works in those functions. I want to learn much more about kernel debug and anti-debug technology, so I have the first question.

    I will be pleased to have your reply.
    Can you be more precise about the problem with the SSDT?
    You mean another driver has placed an SSDT entry before?
    You might use the "New Protection"; it has stronger protection and doesn't hook SSDTs (uncheck the SEH BPM protection).
    I'm not sure atm if the 1.5 version supports NTKRNLPA and NTKRNLMP, so I advise you to download the 1.6 version.

    One word about the old protection: it's only still there because it is more compatible than the new protection.

    Hi naides,
    Well, basically IceStealth doesn't tell you if a detection appears, but let me ask you a few questions: did you load the new protection or the old? What protector does your target use?
    I collected most of the detections in IceStealth's Readme (set breakpoints on these).
    Anyway, the "New Protection" protects from a lot of ring0/rootkit detections,
    like directly reading the PsLoadedModuleList or listing objects with OpenDirectoryObject (driver/device), also ObReferenceObjectByName and far more.

    I currently improved the method for device objects, but I could need some testers because another person has problems with it; I did not release it yet.

    If you want to be a tester, please PM me with your ICQ or MSN number.

    Also I try to get the HWND command back.
    It already works perfectly if you are in a ring3 application; only "addr" doesn't work.

    I will try to fix that if I find time again.
    I could need some information on what ranges the TEB is set in Windows XP.

    I upload a beta to this answer; please note it's a BETA. If it gets problems, download the 1.6 from here:
    http://www.woodmann.com/collaborative/tools/index.php/IceStealth

    My English, if people haven't noticed already, isn't the best either.

    If anyone wants to try the BETA:
    beta removed, has bugs

    Replace the ntice drivers (in IceStealth's "other" folder) in your system folder to get the hwnd command to work.
    Last edited by Elenil; July 17th, 2009 at 13:05.

  5. #35
    naides (Naides is Nobody; Join Date: Jan 2002; Location: Planet Earth; Posts: 1,647)
    Quote Originally Posted by Elenil:

    Hi naides,
    Well, basically IceStealth doesn't tell you if a detection appears, but let me ask you a few questions: did you load the new protection or the old? What protector does your target use?

    I used the old protection. The new one did not work (??) and produced two error messages regarding .PDB files??.
    The protection appears to be made by the software authors, not a commercial one.

    If anyone wants to try the BETA:
    http://ul.to/a3p76k

    Replace the ntice drivers (in IceStealth's "other" folder) in your system folder to get the hwnd command to work.
    I'll PM you my info. Of course I would like to be a tester.

  6. #36
    Quote Originally Posted by Elenil:
    Can you be more precise about the problem with the SSDT?
    You mean another driver has placed an SSDT entry before?
    You might use the "New Protection"; it has stronger protection and doesn't hook SSDTs (uncheck the SEH BPM protection).
    I'm not sure atm if the 1.5 version supports NTKRNLPA and NTKRNLMP, so I advise you to download the 1.6 version.

    One word about the old protection: it's only still there because it is more compatible than the new protection.
    Take a look at some code in one version of the NTKRNL binary:
    ;_KiSystemService
    .
    .
    .text:0046A564 64 8B 1D 1C 00 00 00 mov ebx, large fs:1Ch
    .text:0046A56B 6A 3B push 3Bh
    .text:0046A56D 8B B3 24 01 00 00 mov esi, [ebx+124h] ; esi -> nt!_KTHREAD
    .
    .
    .
    .text:0046A5BF 8B F8 mov edi, eax ; eax = system service ID
    .text:0046A5C1 C1 EF 08 shr edi, 8
    .text:0046A5C4 83 E7 30 and edi, 30h
    .text:0046A5C7 8B CF mov ecx, edi
    .text:0046A5C9 03 BE E0 00 00 00 add edi, [esi+0E0h] ; It is HERE,fetch nt!_KTHREAD.ServiceTable --- this ServiceTable is private for every thread
    .text:0046A5CF 8B D8 mov ebx, eax
    .text:0046A5D1 25 FF 0F 00 00 and eax, 0FFFh
    .text:0046A5D6 3B 47 08 cmp eax, [edi+SERVICE_DESCRIPTOR_TABLE.TableSize]
    .text:0046A5D9 0F 83 33 FD FF FF jnb _KiBBTUnexpectedRange
    .
    .
    .text:0046A606 8B F2 mov esi, edx ; edx -> User stack
    .text:0046A608 8B 5F 0C mov ebx, [edi+SERVICE_DESCRIPTOR_TABLE.ArgumentTable]
    .text:0046A60B 33 C9 xor ecx, ecx
    .text:0046A60D 8A 0C 18 mov cl, [eax+ebx] ; Arg num
    .text:0046A610 8B 3F mov edi, [edi+SERVICE_DESCRIPTOR_TABLE.ServiceTable]
    .text:0046A612 8B 1C 87 mov ebx, [edi+eax*4]
    .text:0046A615 2B E1 sub esp, ecx
    .text:0046A617 C1 E9 02 shr ecx, 2
    .text:0046A61A 8B FC mov edi, esp
    .text:0046A61C 3B 35 34 B1 48 00 cmp esi, ds:MmUserProbeAddress
    .text:0046A622 0F 83 A8 01 00 00 jnb loc_46A7D0
    .text:0046A628
    .text:0046A628 loc_46A628: ; CODE XREF: _KiSystemService+373
    .text:0046A628 ; DATA XREF: _KiTrap0E+10D
    .text:0046A628 F3 A5 rep movsd
    .text:0046A62A FF D3 call ebx ; call system service
    .


    1. I use the old protection, so this situation may not be present in the new protection;
    2. It should not be treated as a bug because the target process has kernel-mode access rights too; it can do anything it can.


    I'm a novice, so please forgive my recklessness.
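    The per-thread ServiceTable situation korall describes, as an added example that is not code from this thread or from IceStealth: a user-mode C model of the dispatch path in the listing above (table select with the 0x30 mask, the TableSize bounds check, the indirect call), a hook placed in the global table, and a second thread whose KTHREAD.ServiceTable points at a private copy taken before the hook. The structure and field names mirror the listing; the KTHREAD padding, the sample services, the hook and the SVC_UNEXPECTED_RANGE sentinel are constructed, and the check at the end assumes the two legitimate values of KTHREAD.ServiceTable on XP are KeServiceDescriptorTable and KeServiceDescriptorTableShadow.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t (*service_fn)(uint32_t arg);

/* SERVICE_DESCRIPTOR_TABLE as referenced in the listing:
 * ServiceTable (+0), CounterTable (+4), TableSize (+8), ArgumentTable (+0xC). */
typedef struct {
    service_fn    *ServiceTable;
    uint32_t      *CounterTable;
    uint32_t       TableSize;
    const uint8_t *ArgumentTable;
} service_descriptor_table;

/* Model of KTHREAD with only the field the dispatcher reads: the per-thread
 * ServiceTable pointer (+0xE0 on XP SP3 per the post). The padding is a
 * constructed stand-in for the real layout. The pointer targets an array of
 * four descriptor tables ([0] native, [1] win32k, [2] and [3] unused). */
typedef struct {
    uint8_t                   pad[0xE0];
    service_descriptor_table *ServiceTable;
} kthread_model;

#define SVC_UNEXPECTED_RANGE 0xFFFFFFFFu   /* constructed stand-in for _KiBBTUnexpectedRange */

/* Mirror of the dispatch path in the listing. */
uint32_t dispatch_syscall(const kthread_model *kt, uint32_t id, uint32_t arg)
{
    /* shr edi,8 / and edi,30h / add edi,[esi+0E0h]: the 0x30 mask is a byte
     * offset into 16-byte descriptor entries, i.e. table index (id >> 12) & 3. */
    const service_descriptor_table *sdt = &kt->ServiceTable[(id >> 12) & 3];
    uint32_t index = id & 0xFFF;                     /* and eax,0FFFh */
    if (index >= sdt->TableSize)                     /* cmp eax,[edi+TableSize] / jnb */
        return SVC_UNEXPECTED_RANGE;
    /* ArgumentTable[index] is the byte count that rep movsd copies from the
     * user stack; this model passes a single argument directly instead. */
    return sdt->ServiceTable[index](arg);            /* mov ebx,[edi+eax*4] / call ebx */
}

/* Constructed sample services and a constructed hook wrapping service 1. */
static uint32_t NtSample0(uint32_t a) { return a + 1; }
static uint32_t NtSample1(uint32_t a) { return a * 2; }
static int hook_hits;
static uint32_t hooked_NtSample1(uint32_t a) { hook_hits++; return NtSample1(a); }

static service_fn    global_services[2] = { NtSample0, NtSample1 };
static const uint8_t global_args[2]     = { 4, 4 };
/* Four-entry array like KeServiceDescriptorTable; only [0] is populated here. */
static service_descriptor_table global_sdt[4] = { { global_services, NULL, 2, global_args } };

/* Private copy that a thread (or a driver acting for it) can install in its
 * own KTHREAD.ServiceTable, snapshotted before the hook is placed. */
static service_fn               private_services[2];
static service_descriptor_table private_sdt[4];

/* Runs service 1 once from a thread bound to the global table and once from a
 * thread bound to the private copy; reports hook hits for each and their sum. */
int demo_hook_hits(int *global_hits, int *private_hits)
{
    kthread_model thread_global = { {0}, global_sdt };
    kthread_model thread_private;
    memset(&thread_private, 0, sizeof thread_private);

    memcpy(private_services, global_services, sizeof private_services);
    memcpy(private_sdt, global_sdt, sizeof private_sdt);
    private_sdt[0].ServiceTable = private_services;
    thread_private.ServiceTable = private_sdt;

    global_services[1] = hooked_NtSample1;           /* hook the global entry */

    hook_hits = 0;
    dispatch_syscall(&thread_global, 0x001, 21);     /* goes through the hook */
    *global_hits = hook_hits;

    hook_hits = 0;
    dispatch_syscall(&thread_private, 0x001, 21);    /* same id, private table: hook bypassed */
    *private_hits = hook_hits;

    global_services[1] = NtSample1;                  /* unhook so the demo is repeatable */
    return *global_hits + *private_hits;
}

/* Defender-side check: a KTHREAD.ServiceTable pointing at neither expected
 * table is exactly what makes global-table hooks ineffective for that thread. */
int thread_service_table_is_expected(const kthread_model *kt,
                                     const service_descriptor_table *expected,
                                     const service_descriptor_table *expected_shadow)
{
    return kt->ServiceTable == expected || kt->ServiceTable == expected_shadow;
}

int main(void)
{
    int g, p;
    demo_hook_hits(&g, &p);
    printf("global-table thread: hook hits = %d\n", g);
    printf("private-table thread: hook hits = %d\n", p);
    return 0;
}
```

    Checking every thread's ServiceTable pointer against the two known tables is the simplest way a tool that relies on global-table hooks can notice the condition korall hit, rather than silently missing calls from that thread.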

  7. #37
    Well, I can only advise you to download 1.6 or higher; the 1.5 version doesn't support NTKRNLPA and NTKRNLMP. Or you PM me what you did to solve that, and I can then think about whether this is sensible for the old protection.

    About the ntkrnl error:
    In the 1.5 version this error appears if NTKRNLPA or NTKRNLMP is used,
    or if connecting to the Microsoft symbol server is blocked.
    The error can also appear if the old protection was used and failed with a pdb file (always restart if a pdb error happens).

    You can give IceStealth the files manually too:
    in IceStealth you have to create a folder called \SYM; there you put the 2 pdb files.

  8. #38
    Quote Originally Posted by naides:
    The app refuses even to start or install when SoftIce is in the system, so I could not even start tracing it with Sice.
    You're a more advanced RE than I am, so please take this for what it's worth. I don't understand why you could not load the app with sice. Did you try BPX _baseprocessstart? You have to load a K32 nms file and use addr kernel32 to get into the k32 context; then the _baseprocessstart func should appear listed with an exp *_baseproc* or sym *_baseproc*.

    There have been problems lately with symbol loader in that it is not translating files like K32 correctly. It omits the names. I use ida2ice to get an nms file from IDA, but it puts its own peculiar names out in the nms file. That's why you need the exp or sym command to make sure it's available and to get its name right for the bpx command.

    That gets you right to the first byte of any app's code after about 2 jumps (p - ret) over calls. I think it's the 3rd call you trace and when you do you're right at the start code. If not, there would appear to be a TLS issue. AFAIK, that's the only thing that will beat _baseprocessstart because the loading begins in the PE file.

    deroko knows a lot about that as I'm sure kayaker does.

  9. #39
    Kayaker (Teach, Not Flame; Join Date: Oct 2000; Posts: 4,079; Blog Entries: 5)
    Hi Elenil,

    Nice one on the HWND patch, it seems to work but I do see a couple of potential problems.

    In explanation, the problem is that Softice uses a hardcoded address of 0x7ffde6e4 as the offset to TEB.Win32ClientInfo for use with the HWND command. This is based on an absolute value of 0x7ffde000 for the TEB/TIB, which is no longer valid in XPsp3, and possibly even in XPsp2. This was a bad omission by Numega not to fix that since I think the issue existed when they released their final ntice.sys patch version. This is the error that Elenil is trying to fix. A discussion of the problem can be found here:

    http://www.woodmann.com/forum/showthread.php?t=9643


    What you've done is to add a section to ntice.sys and divert the HWND command to find a valid address for TEB.Win32ClientInfo before passing it back to the rest of the function. You get the TEB from fs:18h, then add 6E4h to it and check for a valid Win32ClientInfo address by calling MmIsAddressValid.

    That's fine as it stands, but it seems to me that the rest of the algorithm is unneeded and possibly in error. The instruction MOV EAX, FS:0X18 written in the patch in Softice *should* retrieve a valid TEB in the context in which the HWND command is issued. If the TEB is valid then the TEB.Win32ClientInfo offset should automatically be valid. Whether it contains a value or not is not important at this point since that will be evaluated by the rest of the HWND command.

    All you need to do at that point is add 0x6E4 to the result and pass it back to the HWND command. Since this should only be a few lines of code, you don't even need to add a new section, but simply write it inline, overwriting the unneeded code you already wrote your JMP function onto.



    The rest of the patch algorithm loops, but it seems to me will never be reached since the first part should have produced the correct answer - If MmIsAddressValid failed the first time, beginning at 7FFDA000h you add 6E4h and continue adding 1000h to check the next page until found. I may be wrong but from the disassembly it looks like the check for TEB.CLIENT_ID.Tid (is this what you were aiming for?) at [ebx+24h] actually points to an offset within the undocumented Win32ClientInfo structure. i.e. EBX is not the base TEB address is it?

    Code:
    .Elenil:001DA19E    mov     ebx, 7FFDA000h
    .Elenil:001DA1A3    add     ebx, 6E4h
    .Elenil:001DA1A9
    .Elenil:001DA1A9    push    ebx
    .Elenil:001DA1AA    call    $+5
    .Elenil:001DA1AF    pop     edi
    .Elenil:001DA1B0    call    dword ptr [edi-122CFFh] ; 0xB74B0 MmIsAddressValid
    .Elenil:001DA1B6    cmp     al, 0
    .Elenil:001DA1B8    jz      short loc_1DA1CE
    .Elenil:001DA1BA    mov     esi, [ebx+24h]
    .Elenil:001DA1BD    push    esi
    .Elenil:001DA1BE    call    $+5
    .Elenil:001DA1C3    pop     edi
    .Elenil:001DA1C4    call    dword ptr [edi-122D13h] ; 0xB74B0 MmIsAddressValid


    One other small point about the patch. You use EBX and EDI but don't preserve those registers before passing control back to the original HWND function, which uses both of them later (EDI is supposed to equal 0, EBX is a previously filled variable).


    I'm sorry if I'm missing something or don't understand the intent, but it seems all that is really needed is to change

    Code:
    :0004EEBA                 push    7FFDE6E4h
    :0004EEBF                 call    RetrieveWin32ClientInfoValue
    to something like

    Code:
                              mov eax, fs:0x18
                              add eax, 0x6E4
                              push eax
    
    :0004EEBF                 call    RetrieveWin32ClientInfoValue
    Regards,
    Kayaker

  10. #40
    Well, basically you got a little older version I wrote.

    The first one really was the one with the
    mov eax, fs:0x18
    add eax, 0x6E4
    push eax

    as written in the blog:
    http://blogs.msdn.com/matt_pietrek/archive/2004/08/25/220330.aspx

    But this returns 0 if you are in ring0; also if you use addr explorer or something, it's still 0.

    I then noted the patch required more space, so I added a section called Elenil. Nice that you logged that.

    The 1.66 version (which is not released atm) has 2 variants to read the value:
    fs:18 (fs should be 30) + 6e4 (I noted in some runs it caused a BSOD because fs was 3b).
    It then checks the result (some tester noted this doesn't always work even if it has a value).

    I noted that it mostly starts from 7ffda000 to 7ffdf000.
    Then I made something that calcs softice's import of MmIsAddressValid.
    I also noted if it's a valid client struct, +24 must have a valid pointer.
    So 2 checks are done and finally it did work well for me.

    I didn't see side effects using the registers yet, but the EDI is compared (maybe really a subject to change) after the function.
    But I see another problem: MmIsAddressValid will change some registers too.
    The only way would be to save the registers manually or use the pushad command.

    edit: ok well nvm, I didn't see side effects yet, but I wrote something to restore the registers.
    Update is available here:
    http://www.woodmann.com/collaborative/tools/index.php/IceStealth
    Last edited by Elenil; July 25th, 2009 at 01:05.
