Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results


SYSENTER problem

Emre_TINAZTEPE Member Posts: 12
Hi to everyone, I have read the Intel Manual for SYSENTER and wrote an appropriate hooking driver, but it seems that there is already something that I don't know. Before running the driver, I gave RDMSR 176 with WinDbg and got the value XXXXXXXX for IA32_SYSENTER_EIP; after loading the driver, I did the same thing and got YYYYYYYY (a different value), so I thought the hook worked, but when I re-ran RDMSR the value changed back to the first, and I saw that the value is changing between TWO values: once XXXXXXXX, once YYYYYYYY.
Is it because each processor has its own Model Specific Registers? My virtual machine has a dual CPU.
And the code is as follows...

#include <ntddk.h>

#define IA32_SYSENTER_EIP 0x176

/* Value read from IA32_SYSENTER_EIP before the hook (nt!KiFastCallEntry on a 32-bit kernel) */
ULONG DefaultKiFastCallEntry = 0;

void syshookUnload(IN PDRIVER_OBJECT DriverObject);

/* Naked: no prologue/epilogue, so control passes to the saved entry point unchanged. */
__declspec(naked) void HookFuntion(void) {
    //DbgPrint("Dikkat:Sistem Hooka girdi!");   /* "Attention: the system entered the hook!" */
    __asm jmp dword ptr DefaultKiFastCallEntry
}

void installSYSENTERhook(void) {
    __asm {
        mov ecx, IA32_SYSENTER_EIP          ; ecx selects the MSR
        rdmsr                               ; edx:eax = current value
        mov DefaultKiFastCallEntry, eax
        mov eax, HookFuntion                ; edx still holds the high dword from rdmsr
        wrmsr
    }
}

void uninstallSYSENTERhook(void) {
    __asm {
        mov ecx, IA32_SYSENTER_EIP          ; was missing: wrmsr with a stale ecx writes some other MSR
        xor edx, edx
        mov eax, DefaultKiFastCallEntry
        wrmsr
    }
}

NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);
    DriverObject->DriverUnload = syshookUnload;   /* without this the unload routine never runs */
    installSYSENTERhook();
    return STATUS_SUCCESS;
}

void syshookUnload(IN PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    uninstallSYSENTERhook();
}
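IA32_SYSENTER_EIP is a per-logical-processor register, and kd's rdmsr reads only the processor that is current, so a value that flips between two numbers on a two-CPU machine means the two processors hold different entry points. Added here as an integrity check, not part of the original post: a kd session (assuming a two-processor 32-bit target with kernel symbols loaded) that reads the MSR on each processor and resolves it; on an unmodified system every processor resolves to nt!KiFastCallEntry.

```windbg
$$ Expected system-call entry point on a 32-bit kernel
? nt!KiFastCallEntry

$$ Processor 0: read IA32_SYSENTER_EIP, then resolve the value to a symbol
~0s
rdmsr 176
$$ <value> is the number rdmsr printed; ln must report nt!KiFastCallEntry
ln <value>

$$ Processor 1: the register is per-processor, so it has to be read again here
~1s
rdmsr 176
ln <value>

$$ Any processor whose value resolves outside nt, or differs from the other
$$ processors, has had its SYSENTER target changed and should be investigated.
```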

Comments

  • Ken_Johnson Member - All Emails Posts: 1,559
    Why are you trying to hook the system call dispatcher?

    - S

    ---
    NTDEV is sponsored by OSR

    For our schedule of WDF, WDM, debugging and other seminars visit:
    http://www.osr.com/seminars

    To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
  • Emre_TINAZTEPE Member Posts: 12
    Not the thing you think :) I am reading undocumented nt secrets and rootkits (Hoglund); by the way, I am writing a blog in my own language http://zararliyazilim.wordpress.com to inform people about MALWARE, but I am new to the KERNEL, that is why I am trying to learn how it goes...
    You can look at the blog; isn't it odd to give your photo and real name???

    But i understand you... That sword is too dangerous, in bad hands...

    Thanks anyway...
  • Don_Burn_1 Member Posts: 4,311
    Well since both of those books offer techniques that crash on most versions
    of Windows, you are starting out pretty bad. Also, since you cannot figure
    out your original question it is likely you will not get a stable driver.


    --
    Don Burn (MVP, Windows DKD)
    Windows Filesystem and Driver Consulting
    Website: http://www.windrvr.com
    Blog: http://msmvps.com/blogs/WinDrvr



  • anton_bassov Member Posts: 5,008
    > i am writing a blog in my own language http://zararliyazilim.wordpress.com to inform people
    > about MALWARE,

    Well, if you write "in your own language", what are the chances that people would actually understand it
    (for example, I did not get a single word)....

    On a serious note, you chose pretty useless sources. The former one was a bit obsolete even at the time of its release in 1997, so that all the stuff it describes is quite unlikely to be used by a modern malware, simply because all these tricks are not going to work on present-day NT systems. Some tricks are really dumb, at least the way they are presented. For example, what is the point of entering a kernel without a driver if you still need a driver to make this trick work??? On systems before W2K3 SP2 you could do the whole thing from the UM from the beginning to the end, but starting from W2K3 SP2 UM code has no access to //Device//Physical memory regardless of account privileges, so that the whole thing is obsolete these days.

    The latter one is based upon BlackHat presentations - it does not describe anything that had not been earlier described on blackhat.com.


    In other words, you are very unlikely to tell people anything new here....


    Anton Bassov
  • NTDEV-26 Member Posts: 316
    > For example, what is the point of entering a kernel without a driver if you
    > still need a driver to make this trick work??? On systems before W2K3 SP2
    > you could do the whole thing from the UM from the beginning to the end, but
    > starting from W2K3 SP2 UM code has no access to //Device//Physical memory
    > regardless of account privileges, so that the whole thing is obsolete these
    > days.
    >
    > The latter one is based upon BlackHat presentations - it does not describe
    > anything that had not been earlier described on blackhat.com.
    >
    >
    > In other words, you are very unlikely to tell people anything new here....
    >

    Nothing is impossible, Blue Pill did the things from UM using Page File
    attack (Although MS later disallowed write access to raw sectors from UM
    starting vista rc2) and easily got into the kernel memory from user space.

    Regards
    Deepak
  • anton_bassov Member Posts: 5,008
    > Nothing is impossible, Blue Pill did the things from UM using Page File attack
    > (Although MS later disallowed write access to raw sectors from UM starting vista rc2)
    > and easily got into the kernel memory from user space.

    This is an endless race - someone discovers vulnerability; it gets fixed, then new vulnerability gets discovered and fixed and so on and so forth. My point is that the whole thing keeps on moving, so that
    you cannot rely upon the tricks that you could rely upon a decade ago...


    Anton Bassov
  • >>Although MS later disallowed write access to raw sectors from UM starting vista rc2

    They really did? I think it's not true for all sectors, and it is still possible to read/write the MBR from UM (obviously UAC plays a pivotal role).

    Thanks,
    Aditya
  • NTDEV-26 Member Posts: 316
    I am not sure, I don't think they have restricted write access to the MBR and
    other hidden sectors, but yeah, write access to all other portions of the volume
    was disallowed (again I am not sure, coming off from my faint memory).
    Regards
    Deepak

  • NTDEV-26 Member Posts: 316
    Yeah true, agreed
    Regards
    Deepak


  • Maxim_S._Shatskih Member Posts: 10,396
    >Nothing is impossible, Blue Pill did the things from UM using Page File attack (Although MS later
    >disallowed write access to raw sectors from UM starting vista rc2)

    Absolutely wrong, this is how restore process of disk imaging software works (in Win7/2008 R2 too).

    More so, this is how OS-provided FORMAT and CHKDSK /F work.

    Vista+ banned write (and IIRC read too) access _from \\.\PhysicalDrive%d name_ to the sectors belonging to the defined partition. You need to open this partition's volume and write through it.

    --
    Maxim S. Shatskih
    Windows DDK MVP
    xxxxx@storagecraft.com
    http://www.storagecraft.com
  • @Maxim
    >>Vista+ banned write (and IIRC read too) access _from \\.\PhysicalDrive%d name_ to the sectors belonging to the defined partition. You need to open this partition's volume and write through it.

    So that means they just banned writes to sectors which do not belong to any partition?

    Thanks
    Aditya
  • NTDEV-26 Member Posts: 316
    Sorry for being ambiguous, I meant PhysicalDrive%d objects only by "raw
    sector access to disks".

    Regards
    Deepak

  • Maxim_S._Shatskih Member Posts: 10,396
    > So that means they just banned the write to sectors which does not belongs to any partition?

    No, they banned writes _to the partitions_ via PhysicalDrive%d.

    Partition can be written only if opened by its volume or partition name.

    All of this is in partmgr.sys. In Vista+, disk.sys even cannot respond to "get drive layout" - this is now the job of PartMgr.

    --
    Maxim S. Shatskih
    Windows DDK MVP
    xxxxx@storagecraft.com
    http://www.storagecraft.com