Xine - issue #5 - Phile 108

Published in

· 6 months ago

 

                                             Ú-----------------------------¿ 
                                             | Xine - issue #5 - Phile 107 | 
                                             À-----------------------------Ù 

 

 

comment ÿ 

 
 Yet another way to stop WinICE/SoftICE (in 9x). 

 
 Hiya puppies, since SI uses software interrupts 1 to get control back after 
 an opcode, and 3 for breakpoints. You can make SI useless by patching its  
 code which is appearently writable(!). 

 but erh, saddly this isn't true for nt/2k :( (at least, win2k isn't big very 
 big friends with the SIDT instruction) 

 Pretty easy: find int1 & int3 after you have the IDT, and then patching the 
 code pointed by them to an iretd (0cfh) if you are friendly (no crash), or 
 some other code (like a nop) and saying bye to SI. 

 IMHO its better to use iretd, and replacing the original code back on the 
 end of your code, so SI still works, and, you code is less suspicious 
 because there are pretty much SI'ers in the world. i guess :) 

 Well, look for your self, tasm this code, popup SI, bpint3, run & trace... 

 Oh, and, don't forget the possiblity of BPM while defending, see my other 
 article. 

 many thanx to Marquis de Soiree, for being the best coder ever. (well, at 
 least: pretty skilled ;) 

 Lifewire/IKX , December 2000ÿ 

.386p 
.model flat 
_call   macro   api 
        extrn   api:proc; 
        call    api 
        endm 

;----------------------------------------------------------------------------; 
_CODE   segment dword use32 public 'CODE' 
start: 
        int     3                               ;bpint 3 do "rip ip+1" 

        push    eax 
        sidt    [esp-2] 
        pop     eax 

        mov     cx,0cfcfh 

        mov     ebx,[eax+1*8+4]                 ;int1 
        mov     bx,[eax+1*8] 
        xchg    byte ptr [ebx],cl 

        nop                                     ;start skipping from here 

        mov     edx,[eax+3*8+4]                 ;int3 
        mov     dx,[eax+3*8] 
        xchg    byte ptr [edx],ch 

        nop 

        mov     [edx],ch 
        mov     [ebx],cl 

        nop                                     ;here you have your best  
                                                ;friend back bwuhaha :) 
        push    0 
        _call   ExitProcess 

_CODE   ends 
;----------------------------------------------------------------------------; 

;----------------------------------------------------------------------------; 
_DATA   segment dword use32 public 'DATA' 

fill    db      ? 
_DATA   ends 
;----------------------------------------------------------------------------; 

        end     start 
        end