flat assembler
Message board for the users of flat assembler.

Thread: instead of hook but always in ring3

HarryTuttle
Joined: 26 Sep 2003
Posts: 211
Location: Poland
Hi all,
I do not expect you to write an example or even a piece of code;
only theory would be appropriate.

Because of the human habit of curiosity I want to know how to walk on the sea ;)
It is impossible, so I change my mind, and I would like not to change it once again.

As you all know, external devices use two general ways to tell the system about state changes. The system can retrieve this information through device drivers, which use those two ways to communicate with these devices.

One way is to get the info by polling. The driver sets a time interval and regularly gets the information from the device. It takes more time, and some of the data can be lost if the "sampling" frequency is not high enough.

The second and IMHO better way is to get information from external devices only when an external IRQ signal appears. That way is used by the system to read, for example, the keyboard.

After the IRQ appears, EIP is changed to point to the address of the code that does all the job, including translation of the retrieved data into system-dependent messages.
I passed over the IRQ priority and many other things that can drive the main thought the wrong way.

If you have followed me to this moment, I congratulate you on your patience ;) Don't give up, it's almost the finish ;)

About hooks: the hook is real, the hook is done, everybody knows and can do a hook.dll and inject it into another process's address space by API calls; the system knows that it is hooked. It's not trivial but, you know, it is not like walking on the water.

So, what?...
I would like to change the IDT from ring 3 and, after an IRQ appears (i.e. from the keyboard), set the vector to my own routine that at the end will be able to call the original system procedure.

I can't see another solution yet, but it is possible that one exists.
My idea is just an idea and seems to be impossible, but I still dream about walking on the sea...

_________________
Microsoft: brings power of yesterday to computers of today.
Post 11 Feb 2004, 11:32

HarryTuttle
Joined: 26 Sep 2003
Posts: 211
Location: Poland
Thanks to the PEOPLE who posted me solutions; I wonder why on the win32asmcommunity account instead of here :?:
But maybe they want to remain anonymous and have two (or more) different nicks on these forums :)

The first step was done.
In Win32 there exists the possibility to overwrite physical memory, to add an LDT by API calls and, indirectly, the IDT, but there is only one thing I can't do yet: find the base of the IDT in physical memory from ring 3 and test which descriptor is responsible for the keyboard I/O routine. When I was reading the zines I received from a disinterested programmer, I sat down with mortal fear. I shudder to think what could happen if any bad guy possessed this knowledge. I can't post it here, and only in good acquaintance with the person can I talk about it via e-mail. A PM isn't out of the question, as well as co-operation.
I post it here because the omniscient people are from here, and I think it is not a crime to be intelligent. Do not be afraid, I am not agent SMITH nor the FBI nor another maniac. I rather rarely check the win32asmcommunity board, and every day I am here, so you can post private messages as well as e-mails: g_a@o2.pl

cheers,

harry

_________________
Microsoft: brings power of yesterday to computers of today.
Post 12 Feb 2004, 14:36
Copyright © 1999-2020, Tomasz Grysztar.