flat assembler
Message board for the users of flat assembler.

Thread: NATIVE API INTERCEPTOR (Windows forum)

Poll: Should I release drivers to create, modify or delete any IDT, GDT or LDT descriptors? (these drivers with source code may be dangerous in bad hands)
- Yes, let programmers know the methods: 76% [ 13 ]
- No, for security reasons: 11% [ 2 ]
- I don't know: 11% [ 2 ]
Total votes: 17

Pirata Derek
Joined: 31 Oct 2008
Posts: 259
Location: Italy
Pirata Derek 23 Jun 2009, 10:48
A way to hook all system calls on the Windows XP kernel

I'm trying to make a simple way to let all user programs get kernel privileges....

I hate the I/O privileged instruction restriction because I'm building the HAL of my own operating system (NAXOS) and I can only test it in a virtual machine.
I don't agree with this condition, so I started my project against the Windows kernel.


This is the start of my project (packages)

Who can help me to continue the studies?

- How to modify GDT descriptors
- How to edit call gates in the IDT
- Next studies: do the same things on the Linux kernel


Attachment: Hook system call.zip (407.37 KB, downloaded 675 times)
Description: Hook any sysenter system call, source with test programs



Last edited by Pirata Derek on 25 Jul 2009, 14:15; edited 6 times in total
Pirata Derek 23 Jun 2009, 11:53
This is a modification of the previous program (Hook Sysenter) that has the
"Fast User Return" function after intercepting the system call.

The previous program didn't have the capability to dispatch the system call return;
in fact it left execution to the kernel.


Code:
FastUserReturn:
    pushd 23h     ; selector for user-mode SS
    pushd ecx     ; user-mode stack pointer
    pushd ebx     ; user-mode EFLAGS
    pushd 1Bh     ; selector for user-mode CS
    pushd eax     ; user-mode EIP (return address)
    iretd         ; return to user mode


Attachment: Return from kernel mode.zip (120.83 KB, downloaded 618 times)
Description: fast return to user mode (from kernel mode), source with test programs



Last edited by Pirata Derek on 23 Jun 2009, 14:17; edited 5 times in total
Pirata Derek 23 Jun 2009, 12:48
This is an example of direct driver communication using a hooked system call.

There are two modules:

1) The driver, which hooks any sysenter system call and analyzes them to intercept a driver communication call.

2) The library, which makes the direct communication (sends a command code); the driver executes the received command code.

I should implement more functionality....


Attachment: comunication with driver.zip (123.99 KB, downloaded 613 times)
Description: modules and sources for direct driver communication



Last edited by Pirata Derek on 23 Jun 2009, 14:08; edited 2 times in total
Pirata Derek 23 Jun 2009, 12:56
I'm developing some methods to give ALL KERNEL PRIVILEGES to any program using:

- Dispatch by hooking driver
- Building special IDT gates that return to the calling application
- Modifying the calling Task State Segment
- etc...


Last edited by Pirata Derek on 23 Jun 2009, 14:18; edited 1 time in total
asmcoder
Joined: 02 Jun 2008
Posts: 784
asmcoder 23 Jun 2009, 13:44
[content deleted]


Last edited by asmcoder on 14 Aug 2009, 14:50; edited 1 time in total
Pirata Derek 23 Jun 2009, 13:54
To use SMP (symmetric multi-processing) you need an operating system that supports the advantage of multiple processors.

SEE: http://en.wikipedia.org/wiki/Symmetric_multiprocessing
(Advantages and disadvantages)

Now I've implemented the function for a standard mono-processor
( 1 processor --> 1 core --> 1 MSR --> or not? )
If you give me some time, when I finish my current project I'll study how to make the same also for SMP


Just a moment

Writing and executing good code in kernel mode (and testing)
is not simple.
Do you know how many times drivers under test crashed my system?

I've spent weeks to finish the drivers you can see in my topic
(without the help of any programmer or manual, just the FASM user guide and some internet research)
Pirata Derek 25 Jun 2009, 07:48
Resolved the problem related to the crash on testing (debugging).
When ESP is changed from kernel mode to user mode it sometimes causes a system crash...

(I've seen it using SYSER KERNEL DEBUGGER)
Code:
Kernel_mode_dispatcher:          ; hooked by driver
    or edx,edx
    jz @F
    jmp dword [nt_kernel_gate]
@@: mov esp,edi                  ; <------------ CRASH!
    ret

NOTE: EDI points to the user-mode calling program's return EIP on the stack
[EDI] = return to caller (offset)


Last edited by Pirata Derek on 25 Jun 2009, 09:42; edited 5 times in total
Pirata Derek 25 Jun 2009, 09:16
WITH THIS PROGRAM I RESOLVED AND FINISHED THE FIRST PART OF MY PROJECT AGAINST THE NT KERNEL

The package below contains the first (I think) way to give kernel privileges to any program...

WARNING:
After a program goes from user-mode to kernel-mode, DON'T EXECUTE ANY SYSENTER INSTRUCTIONS!!
The sysenter instruction in kernel-mode will refer to the GDT null descriptor and then cause a machine crash!
You must use INT 2Eh or return to user-mode

HAVE PHUN IN "DIRECT" SYSTEM PROGRAMMING!
For any questions about the kernel and drivers, or about preventing errors (crashes) in Ring0, contact me.

To respect my missing girlfriend, people who use my GKP sources
MUST NOT DELETE the dedication of my project to her.

THANKS

For the corrected version of GKP go HERE


Attachment: Get Kernel Privileges.zip (121.99 KB, downloaded 671 times)
Description: Sources and test programs (FUNCTIONAL) of the
G.K.P. by Pirata [PHOENIX] Derek L.S.
"The PHOENIX projects 2009", 1st part



Last edited by Pirata Derek on 27 Jun 2009, 13:34; edited 6 times in total
Pirata Derek 25 Jun 2009, 09:20
The source of the G.K.P. library that requests the privileges from the GKP driver
Code:
; Get Kernel Privilege Library
;-----------------------------
; By Pirata [PHOENIX] Derek L.S.
; 18th June 2009 - ITALY
; For gentle concession by The PHOENIX's Projects 2009

; Dedicated to my loved IRENE

Format PE GUI 5.0 DLL
include 'Flat32\win32a.inc'
entry DllStart

section '.code' code readable executable

proc DllStart DllHandle,Reason,Reserved ; DLL entry point
     mov eax,TRUE
     ret
endp

GetPrivilege:
    pop ebx                   ; user-mode caller return EIP
    mov [usermode_esp],esp    ; user-mode caller ESP
    pushfd                    ; user-mode caller EFLAGS
    popd [usermode_eflags]
    xor edx,edx               ; EDX = 0 lets the driver intercept this call
    sysenter                  ; enter the driver's hooked system call handler

RelasePrivilege:
    pop esi                   ; return EIP of the caller
    pushd 23h                 ; user-mode stack segment selector
    pushd [usermode_esp]
    pushd [usermode_eflags]
    pushd 1Bh                 ; user-mode code segment selector
    push esi
    iretd                     ; return to user-mode

section '.data' export readable writeable

export 'GKPL.dll',\           ; EXPORT THESE BEAUTIFUL FUNCTIONS!!
   GetPrivilege,'GetPrivilege',\
   RelasePrivilege,'RelasePrivilege'

usermode_esp rd 1
usermode_eflags rd 1

section '.reloc' fixups discardable


Last edited by Pirata Derek on 25 Jun 2009, 10:26; edited 2 times in total
Pirata Derek 25 Jun 2009, 09:27
This is the source code (corrected) of the G.K.P. hook driver that gives the kernel privileges.
You must load it before using the GKP library (see above).
Code:
; Get Kernel Privilege Driver - not pageable
;-----------------------------
; By Pirata [PHOENIX] Derek L.S.
; 17th June 2009 - ITALY
; For gentle concession by The PHOENIX's Projects 2009

; Dedicated to my loved IRENE

Format PE native at 10000h
include 'flat32\win32a.inc'
entry DriverEntry

section '.code' code readable executable notpageable

proc DriverEntry DriverObject,RegistryPath
  .store:                             ; save the original SYSENTER target
        cli
        mov ecx,176h                  ; MSR 176h = IA32_SYSENTER_EIP
        rdmsr
        mov [old_sys_eip],eax
  .modify:                            ; point the MSR at our handler
        mov ecx,176h
        mov eax,HookedSystemCall
        xor edx,edx
        wrmsr
  .dispatch:                          ; register the unload routine
        mov eax,[DriverObject]
        mov dword [eax+UNLOAD],DriverUnload
        mov eax,STATUS_SUCCESS
        sti
        ret
endp

proc DriverUnload DriverObject
  .restore:                           ; put the original SYSENTER target back
        cli
        mov ecx,176h
        mov eax,[old_sys_eip]
        xor edx,edx
        wrmsr
        sti
        ret
endp

HookedSystemCall:
        or edx,edx                    ; EDX = 0 marks a GKP request
        jz @F
        jmp dword [old_sys_eip]       ; otherwise pass to the NT handler
    @@: jmp dword esi

section '.data' data readable writeable notpageable

STATUS_SUCCESS = 0
STATUS_UNSUCCESSFUL = 0C0000001h
UNLOAD = 52                           ; offset of DriverUnload in DRIVER_OBJECT

old_sys_eip dd ?

section '.reloc' fixups notpageable

section '.rsrc' resource notpageable

directory RT_VERSION,versions

resource versions,\
         1,LANG_NEUTRAL,version

versioninfo version,VOS_WINDOWS32,VFT_APP,VFT2_UNKNOWN,LANG_ITALIAN+SUBLANG_DEFAULT,0,\
   'FileDescription','Get Kernel Privilege Driver (N.P.)',\
   'LegalCopyright','The Phoenix ® 2009',\
   'FileVersion','1.2.0',\
   'ProductVersion','27th June 2009',\
   'OriginalFilename','GKPD-NT.sys for Windows XP',\
   'Autore','Pirata Derek L.S. for his loved Irene'

To download the program, see the posts above...


Last edited by Pirata Derek on 27 Jun 2009, 13:45; edited 4 times in total
r22
Joined: 27 Dec 2004
Posts: 805
r22 25 Jun 2009, 13:31
Minimal code, maximum result.

Its simplicity is impressive.

Good job, I wonder if a Win64 version would be a simple port.
f0dder
Joined: 19 Feb 2004
Posts: 3175
Location: Denmark
f0dder 25 Jun 2009, 13:44
r22 wrote:
Minimal code, maximum result.
But imho not very useful, since calling kernel mode functions is more bother than doing it from a driver. Not to mention that it introduces a gaping security hole on the system.

r22 wrote:
Good job, I wonder if Win64 version would be a simple port.
It won't be, since win-x64 PatchGuard watches over the LSTAR MSR.
Pirata Derek 25 Jun 2009, 15:18
f0dder, you think it's not useful? Bah...
Maybe you forget one IMPORTANT utility of this program....

KERNEL DRIVERS WORK ONLY IN KERNEL-MODE, BUT MY PROGRAMS CAN WORK IN USER-MODE AND ALSO IN KERNEL-MODE by requesting privileges from my driver.

For example:
1) I can get a process handle in user-mode and afterwards I can kill this program by erasing its bytes in RAM in kernel-mode...
2) I can spy on the operations of a user (in user-mode) and then lock or prohibit some accesses in kernel-mode.
3) I can display a dialog with some functions for hardware management and execute the user-requested function in kernel-mode
4) ........ THE LIST OF OPERATIONS IS TOOOOOOOOOO LOOOOOOONG!

If I want I can make a program that scans ALL THE RAM in kernel-mode searching for arrays of bytes (like virus signatures) and then erases all the found matches.... like an ANTI-RESIDENT-VIRUS.

NOW, IS IT NOT USEFUL?


Last edited by Pirata Derek on 25 Jun 2009, 15:33; edited 1 time in total
r22 25 Jun 2009, 15:33
Security is irrelevant, it's a hack to allow Ring0 code without having to write the functionality into drivers.

This is perfect for home-made peripheral testing or for people that want to learn more about Ring0 restricted opcodes/instructions, BUT aren't comfortable with driver programming.
Pirata Derek 25 Jun 2009, 15:39
Yes, r22, it's irrelevant;
it was only an example of the power a program has when it can run at the privilege level it wants...
f0dder 25 Jun 2009, 16:12
No, I don't see it as terribly useful.

For messing around with hardware devices, you can only do the simplest of operations (port banging), since there's no reliable way to set up an ISR in user mode. You're better off with a dedicated DOS testing machine (or a proper driver).

It's not useful for "prototyping" a real driver, since you can't call the standard kernel routines (well, you can, but it's going to be more work than doing it from a regular driver).

For learning about privileged coding, again I believe a dedicated DOS testing machine (or a VM) is better, since you have full control that way, and can mess with timers, IRQ handlers etc. without having to play by Windows' rules.

For poking around kernel memory and doing some simplistic prototypes, it saves a short amount of time compared to adding unload+reload of a driver to your test procedure. But don't we already have the physicalmemory virtual device?
Pirata Derek 25 Jun 2009, 17:09
1) All the virtual machines I've used can't execute the privileged instructions (MS Virtual PC, VirtualBox, etc...)
They always crash when I execute for example the LIDT instruction (see virtual mode in the Intel architecture manuals)

2) When executing a virtual-mode interrupt, the processor returns to protected mode to complete its ISR
(so it is only a long way to execute the same thing), but with GKP you do it in protected-mode directly.

3) With the support of the GKP I'm creating programs that modify ISRs, interrupts, gates and everything about GDT and IDT descriptors
(I'm getting good results, I'll send them to you if you want)

4) During tests I've seen that some physical memory locations (in protected-mode) are locked from writing
because they are linked to GDT or LDT descriptor field settings like R/W...

IMAGINE ON THE PHYSICAL MEMORY VIRTUAL DEVICE:
HOW MANY RESTRICTIONS WILL THERE BE?!?!

nooooo..... Now if I can't use the virtual machines, I feel better. I hate them for the reasons above (and many more)

I AGREE ABOUT THE "TERRIBLE USE" MY PROJECT HAS!
I'll create a way to disable the GKP IMMEDIATELY for people's security
f0dder 25 Jun 2009, 22:47
#1 - you're probably better off with an emulator like BOCHS or QEMU that are used by a lot of osdev people - VMware etc. employ various optimization tricks that don't always work well with low-level code outside of supported OSes.

#2 - I'm talking about real DOS, not an NTVDM or win9x DOS box - if you want really raw access, go for a raw "OS", imho

#3 - how do you ensure allocated memory is available across all processes? Manually hack up the page tables?

Anyway, if the project works for you, then good - I personally prefer the normal methods of ring0 on Windows.
windwakr
Joined: 30 Jun 2004
Posts: 827
windwakr 26 Jun 2009, 02:10
I think you should include the license files for debugview, FASM, and KMD manager.

Also, every time I try to "stop" the driver my computer reboots, very annoying.
asmfan
Joined: 11 Aug 2006
Posts: 392
Location: Russian
asmfan 26 Jun 2009, 09:47
So did you just trace it, or did you read somewhere about the correct return from privileged to unprivileged mode via iretd? And what values exactly do you use in these registers on return? Are they the same for each windoze? Sure?