Compiling inline Assembly

Good answer danp,
that's what I tried to say, but even so… sometimes self-modifying code is
necessary ;).

Take for example the INT opcode.
If you need to call INT you can't do INT EAX; it must be INT <value>.
Once I did it as self-modifying code in one of my projects…

----- Original Message -----
From: danp
To: File Systems Developers
Sent: Friday, May 11, 2001 3:20 PM
Subject: [ntfsd] Re: Compiling inline Assembly

> It is not a question of “system file” or whatever, it is a question of page
> level protection. Starting with 486 CPUs, a new bit was introduced in CR0,
> the WP (Write Protect) bit, which, when set, prohibits even ring0 code from
> writing to read-only pages. This, combined with the fact that Win2k by
> default enforces write protection on the code section of binaries (the
> default, which can be modified through the EnforceWriteProtection registry
> key), will prevent writes to RO pages. Of course, this can be bypassed, but
> again, take our advice and forget this stuff, focus on a clean & reliable
> implementation of your toy. You don't need self-modifying code in a filter
> driver, you don't need ASM in it, you need a clean and, in the event this is
> an encryption filter, a good cryptographic approach.
>
> ----- Original Message -----
> From: “Satish”
> To: “File Systems Developers”
> Sent: Friday, May 11, 2001 2:14 PM
> Subject: [ntfsd] Re: Compiling inline Assembly
>
>
> >
> > > On May 10 Nuno the First wrote
> > >
> > > > I saw the answer about the _emit, good to know about it :wink: but here
> > > > is mostly the same way.
> > > >
> > > > __asm {
> > > >     jmp domodify
> > > > modifyhere:
> > > >     nop ; will become INT 20 (CDh, 20h)
> > > >     nop
> > > >     ret
> > > > domodify:
> > > >     mov BYTE PTR [modifyhere], 0xcd
> > > >     mov BYTE PTR [modifyhere+1], 0x20
> > > >     jmp modifyhere
> > > > }
> > > >
> > >
> > > In the code above the storage to modify would be in the code section.
> > > If I am not mistaken, modification of such storage is not possible
> > > under W2k (there’s a note in new DDK releases or an article in the
> > > knowledge base that the driver code sections are read only).
> > > _emit itself is used in the Win9x DDK to represent the VMM call.
> > >
> >
> > In Win2k if we overwrite a system file then it doesn’t allow it. The
> > above code is modifying itself at run time. I think that is possible.
> >
> > Regards,
> > Satish K.S
> >
> >
> > —
> > You are currently subscribed to ntfsd as: danp@jb.rdsor.ro
> > To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com
> >
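danp's point above, that a store into a read-only code page faults instead of being silently applied, can be observed from user mode on a POSIX system without going anywhere near a driver. The following is an added example written for this page, not code from the thread or from any of its authors. It assumes Linux/x86-64 with glibc (sigaction, sigsetjmp and siglongjmp are POSIX APIs, not Windows ones), and the names probe_write, probe_code_write, probe_data_write and patch_target are mine. It attempts the same kind of one-byte store into the code section that the quoted `mov BYTE PTR [modifyhere],0xcd` performs, catches the resulting fault, and reports whether the store was blocked; a store into ordinary data memory is probed the same way for contrast.

```c
/* Added example for this thread (not code from any of its authors).
 * Assumes a POSIX system such as Linux/x86-64 with glibc; sigaction,
 * sigsetjmp and siglongjmp are POSIX APIs, not Windows ones. */
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static sigjmp_buf recover;              /* resume point after a fault */
static volatile sig_atomic_t faulted;   /* set by the fault handler   */

/* Function whose first byte we try to overwrite. It is never called; it
 * exists only so that its address lies inside the executable .text section. */
static int patch_target(int x) { return x + 1; }

/* Ordinary writable data, probed for contrast. */
static unsigned char data_target[16];

static void on_fault(int sig) {
    (void)sig;
    faulted = 1;
    siglongjmp(recover, 1);             /* abandon the faulting store */
}

/* Store one byte through p (the value it already holds, so only the page
 * permission is exercised). Returns 1 if the store faulted, 0 if it went
 * through. SIGBUS is handled as well because some platforms report a
 * write to a read-only mapping that way rather than as SIGSEGV. */
int probe_write(volatile unsigned char *p) {
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    faulted = 0;
    if (sigsetjmp(recover, 1) == 0) {
        unsigned char b = p[0];
        p[0] = b;                       /* the probe: one byte into the page */
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return faulted ? 1 : 0;
}

/* 1 = the code section refused the write (the expected result). */
int probe_code_write(void) {
    return probe_write((volatile unsigned char *)(uintptr_t)&patch_target);
}

/* 0 = plain data accepted the write (the expected result). */
int probe_data_write(void) {
    return probe_write(data_target);
}

int main(void) {
    printf("store into .text : %s\n",
           probe_code_write() ? "blocked (page is read-only)" : "ALLOWED");
    printf("store into .data : %s\n",
           probe_data_write() ? "blocked" : "allowed (page is writable)");
    return 0;
}
```

Run as a normal process, the code-section probe reports the store as blocked and the data probe as allowed. On Windows the same user-mode experiment would need a vectored exception handler instead of sigaction; in kernel mode, which is what the thread is about, the controls are CR0.WP and the read-only mapping of driver code sections, and a driver that writes there takes a bug check (ATTEMPTED_WRITE_TO_READONLY_MEMORY) rather than a catchable signal.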

try and tell us :wink:
----- Original Message -----
From: Satish
To: File Systems Developers
Sent: Friday, May 11, 2001 1:14 PM
Subject: [ntfsd] Re: Compiling inline Assembly

> In Win2k if we overwrite a system file then it doesn’t allow it. The
> above code is modifying itself at run time. I think that is possible.
>
> Regards,
> Satish K.S

I am doing this for learning purposes.

  1. First I wanted to write file encryption/decryption (using some simple
     logic for encryption; I do not want to know more about cryptography).
     But it should work properly.
  2. I want to implement anti-debugging techniques (includes compression,
     hooking interrupts, self-modification).

Regards,
Satish K.S


> I am doing this for learning purposes.
>
>   1. First I wanted to write file encryption/decryption (using some simple
>      logic for encryption; I do not want to know more about cryptography).
>      But it should work properly.

When I wrote our encryption filter I encrypted files by adding 1 to each
byte and decrypted by decrementing by 1.
This is all that is needed for a simple encryption test.

>   2. I want to implement anti-debugging techniques (includes compression,
>      hooking interrupts, self-modification).

These won't require the driver to be fully written in assembler.
Linking in, or using inline assembly, should be sufficient.

Rob Linegar
Software Engineer
Data Encryption Systems Limited


Where in the registry is the “EnforceWriteProtection” registry key?

-----Original Message-----
From: danp [mailto:danp@jb.rdsor.ro]
Sent: Friday, May 11, 2001 8:20 AM
To: File Systems Developers
Subject: [ntfsd] Re: Compiling inline Assembly


HKLM\System\CurrentControlSet\Control\SessionManager\MemoryManagement\EnforceWriteProtection

----- Original Message -----
From: “Rob Fuller”
To: “File Systems Developers”
Sent: Friday, May 11, 2001 6:38 PM
Subject: [ntfsd] Re: Compiling inline Assembly

> Where in the registry is the “EnforceWriteProtection” registry key?

> 2) I want to implement anti-debugging techniques. (Includes compression,
> hooking interrupts, self-modification)

Useless waste of time IMHO. FS filters are complex enough even without it.
Such a thing deserves to exist in copy-protection stuff only, not in
encryption.

Max



Hello Elad,
Forgive me for disagreeing.
INTERUPT_TYPE Interupt=
{
    __asm _emit 0x01cdc390; // disassembles to int 01; ret; nop;
    __asm _emit 0x02cdc390;
    __asm _emit 0x03cdc390;
}

Interupt[1];

Regards,
Anders

Friday, May 11, 2001, 1:53:59 AM, you wrote:

EZ> Good answer danp,
EZ> that's what I tried to say, but even so… sometimes self-modifying code is
EZ> necessary ;).

EZ> Take for example the INT opcode.
EZ> If you need to call INT you can't do INT EAX; it must be INT <value>.
EZ> Once I did it as self-modifying code in one of my projects…


Best regards,
Anders mailto:xxxxx@flaffer.com



Not that this is correct assembly… I have not written asm in many years,
but this is how you can simulate an interrupt without modifying code; the
general idea:

main:
pushdf
push eax
ret

eax:
iret

Look Ma, no code section modification :slight_smile:

Jamey

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Elad Zucker
Sent: Friday, May 11, 2001 1:54 AM
To: File Systems Developers
Subject: [ntfsd] Re: Compiling inline Assembly


Thank you all for the inputs. I have got so many ideas from this.

Regards,
Satish K.S

----- Original Message -----
From: “Jamey Kirby”
To: “File Systems Developers”
Sent: Saturday, May 12, 2001 1:12 PM
Subject: [ntfsd] Re: Compiling inline Assembly
