SYSENTER problem

Hi everyone, I have read the Intel manual for SYSENTER and wrote an appropriate hooking driver, but it seems that there is still something I don't know. Before running the driver, I issued RDMSR 176 in WinDbg and got the value XXXXXXXX for IA32_SYSENTER_EIP; after loading the driver I did the same thing and got YYYYYYYY (a different value), so I thought the hook worked, but when I re-ran RDMSR the value changed back to the first one, and I saw that the value is changing between TWO values: once XXXXXXXX, once YYYYYYYY.
Is it because each processor has its own Model Specific Registers? My virtual machine has a dual CPU.
And the code is as follows…

#include <ntddk.h>

#define IA32_SYSENTER_EIP 0x176

ULONG DefaultKiFastCallEntry = 0;    /* original IA32_SYSENTER_EIP value (KiFastCallEntry) */

void syshookUnload(IN PDRIVER_OBJECT DriverObject);

/* Naked: no prologue/epilogue, so registers arrive exactly as SYSENTER left them. */
__declspec(naked) void HookFuntion(void) {

    //DbgPrint("Dikkat:Sistem Hooka girdi!");   /* "Attention: the system entered the hook!" */

    __asm jmp dword ptr DefaultKiFastCallEntry;   /* pass control on to the original dispatcher */

}

void installSYSENTERhook() {
    __asm {
        mov ecx, IA32_SYSENTER_EIP
        rdmsr                                 ; EDX:EAX <- MSR[ECX]; EDX is 0 on 32-bit
        mov DefaultKiFastCallEntry, eax       ; save the original entry point

        mov eax, offset HookFuntion           ; new entry point; ECX and EDX still valid
        wrmsr
    }
}

void uninstallSYSENTERhook() {
    __asm {
        mov ecx, IA32_SYSENTER_EIP            ; select the MSR again (was missing)
        xor edx, edx                          ; high half must be 0, not leftover garbage
        mov eax, DefaultKiFastCallEntry
        wrmsr
    }
}

NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);

    DriverObject->DriverUnload = syshookUnload;   /* without this the hook outlives the driver */
    installSYSENTERhook();

    return STATUS_SUCCESS;
}

void syshookUnload(IN PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);

    uninstallSYSENTERhook();

}
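
What the two alternating RDMSR readings imply, as an added example that is not part of the original post or of the poster's driver: IA32_SYSENTER_EIP is a per-logical-processor register, so the single WRMSR in DriverEntry only patches the CPU that DriverEntry happened to run on, and WinDbg reports the value of whichever processor it is currently sitting on (switch with `~1s` and repeat `rdmsr 176` to see both values). The C program below is a user-mode model of that, not driver code: each modeled CPU gets its own copy of MSR 0x176, `install_current_cpu_only()` mirrors the poster's `installSYSENTERhook()`, and `install_all_cpus()` does what a 32-bit driver would do with `KeSetSystemAffinityThread()` per processor, `__writemsr(0x176, hook)` and `KeRevertToUserAffinityThread()` (uninstall has to loop the same way). The two addresses are constructed stand-ins for XXXXXXXX and YYYYYYYY. Caveat: on x64 Windows, writing this MSR (or LSTAR) trips Kernel Patch Protection (bugcheck 0x109), so the technique only applies to 32-bit kernels.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * User-mode model of the per-CPU MSR behaviour (added example, not driver
 * code).  IA32_SYSENTER_EIP exists once per logical processor; RDMSR/WRMSR
 * act on the bank of whichever CPU executes them.
 */
#define IA32_SYSENTER_EIP 0x176
#define MAX_CPUS 8

/* Constructed stand-ins for the OP's XXXXXXXX and YYYYYYYY (not real addresses). */
#define KI_FAST_CALL_ENTRY 0x80541D60u
#define HOOK_FUNCTION      0xF7A21000u

typedef struct {
    int      ncpus;
    int      current;                 /* CPU the thread is currently pinned to */
    uint32_t sysenter_eip[MAX_CPUS];  /* one copy of MSR 0x176 per CPU */
} machine_t;

static void machine_init(machine_t *m, int ncpus)
{
    m->ncpus = ncpus;
    m->current = 0;
    for (int cpu = 0; cpu < ncpus; cpu++)
        m->sysenter_eip[cpu] = KI_FAST_CALL_ENTRY;  /* the kernel programs every CPU at boot */
}

static uint32_t rdmsr_eip(const machine_t *m)       { return m->sysenter_eip[m->current]; }
static void     wrmsr_eip(machine_t *m, uint32_t v) { m->sysenter_eip[m->current] = v; }

/* What the OP's installSYSENTERhook() does: one WRMSR on the CPU DriverEntry runs on. */
static void install_current_cpu_only(machine_t *m, uint32_t hook)
{
    wrmsr_eip(m, hook);
}

/*
 * What it should do: pin to each CPU in turn and write the MSR there.  In a
 * 32-bit driver: KeSetSystemAffinityThread((KAFFINITY)1 << cpu);
 * __writemsr(IA32_SYSENTER_EIP, hook); ... KeRevertToUserAffinityThread();
 */
static void install_all_cpus(machine_t *m, uint32_t hook)
{
    int saved = m->current;
    for (int cpu = 0; cpu < m->ncpus; cpu++) {
        m->current = cpu;
        wrmsr_eip(m, hook);
    }
    m->current = saved;
}

/* Post-install check a driver should make: every CPU must report the hook. */
static int all_cpus_report(machine_t *m, uint32_t expected)
{
    int saved = m->current, ok = 1;
    for (int cpu = 0; cpu < m->ncpus; cpu++) {
        m->current = cpu;
        if (rdmsr_eip(m) != expected) ok = 0;
    }
    m->current = saved;
    return ok;
}

/* What repeated "rdmsr 176" in WinDbg can reveal: how many distinct values exist. */
static int count_distinct_eip(const machine_t *m)
{
    int distinct = 0;
    for (int i = 0; i < m->ncpus; i++) {
        int seen = 0;
        for (int j = 0; j < i; j++)
            if (m->sysenter_eip[j] == m->sysenter_eip[i]) { seen = 1; break; }
        if (!seen) distinct++;
    }
    return distinct;
}

/* Scenario helpers: install one way or the other, report what is observable. */
static void run_scenario(machine_t *m, int ncpus, int per_cpu)
{
    machine_init(m, ncpus);
    if (per_cpu) install_all_cpus(m, HOOK_FUNCTION);
    else         install_current_cpu_only(m, HOOK_FUNCTION);
}
static int scenario_distinct(int ncpus, int per_cpu)
{
    machine_t m; run_scenario(&m, ncpus, per_cpu); return count_distinct_eip(&m);
}
static int scenario_all_hooked(int ncpus, int per_cpu)
{
    machine_t m; run_scenario(&m, ncpus, per_cpu); return all_cpus_report(&m, HOOK_FUNCTION);
}

int main(void)
{
    /* The OP's two-CPU VM: a single WRMSR leaves two values, per-CPU writes leave one. */
    printf("single WRMSR : %d distinct value(s), all hooked = %d\n",
           scenario_distinct(2, 0), scenario_all_hooked(2, 0));
    printf("per-CPU WRMSR: %d distinct value(s), all hooked = %d\n",
           scenario_distinct(2, 1), scenario_all_hooked(2, 1));
    return 0;
}
```

The same loop applies to the uninstall path: restoring DefaultKiFastCallEntry on one CPU only leaves the other CPU jumping into the driver's image after it has been unloaded.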

Why are you trying to hook the system call dispatcher?

S

-----Original Message-----
From: xxxxx@gmail.com
Sent: Saturday, September 19, 2009 12:51
To: Windows System Software Devs Interest List
Subject: [ntdev] SYSENTER problem

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Not the thing you think :) I am reading Undocumented NT Secrets and Rootkits (Hoglund); by the way, I am writing a blog in my own language, http://zararliyazilim.wordpress.com, to inform people about MALWARE, but I am new to the KERNEL, that is why I am trying to learn how it goes…
You can look at the blog; isn't it odd to give your photo and real name???

But I understand you… That sword is too dangerous in bad hands…

Thanks anyway…

Well since both of those books offer techniques that crash on most versions
of Windows, you are starting out pretty bad. Also, since you cannot figure
out your original question it is likely you will not get a stable driver.


Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr


> I am writing a blog in my own language http://zararliyazilim.wordpress.com to inform people about MALWARE,

Well, if you write “in your own language”, what are the chances that people would actually understand it (for example, I did not get a single word)…

On a serious note, you chose pretty useless sources. The former one was a bit obsolete even at the time of its release in 1997, so all the stuff it describes is quite unlikely to be used by modern malware, simply because all these tricks are not going to work on present-day NT systems. Some tricks are really dumb, at least the way they are presented. For example, what is the point of entering the kernel without a driver if you still need a driver to make this trick work??? On systems before W2K3 SP2 you could do the whole thing from UM from beginning to end, but starting from W2K3 SP2 UM code has no access to \Device\PhysicalMemory regardless of account privileges, so the whole thing is obsolete these days.

The latter one is based upon BlackHat presentations - it does not describe anything that had not been earlier described on blackhat.com.

In other words, you are very unlikely to tell people anything new here…

Anton Bassov

> For example, what is the point of entering the kernel without a driver if you
> still need a driver to make this trick work??? On systems before W2K3 SP2
> you could do the whole thing from UM from beginning to end, but
> starting from W2K3 SP2 UM code has no access to \Device\PhysicalMemory
> regardless of account privileges, so the whole thing is obsolete these
> days.
>
> The latter one is based upon BlackHat presentations - it does not describe
> anything that had not been earlier described on blackhat.com.
>
> In other words, you are very unlikely to tell people anything new here…

Nothing is impossible; Blue Pill did things from UM using the page file
attack (although MS later disallowed write access to raw sectors from UM
starting with Vista RC2) and easily got into kernel memory from user space.

Regards
Deepak

> Nothing is impossible; Blue Pill did things from UM using the page file attack
> (although MS later disallowed write access to raw sectors from UM starting with Vista RC2)
> and easily got into kernel memory from user space.

This is an endless race - someone discovers a vulnerability; it gets fixed, then a new vulnerability gets discovered and fixed, and so on and so forth. My point is that the whole thing keeps on moving, so that
you cannot rely upon the tricks that you could rely upon a decade ago…

Anton Bassov

>>Although MS later disallowed write access to raw sectors from UM starting vista rc2

They really did? I think it's not true for all sectors, and it is still possible to read/write the MBR from UM (obviously UAC plays a pivotal role).

Thanks,
Aditya

I am not sure; I don't think they have restricted write access to the MBR and
other hidden sectors, but yeah, write access to all other portions of the volume
was disallowed (again I am not sure, coming off from my faint memory).
Regards
Deepak

On Mon, Sep 21, 2009 at 12:41 PM, wrote:

> >>Although MS later disallowed write access to raw sectors from UM starting vista rc2
>
> They really did? I think it's not true for all sectors, and it is still possible
> to read/write the MBR from UM (obviously UAC plays a pivotal role).
>
> Thanks,
> Aditya

Yeah true, agreed
Regards
Deepak

On Mon, Sep 21, 2009 at 12:08 PM, wrote:

> This is an endless race - someone discovers a vulnerability; it gets fixed,
> then a new vulnerability gets discovered and fixed, and so on and so forth. My
> point is that the whole thing keeps on moving, so that
> you cannot rely upon the tricks that you could rely upon a decade ago…
>
> Anton Bassov

> Nothing is impossible; Blue Pill did things from UM using the page file attack (although MS later
> disallowed write access to raw sectors from UM starting with Vista RC2)

Absolutely wrong, this is how the restore process of disk imaging software works (in Win7/2008 R2 too).

More so, this is how the OS-provided FORMAT and CHKDSK /F work.

Vista+ banned write (and IIRC read too) access from the \\.\PhysicalDrive%d name to the sectors belonging to a defined partition. You need to open this partition’s volume and write through it.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

@Maxim

> Vista+ banned write (and IIRC read too) access from the \\.\PhysicalDrive%d name to the sectors belonging to a defined partition. You need to open this partition’s volume and write through it.

So that means they just banned writes to sectors which do not belong to any partition?

Thanks
Aditya

Sorry for being ambiguous, I meant PhysicalDrive%d objects only by “raw
sector access to disks”.

Regards
Deepak

On Tue, Sep 22, 2009 at 6:26 PM, Maxim S. Shatskih wrote:

> Vista+ banned write (and IIRC read too) access from the \\.\PhysicalDrive%d name
> to the sectors belonging to a defined partition. You need to open
> this partition’s volume and write through it.
>
> Maxim S. Shatskih
> Windows DDK MVP

> So that means they just banned the write to sectors which does not belongs to any partition?

No, they banned writes to the partitions via PhysicalDrive%d.

A partition can be written only if opened by its volume or partition name.

All of this is in partmgr.sys. In Vista+, disk.sys cannot even respond to “get drive layout” - this is now the job of PartMgr.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
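
Maxim's rule above (disk-handle writes refused for sectors inside a defined partition, volume-handle writes allowed, the MBR and unpartitioned sectors still writable through the disk handle), as an added example in C that models the check rather than reproducing partmgr.sys; nothing here is code from anyone in the thread. The disk layout is constructed. The `locked` flag stands for one exception taken from Microsoft KB 942448 rather than from the thread: a volume that has been locked with FSCTL_LOCK_VOLUME or dismounted is writable through `\\.\PhysicalDriveN` again, which is how imaging tools and FORMAT get their sectors on disk. Volume-handle writes have further restrictions of their own (file-system-claimed sectors) that are not modeled.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Model of the Vista+ raw-write rule as described in the thread (added
 * example, not partmgr.sys).  Offsets are bytes, as handed to WriteFile.
 */
#define SECTOR_SIZE 512u
#define MAX_PARTS   4

typedef struct {
    uint64_t start_lba;   /* first sector of the partition on the disk */
    uint64_t sectors;     /* partition length in sectors */
    int      locked;      /* FSCTL_LOCK_VOLUME held or dismounted (KB 942448 exception) */
} partition_t;

typedef struct {
    int         nparts;
    partition_t parts[MAX_PARTS];
} disk_layout_t;

/* Constructed MBR-style layout: MBR at LBA 0, first partition at 1 MiB (LBA 2048). */
static disk_layout_t sample_layout(void)
{
    disk_layout_t d = { 2, {
        { 2048,    2097152, 0 },   /* partition 1: 1 GiB */
        { 2099200, 1048576, 0 },   /* partition 2: 512 MiB, immediately after */
    } };
    return d;
}

/* Half-open sector ranges [a0,a1) and [b0,b1) intersect. */
static int ranges_overlap(uint64_t a0, uint64_t a1, uint64_t b0, uint64_t b1)
{
    return a0 < b1 && b0 < a1;
}

/* Raw I/O must be a whole number of sectors at a sector boundary. */
static int aligned(uint64_t offset, uint32_t length)
{
    return length != 0 && offset % SECTOR_SIZE == 0 && length % SECTOR_SIZE == 0;
}

/*
 * Write through the disk name (PhysicalDriveN): the offset is absolute.
 * Refused if any sector of the request lies in a partition that is not
 * locked; the MBR, the gap before LBA 2048 and an unpartitioned tail stay writable.
 */
static int disk_write_allowed(const disk_layout_t *d, uint64_t offset, uint32_t length)
{
    if (!aligned(offset, length))
        return 0;
    uint64_t lba = offset / SECTOR_SIZE;
    uint64_t end = lba + length / SECTOR_SIZE;
    for (int i = 0; i < d->nparts; i++) {
        const partition_t *p = &d->parts[i];
        if (!p->locked && ranges_overlap(lba, end, p->start_lba, p->start_lba + p->sectors))
            return 0;
    }
    return 1;
}

/*
 * Write through the partition's own volume name (C: or HarddiskVolumeN):
 * the offset is relative to the partition start and must not run past its end.
 */
static int volume_write_allowed(const disk_layout_t *d, int part, uint64_t offset, uint32_t length)
{
    if (part < 0 || part >= d->nparts || !aligned(offset, length))
        return 0;
    uint64_t end = offset / SECTOR_SIZE + length / SECTOR_SIZE;
    return end <= d->parts[part].sectors;
}

/* Helpers over the constructed layout; lock_part = -1 means no volume is locked. */
static int sample_disk_write(uint64_t offset, uint32_t length, int lock_part)
{
    disk_layout_t d = sample_layout();
    if (lock_part >= 0 && lock_part < d.nparts)
        d.parts[lock_part].locked = 1;
    return disk_write_allowed(&d, offset, length);
}
static int sample_volume_write(int part, uint64_t offset, uint32_t length)
{
    disk_layout_t d = sample_layout();
    return volume_write_allowed(&d, part, offset, length);
}

int main(void)
{
    printf("MBR via disk handle:               %d\n", sample_disk_write(0, SECTOR_SIZE, -1));
    printf("LBA 2048 via disk handle:          %d\n", sample_disk_write(2048ull * SECTOR_SIZE, SECTOR_SIZE, -1));
    printf("LBA 2047-2048 via disk handle:     %d\n", sample_disk_write(2047ull * SECTOR_SIZE, 2 * SECTOR_SIZE, -1));
    printf("same sector via volume 1 handle:   %d\n", sample_volume_write(0, 0, SECTOR_SIZE));
    printf("LBA 2048 via disk, volume locked:  %d\n", sample_disk_write(2048ull * SECTOR_SIZE, SECTOR_SIZE, 0));
    return 0;
}
```

The two-sector case starting at LBA 2047 is the one worth noticing: a request is refused as soon as any sector of it falls inside a partition, so a bootkit-style write that covers the MBR plus the start of the first partition fails even though the MBR alone is writable.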