IceStealth´s Actual version now will always be here and on the SoftICE Extensions

http://www.woodmann.com/collaborative/tools/IceStealth

no comments at all ?
it would be nice to answer if my program works well for other computers or has some problems on other system basicly it only has tested on XP 32 SP2

IceStealth should protect from:

CreateFileA, CreateFileW, NtCreateFile, also nmtrans.dll wont find softice with these methods
NtQueryDirectoryObject
NtQueryObject
everything controled with services.exe about drivers some examples : OpenServiceA, OpenServiceW, EnumServicesStatusA,EnumServicesStatusW,EnumServicesStatusExA, EnumServicesStatusExW
UnhandledExceptionFilter (2 Options)
SEH BPM protect
NtQuerySystemInformation
int 41 orignal data emulated + DPL 0 + int1 DPL 0

hopeful i get some comments now


btw i cant upload IceStealth to SoftIce extensions why ?
when i upload the rar file it creates a link on the link bar but when you then click "submit the tool!" it says error on site and nothing happens

hi, for NtCreateFile you could allow loader32.exe for example to access ntice by comparing name in EPROCESS.ImageFileName with loader32.exe. You can find this offset by searching through EPROCESS in DriverEntry for "System", and only allow access to ntice if it's loader32.exe - very useful when needed symbol loading at runtime

don't know how you protect BPM, maybe using hook in KiUserExceptionDispatcher, on other hand I protect it with GD bit in dr7, allowing only softice and cpthook to access drXes while it's faked for all other programs

in short, I have all of this in separate drivers/programs, kinda know exactly what is used by what protection so I load drivers depending on protection

thats a real good idea while i thought about a solution for that i didnt find a good solution but im still afraid that they ever create a executable with that name
so every1 plz load symbol files before IceStealth is started
i think of adding that to a next version as 3 option



your DRx emulator is some of the best toolz i ever saw for softice even on 98 i always hoped some1 is writing a such tool but i never found something to that - i really recommend derokus DRx emulator !
its not using KiUserExceptionDispatcher basicly cause its on ring3 its using NtContinue a only few different from yours its not setting a EH its checking if a dummy has passed to it and it dont print a dbgmsg
small protection this wont cheat everything i tested around with that a while simple changing the Dr´s will softice make look like it has the old BP but it breaks on a other 1
but at last double protection isnt wrong and more flexible

at last i protected all files DS 3.2 is using for me that are:
bootcfg.sys
CptHook.sys
siwvid.sys
osidata.sys
ntice.sys
NMFilter.sys
SIWSYM.sys
SIKSYM.SYS
SiwvidStart.sys

note CptHook.sys has DOS name of "KHook" and ntice+4digit number (if its DS3.2)

also everything is resistent to memory that means no driver to detect thats also why the application close itself after it´s done

btw if this tool goes in series i have to credit you for all information you gave me via msn

Are you developing a hiding tool just for interest or have not heard of IceExt?

http://stenri.pisem.net/

are you serious ? IceStealh give a clear better protection as IceExt

Kudos on the contribution Elenil.

It seems to work well but I noticed a few errors.

1. It crashes my VMWare xpsp2 system if I don't have the symbols for services.exe loaded. I know you said they either need to exist or let your app load them, but I did neither and got a big bad System Shutdown message with a timed forced NT_AUTHORITY reboot.

The minidump said only that services.exe was at fault - a C0000005 error on address 0 in a system fault reporting dll. Nothing particularly useful for debugging the error.

A check should be put in on that routine if symbols aren't available in order to protect users.


2. It fails on one of the xADT eXtensible Anti-Debug Tester plugin tests - one of them in the entry called "SICE Presence Tests".


3. I don't know exactly how you are hiding from ZwQuerySystemInformation/SystemModuleInformation, but I think you should check any modifications of the system linked lists. Your presence isn't entirely hidden. Softice is, but not the fact that some underhanded rootkit behaviour has just taken place

There is a discrepancy between the number of modules listed with ZwQuerySystemInformation at the start of the array of SYSTEM_MODULE_INFORMATION structures, and the number of arrays that can actually be accessed and\or printed out.

This is a red flag to any app that might want to check. As I say, it seems to me the most likely reason is that you have somehow short-circuited the natural linked list of modules the system maintains while your code was removing the Softice related entries.

Cheers,
Kayaker

to services problem i might got a quick solution

it need to download the PDB file from microsoftserver or this error will happen

the error normally only happen if the files dbghelp.dll and symsrv.dll are not in the IceStealth´s Folder
or something went wrong with reading the PDB file (normally not cause)
its only requied once to download this pdb file
i will add a check for the pdb file presents

i will see what i can do about the other problems the arteam site is currectly down for me

add:
SICE Presence Tests -> use Registry api (RegOpenKeyEx)
not supported atm
i know this problem but there a few ring0 apis to registry what can detect softice

I've been away for a while and never heard of your app. I've never had a problem with IceExt as long as you change it's name in the registry. It hides ice from it's own loader.

version 1.1

fixed the services bug what will cause if PDG file is blocked by firewall, is unaccepted or no connection is present
fixed the discrepancy problem with ntquerysysteminformation

anyway it already got 100 views but no comments why ? kayaker and deroko are the only 1´s yet who write something to my tool ok well WaxfordSqueers did but nothing to my tool ps waxford not trying to bug you but IceStealth also hide from sistart + loader32 (nmtrans.dll)

ppl can still bug me for my dialog the dialog´s style dont look well

add: 1 word to the registry detection to softice
in my opinion there the only 1 "bullet proof" concept:
"maybe a second in renaming and patching all drivers but then you got renamed names in the registry ..."
1: saving everything what is requied to load softice + other softice files manual from the registry
2: load softice ...
3: delete everything from the registry from softice
4: next reboot restore everything + load up the driver´s manual
5: start softice again ...
6: loop steps 4 5 3 again
a simplier idea of that is deleting everything manaual from the registry after softice is loaded - then reinstall softice
maybe thats why almost no protector detect registry entrys

to avoid that RegOpenKeyEx only NtOpenKey would be requied but this would be easy to cheat simple other registry apis can be used to check if something goes wrong with NtOpenKey i not wanna go in detail yet

Now that I'm back online I can reply to this. My router, fortunately still under warranty, went up in smoke - literally!

Mmmmm, burnt PCBeeee..., droooolll...

For the small percentage who don't get that reference - I can't help you.

Anyway,




'fraid not. I still see the same problem. For example, I print out a list of drivers returned from ZwQuerySystemInformation/SystemModuleInformation. The API returns a large array of SYSTEM_MODULE_INFORMATION structures. The array appears to be sorted in the order the modules are loaded (i.e. ntoskrnl.exe is first, new ones are added to the end).

The very first dword of the array is the number of modules. Before running IceStealth I see 120 modules reported, and can print out 120 entries. After running IceStealth there are 114 modules reported, the missing ones are the hidden Softice related modules, +/-.

HOWEVER, I can print out only 109/114 modules from the array and it's very apparent that it's the last ones that are missing.

If I start a new driver, that first dword of the SystemModuleInformation array is incremented correctly, however, I can't access the driver information from the array.

In other words, if I'm a driver and after loading I check to see if I'm listed under ZwQuerySystemInformation and don't see my name,.. then I'm going to be very suspicious and immediately enter bad cracker mode.


You should confirm this independantly to see if you get the same results. However, if you need to, I was using a silly little POC code with source I posted here long ago, playing with ZwQuerySystemInformation and returning it to usermode via an MDL. Click on SystemModuleInformation before and after IceStealth and scroll to the end of the list in each case, you should see the error.

http://www.woodmann.com/forum/attachment.php?attachmentid=904&d=1077340907



Since this seems important to you, I can think of a number of reasons why you got 100 downloads but few comments.

People are simply curious and will download anything to check it out.
There are not really that many people who still use Softice and care about hiding it.
IceExt and personal tools have worked for people so far.

Don't take it personally, but the lack of source or detailed explanation, and especially with an app that wants to connect to the internet, for whatever reason, is and should be approached with caution.

That is as it should be. Reversers paranoia is a good thing. Myself, I didn't run your app until I had reversed it to my satisfaction, only ran it in VMWare and didn't allow it to connect to the internet. Instead I used the Softice symbol retriever to get the symbols needed by the app and copied them over.

Finally, most people were probably waiting for Deroko and I to test it first since we're the most vocal Sice users


That said, this looks like a useful utility and I hope you continue to improve it. While I don't play with stuff much anymore that I need to hide Softice from, I would probably use this tool if I ever need to.

At this point, I'd give it my recommendation if that means anything.



I also have to add, you should consider including the finalized source code. The message of Reversing is about revealing the truth, not hiding it. It's what this board has always been about. (I know this is a bit of an oxymoron in regards to an app that hides Softice )



I personally feel this whole business about hiding cracker tricks from the "big bad software authors" who slither their way through boards like this as part of the cat and mouse game, kind of silly. For the majority of them, if they are good enough to come up with an "anti-anti" trick for your "anti" trick, then they are good enough to reverse your app and the tricks by themselves in the first place. Maybe you've made their life slightly more difficult - so what? - to what end?

I remember a long time ago someone made a little utility to remove duplicate Filemon entries. It partly inspired me to write and release my own version which included Regmon logs, with full source code of course. These guys however home-brew encrypted theirs, including the import table, added their cracking group "colors", etc. etc. I mean, c'mon, it was a silly little util they were supposedly 'sharing' with the reversing community, but was of course in reality a demonstration of l33t skillz

Kayaker...how do you blow up a PCB in a router in this day and age? Then again, my Canon printer blew a print head...literally. It went dead on me and I bypassed the cover switch to watch it cycle. As the head went by, it looked like a mini arc welder underneath the head. You know...blue flashes. When I pulled it apart, there was a hole burned in the electronics, right on the head.

Do you know the cause? If your telephone line isn't protected, it might be lightning. The telco line is protected at various points with spark gaps but it's unlikely that's what it was. Just mentioned it because it is a safety issue. Sometimes, they just blow for no known reason, but it's rare.

When I repaired electronic equipment, sometime in the past century, I used to get a lot of car radios with blown front ends from lightning, but that was in a dry region known for lightning.

Are you using an old browser (for example IE6)? There are known problems with these and some AJAX features of CRCETL.

I have made a CRCETL entry for your tool now anyway:
http://www.woodmann.com/collaborative/tools/IceStealth

Thanks.

first try dELTA for uploading my tool (yes IE 6 why no support ? )

i found the complete problem now kayaker the new version should work for you now too (it works wells here) the list where basicly currupted but such feadback i need ! i got no testers for the tool i not added a multi-processor support atm cause i dont got a MP and cant check the code (for the int patches)
i could release a beta soon but it might cause BSOD

i want to say a word why i created this tool it was cause i was nerved about the whole protector sh.. whats going on with softice (closing explorer if SI is detected, causing the program to crash or nag all the time) then i decided to "take my own hand" on it at last i thought its not a bad idea to release IceStealth maybe some can need my tool too

The ntquerysysteminformation seems fixed now.

Another general option to fool registry accesses might be to use CmRegisterCallback to filter registry calls and modify the return status for anything accessing something with a Softice name.

http://msdn.microsoft.com/en-us/library/aa906577.aspx



Waxford, the router problem was weird. The trigger that caused the overload seems to have been me pressing the on/off button on my phone/answering machine handset to check the dial tone.

I'd noticed lately that I often had a hard time reconnecting to the router after I had shut it off either through the software or main power button. In a number of cases I had to reboot the computer to get the router connection to reinitialize. I figured the router was starting to develop problems as indicated by this.

I happened to unplug my phone lines the other day (finally got pissed off enough at recorded telemarketer calls during dinner). Later I plugged the phone back in that is split into the DSL line and tried reconnecting to the internet. Again, the router wasn't responding, so I decided to check the phone to see if the dial tone was OK.

As soon as I pressed the phone dial button, the lights on my router went out!
I checked the external power supply/transformer, which is supposed to put out 18VAC and it was dead, nada, zip.

I brought everything in to my friendly local ISP and they replaced the power supply, gave it a quick 2 second power check with the old router, and sent me on my way.


When I later connected the power supply to the router I started to smell something. At first I thought it was just bake-off from the new power supply.. until I noticed significant smoke coming from the back of the router. Both the PS and router were hot to the touch at this point. I knew from the smell that the router was already toast. I applied power a couple more times to see how dramatic the destruction was - the power lights came on briefly then faded off. Bereft of life, the whole mess was returned to the ISP a second time.


So what happened? It seems unlikely that pressing the Dial button of a connected phone should send a strong enough spike through to the router to fry the external transformer. However, the two events seem directly linked - I pressed Dial and the router lights went out. Perhaps there was an inherent problem in the router (the cause of my connection troubles). Perhaps a small feedback signal from the phone created a short in the PCB which in turn shorted the transformer. I'm really not sure. Does this sound crazy?

On the plus side, I've now got a brand new router with updated software - and it works great, my connect speed seems even faster than before.

heyyyyyy!
if you soo much hide SICE, then it become like rootkit..!
this is, why simple renaming is BETTER! >secure

so, my suggestion is to create mostly RenamerPatcher(file&reg names,strings inside) + some Sice/bug/fixes

added a basic registry protection for dummy protectors cant see me doing write something what delete all entrys and restore it before softice is about to loading
its added as option to use
this will be the last update for a while if you see IceStealth is directly detected with something plz pm me

i recommended to use the DRx emulator from Deroko for DRx problems

download it from here :
http://deroko.phearless.org/dr7_mp_safe.rar

EDIT: removed IceStealth download plz see first post i will upload all newer versions to there

I don't like the sound of that. You say later that the lights went off on your router when you tried to press the phone dial button. I'm assuming you have a phone on which you press a button and the dial tone is heard, then you begin to dial. Mine is the older type where you pick up the receiver and the dial tone is heard in the handset receiver.

The first thing to consider is coincidence. I have seen enough of that in the electronics/electrical trade but the fact that an attached device was activated when the lights went out sounds a little too coincidental. In the older phone sets, when you lift the handset, a mechanical relay is activated and that tells the telco CO (Central Office) that a phone needs service. That action would actually activate a relay in the CO, called the 'A' relay, which would set off a sequence of action to get your dial tone from a separate source.

By pressing the button on your set, it must do something similar, although most CO's have been using electronic equipment for years in place of relays. So, you're normally sending control signals onto the telco line that wont harm other attached devices. Normally, attached devices also have filters and switches built-in to block interference from other attached equipment.

There are several ways things can go wrong. One problem that can arise, and which can be catastrophic to other equipment, is a reversed hot-neutral on your AC connector. In other words, if your telephone gets its power directly from the wall outlet (120 VAC), the prongs on the electrical cord are polarized so the hot is on one plug blade and ground (neutral) is on the other. Normally, the gold/bronze coloured connector is hot and the silver coloured one is neutral.

The neutral (which isn't a classic neutral) plays an important role in safety. At the Hydro connection, out at the transformer on the street, the secondary of the transformer is single phase and is a 240 volt centre tapped supply. The two ends of the 240 volt transformer are brought into the house with the centre-tapped conductor being the neutral. From neutral to either side of the 240 volt transformer there are two separate 120 volt sources.

At the main service panel, the neutral is immediately bonded to the service ground. From that point on, the neutral must never be connected to ground. The third prong you see on your wall outlet is the ground, and it's connected to the service ground at the panel. The neutral also goes back to that service ground at the panel, and although it is at ground potential as well, it must never touch that ground wire which connects all the third-prongs on the outlets.

If somewhere along the line, someone (usually a hacker) inadvertantly reverses the ground and hot wires, on even one outlet or connection, now we have a dangerous situation. The neutral conductor becomes the hot and the hot becomes the neutral. It's important that you buy yourself one of those polarity checkers from Home Depot or whatever, and test the outlets you use for polarity. It can be done with a volt meter, if you know what to look for.

On your phone, check to see how the power cord is aligned. Has anyone tampered with it? If it gets reversed, you can have an equally dangerous situation, both for human safety and for the equipment. Most electrical devices these days are made of plastic and that prevents shock. But all metal surfaces within the equipment must be connected to the service ground I mentioned earlier. If 120 volts gets on that metal somehow, there is the potential to blow the heck out of any attached equipment.

It's still not clear to me how your router is attached to telco. Are you saying you have a splitter at the telco outlet with the phone in one side of the splitter and the router on the other? Also, where is your DSL modem? Is it built in to the router? I have a separate DSL modem supplied by telco and my router is a Linksys from Cisco Systems which I bought from Future Shop. Your telephone should also be connected through a DSL filter, which you can get from telco or elsewhere. It keeps the DSL signal noise out of the telephone and might supply another level of protection for attached equipment.

From the sound of things, the router supplied by your ISP might not be up to snuff. With my router, which is both wireless and cable connectable, I can call it up from my browser by entering IP 192.168.1.1. Then I have access to a load of configurable items. I can set a password on it and the router has it's own firewall feature which adds to my software firewall.

When you can't access your router, it's usually a problem between Windoze and the router. I get that occasionally and I have to go through a rigamarole to fix it. I start out by disabling my Wireless Network Connection, then I shutdown my software firewall. I figure the router can protect me long enough to get back online. Then I fire up the firewall and enable the Wireless connection. That usually fixes it. If not, I shut down both the DSL modem and the router, and I might go as far as to reconfigure the router software. Sometimes it needs to find itself again.

If that fails, there is a process to reconfigure your TCP/IP stack through XP. I would think by this time that Msoft would have some wizards to do the job but more often than not it's a black art.

There's a decent chance your router may have been faulty and by plugging in a new power supply it may have been too much for it. The 18 volt supply could blow due to a short in the router, a blown rectifier diode in the module or a short in the step-down tranformer in the module. If it was brand new, however, I'd think it was the router shorting. Are you sure an 18 volt supply is the correct type? It sounds awful high for a router. I'm asking because devices use a regulator chip that will accept a broad range of input voltages from an external supply. If that supply is too large for the regulator, it all goes up in smoke, as you know.


A short in the router could be due to component failure or it could have been induced by catastrophic current being induced through the telco line from your telephone set. Or, some other currents could be coming in from telco itself. I've seen that happen.

When you press the phone button to get service, it signals the telco CO (central office) that you want service. Circuits are turned on to enable that and I'm thinking it's possible for their equipment to be blowing your router. Of course, they will deny that, but you could ask them to test the line. Whatever you do, make sure they are not going to charge you if they come out. If it's their router, the only thing they could charge you for is your telephone needing repair. If you can, borrow a cheap, old telephone set from someone. It's highly unlikely it will be defective whereas there is a chance that yours might be. If it is, they'll ding you.

hello there i just updated IceStealth to version 1.3
new things :

multi processor support
fixed 2 possible bugs
int41 killed


im not 100 % sure if the MP support cause a BSOD because i dont got a multi processor and i was only able to test with with a single cpu

so it would be nice if i get a few answers if this version cause a BSOD on MP system

Elenil, I'll answer your PM here in case anyone else wants to chip in.

I manually checked both Int41 IDT entries on my HyperThread enabled system and both were patched correctly (reverted to original HalpDispatchInterrupt). No BSOD's.

kd> dd KiProcessorBlock
gives both KPRCB's (thank you Opcode, http://www.woodmann.com/forum/showthread.php?p=46879#post46879)
KPRCB - 120h gives KPCR
KPCR + 38h gives IDT table address
IDT + 41h*8 gives Int41 address

Remember, my system is only a single CPU with HT, not a true MP dual core system, though as I mentioned, your algo should work for the other situations as well: MP+HT, MP-HT.

I then tested using xADT1.4 and the only test that failed was the one for FindSoftIceRegistryKeys.

I only tried Option 1, I don't want to mess with the others outside of a VM. From what I saw, only the Int41 protection was MP dependant, so that's all I was really checking for.

thank you for your answer Kayaker you always welcome to answer

with the registry problem you can try the last button "Option 1 with Registry Protection" or hit the "Hook Option 1" button first then start icestealth again and hit the "Load Basic Registry Protection" button.

note this only works for the hook buttons "Hook Option 1, Hook Option 2,Hook Option 1 NO BPM,Hook Option 2 NO BPM"
klicking a hook button again will conflict the code btw it will not work as it should

sorry for my bad readme information

if it still find a registry entry plz pm me i will see what i can do about it i protected all entrys i found to softice

new update is available: version 1.4
i added a complete new type of protection and made IceStealth more userfriendly
it should cheat the the most kernel spy toolz

thx to kayaker for testing IceStealth before it got released

download:
http://www.woodmann.com/collaborative/tools/IceStealth


if the new protection cause bsod plz pm me with code where it crashs + data

Thanks for the great tool! I'm not a huge Softice fan but one day, when I get more familiar with the kernel, I might start using it heavily and this tool might come in big handy.

Or....you could take the attitude, "Damn the torpedos, full speed ahead...crash and burn, crash and burn". That's how I approached the kernel (ring 0). You'll find it a lot more friendly in there under XP than it used to be and there's no better way to learn it than to be in there.

Just remember to turn off 'Enable write caching on the disk' under Device Manager/Disk Drives for each hard drive, otherwise you might get a nasty loss of data after a blue screen. Chkdsk is quite handy for recovering from those nasty events. Also, the hboot command in softice gets you out of a few fixes like that.

or simpply before starting rce session use sync.exe from sysinternals to flush cached files to disk, after that you are safe if you get bsod

hello there i just updated IceStealth again
it has overworked some routines added new types of protections ,winice.dat from me, lastest softice files (patched) , new options to use and i also added a option to not use the int1 patch for i1here users (for more details read readme.txt plz)
this is prolly the last update it was fun to work up to here
sadly softice is a pretty dead tool but anyway i like it
thx to Kayaker for testing IceStealth again before it got released

download:
http://www.woodmann.com/collaborative/tools/IceStealth

have fun

Very nice work!
Time to dust off my sice

Keep your work up

i could not hold back myself to update IceStealth after i found some errors :-)
i also did change some signatures so that it is atm not detected as possible malware
do not trust such issues !

here goes 1.6 version:
http://www.woodmann.com/collaborative/tools/IceStealth

Nice work as usual, and thanks for keeping its entry in the CRCETL updated too.

Hi Elenil,thank you for your work and IceStealth is a very useful tool. I'm using it(Ver 1.5) , for days and found no errors , it's just working wery well. And my question: Is it posible to get a copy of your source code ? I know that It'll be nicer to discuss issues on the forum but my english is so poor that i can't exchanged information with others very well.And to be a new learner ,I have very many questions on how it works. Perhaps I'm a littel lazy ^ ^.

And a bug in Ver 1.5: if a thread has it's own SST(witch was placed in nt!_KTHREAD's field "ServiceTable",offset 0e0h from begin of that structure on XP sp3 ),the hooks of IceStealth in system service table will no longer take effect on this thread.I fit this with my own tool but i just can't fit each Nt service that hooked by IceStealth ,becource i dont now how IceStealth works in those fuctions. I wanna to learn much more knowledge about kernel debug and anti—debug technology, so i have the first question.

It will be pleased to have your reply.

Hi Elenil,thank you for your work and IceStealth is a very useful tool. I'm using it(Ver 1.5) , for days and found no errors , it's just working wery well. And my question: Is it posible to get a copy of your source code ? I know that It'll be nicer to discuss issues on the forum but my english is so poor that i can't exchanged information with others very well.And to be a new learner ,I have very many questions on how it works. Perhaps I'm a littel lazy ^ ^.

And a bug in Ver 1.5: if a thread has it's own SST(witch was placed in nt!_KTHREAD's field "ServiceTable",offset 0e0h from begin of that structure on XP sp3 ),the hooks of IceStealth in system service table will no longer take effect on this thread.I fit this with my own tool but i just can't fit each Nt service that hooked by IceStealth ,becource i dont now how IceStealth works in those fuctions. I wanna to learn much more knowledge about kernel debug and anti—debug technology, so i have the first question.

It will be pleased to have your reply.

oh,sory about my poor eglish

I have a question for Elenil: I was fighting with this protection, whose forte appears to be anti-debug tricks. It is quite painful to trace and so far none of the usual debug hide tools (Olly Phantom hide debugger, and all I could find and try) SoftIce (IceExt definitely did no work). Syser and IDA with IDA stealth also bit the dust.
I was being able to painfully trace the code of the app, manually countering the anti-debug guards one at a time, but every time a new module was loaded or at random from other threads, the degugger would get discovered, and the app will pause all its threads so that Olly stopped working. . . (Claimed the app was running, but no thread was active). The App refuses even to start or install when SoftIce is in the system, so I could not even start tracing it with Sice.
Anyway, long story short, IceStealth did the trick, and the program loads and runs despite Sice (Huurrrray).
My question or request for suggestions to Elenil here is how could I figure out which anti-debug trick was it that IceStealth did solve?

can you be more precise about the problem of the SSDT ?
you mean a other driver has placed a ssdt entry before ?
you might use the "New Protection" it has a stronger protection and dont hooks SSDT´s (uncheck the SEH BPM protection)
im not sure atm if the 1.5 version supports NTKRNLPA and NTKRNLMP so i advice you to download the 1.6 version

1 word to the old protection: it only its still there cause is more compatible as the new protection

hi naides
well basicly IceStealth dont tell you if a detection apears but lemme ask you a few questions : did you load the new protection or old ? what protector does your target use ?
i collected the most detections in the IceStealth´s Readme(set breakpoints on these)
anyways the "New Protection" protect from a lot ring0/rootkit detections
like directly reading the PsLoadedModuleList or Listing Objects with OpenDirectoryObject (driver/device) also ObReferenceObjectByName and far more

i currectly improved the method for device objects but i could need some testers cause a other person has problems with it i did not release it yet

if you want to be a tester plz PM me with ICQ or MSN number

also i try to get the HWND command back
it already works perfect if you are in a ring3 application "addr" only dont work

i will try to fix that if i find time again
i could need some information in what ranges the TEB is set in windowsXP

i upload a beta to this answer plz note its a BETA if it get problems download the 1.6 from here:
http://www.woodmann.com/collaborative/tools/IceStealth

my english if ppl hasnt noted already isnt the best too

if any1 want to try the BETA! :
beta removed has bugs

replace the ntice drivers (in IceStealth´s "other" folder) in your system folder to get the hwnd command to work

I'll PM you my info. Of course I would like to be a tester.

take a look some codes in one version of NTKRNL bin file:
;_KiSystemService
.
.
.text:0046A564 64 8B 1D 1C 00 00 00 mov ebx, large fs:1Ch
.text:0046A56B 6A 3B push 3Bh
.text:0046A56D 8B B3 24 01 00 00 mov esi, [ebx+124h] ; esi -> nt!_KTHREAD
.
.
.
.text:0046A5BF 8B F8 mov edi, eax ; eax = system service ID
.text:0046A5C1 C1 EF 08 shr edi, 8
.text:0046A5C4 83 E7 30 and edi, 30h
.text:0046A5C7 8B CF mov ecx, edi
.text:0046A5C9 03 BE E0 00 00 00 add edi, [esi+0E0h] ; It is HERE,fetch nt!_KTHREAD.ServiceTable --- this ServiceTable is private for every thread
.text:0046A5CF 8B D8 mov ebx, eax
.text:0046A5D1 25 FF 0F 00 00 and eax, 0FFFh
.text:0046A5D6 3B 47 08 cmp eax, [edi+SERVICE_DESCRIPTOR_TABLE.TableSize]
.text:0046A5D9 0F 83 33 FD FF FF jnb _KiBBTUnexpectedRange
.
.
.text:0046A606 8B F2 mov esi, edx ; edx -> User stack
.text:0046A608 8B 5F 0C mov ebx, [edi+SERVICE_DESCRIPTOR_TABLE.ArgumentTable]
.text:0046A60B 33 C9 xor ecx, ecx
.text:0046A60D 8A 0C 18 mov cl, [eax+ebx] ; Arg num
.text:0046A610 8B 3F mov edi, [edi+SERVICE_DESCRIPTOR_TABLE.ServiceTable]
.text:0046A612 8B 1C 87 mov ebx, [edi+eax*4]
.text:0046A615 2B E1 sub esp, ecx
.text:0046A617 C1 E9 02 shr ecx, 2
.text:0046A61A 8B FC mov edi, esp
.text:0046A61C 3B 35 34 B1 48 00 cmp esi, ds:MmUserProbeAddress
.text:0046A622 0F 83 A8 01 00 00 jnb loc_46A7D0
.text:0046A628
.text:0046A628 loc_46A628: ; CODE XREF: _KiSystemService+373
.text:0046A628 ; DATA XREF: _KiTrap0E+10D
.text:0046A628 F3 A5 rep movsd
.text:0046A62A FF D3 call ebx ; call system service
.


1. I use old protection,so this situation may be not present in the new protection;
2. It shuld not be treated as a bug becouse the target process has KernelMod access rigth too, it can do anything as it can.


I'm a Novice so please forgive my reckless.

well i only can advice you to download 1.6 or higher the 1.5 version dont support NTKRLPA and NTKRNLMP or you PM me what you did to solve that and i then can think if this is senseful for the old protection

about the ntkrl error:
in 1.5 version this errors apears if NTKRNLPA or NTKRNLMP is used
connect to microsoft symbol server is blocked
the error also can apear is old protection was used and failed with a pdb file(always restart if a pdb error happens)

you can give IceStealth the files manual too
in IceStealth you have to create folder called \SYM there you put the 2 pdb files

You're a more advanced RE that I am so please take this for what it's worth. I don't understand why you could not load the app with sice. Did you try BPX _baseprocessstart ? You have to load a K32 nms file and use addr kernel 32 to get into the k32 context, then the _baseprocessstart func should appear listed with an exp *_baseproc* or sym *_baseproc*.

There have been problems lately with symbol loader in that it is not translating files like K32 correctly. It omits the names. I use ida2ice to get an nms file from IDA but it puts it's own peculiar names out in the nms file. That's why you need the exp or sym command to make sure it's available and to get its name right for the bpx command.

That gets you right to the first byte of any app's code after about 2 jumps (p - ret) over calls. I think it's the 3rd call you trace and when you do you're right at the start code. If not, there would appear to be a TLS issue. AFAIK, that's the only thing that will beat _baseprocessstart because the loading begins in the PE file.

deroko knows a lot about that as I'm sure kayaker does.

Hi Elenil,

Nice one on the HWND patch, it seems to work but I do see a couple of potential problems.

In explanation, the problem is that Softice uses a hardcoded address of 0x7ffde6e4 as the offset to TEB.Win32ClientInfo for use with the HWND command. This is based on an absolute value of 0x7ffde000 for the TEB/TIB, which is no longer valid in XPsp3, and possibly even in XPsp2. This was a bad omission by Numega not to fix that since I think the issue existed when they released their final ntice.sys patch version. This is the error that Elenil is trying to fix. A discussion of the problem can be found here:

http://www.woodmann.com/forum/showthread.php?t=9643


What you've done is to add a section to ntice.sys and divert the HWND command to find a valid address for TEB.Win32ClientInfo before passing it back to the rest of the function. You get the TEB from fs:18h, then add 6E4h to it and check for a valid Win32ClientInfo address by calling MmIsAddressValid.

That's fine as it stands, but it seems to me that the rest of the algorithm is uneeded and possibly in error. The instruction MOV EAX, FS:0X18 written in the patch in Softice *should* retrieve a valid TEB in the context in which the HWND command is issued. If the TEB is valid then the TEB.Win32ClientInfo offset should automatically be valid. Whether it contains a value or not is not important at this point since that will be evaluated by the rest of the HWND command.

All you need to do at that point is add 0x6E4 to the result and pass it back to the HWND command. Since this should only be a few lines of code, you don't even need to add a new section, but simply write it inline, overwriting the unneeded code you already wrote your JMP function onto.



The rest of the patch algorithm loops, but it seems to me will never be reached since the first part should have produced the correct answer - If MmIsAddressValid failed the first time, beginning at 7FFDA000h you add 6E4h and continue adding 1000h to check the next page until found. I may be wrong but from the disassembly it looks like the check for TEB.CLIENT_ID.Tid (is this what you were aiming for?) at [ebx+24h] actually points to an offset within the undocumented Win32ClientInfo structure. i.e. EBX is not the base TEB address is it?





One other small point about the patch. You use EBX and EDI but don't preserve those registers before passing control back to the original HWND function, which uses both of them later (EDI is supposed to equal 0, EBX is a previously filled variable).


I'm sorry if I'm missing something or don't understand the intent, but it seems all that is really needed is to change



to something like



Regards,
Kayaker

well basicly you got the little older version i wrote

the first 1 really was the 1 with the
mov eax, fs:0x18
add eax, 0x6E4
push eax

as written in the blog:
http://blogs.msdn.com/matt_pietrek/archive/2004/08/25/220330.aspx

but this returns 0 if you are in ring0 also if you use addr explorer or something its still 0

i then noted the patch requied need more space so i added a section called Elenil nice that you logged that

the 1.66 version (what is not released atm) has 2 variants to read the value
fs:18 (fs should be 30) + 6e4 (i noted some runs it cause bsod cause fs was 3b)
it then checks the result (some tester noted this not always works even if it has a value)

i noted that it mostly start from 7ffda000 to 7ffdf000
then i made something what calcs softice´s imports mmisaddresvalid
i also noted if its a valid client struct +24 must have a valid pointer
so 2 checks are done and finally it did work good for me

i didnt see side effects using the registers yet but the EDI is compared(maybe really a subject to change) after the function
but i see a other problem mmisaddressvalid will change some registers too
the only way would be to save the registers manual or using pushad command

edit: ok well nvm i didnt see side effects yet but i wrote something to restore the registers
update is available here:
http://www.woodmann.com/collaborative/tools/IceStealth