dosin 26 Nov 2009, 18:26
Basically I am trying to use iret to switch from ring 0 to ring 3,

but 1st I want to get it working in ring 0..

So my question is - Is there more that needs to be pushed on the stack before the iret -

   push  SS 
   push  ESP 
   push  EFLAGS 
   push  CS 
   push  EIP 

or is this all that's needed...

Thanks in advance...

XanClic 26 Nov 2009, 18:46
This is all you need, even for ring 3. To use iret in ring 0, you just need
push  EFLAGS
push  CS
push  EIP
dosin 27 Nov 2009, 01:31

egos 27 Nov 2009, 12:01
dosin, you must push the usermode selectors (with RPL=3) and correct flags (IF=1, etc.)
edfed 27 Nov 2009, 14:50
esi for int40 seems to be relative addressing, a pointer, but relative to what?

eax for int41 seems to be just an immediate value, so it doesn't need a segment to be initialized.

maybe the problem is there...
dosin 27 Nov 2009, 19:28
dosin 05 Dec 2009, 05:46

edfed 05 Dec 2009, 07:11
sysenter executes a fast call to a level 0 system procedure, sysexit executes a fast return to level 3 user code.

is it what you try to do?
XanClic 05 Dec 2009, 13:09
dosin wrote:
When you iret to change to ring 3, how do you use the TSS struct so that all the data in the TSS struct is used by the iret / the app that uses it?

As far as I know you don't need a TSS to switch to ring 3. It's only required when switching to ring 0 from ring 3, because ESP and SS for ring 0 are stored there.
But I think you don't need a TSS to go back to ring 3 and hence it's also not used by the CPU.
dosin 05 Dec 2009, 19:09
Everything is good now - I can access all the rings 0 -3

Very Happy Very Happy Very Happy Very Happy Very Happy
Pirata Derek 10 Jan 2010, 15:25
Some drivers I wrote have a routine to return from any ring.
See the NATIVE API INTERCEPTOR (incomplete) project, and check for the

ReturnFromDriver function (old version) or
ReturnFromKernelMode function

Or the INTERRUPT HOOKER DRIVER (incomplete) project

Check there: http://board.flatassembler.net/topic.php?p=97618#97618

If you want some help making the IRET stack for virtual mode, ask me...

I'll complete these incomplete projects
Pirata Derek 10 Jan 2010, 15:47

I hope this will be useful for you to continue all your other projects.
 ; ***********************************************
 ; *                                             *
 ; *   INTERRUPT HOOKER Driver  -  version 3.2   *
 ; *                                             *
 ; ***********************************************

 ; By Pirata [PHOENIX] Derek L.S, Alias: Lord BIONS
 ; 30th December 2009 - Italy, unnamed city.

 ; For gentle concession to the Fasm Board Community

 ; Written in Flat Assembly language. Use FASM

 ; 32-bit Windows kernel-mode driver image written for FASM (Intel syntax).
 ; Calling convention for the 'proc'/'invoke' macros below is stdcall (win32a.inc).
 Format PE native 5.0 at 10000h
        include 'flat32\win32a.inc'
        include 'fasm driver kit\fasm ddk.inc'
        entry driver_entry                       ; DriverEntry(driver_object, registry_path)

 ; Code must stay resident: the hooked gate can be taken at any IRQL.
 section '.code' code readable executable notpageable

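        ;---------------------------------------------------------------
        ; NTSTATUS driver_entry(PDRIVER_OBJECT driver_object, PUNICODE_STRING registry_path)
        ; Replaces the IDT gate for INTERRUPT_VECTOR on the processor this routine
        ; runs on with a 32-bit interrupt gate pointing at hooked_routine, keeping a
        ; copy of the original gate in old_gate so driver_unload can put it back.
        ; In:       stack args per stdcall (the proc macro provides the frame)
        ; Out:      eax = STATUS_SUCCESS, or STATUS_VECTOR_OUT_OF_IDT when the
        ;           requested vector lies beyond the IDT limit (nothing is patched)
        ; Clobbers: eax, ecx, edx, flags; invoked APIs clobber the volatile regs
        ; IRQL:     raised to DIRQL_LEVEL for the whole routine and to HIGH_LEVEL
        ;           around each read/write of the descriptor itself
        ; NOTE(review): sidt reads the IDTR of the current processor only; if the
        ; system keeps one IDT per processor, the other processors are not hooked.
        ;---------------------------------------------------------------
        STATUS_VECTOR_OUT_OF_IDT = 0C0000001h        ; generic NTSTATUS failure code for the bounds check
        proc driver_entry driver_object,registry_path
             invoke DbgPrintEx,DPFLTR_IHVVIDEO_ID,DPFLTR_MASK+DPFLTR_INFO_LEVEL,loading_driver,driver_entry
             .point: invoke KeRaiseIrql,DIRQL_LEVEL,original_irql
                     sidt [idt_register]                         ; base and limit of this processor's IDT
                     movzx edx,word [idt_register.limit]
                     cmp edx,INTERRUPT_VECTOR*8+7                ; the whole 8-byte gate must lie inside the table
                     jb .out_of_range
                     mov eax,INTERRUPT_VECTOR
                     shl eax,3                                   ; vector * sizeof(gate descriptor)
                     add eax,[idt_register.offset]
                     mov [location],eax                          ; linear address of the gate to patch
                     invoke DbgPrintEx,DPFLTR_IHVVIDEO_ID,DPFLTR_MASK+DPFLTR_INFO_LEVEL,pointed_idt_and_interrupt,[idt_register.offset],edx,INTERRUPT_VECTOR,eax
             .backup: invoke KeRaiseIrql,HIGH_LEVEL,OldIrql
                      invoke RtlMoveMemory,old_gate,[location],4*2   ; pristine copy, restored by driver_unload
                      invoke RtlMoveMemory,buffer,[location],4*2     ; working copy that becomes the new gate
                      invoke KeLowerIrql,[OldIrql]
                      invoke DbgPrintEx,DPFLTR_IHVVIDEO_ID,DPFLTR_MASK+DPFLTR_INFO_LEVEL,backup_old_gate,old_gate
                      invoke DbgPrintEx,DPFLTR_IHVVIDEO_ID,DPFLTR_MASK+DPFLTR_INFO_LEVEL,hooking_vector,INTERRUPT_VECTOR
                      ; Decode the original gate: selector at +2, target offset split
                      ; into bits 15..0 at +0 and bits 31..16 at +6.
                      mov ax,word [old_gate+2]
                      mov [old_selector],ax
                      movzx ecx,word [old_gate+6]
                      shl ecx,16
                      mov cx,word [old_gate]
                      mov [old_routine],ecx                      ; far target used by hooked_routine to chain
                      movzx ecx,[old_selector]
                      invoke DbgPrintEx,DPFLTR_IHVVIDEO_ID,DPFLTR_MASK+DPFLTR_INFO_LEVEL,saved_original_selector_routine,ecx,old_selector,[old_routine],old_routine
             .update: mov dx,cs                                   ; new gate targets this driver's code segment
                      mov word [buffer+2],dx
                      ; Type word 0EE00h: P=1, DPL=3 (the vector is reachable with INT from
                      ; user mode), 32-bit interrupt gate (IF is cleared on entry).
                      mov word [buffer+4],1110111000000000b
                      mov edx,hooked_routine
                      mov word [buffer],dx                        ; offset bits 15..0
                      shr edx,16
                      mov word [buffer+6],dx                      ; offset bits 31..16
                      invoke KeRaiseIrql,HIGH_LEVEL,OldIrql
                      invoke RtlMoveMemory,[location],buffer,4*2  ; publish the new gate
                      invoke KeLowerIrql,[OldIrql]
                      invoke KeLowerIrql,[original_irql]
                      invoke DbgPrintEx,DPFLTR_IHVVIDEO_ID,DPFLTR_MASK+DPFLTR_INFO_LEVEL,hook_complete,hooked_routine
             .dispatch: mov eax,[driver_object]
                        mov dword [eax+DRIVER_OBJECT.DriverUnload],driver_unload   ; unload must restore the gate
                        invoke DbgPrintEx,DPFLTR_IHVVIDEO_ID,DPFLTR_MASK+DPFLTR_INFO_LEVEL,new_interrput_ready
                        mov eax,STATUS_SUCCESS
                        ret
             .out_of_range: invoke KeLowerIrql,[original_irql]    ; undo .point before failing the load
                            mov eax,STATUS_VECTOR_OUT_OF_IDT
                            ret
        endp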

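        ;---------------------------------------------------------------
        ; void driver_unload(PDRIVER_OBJECT driver_object)
        ; Writes the saved original gate (old_gate) back over the hooked slot at
        ; [location] with interrupts masked at HIGH_LEVEL, so INTERRUPT_VECTOR
        ; reaches its original handler again before the image is discarded.
        ; Clobbers: volatile registers via the invoked APIs.
        ; NOTE(review): [location] is the gate address captured by driver_entry on
        ; one processor; any other processor's IDT is not touched here.
        ;---------------------------------------------------------------
        proc driver_unload driver_object
             invoke DbgPrintEx,DPFLTR_IHVVIDEO_ID,DPFLTR_MASK+DPFLTR_INFO_LEVEL,restore_interrupt
             invoke KeRaiseIrql,HIGH_LEVEL,OldIrql
             invoke RtlMoveMemory,[location],old_gate,4*2        ; whole 8-byte descriptor
             invoke KeLowerIrql,[OldIrql]
             invoke DbgPrintEx,DPFLTR_IHVVIDEO_ID,DPFLTR_MASK+DPFLTR_INFO_LEVEL,unload_complete
             ret
        endp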

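        ;---------------------------------------------------------------
        ; hooked_routine - ISR installed by driver_entry for INTERRUPT_VECTOR.
        ; Entered through a 32-bit interrupt gate (IF already cleared). The stack
        ; holds the CPU-built frame: EIP, CS, EFLAGS and, for a ring-3 caller,
        ; ESP and SS. Every register and the first six frame dwords are copied to
        ; the _xxx globals, printed with DbgPrintEx, restored, and control chains
        ; to the original gate target (old_routine) with the stack exactly as the
        ; CPU left it, so the original handler can iret normally.
        ; Clobbers: nothing visible to the interrupted code (all registers and
        ;           EFLAGS are restored before the far jump).
        ; NOTE(review): the save area is a single global block, not per-processor
        ; and not on the stack; two processors taking this vector at the same time
        ; overwrite each other's state. Because the gate is DPL=3 that can be
        ; provoked from user mode, so the state should live on the stack before
        ; this runs anywhere but a single-processor test box.
        ;---------------------------------------------------------------
        hooked_routine:  pushfd
                         popd [_eflags]                    ; flags as seen on entry (IF=0 from the gate)
                         mov [_eip],hooked_routine         ; this ISR's own address; the interrupted EIP is _stack1
                         mov [_ebp],ebp
                         mov [_esp],esp                    ; esp now points at the CPU-built frame
                         mov [_eax],eax
                         mov [_ebx],ebx
                         mov [_ecx],ecx
                         mov [_edx],edx
                         mov [_esi],esi
                         mov [_edi],edi
                         xor edx,edx                       ; segment moves write only dx; clear the upper half once
                         mov dx,cs
                         mov [_cs],edx
                         mov dx,ds
                         mov [_ds],edx
                         mov dx,es
                         mov [_es],edx
                         mov dx,fs
                         mov [_fs],edx
                         mov dx,gs
                         mov [_gs],edx
                         mov dx,ss
                         mov [_ss],edx
                         ; Snapshot six dwords of the frame (EIP, CS, EFLAGS, ESP, SS, +1);
                         ; from a ring-0 caller only the first three are frame words.
                         mov edx,[esp]
                         mov [_stack1],edx
                         mov edx,[esp+4]
                         mov [_stack2],edx
                         mov edx,[esp+8]
                         mov [_stack3],edx
                         mov edx,[esp+0ch]
                         mov [_stack4],edx
                         mov edx,[esp+10h]
                         mov [_stack5],edx
                         mov edx,[esp+14h]
                         mov [_stack6],edx
                         invoke DbgPrintEx,DPFLTR_IHVVIDEO_ID,DPFLTR_MASK+DPFLTR_INFO_LEVEL,informations,[_eip],[_eflags],[_eax],[_ebx],[_ecx],[_edx],[_esi],[_edi],[_ebp],[_esp],[_cs],[_ds],[_es],[_fs],[_gs],[_ss],[_stack1],[_stack2],[_stack3],[_stack4],[_stack5],[_stack6]
                         ; Restore segments, then ss/esp back to back (mov ss inhibits
                         ; interrupts for the following instruction).
                         mov edx,[_ds]
                         mov ds,dx
                         mov edx,[_es]
                         mov es,dx
                         mov edx,[_fs]
                         mov fs,dx
                         mov edx,[_gs]
                         mov gs,dx
                         mov edx,[_ss]
                         mov ss,dx
                         mov esp,[_esp]
                         mov ebp,[_ebp]
                         ; Write the six captured frame dwords back in place.
                         mov edx,[_stack1]
                         mov [esp],edx
                         mov edx,[_stack2]
                         mov [esp+4],edx
                         mov edx,[_stack3]
                         mov [esp+8],edx
                         mov edx,[_stack4]
                         mov [esp+0ch],edx
                         mov edx,[_stack5]
                         mov [esp+10h],edx
                         mov edx,[_stack6]
                         mov [esp+14h],edx
                         mov eax,[_eax]
                         mov ebx,[_ebx]
                         mov ecx,[_ecx]
                         mov edx,[_edx]
                         mov esi,[_esi]
                         mov edi,[_edi]
                         pushd [_eflags]
                         popfd                             ; restore EFLAGS and leave esp at the CPU-built frame
                         jmp far pword [old_routine]       ; chain to the original gate target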

 ; Message strings for DbgPrintEx and the ISR save area; non-pageable because
 ; hooked_routine touches them at interrupt time.
 section '.data' data readable writeable notpageable

 ; driver_entry banner; one %X: address of driver_entry
 loading_driver db "INTERRUPT HOOKER Driver  -  version 3.2",13,10,10

                db "By Pirata [PHOENIX] Derek L.S, Alias: Lord BIONS",13,10
                db "30th December 2009 - Italy, unnamed city.",13,10
                db "For gentle concession to the Fasm Board Comunity",13,10,10

                db "Loading the driver into non-paged RAM",13,10
                db "Driver Entry is at 0x%.8X linear address.",13,10,10,0

 ; four conversions: IDT base, IDT limit, vector number, gate address
 pointed_idt_and_interrupt db "Pointing the current IDT",13,10
                           db "         IDT base offset:   0x%.8X",13,10
                           db "         IDT size limit:    0x%.4X",13,10,10

                           db "Interrupt vector to hook:   0x%.2X",13,10
                           db "      Catched at address:   0x%.8X",13,10,10,0

 ; one conversion: address of old_gate
 backup_old_gate db "Original Interrupt gate is now dumped",13,10
                 db "into a temporary buffer at 0x%.8X",13,10,10,0

 ; one conversion: vector number
 hooking_vector db "Editing the new (hooked) interrupt gate...",13,10,10

                db "Authorization from:   NT KERNEL AUTHORITY",13,10
                db "Running at the MAXIMUM IRQL Possible to prevent",13,10
                db "all hardware and software interruptions...",13,10,10

                db "Hooked vector number is:  0x%.2X",13,10,10,0

 ; four conversions: old selector, &old_selector, old target, &old_routine
 saved_original_selector_routine db "New ISR linked with the old one!",13,10
                                 db "         the old gate selector was:    0x%.4X",13,10
                                 db "         this value stored at offset:  0x%.8X",13,10,10

                                 db "         the old ISR routine were at:  0x%.8X",13,10
                                 db "         its pointer is dumped at:     0x%.8X",13,10,10,0

 ; one conversion: address of hooked_routine
 hook_complete db "The new ISR is inserted into the current IDT.",13,10
               db "Its service routine, localized at 0x%.8X",13,10
               db "can be accessed in user-mode using the INT",13,10
               db "instruction evrerywhere.",13,10,10,0

 new_interrput_ready db "Execution completed successfully!",13,10
                     db "Unload the driver to restore the old ISR",13,10,10,0

 restore_interrupt db "Restoring the original interrupt gate",13,10
                   db "from the temporary buffer...",13,10,10,0

 unload_complete db "Driver deactivated and completly unloaded",13,10
                 db "from the kernel pool memory by the IO manager",13,10,10,0

 ; 22 conversions, in the order hooked_routine passes them:
 ; _eip, _eflags, 8 general registers, 6 segment registers, _stack1.._stack6.
 ; The "CALLER"/"BOUND ERROR" labels describe a ring-3 frame (EIP, CS, EFLAGS,
 ; ESP, SS); for a ring-0 caller only the first three dwords are frame words.
 informations db 13,10
              db 'CURRENT HOOK INFORMATIONS',13,10,10

              db 'EIP:     0x%.8X',13,10
              db 'EFLAGS:  0x%.8X',13,10,10

              db 'EAX:     0x%.8X',13,10
              db 'EBX:     0x%.8X',13,10
              db 'ECX:     0x%.8X',13,10
              db 'EDX:     0x%.8X',13,10
              db 'ESI:     0x%.8X',13,10
              db 'EDI:     0x%.8X',13,10
              db 'EBP:     0x%.8X',13,10
              db 'ESP:     0x%.8X',13,10,10

              db 'CS:      0x%.4X',13,10
              db 'DS:      0x%.4X',13,10
              db 'ES:      0x%.4X',13,10
              db 'FS:      0x%.4X',13,10
              db 'GS:      0x%.4X',13,10
              db 'SS:      0x%.4X',13,10,10

              db 'CALLER EIP:    0x%.8X',13,10
              db 'CALLER CS:     0x%.8X',13,10
              db 'CALLER EFLAGS: 0x%.8X',13,10
              db 'CALLER ESP:    0x%.8X',13,10
              db 'CALLER SS:     0x%.8X',13,10
              db 'BOUND ERROR:   0x%.8X',13,10,0

        ; ISR save area: one global copy of the interrupted context, filled and
        ; drained by hooked_routine. Shared by every processor and every nesting
        ; level, so it is only sound while one invocation is in flight at a time.
        _eip rd 1
        _eax rd 1
        _ebx rd 1
        _ecx rd 1
        _edx rd 1
        _esi rd 1
        _edi rd 1
        _ebp rd 1
        _esp rd 1
        _eflags rd 1
        _cs rd 1
        _ds rd 1
        _es rd 1
        _fs rd 1
        _gs rd 1
        _ss rd 1
        _stack1 rd 1                    ; frame dwords [esp+0] .. [esp+14h] at entry
        _stack2 rd 1
        _stack3 rd 1
        _stack4 rd 1
        _stack5 rd 1
        _stack6 rd 1

        ; Vector whose gate is replaced; it must fit inside the IDT limit read by sidt.
        INTERRUPT_VECTOR = 66h   ;           <----------- ALL INTERRUPTS YOU WANT

        ; 6-byte IDTR image as written by sidt: 16-bit limit then 32-bit base.
        idt_register: .limit rw 1
                      .offset rd 1

        location rd 1                   ; linear address of the patched gate
        buffer rd 2                     ; 8-byte descriptor being built for the hook
        old_gate rd 2                   ; 8-byte copy of the original descriptor

        old_routine rd 1                ; offset of the original handler (far jump target)
        old_selector rw 1               ; code selector of the original handler

        original_irql rd 1              ; IRQL on entry to driver_entry
        OldIrql rd 1                    ; IRQL saved around each HIGH_LEVEL section

 ; Kernel imports resolved at load time (ntoskrnl: DbgPrintEx, RtlMoveMemory;
 ; hal: KeRaiseIrql/KeLowerIrql).
 section '.import' import readable writeable notpageable

        ; NOTE(review): the trailing backslash continues the library list onto
        ; the next line; an entry naming the HAL image appears to be missing
        ; here even though 'hal api.inc' is included below - verify against the
        ; original source before assembling.
        library ntoskrnl,'ntoskrnl.exe',\
        include 'fasm driver kit\api\ntoskrnl api.inc'
        include 'fasm driver kit\api\hal api.inc'

 ; Base relocations so the image can be loaded away from 10000h.
 section '.reloc'fixups readable notpageable

 section '.rsrc' resource notpageable

        directory RT_VERSION,versions
        resource versions,1,LANG_NEUTRAL,version
                    'FileDescription','Interrupt Hooker Driver',\
                    'LegalCopyright','The NT KERNEL Team ® 2009',\
                    'ProductVersion','30th December 2009',\
                    'Autore','Pirata Derek L.S.'

Remember to give credit to my missing girlfriend because this driver is dedicated to her.
dosin 10 Jan 2010, 21:15
Thanks for the post.. looks very interesting.. I will read over! Very Happy

I want to get the paging finished before continuing with the rest of it..

But I would be grateful for any help .. and would also give you credit for anything you would want to help with or offer... Wink

or if anyone else would like to help with paging or development for ring 3?
