flat assembler
Message board for the users of flat assembler.
OS Construction > Control registers analysis with C.R.A.D.
Pirata Derek 09 Jan 2010, 10:11
I made an NT kernel driver that analyzes all the control register features, like paging, page directory base, PAE and other flags...
It does that at driver load (the results are sent to the kernel debugger). You should use a kernel debug messages reader to see them. The driver is compatible with Windows Seven, but you have to use the right kernel debug messages reader (it is different from Sysinternals' XP one). The following attachment contains the driver, its source and a screenshot to demonstrate its work. Only the CR1 register can't be analyzed, damn...
Pirata Derek 09 Jan 2010, 10:14
Can someone suggest an idea for analyzing the page directory table and all its associated structures?
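What the driver in the first post reports, and the starting point for the page-directory question above, as an added example rather than the C.R.A.D. source from the attachment: user-mode C that decodes already-read CR0/CR3/CR4 values (constructed sample values here; bit positions taken from the Intel SDM's 32-bit layout) and derives the page-directory base from CR3, whose layout changes with CR4.PAE.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Bit positions for the IA-32 (32-bit) control-register layout, per the Intel SDM. */
#define CR0_PE   (1u << 0)   /* protected mode enable */
#define CR0_WP   (1u << 16)  /* supervisor write-protect */
#define CR0_PG   (1u << 31)  /* paging enable */
#define CR3_PWT  (1u << 3)   /* page-directory write-through (32-bit paging only) */
#define CR3_PCD  (1u << 4)   /* page-directory cache-disable (32-bit paging only) */
#define CR4_PSE  (1u << 4)   /* 4 MiB pages */
#define CR4_PAE  (1u << 5)   /* physical address extension */
#define CR4_PGE  (1u << 7)   /* global pages */
#define CR4_SMEP (1u << 20)  /* supervisor-mode execution prevention */

typedef struct {
    bool protected_mode, paging, write_protect, pse, pae, pge, smep;
    bool pd_write_through, pd_cache_disable;
    uint32_t pd_base;   /* page-directory base, or PDPT base when PAE is on */
} paging_info;

/* Decode CR0/CR3/CR4 values (already read at ring 0) into named features. */
paging_info analyze_control_regs(uint32_t cr0, uint32_t cr3, uint32_t cr4)
{
    paging_info pi = {0};
    pi.protected_mode = (cr0 & CR0_PE) != 0;
    pi.paging = (cr0 & CR0_PG) != 0;
    pi.write_protect = (cr0 & CR0_WP) != 0;
    pi.pse = (cr4 & CR4_PSE) != 0;  pi.pae = (cr4 & CR4_PAE) != 0;
    pi.pge = (cr4 & CR4_PGE) != 0;  pi.smep = (cr4 & CR4_SMEP) != 0;
    /* CR3 depends on CR4.PAE: without PAE, bits 31:12 hold the 4 KiB-aligned page-directory
       base and bits 3/4 are PWT/PCD; with PAE, bits 31:5 hold the 32-byte-aligned
       page-directory-pointer-table base and PWT/PCD are not used. */
    if (pi.pae) {
        pi.pd_base = cr3 & 0xFFFFFFE0u;
    } else {
        pi.pd_base = cr3 & 0xFFFFF000u;
        pi.pd_write_through = (cr3 & CR3_PWT) != 0;
        pi.pd_cache_disable = (cr3 & CR3_PCD) != 0;
    }
    return pi;
}

int main(void)
{
    /* Constructed sample values, not captured from a real machine. */
    paging_info pi = analyze_control_regs(0x80010031u, 0x00185000u, 0x000006f8u);
    printf("PE=%d PG=%d WP=%d PSE=%d PAE=%d PGE=%d SMEP=%d base=%08x PWT=%d PCD=%d\n",
           pi.protected_mode, pi.paging, pi.write_protect, pi.pse, pi.pae, pi.pge,
           pi.smep, pi.pd_base, pi.pd_write_through, pi.pd_cache_disable);
    return 0;
}
```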
Pirata Derek 09 Jan 2010, 17:02
Good.
I'm gonna insert those analysis functions into the new CRAD version.
charme 10 Jan 2010, 08:23
Good job, I just want to see more driver development under x64!!!
Pirata Derek 10 Jan 2010, 15:02
I would make drivers in 64-bit; I can, but my processor is still 32-bit.
Until I change the processor, I can't test and see whether my drivers work in 64-bit mode.... My current project is a driver that HOOKS ALL THE INTERRUPT DESCRIPTOR TABLE! Its name is "The MASTER _I_ DRIVER". Now I'm at 75%.
Alphonso 25 Feb 2010, 13:06
Pirata Derek wrote:
Quote: The driver is compatible with Windows Seven, but you have to use the right kernel debug messages reader (it is different from Sysinternals' XP one)
It's okay, but IIRC maybe you have to set the registry:
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Debug Print Filter]
"DEFAULT"=dword:0000000f
Pirata Derek 25 Feb 2010, 15:57
I said that to prevent someone from using the wrong kernel debug messages filter and then crashing their own system (W7).
Feryno 26 Feb 2010, 08:18
Pirata Derek wrote:
Quote: My current project is a driver that HOOKS ALL THE INTERRUPT DESCRIPTOR TABLE!
After hooking the IDT (no matter whether the IDT base or only one entry in the original IDT) under x64 versions of MS Windows (even XP64/Win2003 Server x64), you can expect reboots in the range of up to 5-10 minutes caused by fuckguard: http://www.uninformed.org/?v=8&a=5&t=sumry
Years ago I successfully detected that ugly kernel thing using a debug register breakpoint and a debug register access breakpoint and was able to halt it, but then the whole OS hung (there was no way to resume the OS from the point of intercepting fuckguard - erased stack, no way to find any address where to resume execution...). I needed to hook interrupts to catch DebugCtl and the branching registers - I needed to do that for my fdbg project to support single stepping on branching instructions and recording the RIP of branching instructions. Later I solved that in a completely different way, without any need for a driver or for modifying kernel structures: I did it comfortably and easily from ring3 using the DR7.GE and DR7.LE bits. I suggest you use a hypervisor to manipulate interrupts transparently for the guest, so that the OS and even fuckguard know nothing about your activity.
Pirata Derek 27 Feb 2010, 18:46
Thanks for the suggestion.
Kernel Patch Protection (KPP) never disturbed my work. About 2 weeks ago I changed my old 32-bit uniprocessor computer for a 64-bit dual core (only x64 editions have it). Should we make the PKPP? (Patching Kernel Patch Protection)