flat assembler
Message board for the users of flat assembler.

Memory mapping from kernel mode driver

Aaron Sfektu



Joined: 16 Apr 2007
Posts: 4
Location: Norway
Hello, guys!

I'm sorry, I'm new to this forum, but I really need your assistance. So, when Microsoft released Service Pack 1 for Windows 2003 and x64, software developers got a headache, because they can't read memory ranges from a user mode application any more. The only way to get a handle to the \Device\PhysicalMemory object is to call a function from Ring0. Here is a TechNet note.

Before Service Pack 1 was released, I used the ZwOpenSection function to get a handle to the \Device\PhysicalMemory object, then I called the ZwMapViewOfSection API function to map a memory address range into the address space of my process.

Now I have a problem:
I don't know which functions I need to use in the kernel mode driver written by František Gábriš. Maybe there is a small example, huh?

Thanks guys for help!
Post 16 Apr 2007, 13:25
Feryno



Joined: 23 Mar 2005
Posts: 454
Location: Czech republic, Slovak republic
Hello, Aaron!

The a05.sys driver from that package allows you to execute user mode application code in ring0, so perhaps editing e.g. the save_cmos procedure in src\write_device.asm may help.
Please be careful not to make any mistake there, because you can get a very quick reboot.
The very interesting question is whether a common ring3 API (e.g. Kernel32.CreateFileA) can be called from ring0. Unfortunately I don't have immediate access to my home PC to test it now. Anyway, when the driver (ring0) executes ring3 code, memory is mapped at the same offsets in ring0 and ring3, so the DLL should be mapped at the same memory offsets, and theoretically it should work. But testing in reality is necessary. I'm going to try it at home. I'm not able to let you know the result sooner than tomorrow.
Don't be frustrated after encountering several reboots. It's only a question of time before the present problem breaks and gets solved.
Btw I got not less than 20 reboots (I'm not able to remember the exact number) when preparing that driver...
Another problem with the a05.sys driver is the fact that it isn't digitally signed, so if you need to test it in Vista x64 you have to press F8 at boot and select Disable Driver Signature Enforcement.

If the above way doesn't work, then perhaps calling the API from ntoskrnl.exe by the driver itself (not as a procedure of the ring3 application) may help, but then the question is whether the returned handle can be used in ring3. If not, then let the driver itself read from \Device\PhysicalMemory and send the data to the ring3 app.
Post 17 Apr 2007, 08:17
Aaron Sfektu



Joined: 16 Apr 2007
Posts: 4
Location: Norway
Hello, Feryno!

Oh, great! Thanks for your answer! Well, it would be better if the driver would call the API functions itself and then return an output buffer filled with memory data, like the ZwMapViewOfSection (NtMapViewOfSection) API function works.

BTW, Feryno, could you tell me please, is there a thread on this forum where I could discuss driver signing for Vista? I'm very interested in this topic. Also, there is an ultimate KMCS_Walkthrough.doc document called Kernel-Mode Code Signing Walkthrough from Microsoft that explains all the steps in signing drivers for the new OS.

Thanks for the reply!
Post 17 Apr 2007, 10:32
Feryno



Joined: 23 Mar 2005
Posts: 454
Location: Czech republic, Slovak republic
Hello Aaron,
I'm looking forward to trying what happens when ring0 executes a ring3 API, that's a very interesting idea.
I successfully made a hardly imaginable thing - an executable (write_device_32_bit.exe) which is almost 32-bit, only a small part of it holds 64-bit code, and that file cooperates with the a05.sys driver (which is pure 64-bit code) very well. 64-bit drivers don't have any possibility like the WOW emulation for 32-bit code under 64-bit ring3 applications.

Would you post the application running well in older versions of Windows accessing \Device\PhysicalMemory? I suppose it is a pure 32-bit app, but I can easily convert it into win64 if its size isn't too huge.

I haven't found any thread about signing drivers for Vista here in the forum yet. Perhaps you can start it. I think that Vista stores info about drivers in Windows\System32\catroot\*.cat and ...\catroot2\*.* files, every cat file has a strong CRC (or hash or checksum) and the whole catalog is protected against attacks with a strong CRC again.
I have the utility for signing drivers, but the problem is purchasing the licence file which is the necessary input to create a signed *.cat file for the driver. A licence for 1 year costs about 400 US$. I refuse (and perhaps everybody here in the forum does) to pay anything, because we are only asm fans and not firms earning money with programming.
Perhaps we can debug the application for driver signing to find the know-how (its size is only about 200-300 kB, but it heavily calls various security and crypto APIs and calculates a lot of checksums). Perhaps the easiest way is to discover where the signature is in some drivers which are loaded during Vista boot (a speedup, without wasting time walking through several MB of catalogue files) - these files have the signature directly in the *.sys file as well as in the catalogue files - perhaps the CRC in the sys is not as strong as in the catalogue... I don't know...
But I think that the present security is so strong that it is cheaper to pay that money and then in the future only set the time back to the year when the licence is valid, sign the driver, reset the time...

Or we can press F8 every boot and bypass the signing protection, but you know - we are all too lazy to press 3 extra keys every boot...
Post 17 Apr 2007, 11:08
vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
Quote:
Perhaps we can debug the application for driver signing to find the know-how (its size is only about 200-300 kB, but it heavily calls various security and crypto APIs and calculates a lot of checksums)
That makes reversing it easier. You know what every API function does.

Personally I doubt they made it so weak that we would be able to break it somehow.

Much more fun would be to have a signed driver which disables driver checking by patching the system.
Post 17 Apr 2007, 12:35
Aaron Sfektu



Joined: 16 Apr 2007
Posts: 4
Location: Norway
Feryno, the driver may call the MmMapIoSpace function. This function maps a physical address space to a non-paged process address space and is exported from the ntoskrnl.exe library. It seems it is simpler than ZwMapViewOfSection exported from ntdll.dll. I think it is better to give you two examples of binary drivers instead of putting Object Pascal source code here. Well, the first one is from the ASUS PCProbe utility and uses the ZwMapViewOfSection API function, and the second one is from my driver binary collection and calls the MmMapIoSpace function.

As for driver signing, I'm sure we can manage with the signing tools coming with the Microsoft SDK package. We just need the latest versions of makecert.exe, makecat.exe, signcode.exe and some of the cross-certificates that can be downloaded from Microsoft's web site for free to sign the driver. Also, here is a very interesting passage from the document I mentioned earlier:

Test-signed kernel-mode drivers are supported on Windows Vista only for testing purposes. They must not be used for production purposes or released to customers for use with Windows Vista RC1 or Windows Vista release to manufacturing (RTM).


Attachment: DriverSamples.zip (9.14 KB)

Post 17 Apr 2007, 14:41
Feryno



Joined: 23 Mar 2005
Posts: 454
Location: Czech republic, Slovak republic
Hello Aaron,
I tried yesterday's ideas and I realized that it was the wrong way. The only API which successfully passed in ring0 was GetCommandLineA, because it had only 2 instructions: mov rax,[...] ret
All the others caused reboots: CreateFileA + WriteFile + CloseHandle
MessageBoxA

Then I remembered that I had a small driver in the nibitor package for accessing the IO space of my graphics card. I played a bit with it and it did this:
1. it scanned the PCI bus directly using ports
2. to access the VGA chip memory it did HalTranslateBusAddress and then MmMapIoSpace

The size of that driver was only 2304 bytes, so it was easy to play with it.

I have the Vista RTM WDK - makecert.exe, makecat.exe should be there. I also downloaded a newer file for signing - perhaps signcode.exe - several months ago. I will have to look into my home PC to be sure...
Thanks for the samples.
Post 18 Apr 2007, 05:42
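The port-based PCI scan Feryno describes above is configuration mechanism #1: a 32-bit address written to port 0CF8h selects bus, device, function and register, and the selected dword is then read from port 0CFCh. Below is an added C example (not code from the thread, from the nibitor driver or from a05.sys) that encodes that address, reads the vendor/device ID of every slot on bus 0, and runs on an ordinary host by replacing the two port instructions with a simulated bus holding two constructed devices. The backend interface, the struct names and the device IDs are this example's assumptions.

```c
/* Added example, not from the thread: PCI configuration mechanism #1
 * (ports 0CF8h/0CFCh) with the port I/O behind a small backend so the
 * address encoding and the bus-0 enumeration can be compiled and checked
 * outside ring0. In a driver the backend is out dx,eax / in eax,dx. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define PCI_CONFIG_ADDRESS 0xCF8
#define PCI_CONFIG_DATA    0xCFC

/* CONFIG_ADDRESS layout: bit 31 enable, bits 23:16 bus, 15:11 device,
 * 10:8 function, 7:2 dword register index, 1:0 must be zero. */
uint32_t pci_cfg_addr(uint8_t bus, uint8_t dev, uint8_t fn, uint8_t reg)
{
    return 0x80000000u
         | ((uint32_t)bus << 16)
         | ((uint32_t)(dev & 0x1F) << 11)
         | ((uint32_t)(fn & 0x07) << 8)
         | (uint32_t)(reg & 0xFC);
}

/* Port backend (assumption of this example): real driver = port instructions. */
typedef struct {
    void     (*outd)(uint16_t port, uint32_t value);
    uint32_t (*ind)(uint16_t port);
} PORT_BACKEND;

uint32_t pci_cfg_read32(const PORT_BACKEND *io, uint8_t bus, uint8_t dev,
                        uint8_t fn, uint8_t reg)
{
    io->outd(PCI_CONFIG_ADDRESS, pci_cfg_addr(bus, dev, fn, reg));
    return io->ind(PCI_CONFIG_DATA);
}

typedef struct { uint8_t dev; uint16_t vendor, device; } PCI_DEV;

/* Enumerate function 0 of all 32 slots on bus 0 (multi-function devices and
 * secondary buses are left out). Returns the number of devices found. */
size_t pci_scan_bus0(const PORT_BACKEND *io, PCI_DEV *out, size_t max)
{
    size_t n = 0;
    for (uint8_t dev = 0; dev < 32 && n < max; dev++) {
        uint32_t id = pci_cfg_read32(io, 0, dev, 0, 0x00);   /* reg 0: vendor | device<<16 */
        if ((id & 0xFFFF) == 0xFFFF) continue;              /* empty slot reads all ones */
        out[n].dev = dev;
        out[n].vendor = (uint16_t)(id & 0xFFFF);
        out[n].device = (uint16_t)(id >> 16);
        n++;
    }
    return n;
}

/* ---- host simulation: a constructed bus with two devices (IDs made up) ---- */
static uint32_t sim_addr;
static void sim_outd(uint16_t port, uint32_t v) { if (port == PCI_CONFIG_ADDRESS) sim_addr = v; }
static uint32_t sim_ind(uint16_t port)
{
    if (port != PCI_CONFIG_DATA || !(sim_addr & 0x80000000u)) return 0xFFFFFFFFu;
    uint8_t bus = (uint8_t)((sim_addr >> 16) & 0xFF), dev = (uint8_t)((sim_addr >> 11) & 0x1F);
    uint8_t fn  = (uint8_t)((sim_addr >> 8) & 0x07),  reg = (uint8_t)(sim_addr & 0xFC);
    if (bus == 0 && dev == 0 && fn == 0 && reg == 0) return 0x29C08086u; /* constructed host bridge */
    if (bus == 0 && dev == 2 && fn == 0 && reg == 0) return 0x29C28086u; /* constructed VGA device */
    return 0xFFFFFFFFu;
}
const PORT_BACKEND sim_io = { sim_outd, sim_ind };

int main(void)
{
    PCI_DEV found[32];
    size_t n = pci_scan_bus0(&sim_io, found, 32);
    for (size_t i = 0; i < n; i++)
        printf("00:%02x.0  %04x:%04x\n", found[i].dev, found[i].vendor, found[i].device);
    return 0;
}
```

This two-port mechanism is not atomic: the HAL and the PCI bus driver use the same 0CF8h/0CFCh pair, so an unsynchronised scan from a third-party driver can race with their accesses. The supported routes on Windows are HalGetBusDataByOffset or the BUS_INTERFACE_STANDARD interface obtained with IRP_MN_QUERY_INTERFACE, which serialise the access for you.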
Feryno



Joined: 23 Mar 2005
Posts: 454
Location: Czech republic, Slovak republic
Hello Aaron,
would you test this thing to see whether it is suitable for you (06_test.bat saves the BIOS area memory FFFF0000-FFFFFFFF into a file)?
I tested it in Win2003 Server SP1 and I'll test it in Vista during the weekend.

Now to solve how to sign drivers for Vista (or bypass it in a lazy way) and everything would be fine.


Description: drivers for windows x64
a05.sys for accessing ports and executing ring0 privileged instructions
a06.sys for accessing physical memory

Attachment: drivers.zip (43.33 KB)

Post 20 Apr 2007, 05:33
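What a06.sys does for 06_test.bat - take a physical range from a ring3 application, map it in ring0 and hand the bytes back - is also the request a driver has to be most careful with, because a driver that maps any physical address for any caller gives every local user a read (or write) primitive over the whole machine. Below is an added C example, not the a06.sys source or anything else posted in the thread, of the validation and page-by-page copy a "read physical range" IOCTL handler needs before and around MmMapIoSpace. The IOCTL structure, the status codes, the list of allowed windows and the backend interface are this example's assumptions; the kernel calls sit behind that interface so the logic compiles and runs on an ordinary host against a constructed stand-in for the FFFF0000-FFFFFFFF BIOS area.

```c
/* Added example, not code from the thread or from the a05/a06 drivers:
 * the request-checking half of a "read a physical range" IOCTL, laid out so
 * the checks compile and run on an ordinary host. The kernel mapping calls
 * (MmMapIoSpace / MmUnmapIoSpace in the real driver) sit behind a small
 * backend interface; the host build supplies a simulated BIOS window.
 * Struct names, status codes and the allowed windows are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PHYS_PAGE 4096u

/* What the ring3 side passes in with the IOCTL (example layout). */
typedef struct { uint64_t phys_addr; uint32_t length; } PHYSREAD_REQUEST;

/* Physical windows the driver agrees to expose (inclusive limits). A driver
 * that maps any physical address for any caller is a local privilege
 * escalation primitive, so this list and the device object's ACL carry the
 * security, not the code-signing of the driver itself. */
typedef struct { uint64_t base, limit; } PHYS_WINDOW;
static const PHYS_WINDOW allowed[] = {
    { 0xFFFF0000u, 0xFFFFFFFFu },   /* legacy BIOS area, the range 06_test.bat dumps */
    { 0x000F0000u, 0x000FFFFFu },   /* BIOS shadow / SMBIOS tables below 1 MiB */
};

/* In the driver: map = MmMapIoSpace(pa, len, MmNonCached), unmap = MmUnmapIoSpace. */
typedef struct {
    void *(*map)(uint64_t phys, size_t len);
    void  (*unmap)(void *va, size_t len);
} PHYS_BACKEND;

typedef enum { PR_OK = 0, PR_BAD_INPUT, PR_BUFFER_TOO_SMALL, PR_OVERFLOW,
               PR_DENIED, PR_MAP_FAILED } PR_STATUS;

/* Validate before touching anything: the request buffer is untrusted input. */
PR_STATUS phys_read_validate(const PHYSREAD_REQUEST *req, size_t out_len)
{
    if (req == NULL || req->length == 0) return PR_BAD_INPUT;
    if (req->length > out_len)           return PR_BUFFER_TOO_SMALL;
    uint64_t end = req->phys_addr + req->length - 1;     /* inclusive end */
    if (end < req->phys_addr)            return PR_OVERFLOW;  /* 64-bit wrap */
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if (req->phys_addr >= allowed[i].base && end <= allowed[i].limit)
            return PR_OK;
    return PR_DENIED;
}

/* Copy the range out one page at a time: a large request never needs a large
 * contiguous kernel mapping, and every mapping is undone on every path. */
PR_STATUS phys_read(const PHYS_BACKEND *be, const PHYSREAD_REQUEST *req,
                    uint8_t *out, size_t out_len)
{
    PR_STATUS st = phys_read_validate(req, out_len);
    if (st != PR_OK) return st;
    uint64_t cur = req->phys_addr;
    size_t done = 0, remaining = req->length;
    while (remaining) {
        uint64_t page = cur & ~(uint64_t)(PHYS_PAGE - 1);
        size_t   off  = (size_t)(cur - page);
        size_t   n    = PHYS_PAGE - off;
        if (n > remaining) n = remaining;
        uint8_t *va = be->map(page, PHYS_PAGE);
        if (va == NULL) return PR_MAP_FAILED;
        memcpy(out + done, va + off, n);
        be->unmap(va, PHYS_PAGE);
        cur += n; done += n; remaining -= n;
    }
    return PR_OK;
}

/* ---- host simulation of FFFF0000-FFFFFFFF (constructed bytes, not a real BIOS) ---- */
static uint8_t fake_bios[0x10000];
static void *sim_map(uint64_t phys, size_t len)
{
    if (phys < 0xFFFF0000u || phys + len > 0x100000000ull) return NULL;
    return fake_bios + (phys - 0xFFFF0000u);
}
static void sim_unmap(void *va, size_t len) { (void)va; (void)len; }
const PHYS_BACKEND sim_backend = { sim_map, sim_unmap };

/* Read 16 bytes straddling the FFFF1000 page boundary; returns 1 on success. */
int demo(void)
{
    for (size_t i = 0; i < sizeof fake_bios; i++) fake_bios[i] = (uint8_t)i;
    PHYSREAD_REQUEST req = { 0xFFFF0FF8u, 16 };
    uint8_t out[16] = { 0 };
    if (phys_read(&sim_backend, &req, out, sizeof out) != PR_OK) return 0;
    return out[0] == 0xF8 && out[7] == 0xFF && out[8] == 0x00 && out[15] == 0x07;
}

int main(void)
{
    printf("page-crossing read %s\n", demo() ? "ok" : "FAILED");
    PHYSREAD_REQUEST bad = { 0x1000u, 16 };
    printf("read at 0x1000 -> status %d (expect %d = denied)\n",
           (int)phys_read_validate(&bad, 16), (int)PR_DENIED);
    return 0;
}
```

In the driver, wire `map` to `MmMapIoSpace(pa, len, MmNonCached)` and `unmap` to `MmUnmapIoSpace`, and restrict the device object's security descriptor (administrators only) in addition to the range check. Signing a driver does not make its IOCTLs safe: a signed driver that exposes unrestricted physical memory is exactly what an attacker on a signing-enforced system loads instead of writing their own.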
Aaron Sfektu



Joined: 16 Apr 2007
Posts: 4
Location: Norway
Oh, damn it! What a good job! I really appreciate you, feryno! You are a really freaking cool driver developer! Your kernel mode driver and the small sample application work great! Yesterday I downloaded the latest Service Pack 2, srv03_sp2_rtm.070216-1710, and updated my Windows x64 SP1 with it. There is no problem there either! Thanks a lot, feryno! Yeah, I should spend much more time learning FASM…

So, as to driver signing, I have already got the tools (makecert.exe, etc.) for this purpose, but I think the program version of all the tools is too old, it's 5.131.1863.1. Also, I have downloaded cross-certificates from Microsoft's website, they are: MSCV-EquifaxSecure.exe, MSCV-VSClass3.exe, MSCV-BCyberTrust.exe and MSCV-GlobalSign.exe. Well, I need more time to read that document deeply. Also, I will install Vista this weekend.

Thanks for the support, feryno!
Post 20 Apr 2007, 16:21
Feryno



Joined: 23 Mar 2005
Posts: 454
Location: Czech republic, Slovak republic
Hello Aaron,
the skeleton of a simple driver was done in a05.sys, so I had to make only little changes to make the a06.sys driver.
The hardest task was to create the a05.sys driver almost 1 year ago.

Security is a nice thing, but most assembler coders need to access hardware, so we are made to make drivers like these.

The first testing OS for a06.sys was Win2003 Server SP1 - the kernel should be very close to XP's (if not the same).
I tested it in Vista this weekend and it worked well again after disabling the driver signature check.
I downloaded the latest Vista RTM WDK directly from Microsoft months ago. I had subscribed myself as a participant in the Windows driver development kit, but in fact I didn't help them in any way because I haven't installed the WDK yet. I thought that it would be useful to install it in the future. Today I have downloaded the cross-certificates and I'm going to try to sign drivers this weekend. All new utilities for signing should be in the WDK.

Btw, I was in Norway in July 1994. Very kind people, beautiful country, fascinating nature. I lived for 2 weeks in the students' area Kringsja in Oslo. I wondered how many people practiced biking instead of traveling by car. I was surprised that students' bikes were left outside for the whole summer holidays - multiple bikes secured with only one simple chain - in my country almost all the bikes would be stolen the first day or night... Citizens of the capital Oslo told me that it was the hottest summer they could remember; the water in the sea was about 20 degrees centigrade above zero, which was fine for swimming in the fjords. I also remember a dinner on a boat (after the dinner I jumped into the sea from the boat, swam there a lot, and at the end my friends raised the rope ladder and smiled at me from the boat for a long time while I was trying to get back on board). I also remember the amusement park Tusenfryd, a barbecue dinner near a nice mountain lake, and various fun games like running on snowshoes on a summer lawn (a lot of us had this device on our feet for the first time, so we fell several times over short distances) - perhaps it is easier to walk on a snow surface than on grass. The meals in the students' dining hall were excellent. I also remember that I had problems passing the security check at Fornebu on our flight back - something dangerous showed up on the X-ray check of my hand luggage, it looked like a real grenade, it shielded X-rays the way metal does, the policeman took half of my things out of the bag and the thing was still there in the bag... in the end we discovered that it was my medal, lying in such a position that under X-rays it looked like a grenade - the big circular plate rotated by 45 degrees became elliptic, the relief on the medal's surface after rotation looked like the surface of a grenade, and the piece where the ribbon is tied looked like an initiator...
I also remember that I brought into your country 2 liters of home-made (by myself) 'slivovica' (plum brandy) without any bad intention - but I broke all 3 rules for importing alcohol into your country (I was only 18 and I had to be 21, only 1 liter per person but I had 2, concentration limit 40% - my slivovica was 53%...) - I was lucky, nobody checked me after my arrival... After leaving the customs officer's empty check area I was waiting for a bus in the airport hall and I was a bit bored, so then by chance I read the rules for importing spirits from a small paper on the table in the hall.
I'm not able to remember any bad memory, everything there was totally perfect. The whole accommodation was paid for by foreign agencies - we even got a small amount of spending money for free, but in fact we didn't need it because everything was paid for already.
It sounds like a dream, but it was reality.
So I still feel as if I have a big debt to Norway and the people living there.
Post 23 Apr 2007, 13:05
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4633
Location: Argentina
Quote:

in my country almost all the bikes would be stolen the first day or night...

Add my country to the list too. Ultimately there is no need to leave the bike tied outside for more than a few minutes to get it stolen; now even when tying bikes to the railings of the stairs INSIDE the faculty building, some people have lost their bikes anyway... (And note that the things used to tie the bikes are really hard to cut.)
Post 23 Apr 2007, 16:34
vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
53% slivovica? Nice.
Post 23 Apr 2007, 17:24
Copyright © 1999-2020, Tomasz Grysztar.