Re[4]: hooking and getting caller context

Hello ntdev,

Saturday, December 25, 2004, 10:38:41 AM, you wrote:

DP> For various reasons, your approach is flawed for the purpose of stack
DP> protection.
DP> Don't waste your time.

I know there are some problems, but generally it is a very interesting
approach…
http://www.blackhat.com/presentations/bh-usa-04/bh-us-04-silberman/bh-us-04-silberman-paper.pdf

so please don’t regulate how I have to use my time!

is there a way to get the virtual memory and the thread context before
SYSENTER gets executed?

>>>this is a copy from ZwCreateFile.ntdll
>>> 7C90EB8B >/$ 8BD4 MOV EDX,ESP
>>> 7C90EB8D |. 0F34 SYSENTER
>>> 7C90EB8F |. 90 NOP
>>> 7C90EB90 |. 90 NOP
>>> 7C90EB91 |. 90 NOP
>>> 7C90EB92 |. 90 NOP
>>> 7C90EB93 |. 90 NOP
>>> 7C90EB94 >$ C3 RETN

I’m sure that is possible, because the context has to be restored
when entering ring 3 again…
so please tell me some functions, or concepts…links etc.

best regards, stefan

DP> Dan

DP> ----- Original Message -----
DP> From: “Sellmer Stefan”
DP> To: “Windows System Software Devs Interest List”
DP> Sent: Friday, December 24, 2004 3:59 PM
DP> Subject: Re[2]: [ntdev] hooking and getting caller context

>> Hello Dan,
>>
>> Friday, December 24, 2004, 2:11:35 PM, you wrote:
>>
>> I want to trace back the call stack,
>> so I need ESP and EBP.
>>
>> In the end it should run as a kind of stack protection.
>>
>> DP> Hooking is bad, bad, bad. Most likely you would be able to solve your
>> DP> problem in another, safer, documented way.
>>
>> every solution is welcome :wink:
>>
>> best regards,stefan
>>
>> DP> Hooking is bad, bad, bad. Most likely you would be able to solve your
>> DP> problem in another, safer, documented way.
>> DP> Yes, it is possible to get the user mode CPU context of the calling
>> DP> thread.
>> DP> But what do you want to accomplish?
>>
>> DP> Dan
>>
>>
>> DP> ----- Original Message -----
>> DP> From: “Sellmer Stefan”
>> DP> To: “Windows System Software Devs Interest List”
>> DP> Sent: Friday, December 24, 2004 3:03 PM
>> DP> Subject: [ntdev] hooking and getting caller context
>>
>>
>>>> Hello ntdev,
>>>>
>>>> I’m new to this list and to driver development.
>>>>
>>>> I hooked ZwCreateFile in the ServiceDescriptorTable.
>>>> Is it now possible to get the thread context of the user-mode
>>>> program which called ZwCreateFile?
>>>>
>>>>
>>>> this is a copy from ZwCreateFile.ntdll
>>>> 7C90EB8B >/$ 8BD4 MOV EDX,ESP
>>>> 7C90EB8D |. 0F34 SYSENTER
>>>> 7C90EB8F |. 90 NOP
>>>> 7C90EB90 |. 90 NOP
>>>> 7C90EB91 |. 90 NOP
>>>> 7C90EB92 |. 90 NOP
>>>> 7C90EB93 |. 90 NOP
>>>> 7C90EB94 >$ C3 RETN
>>>>
>>>> Is it possible to get exactly all registers before SYSENTER gets called?
>>>> I.e. the thread context…
>>>>
>>>> can anybody please give me a hint??
>>>>
>>>> best regards
>>>>
>>>>
>>>> —
>>>> Questions? First check the Kernel Driver FAQ at
>>>> http://www.osronline.com/article.cfm?id=256
>>>>
>>>> You are currently subscribed to ntdev as: xxxxx@rdsor.ro
>>>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>>
>> –
>> Best regards,
>> Sellmer mailto:xxxxx@gmx.net
>>

Best regards,
Sellmer mailto:xxxxx@gmx.net

Try to backtrace in Windows XP through 10 system DLLs without symbols, and
you will see that you will fail in many situations. Keep in mind that EBP
can be used by optimizing compilers as a general purpose register. Many
functions will have FPO optimizations in place. You will find out that for
(too) many situations, the original caller EIP cannot be retrieved without
using symbolic debug info, thus you can't determine accurately if the code
is running on stack or not. You can guarantee only one level of accuracy,
that's it.

I don't regulate how you use your time; I point to a flawed approach.

Dan

----- Original Message -----
From: “Sellmer Stefan”
To: “Windows System Software Devs Interest List”
Sent: Saturday, December 25, 2004 2:10 PM
Subject: Re[4]: [ntdev] hooking and getting caller context

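An added example, not code from this thread or from any product it mentions: a C program that walks a constructed 32-bit stack image the way a symbol-less backtrace from a syscall hook would have to. It assumes the XP-style stub layout implied by the listing quoted above (the Zw stub reaches the MOV EDX,ESP / SYSENTER sequence through a call, so at SYSENTER [ESP] is the return into the stub and [ESP+4] is the stub's caller) and standard push ebp / mov ebp,esp frames. The function names, addresses, argument values and the "funcB keeps a loop counter in EBP" scenario are all constructed. It shows the situation Dan describes: the immediate caller is always available, a frame built with FPO breaks the EBP chain at the first frame that repurposed the register, and a bounds-checked walker can stop safely but cannot recover the callers above that point.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed 32-bit stack image; nothing here is captured from a real process.
 * Word 0 sits at the user-mode ESP the kernel sees at SYSENTER; higher indices
 * are higher addresses. All code addresses are made-up placeholders. */
#define STACK_BASE     0x0012F000u   /* address of word 0 (constructed) */
#define NWORDS         18u

#define RET_NTDLL_STUB 0x7C90E4F4u   /* return into the ntdll Zw stub (constructed) */
#define RET_FUNC_C     0x00401234u   /* return into funcC, the real caller of ZwCreateFile */
#define RET_FUNC_B     0x00401300u   /* return into funcB */
#define RET_FUNC_A     0x00401400u   /* return into funcA */
#define RET_MAIN       0x00401500u   /* return into main */
#define RET_CRT        0x00401F00u   /* return into the CRT start-up code */

static uint32_t word_addr(size_t idx) { return STACK_BASE + (uint32_t)(idx * 4u); }

/* Lay out the frames for the chain CRT -> main -> funcA -> funcB -> funcC -> Zw stub.
 * With fpo_funcb == 0 every function uses "push ebp / mov ebp,esp", so each frame
 * holds a saved-EBP link followed by a return address. With fpo_funcb != 0, funcB
 * was built with frame-pointer omission and keeps a loop counter in EBP; funcC
 * still saves EBP faithfully, but what it saved is that counter, not a frame link. */
static void build_stack(uint32_t *s, int fpo_funcb)
{
    for (size_t i = 0; i < NWORDS; i++) s[i] = 0xCCCCCCCCu;   /* unused words */
    s[0]  = RET_NTDLL_STUB;              /* pushed by the stub's call into the SYSENTER code */
    s[1]  = RET_FUNC_C;                  /* pushed by funcC's "call ZwCreateFile" */
    s[2]  = 0x0012FF40u;                 /* first few ZwCreateFile arguments (constructed) */
    s[3]  = 0x80100080u;
    s[4]  = 0x0012FF20u;
    s[5]  = 0x00000000u;                 /* a funcC local */
    s[6]  = fpo_funcb ? 0x00000010u      /* funcC's saved EBP: funcB's loop counter ... */
                      : word_addr(9);    /* ... or a real link to funcB's frame */
    s[7]  = RET_FUNC_B;                  /* funcC's return address */
    s[8]  = 0x00000001u;                 /* funcB local */
    s[9]  = fpo_funcb ? 0x00000002u      /* another funcB local ... */
                      : word_addr(12);   /* ... or funcB's saved EBP -> funcA's frame */
    s[10] = RET_FUNC_A;                  /* funcB's return address */
    s[11] = 0x00000003u;                 /* funcA local */
    s[12] = word_addr(14);               /* funcA's saved EBP -> main's frame */
    s[13] = RET_MAIN;                    /* funcA's return address */
    s[14] = 0x00000000u;                 /* main's saved EBP: end of chain */
    s[15] = RET_CRT;                     /* main's return address */
}

/* Walk the frame chain the way a symbol-less backtrace must: out[0] is [ESP+4],
 * the caller of the Zw stub, which is always readable from the user ESP in the
 * trap frame; every further entry comes from a saved-EBP / return-address pair
 * and is only meaningful if that frame was built with a frame pointer.
 * Returns the number of return addresses written. */
static size_t walk_frames(const uint32_t *s, uint32_t esp, uint32_t ebp,
                          uint32_t *out, size_t max)
{
    const uint32_t lo = STACK_BASE, hi = STACK_BASE + NWORDS * 4u;
    size_t n = 0;
    if (max == 0 || esp < lo || esp + 8u > hi || (esp & 3u) != 0) return 0;
    out[n++] = s[(esp - lo) / 4u + 1];
    while (n < max && ebp >= lo && ebp + 8u <= hi && (ebp & 3u) == 0) {
        size_t i = (ebp - lo) / 4u;
        out[n++] = s[i + 1];          /* [EBP+4]: return address of this frame */
        uint32_t next = s[i];         /* [EBP]:   saved EBP of the caller's frame */
        if (next <= ebp) break;       /* a genuine link always points higher up */
        ebp = next;
    }
    return n;
}

/* Helpers so each scenario can be checked by value. */
static size_t count_frames(int fpo_funcb)
{
    uint32_t s[NWORDS], out[8];
    build_stack(s, fpo_funcb);
    return walk_frames(s, word_addr(0), word_addr(6), out, 8);
}

static uint32_t frame_at(int fpo_funcb, size_t k)
{
    uint32_t s[NWORDS], out[8];
    build_stack(s, fpo_funcb);
    size_t n = walk_frames(s, word_addr(0), word_addr(6), out, 8);
    return k < n ? out[k] : 0u;
}

int main(void)
{
    for (int fpo = 0; fpo < 2; fpo++) {
        printf("funcB %s frame pointer:\n", fpo ? "without" : "with");
        size_t n = count_frames(fpo);
        for (size_t k = 0; k < n; k++)
            printf("  return address %zu: 0x%08X\n", k, (unsigned)frame_at(fpo, k));
    }
    return 0;
}
```

With frame pointers everywhere the walker recovers all five return addresses; with funcB built FPO it stops after two, because the value funcC saved as "EBP" is a counter that points below the current frame. The higher-address check stops the walk from chasing a counter or heap pointer into unmapped memory on a real stack, but it cannot tell an FPO frame's locals from a genuine saved EBP when the value happens to look like a stack address, which is why only the first level can be guaranteed without symbolic debug info.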

As Dan points out, there are a lot of problems with this approach. Also, be
aware that the paper you cite is definitely based on old technology, and is
highly simplified. Yes, many system calls treat the stack the way the paper
implies, but having hooked all the system calls in Windows 2000 for a
security effort (something I would never do again), be aware that there are
a ton of special cases that will bite you. After reading the paper, my
reaction is that the products they mention will never be on any system I
control!


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply

“Dan Partelly” wrote in message news:xxxxx@ntdev…
> Try to backtrace in Windows XP through 10 system DLLs without symbols, and
> you will see that you will fail in many situations. Keep in mind that EBP
> can be used by optimizing compilers as a general purpose register. Many
> functions will have FPO optimizations in place. You will find out that for
> (too) many situations, the original caller EIP cannot be retrieved without
> using symbolic debug info, thus you can't determine accurately if the code
> is running on stack or not. You can guarantee only one level of accuracy,
> that's it.
>
> I don't regulate how you use your time; I point to a flawed approach.
>
> Dan

Sellmer Stefan wrote:

DP> For various reasons, your approach is flawed for the purpose of stack
DP> protection.
DP> Don't waste your time.

I know there are some problems, but generally it is a very interesting
approach…
http://www.blackhat.com/presentations/bh-usa-04/bh-us-04-silberman/bh-us-04-silberman-paper.pdf

so please don’t regulate how I have to use my time!

Hey Stefan… Let ME regulate how you use your time: Do your homework
before posting in the forum, OK? Like, how about searching the archive
for “hook” or “hooking”? If you STILL want to ask a question on this
topic, do so.

As others have already pointed out, you’re not likely to make what
you’re trying to do work. And, in case you’re not aware, “stack
protection” (at least in my definition) is already part of Windows…

Peter
Senior Distinguished List Slave