Message board for the users of flat assembler.
> Windows > NATIVE API INTERCEPTOR (last pages)
Goto page 1, 2, 3, 4 Next
|Should i relase Drivers for create, modify or delete any IDT, GDT or LDT descriptors? (these drivers with source -code may be dangerous in bad hands)|
|Total Votes : 17|
Pirata Derek 23 Jun 2009, 10:48
A way to hook all system call on windows XP kernel
I'm tryng to make a simple way to let all user programs get the kernel privileges....
I hate the I/O privileged instruction restriction because i'm building the HAL of my own operating system (NAXOS) and i can only test it into a Virtual machine.
I'm not agree to this condition then i started my project again the windowx kernel.
This is the start of my project (packages)
Who can help me to continue studies?
- How to modify GDT descriptors
- How to edit call gates on IDT
- Next studios: Do the same things on Linux kernel
Last edited by Pirata Derek on 25 Jul 2009, 14:15; edited 6 times in total
|23 Jun 2009, 10:48||
Pirata Derek 23 Jun 2009, 11:53
This is a modification of previus program (Hook Sysenter) that has the
"Fast User return" function after intercepting the system call.
Previus program hasn't the capability of dispatch the system call return
infact it leave the execution to kernel.
FastUserReturn: pushd 23h ; selector for user-mode SS pushd ecx ; user-mode stack pointer pushd ebx ; user-mode eflags pushd 1Bh ; selector for user-mode CS pushd eax ; user-mode EIP (return) iretd ; return
Last edited by Pirata Derek on 23 Jun 2009, 14:17; edited 5 times in total
|23 Jun 2009, 11:53||
Pirata Derek 23 Jun 2009, 12:48
This is an example of direct driver comunication using a hooked system call.
There're two modules:
1) the Driver that hooks any sysenter system call and analyze them for intercept a driver comunication call.
2) The library that makes the direct comunications (sends a command code) and the driver execute the receved command code.
I should implement more functionality....
Last edited by Pirata Derek on 23 Jun 2009, 14:08; edited 2 times in total
|23 Jun 2009, 12:48||
Pirata Derek 23 Jun 2009, 12:56
I'm developing some methods to give ALL KERNEL PRIVILEGES to any programs using:
- Dispatch by hooiking driver
- Building special IDT gates that return to calling application
- Modifing the calling Task state segment
Last edited by Pirata Derek on 23 Jun 2009, 14:18; edited 1 time in total
|23 Jun 2009, 12:56||
asmcoder 23 Jun 2009, 13:44
Last edited by asmcoder on 14 Aug 2009, 14:50; edited 1 time in total
|23 Jun 2009, 13:44||
Pirata Derek 23 Jun 2009, 13:54
To use SMP (simmetric multi-processing) you need a operating sistem that support the vantage of multi processors.
(Advantages and disadvantages)
Now i've implemented the function for standard Mono-processor
( 1 Processor --> 1 core --> 1 MSR --> or not? )
If you give me some time, when i finish my current project i'll study to make the same also for SMP
Just a moment
Writing and executing good code in kernel mode (and testing)
is not simple.
Do you know how many times drivers on test crashed my system?
I've spent weeks to end the drivers you can see in my topic
(without the help of any programmes or manual, just FASM user guide and some internet researches)
|23 Jun 2009, 13:54||
Pirata Derek 25 Jun 2009, 07:48
Resolved the problem relative to the crash on testing (debugging)
When ESP is changed from Kernel mode to user mode it cause sometime a system crash...
(I've seen it using SYSER KERNEL DEBUGGER)
Kernel_mode_dispatcher: ; Hooked by driver or edx,edx jz @F jmp dword [nt_kernel_gate] @@: mov esp,edi ; <------------ CRASH! ret
NOTE: EDI points to the user-mode calling program return EIP into the stack
[EDI] = return to caller (offset)
Last edited by Pirata Derek on 25 Jun 2009, 09:42; edited 5 times in total
|25 Jun 2009, 07:48||
Pirata Derek 25 Jun 2009, 09:16
WHIT THIS PROGRAM I RESOLVED AND FINISHED THE FIRST PART OF MY PROJECT AGAINST THE NT KERNEL
The package below contains the first (i think) way to give kernel privileges to any programs...
After a programs run from user-mode to kernel-mode DON'T EXECUTE ANY SYSENTER INSTRUCTIONS!!
The sysenter instruction in kernel-mode will refer to the GDT null descriptor and then cause a machine crash!
You must use INT 2Eh or return in user-mode
HAVE PHUN IN "DIRECT" SYSTEM PROGRAMMING!
For any questions to kernel and drivers or prevents errors (Crash) in Ring0, contact me.
To respect my missing girlfriend, people who use my GKP sources
MUST NOT DELETE the dedication of my project to her.
For the corrected version of GKP goto HERE
Last edited by Pirata Derek on 27 Jun 2009, 13:34; edited 6 times in total
|25 Jun 2009, 09:16||
Pirata Derek 25 Jun 2009, 09:20
The source of the G.K.P. Library that request to the GKP driver the privileges
; Get Kernel Privilege Library ;----------------------------- ; By Pirata [PHOENIX] Derek L.S. ; 18th June 2009 - ITALY ; For gentle concession by The PHOENIX's Projects 2009 ; Dedicated to my loved IRENE Format PE GUI 5.0 DLL include 'Flat32\win32a.inc' entry DllStart section '.code' code readable executable proc DllStart DllHandle,Reason,Reserved ; Loading dll mov eax,TRUE ret endp GetPrivilege: pop ebx ; User-mode caller return EIP mov [usermode_esp],esp ; User-mode caller esp pushfd ; User-mode caller Eflags popd [usermode_eflags] xor edx,edx ; Let driver intercept this call sysenter ; to driver hooked system call RelasePrivilege: pop esi ; User-mode caller return EIP pushd 23h ; User-mode stack segment selector pushd [usermode_esp] pushd [usermode_eflags] pushd 1Bh ; User-mode code segment selector push esi iretd ; Return to user-mode section '.data' export readable writeable export 'GKPL.dll',\ ; EXPORT THESE BEATIFUL FUINCTIONS!! GetPrivilege,'GetPrivilege',\ RelasePrivilege,'RelasePrivilege' usermode_esp rd 1 usermode_eflags rd 1 section '.reloc' fixups discardable
Last edited by Pirata Derek on 25 Jun 2009, 10:26; edited 2 times in total
|25 Jun 2009, 09:20||
Pirata Derek 25 Jun 2009, 09:27
This is the source code (corrected) of the G.K.P. hook driver that give the kernel privileges
You must load it before using the GKP library (see up)
; Get Kernel Privilege Driver Not pageable ;----------------------------- ; By Pirata [PHOENIX] Derek L.S. ; 17th June 2009 - ITALY ; For gentle concession by The PHOENIX's Projects 2009 ; Dedicated to my loved IRENE Format PE native at 10000h include 'flat32\win32a.inc' entry DriverEntry section '.code' code readable executable notpageable proc DriverEntry DriverObject,RegistryPath .store: cli mov ecx,176h rdmsr mov [old_sys_eip],eax .modify: mov ecx,176h mov eax,HookedSystemCall xor edx,edx wrmsr .dispatch: mov eax,[DriverObject] mov dword [eax+UNLOAD],DriverUnload mov eax,STATUS_SUCCESS sti ret endp proc DriverUnload DriverObject .restore: cli mov ecx,176h mov eax,[old_sys_eip] xor edx,edx wrmsr sti ret endp HookedSystemCall: or edx,edx jz @F jmp dword [old_sys_eip] @@: jmp dword esi section '.data' data readable writeable notpageable STATUS_SUCCESS = 0 STATUS_UNSUCCESSFUL = 0C0000001h UNLOAD = 52 old_sys_eip dd ? section '.reloc' fixups notpageable section '.rsrc' resource notpageable directory RT_VERSION,versions resource versions,\ 1,LANG_NEUTRAL,version versioninfo version,VOS_WINDOWS32,VFT_APP,VFT2_UNKNOWN,LANG_ITALIAN+SUBLANG_DEFAULT,0,\ 'FileDescription','Get Kernel Privilege Driver (N.P.)',\ 'LegalCopyright','The Phoenix ® 2009',\ 'FileVersion','1.2.0',\ 'ProductVersion','27th June 2009',\ 'OriginalFilename','GKPD-NT.sys for Windows XP',\ 'Autore','Pirata Derek L.S. for his loved Irene'
To download the program goto upon these pages...
Last edited by Pirata Derek on 27 Jun 2009, 13:45; edited 4 times in total
|25 Jun 2009, 09:27||
r22 25 Jun 2009, 13:31
Minimal code, maximum result.
It's simplicity is impressive.
Good job, I wonder if Win64 version would be a simple port.
|25 Jun 2009, 13:31||
f0dder 25 Jun 2009, 13:44
But imho not very useful, since calling kernel mode functions is more bother than doing it from a driver. Not to mention that it introduces a gaping security hole on the system.
Minimal code, maximum result.
It won't be, since win-x64 PatchGuard watches over the LSTAR MSR.
Good job, I wonder if Win64 version would be a simple port.
|25 Jun 2009, 13:44||
Pirata Derek 25 Jun 2009, 15:18
f0dder, you think it's not useful? Bah...
Maybe you forget one IMPORTANT utility of this program....
KERNEL DRIVERS WORKS ONLY IN KERNEL-MODE, BUT MY PROGRAMS CAN WORK IN USER-MODE AND ALSO IN KERNEL-MODE by requesting privileges to my driver.
1) I can get a process handle in user-mode an after i can kill this program by erasing its bytes into RAM on kernel-mode...
2) I can spy the operations of an user (in user-mode) and then lock or prohibit some accesses in kernel-mode.
3) I can display a dialog with some functions for hardware managment and execute the user requested function in kernel-mode
4) ........ THE LIST OF OPERATIONS IS TOOOOOOOOOO LOOOOOOONG!
If i want i can make a program that scan ALL THE RAM in kernel-mode for searching arrays of bytes (like virus signature) and then erase all the found corrispondences.... like an ANTI-RESIDENT-VIRUS.
NOW, IS IT NOT USEFUL
Last edited by Pirata Derek on 25 Jun 2009, 15:33; edited 1 time in total
|25 Jun 2009, 15:18||
r22 25 Jun 2009, 15:33
Security is irrelevant, it's a hack to allow Ring0 code without having to write the functionality into drivers.
This is perfect for home-made peripheral testing or for people that want to learn more about Ring0 restricted opcodes/instructions, BUT aren't comfortable with driver programming.
|25 Jun 2009, 15:33||
Pirata Derek 25 Jun 2009, 15:39
Yes, r22, it's irrelevant
it was only an example of the power a program has, when it can run in the privilege level it wants...
|25 Jun 2009, 15:39||
f0dder 25 Jun 2009, 16:12
No, I don't see it as terribly useful
For messing around with hardware devices, you can only do the simplest of operations (port banging), since there's no reliable way to set up an ISR in user mode. You're better off with a dedicated DOS testing machine (or a proper driver).
It's not useful for "prototyping" a real driver, since you can't call the standard kernel routines (well, you can, but it's going to be more work than doing it from a regular driver).
For learning about privileged coding, again I believe a dedicated DOS testing machine (or a VM) is better, since you have full control that way, and can mess with timers, IRQ handlers etc. without having to play by windows' rules.
For poking around kernel memory and doing some simplistic prototypes, it saves a short amount of time compared to adding un+reload of a driver to your test procedure. But don't we already have the physicalmemory virtual device?
|25 Jun 2009, 16:12||
Pirata Derek 25 Jun 2009, 17:09
1) All Virtual Machine I've used can't execute the privileged instructions( MS virtual PC, Virtual BOX ,etc...)
They crash always when i execute for example LIDT instruction (see virual mode in intel architetture manuals)
2) When executing a Virtual-mode interrupt, processor returns to protected mode to complete its ISR
(so it is only a long way to execute the same thing), but with GKP you do it in protected-mode directly.
3) With the support of the GKP i'm creating programs that modify ISRs, Interrupts, gates and all about GDT and IDT descriptors
(i'm getting good results, i'll send them to you if you want)
4) During tests i've seen some physical memory locations (on protected-mode) are locked from writing
because they are linked to GDT or LDT descriptors fields settings like R/W...
IMAGINE ON PHYSICAL MEMORY VIRTUAL DEVICE:
HOW MANY RESTRICTIONS WILL BE ONTO?!?!
nooooo..... Now if i can't use the Virtual Machines, i feel better. I hate them for the reasons below (and much more)
I'M AGREE FOR THE "TERRIBLE USE" MY PROJECT HAS!
I'll create a way to disable IMMEDIATLY the GKP for people security
|25 Jun 2009, 17:09||
f0dder 25 Jun 2009, 22:47
#1 - you're probably better off with an emulator like BOCHS or QEMU that are used by a lot of osdev people - vmware etc emply various optimization tricks that don't always work well with lowlevel code outside of supported OSes.
#2 - I'm talking about real dos, not a NTVDM or win9x dos box - if you want really raw access, go for a raw "OS", imho
#3 - how do you ensure allocated memory is available across all processes? Manually hack up the pagetables?
Anyway, if the project works for you, then good - I personally prefer the normal methods of ring0 on windows.
|25 Jun 2009, 22:47||
windwakr 26 Jun 2009, 02:10
I think you should include the License files for both debugview, FASM, and KMD manager.
Also, everytime I try to "stop" the driver my computer reboots, very annoying.
|26 Jun 2009, 02:10||
asmfan 26 Jun 2009, 09:47
So you just traced or you read somewhere on correct return from priveledged to unpriveledged via iretd? And what values exactly in these registers you use on return. Are they the same for each windoze? Sure?
|26 Jun 2009, 09:47||
|Goto page 1, 2, 3, 4 Next
< Last Thread | Next Thread >
Copyright © 1999-2023, Tomasz Grysztar. Also on GitHub, YouTube.
Website powered by rwasa.