
Anti Sice causes rebooting.....


crUsAdEr
March 9th, 2002, 06:08
Hi folks,

Recently I have encountered a few progs that cause a reboot when sice is detected... I reckon that to find out where the anti-sice code is, I have to trace the code, but the thing is that each time I pass the anti-sice code while tracing, I get a reboot, and it is really annoying as well as unhealthy for my system.. Is there a way to stop the program from rebooting my comp?

I have found System Mechanic, which causes a reboot, but it uses the simple MeltICE trick so it's not that much of a problem; but SoftLocx has many layers of anti-sice code, using the IDT etc..., and Flash XP (tELock???) also reboots my system...

So could someone tell me what to do with those underhanded tricks??? I would rather spend my time studying the real code than bypassing these annoying tricks....

Thanx guys,

foxthree
March 9th, 2002, 08:20
Hi binh81:

I'm sure you know this already but just in case,

If you're running on Win98, try +Frog's Ice (protools.cjb.net). It masks SICE from *most* tricks.

Otherwise, +spl/\j guru has written a message somewhere here (answering Solomon, I think) about patching SoftICE to make it invisible. He has also attached a detect.zip or something like that which would automate the patching process for SICE.

Just search with those keywords in the forum...

Still if SoftICE is detected, then we'll see ;-)

Signed,
-- FoxThree

foxthree
March 9th, 2002, 08:21
Sorry I forgot to mention, you could also try ICEDump with /protect on....

Signed,
-- FoxThree

Kayaker
March 9th, 2002, 08:40
Hi binh81

This brings up some interesting possibilities. While there are many ways to detect SI, there's probably only a handful of ways to reboot your system. To continue tracing in such an app I guess you'd have to deal with each situation individually, but it would be nice to have a general protection that would hook the reboot attempt and at least allow you to kill the app before it had the chance to execute the full reboot sequence.

One way an app can reboot your system is by sending the SoftICE HBOOT command via the BCHK interface with AL=0Eh (the "Execute a SoftICE command" service). I've rebooted my own computer several times while testing this one out, lol. But since this uses the INT 3 BCHK trick, we've already got protections against that (or patch winice).

I seem to remember System Mechanic used FindCloseChangeNotification after the Meltice detection to reboot. I'm not sure of the exact sequence of events, but in theory this, or some other API could be hooked and give the user the option of killing the app if this led to a reboot.

Rather than hooking it, one could also do as Harlequin did with patching Kernel32.dll to intercept calls to TerminateProcess, checking the ProcessId to see if the call came from a target app he was trying to protect against.

It would take a bit of research to come up with a list of APIs or other system calls that might be good candidates for hooking into if they are used during a reboot sequence, but it might be an interesting exercise. What about when you choose a normal Shutdown or Restart, does anyone know the exact sequence that occurs when you do this? I believe ExitWindowsEx is probably used in this case.

Cheers,
Kayaker

foxthree
March 9th, 2002, 12:21
Hi binh81/Kayaker:

Kayaker: Your post makes interesting reading.

Here is my contribution.

Look up API -> InitiateSystemShutdown.

However, if I'm a protector, I'd be pissed to see SoftICE running. So instead of calling any API to gracefully shut down the system, all I need to do is to create a BSOD sequence. This can be done in "n" ways and it would be impossible - I think - to track each and every way of BSODing. (May be easier to track in Win98, but in NT/2K keep guessing ;-) )

Sorry, I'm not making things better but just thinking out aloud. However, IMHO, a better way to tackle this would be to *really fix* the SICE detection routines. We already have a list of such detection routines -- what we need to do is to enhance the list with each find (such as int20's crackme) :-<

Signed,
-- FoxThree

crUsAdEr
March 9th, 2002, 12:52
Hi guys, thanx for your replies,

Yeah, I am running on Win2K SP2 with a GeForce 2 gfx card, so no FrogsICE or ICEDump for me :<... I have applied Spl/\j's trick to hide DS2.5, but I don't think it is that effective; there are still other ways of detecting sice. So far SoftLocx has been the most annoying one...

Yeah, like Kayaker said, I was looking for something to hook the reboot APIs and kill the app before it reboots my computer.... but alas, I don't think my level of asm is proficient enough to attempt to patch kernel32.dll yet :>.. I'd probably cause more reboots and BSODs that way :>... guess I will have to live with it for now....

Thanx guys,