
Xine - issue #5 - Phile 108

Published in Xine · 7 months ago


┌-----------------------------┐
| Xine - issue #5 - Phile 107 |
└-----------------------------┘





comment


Yet another way to stop WinICE/SoftICE (in 9x).


Hiya puppies. Since SI uses software interrupt 1 to get control back after
each opcode (single-stepping) and interrupt 3 for breakpoints, you can make
SI useless by patching its handler code, which is apparently writable(!).

But erh, sadly this isn't true for NT/2k :( (at least, Win2k isn't very big
friends with the SIDT instruction).

Pretty easy: once you have the IDT base, find the int1 & int3 gates, and then
patch the first byte of the code they point to: an iretd (0cfh) if you are
friendly (no crash), or some other code (like a nop) to say bye to SI.

IMHO it's better to use iretd and to put the original byte back at the end of
your code, so SI still works afterwards and your code is less suspicious,
because there are pretty many SI'ers in the world. I guess :)

Well, see for yourself: tasm this code, pop up SI, bpint 3, run & trace...

Oh, and don't forget the possibility of BPM while defending; see my other
article.

many thanx to Marquis de Soiree, for being the best coder ever. (well, at
least: pretty skilled ;)

Lifewire/IKX , December 2000

.386p
.model flat

; call an imported API: declare it external, then call it
_call macro api
extrn api:proc
call api
endm

;----------------------------------------------------------------------------;
_CODE segment dword use32 public 'CODE'
start:
int 3                    ;bpint 3 do "rip ip+1"

; sidt stores 6 bytes: a 2-byte limit followed by the 4-byte linear base.
; storing at [esp-2] puts the base dword exactly at [esp], so the pop
; pulls the IDT base into eax
push eax
sidt [esp-2]
pop eax

mov cx,0cfcfh            ;cl = ch = 0cfh, the iretd opcode

; each IDT gate is 8 bytes: handler offset low word at +0,
; high word at +6 (the upper half of the dword at +4)
mov ebx,[eax+1*8+4]      ;int1: high word of the handler offset
mov bx,[eax+1*8]         ;      low word of the handler offset
xchg byte ptr [ebx],cl   ;swap in iretd, original byte is kept in cl

nop                      ;start skipping from here

mov edx,[eax+3*8+4]      ;int3: same dance
mov dx,[eax+3*8]
xchg byte ptr [edx],ch   ;original byte is kept in ch

nop

mov [edx],ch             ;put the original bytes back
mov [ebx],cl

nop                      ;here you have your best
                         ;friend back bwuhaha :)
push 0
_call ExitProcess

_CODE ends
;----------------------------------------------------------------------------;

;----------------------------------------------------------------------------;
_DATA segment dword use32 public 'DATA'

fill db ?
_DATA ends
;----------------------------------------------------------------------------;

end start
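To make the data layout the listing relies on explicit, here is an added example (not part of the article, not Lifewire's code) that decodes a 6-byte SIDT image and 32-bit IDT gate descriptors from constructed sample bytes. It reproduces in C what "pop eax" after "sidt [esp-2]" yields and what "mov ebx,[eax+n*8+4] / mov bx,[eax+n*8]" assembles, and adds a small entry-byte check of the kind a debugger or integrity monitor could use to notice that a handler's first byte no longer holds its expected opcode. The IDT base, limit, handler addresses and selector values are constructed and hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One 32-bit IDT gate descriptor is 8 bytes, little-endian:
   +0 offset[15:0]  +2 segment selector  +4 zero  +5 type/attr  +6 offset[31:16] */
#define IDT_GATE_SIZE 8
#define OPC_IRETD     0xCF   /* the byte the article swaps in */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Constructed SIDT image: limit 0x07FF (256 gates), base 0xC0000000 (hypothetical). */
const uint8_t sample_sidt[6] = { 0xFF, 0x07, 0x00, 0x00, 0x00, 0xC0 };

/* SIDT stores the 16-bit limit first, then the 32-bit base; storing the image at
   [esp-2] is what puts the base at [esp] so that "pop eax" picks it up. */
uint16_t idt_limit_from_sidt(const uint8_t img[6]) { return rd16(img); }
uint32_t idt_base_from_sidt(const uint8_t img[6])  { return rd32(img + 2); }

/* Handler linear address of vector n, done the way the listing does it:
   load the dword at +4 (attr word low, offset[31:16] high), then overwrite
   the low word with offset[15:0] from +0. */
uint32_t gate_handler(const uint8_t *idt, unsigned vector) {
    const uint8_t *g = idt + vector * IDT_GATE_SIZE;
    uint32_t hi_dword = rd32(g + 4);
    return (hi_dword & 0xFFFF0000u) | rd16(g);
}

uint16_t gate_selector(const uint8_t *idt, unsigned vector) {
    return rd16(idt + vector * IDT_GATE_SIZE + 2);
}

/* Fill one gate with constructed values (sample data, not a real IDT). */
static void make_gate(uint8_t *g, uint32_t handler, uint16_t selector, uint8_t attr) {
    g[0] = handler & 0xFF;          g[1] = (handler >> 8) & 0xFF;
    g[2] = selector & 0xFF;         g[3] = selector >> 8;
    g[4] = 0;                       g[5] = attr;
    g[6] = (handler >> 16) & 0xFF;  g[7] = (handler >> 24) & 0xFF;
}

/* A four-gate constructed IDT; vectors 1 and 3 get hypothetical handler addresses. */
const uint8_t *build_sample_idt(void) {
    static uint8_t idt[4 * IDT_GATE_SIZE];
    memset(idt, 0, sizeof idt);
    make_gate(idt + 1 * IDT_GATE_SIZE, 0xC0011234u, 0x0028, 0x8E);  /* int1: single-step */
    make_gate(idt + 3 * IDT_GATE_SIZE, 0xC0035678u, 0x0028, 0x8E);  /* int3: breakpoint  */
    return idt;
}

/* Integrity check: does the first byte of a handler still match what it
   should be? Returns 1 if it has been replaced (e.g. by iretd), 0 otherwise. */
int handler_entry_tampered(const uint8_t *handler_code, uint8_t expected_first_byte) {
    return handler_code[0] != expected_first_byte;
}

int main(void) {
    const uint8_t *idt = build_sample_idt();
    printf("IDT base 0x%08X limit 0x%04X\n",
           idt_base_from_sidt(sample_sidt), idt_limit_from_sidt(sample_sidt));
    printf("int1 handler 0x%08X sel 0x%04X\n", gate_handler(idt, 1), gate_selector(idt, 1));
    printf("int3 handler 0x%08X sel 0x%04X\n", gate_handler(idt, 3), gate_selector(idt, 3));

    /* constructed handler prologue: "push ebp" (0x55) as the expected entry byte */
    uint8_t handler[4] = { 0x55, 0x8B, 0xEC, 0x90 };
    printf("tampered before: %d\n", handler_entry_tampered(handler, 0x55));
    handler[0] = OPC_IRETD;
    printf("tampered after : %d\n", handler_entry_tampered(handler, 0x55));
    return 0;
}
```

The point of `gate_handler` is that the dword at +4 carries the offset's upper half in its high word and the gate attributes in its low word, which is why the listing loads a full dword and then clobbers the low 16 bits with the word at +0 instead of reading the two halves separately.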
