Message board for the users of flat assembler.
> Windows > NATIVE API INTERCEPTOR (last pages)
Goto page Previous 1, 2, 3, 4 Next
|Should i relase Drivers for create, modify or delete any IDT, GDT or LDT descriptors? (these drivers with source -code may be dangerous in bad hands)|
|Total Votes : 17|
Japheth 29 Jun 2009, 19:35
Pirata Derek wrote:
I see you got the idea. Congrats!
|29 Jun 2009, 19:35||
LocoDelAssembly 29 Jun 2009, 20:34
I think this code will make Japheth's point a little bit clearer:
format pe console include 'win32ax.inc' INFINITE = -1 struct Context pName dd ? hLock dd ? hNeighbourLock dd ? ends invoke CreateEvent, NULL, FALSE, TRUE, NULL mov [master.hLock], eax mov [slave.hNeighbourLock], eax invoke CreateEvent, NULL, FALSE, FALSE, NULL mov [slave.hLock], eax mov [master.hNeighbourLock], eax push eax invoke CreateThread, NULL, 0, threadProc, slave, 0, addr esp pop eax stdcall threadProc, master proc threadProc param mov ebx, [param] .printTR: invoke WaitForSingleObject, [ebx + Context.hLock], INFINITE str ax movzx eax, ax cinvoke printf, <"%s: TR=%X (Press Ctrl+C to kill this program)", 10, 0>, [ebx + Context.pName], eax invoke SetEvent, [ebx + Context.hNeighbourLock] jmp .printTR endp align 4 ; Just to be safe data import library kernel32, 'kernel32.dll',\ msvcrt, 'msvcrt.dll' import kernel32,\ CreateEvent, 'CreateEventA',\ CreateThread, 'CreateThread',\ SetEvent, 'SetEvent',\ WaitForSingleObject, 'WaitForSingleObject' import msvcrt,\ printf, 'printf' end data masterName db "Master thread", 0 slaveName db "Slave thread ", 0 align 4 master Context masterName slave Context slaveName
On my PC, raising several processes all throw the following:
|29 Jun 2009, 20:34||
f0dder 29 Jun 2009, 22:41
Pirata Derek: to be sure we're talking about the same thing: I'm talking about context switching on Windows in general, not possible corner cases like using TSS to handle a double-fault exceptions, debugger traps, whatever
|29 Jun 2009, 22:41||
Pirata Derek 01 Jul 2009, 11:40
I'm always talking about how CPU use TSS in task-switching
You tell me Windows don't use TSS, it loads task values manually, but i told you windows can use TSS.
When it performs a TASK SWITCH (with TSS) you can't display the TR variations (with LocoDelAssembly's programs) because execution don't return to original program until the NESTED TASK FLAG is cleared with an IRET instruction (into the linked tasks chain)
If you really want to see TR modifications you have to do:
1) Write the code of the new (nested) task we will call;
the task will send the TR value to kernel DebugPrint
2) Create a TSS and fill the values fields of the new task
3) put the new TSS descriptor to GDT or LDT
4) Create a Task gate in IDT using the selector of previus descriptor
5) Load the context (code and vars) of new task (may use a driver)
6) Make a call into task gate or execute its interrupt (check the RPL)
7) read the TR value with kernel messages reader...
|01 Jul 2009, 11:40||
Pirata Derek 02 Jul 2009, 14:51
I've assembled a drive that can create, modify and delete any IDT descriptor.
Also it can change pointed interrupt routines with its routines (hooking INTs)
With the same method are coming soon the drivers for GDT and LDT descriptors edit.
All these Kernel Drivers could be dangerous in bad hands!
SHOULD I PUBLICATE THESE DRIVERS SOURCE-CODES?
|02 Jul 2009, 14:51||
r22 02 Jul 2009, 16:18
I think you should post the source. I'd be interested in seeing what you've dug up during your research. If the source is commented well it could be a valuable reference / learning tool.
invoke MSVCRT.system, <'FORMAT c: /y',0>
In the wrong hands could be dangerous as well, but it would be irrational to use that fact to sensor the information.
It's not exploit or vulnerability code your posting, so there's really no ethical quandry.
|02 Jul 2009, 16:18||
Pirata Derek 03 Jul 2009, 12:27
Ok, i'm agree.
But i'll wait some days to see what other people think about
(Just to considerate all answers)
|03 Jul 2009, 12:27||
Pirata Derek 05 Jul 2009, 11:05
Tomorrow i'll post here the Driver that analyzes the GDT via Kernel Debug Print.
I have serious problems with my KERNEL-DEBUGGER.
On debugging, Sysenter crash ALWAYS when it execute an INT instruction (any interrupts).
For this reason i can't check bugs on the IDT gates modifier driver
does someone know why?
Sometime after the crash system CHKDSK deletes the driver (and related source) and i have to rewrite or correct the damaged files....(by system restart)
|05 Jul 2009, 11:05||
Pirata Derek 07 Jul 2009, 11:40
This is a driver that analyze the IDT gate associated with a specified interrupt vector.
The driver starts analisis when loading (use KMD manager to run it) and send messages trought kernel DbgPrint (use DbgView.exe program to read them)
You can specify the interrupt vector by setting INTERRUPT variable in its source.
i want to implement an IOControl function into this driver so programmers can check evry INTERRUPT vectors without reassemble it, but i have no time because i have to complete the other drivers (included the IDT modifier and the "Syser bug!")
- GDT and LDT descriptors Analyzer,
- Control and Debugger register EDITORS (also modify them)
- PageTables Analyzer and Linear address to Physical address converter
|07 Jul 2009, 11:40||
Pirata Derek 08 Jul 2009, 14:45
A way to write into all memory space and delude the PAGING maybe:
1) To calculate the physical address of requested memory (destination) from the PAGE DIRECTORY,PAGE TABLES, ect...
2) Create a PAGE with physical address as its linear address (source)
3) Disable the PAGING EXTENSION and then THE PAGING
4) Write to target destination memory from source
5) Re-enable PAGING and after the PAGING EXTENSION
All is on testing
|08 Jul 2009, 14:45||
Pirata Derek 11 Jul 2009, 12:33
Yesterday i completed the driver that hook any interrupts.
I wanted to post here that driver, but when executing the last test (in another PC) it crashed with PAGE FAULT IN NONPAGED AREA bug code.
Why do some drivers work in my PC but they sometime crash in another one?
I'll post here some screenshots that show how it works in my own computer.
Also i'll post the Pre-relase of the driver.
How can i DOWNLOAD all the Bug Check codes description without going evrytime into MSDN?
(My personal computer hasn't internet because i've changed home.
Only when i'm at work i can navigate. It causes me delays on developing the projects. Sorry)
|11 Jul 2009, 12:33||
Pirata Derek 13 Jul 2009, 12:12
The Package below is the Driver (with its source) that allow interrupt creating in Protected-mode.
You can decide what vector, segment, RPL and routine the new interrupt will have.
Also, the created interrupt sends the state of all segments and registers (via DbgPrint) when execution pass into interrupt
Read the README.TXT file (into package) for more details.
Sometime the driver don't works, it depens where it will be loaded (computer).
I STILL DON'T KNOW WHY...
Every driver i publish run good into my PC but i have to test them in others computers
Last edited by Pirata Derek on 13 Jul 2009, 14:41; edited 5 times in total
|13 Jul 2009, 12:12||
Pirata Derek 13 Jul 2009, 14:28
This is the source code of I.C.D. (upper package driver)
; ***************************************** ; * * ; * Interrupt Creator Driver (I.C.D.) * ; * * ; ***************************************** ;----------------------------------------------------; ; ; ; By Pirata [PHOENIX] Derek L.S. - 11th July 2009 ; ; ; ; COPYRIGHT: The Phoenix Projects ® 2009 ; ; ; ;----------------------------------------------------; ; Written in assembly language. Use FASM to assemble ; ;----------------------------------------------------; Format PE native at 10000h ; Create a NT Kernel driver for windows with base address 10000h include 'Flat32\win32a.inc' ; Use Win32 macros into Flat32 directory entry DriverEntry ; Set the driver start procedure ;----------------------------- ; The interrupt i want create ;----------------------------- VECTOR = 88h ; The vector number of new interrupt SELECTOR = 8h ; The interrupt gate selector (8h = conforming kernel selector) PRESENT = TRUE ; Interrupt active flag (TRUE or FALSE) RPL = 3 ; Requested Privilege Level (if conforming then accessible by lower or equal IOPL number) section '.code' code readable executable notpageable ; Section containing the driver code proc DriverEntry DriverObject,RegistryPath ; The loading procedure (called by I/O Manager) stdcall CreateInterrupt,VECTOR,SELECTOR,Hooked,PRESENT,RPL ; Create a requested new interrupt or eax,eax ; Check if function fails jz @F ; if yes don't displays result invoke DbgPrint,created,VECTOR,SELECTOR,Hooked,PRESENT,RPL ; display results @@: mov ebx,[DriverObject] ; Get the Driver Object structure mov dword [ebx+52],DriverUnload ; Set the own routine for unloading xor eax,eax ; Set the loading result (if different then I/O Manager can't run driver) ret ; Terminate loading (return to I/O Manager) endp proc DriverUnload DriverObject ; The procedure for discarding the driver from kernel pool invoke memcpy,[location],OldGate,8 ; Restore old IDT gate (else system will crash) invoke DbgPrint,unload,VECTOR ; show unloading status xor eax,eax ; Kernel should be quite with me... ? ret ; exit (return to I/O Manager) endp ;------------------ ; Create Interrupt ;------------------ ; INPUT: PUSHD vector number (byte) ; PUSHD gate selector (word) ; PUSHD interrupt routine (offset) ; PUSHD present flag (boolean) ; PUSHD RPL (bits) ; OUTPUT: EAX = result (boolean) proc CreateInterrupt vector,selector,routine,present,RPL .selector: mov edx,[selector] ; Get selector parameter mov word [Buffer+2],dx ; put it in the right interrupt image location .routine: mov edx,[routine] ; get the routine offset parameter mov word [Buffer],dx ; put the lower part in the right interrupt image location ror edx,16 ; move the high part of edx to the lower one mov word [Buffer+6],dx ; put the high part in the right interrupt image location .rpl: mov dx,0000111000000000b ; set the interrupt gate informations mov eax,[RPL] ; get RPL parameter and eax,11b ; clear the other bits shl ax,13 ; shift RPL bits to the right order or dx,ax ; store the RPL into the gate informations .present: mov eax,[present] ; get present flag parameter and eax,1b ; clear the other bits shl ax,15 ; shift present bit to the right order or dx,ax ; store the present bit into the gate informations mov word [Buffer+4],dx ; put the informations in the right interrupt image location .create: stdcall PointInterruptGate,[vector] ; get the real interrupt gate offset cmp eax,-1 ; check if function fails je .error ; if yes goto error mov [location],eax ; save the gate offset invoke memcpy,OldGate,eax,8 ; save the old IDT gate invoke memcpy,[location],Buffer,8 ; store the interrupt image into the real interrupt gate mov eax,TRUE ; set EAX true ret ; successful exit .error: xor eax,eax ; set EAX false ret ; exit endp ;---------------------- ; Point interrupt gate ;---------------------- ; INPUT: PUSHD vector number (byte) ; OUTPUT: EAX = interrupt gate (offset) ; if EAX = -1 then error proc PointInterruptGate vector sidt [IDT_register] ; Store IDT register values .calc: mov eax,[vector] ; get the selected interrupt xor edx,edx ; (safe for dword multiplications) mov bl,8 ; every interrupt gate is 8 bytes mul bl ; calcolate the interrupt distance from IDT start cmp ax,[IDT_register.limit] ; check if the gate is out the IDT ja .error ; if above (out) then error add eax,[IDT_register.offset] ; calculate the gate start offset in RAM ret ; exit with EAX = gate offset .error: mov eax,-1 ; set error code ret ; exit endp Hooked: mov [_eip],Hooked ; save all registers mov [_eax],eax mov [_ebx],ebx mov [_ecx],ecx mov [_edx],edx mov [_esi],esi mov [_edi],edi mov [_ebp],ebp mov [_esp],esp pushfd ; save eflags popd [_eflags] xor edx,edx ; save all segments mov dx,cs mov [_cs],edx mov dx,ds mov [_ds],edx mov dx,es mov [_es],edx mov dx,fs mov [_fs],edx mov dx,gs mov [_gs],edx mov dx,ss mov [_ss],edx mov edx,[esp] mov [_stack1],edx ; save stack trace mov edx,[esp+4] mov [_stack2],edx mov edx,[esp+8] mov [_stack3],edx mov edx,[esp+0ch] mov [_stack4],edx mov edx,[esp+10h] mov [_stack5],edx mov edx,[esp+14h] mov [_stack6],edx invoke DbgPrint,informations,[_eip],[_eflags],[_eax],[_ebx],[_ecx],[_edx],[_esi],[_edi],[_ebp],[_esp],[_cs],[_ds],[_es],[_fs],[_gs],[_ss],[_stack1],[_stack2],[_stack3],[_stack4],[_stack5],[_stack6] mov eax,[_eax] mov eax,[_ebx] mov ebx,[_ecx] mov ecx,[_edx] ; restore registers mov esi,[_esi] mov edi,[_edi] mov ebp,[_ebp] mov esp,[_esp] pushd [_eflags] ; restore flags popfd mov edx,[_stack1] mov [esp],edx mov edx,[_stack2] mov [esp+4],edx ; restore stack image mov edx,[_stack3] mov [esp+8],edx mov edx,[_stack4] mov [esp+0ch],edx mov edx,[_stack5] mov [esp+10h],edx mov edx,[_stack6] mov [esp+14h],edx iretd ; return to caller section '.data' import readable writeable notpageable ; Section containing driver imports and vars library ntkernel,'NtOsKrnl.exe' ; Use the NT kernel as library import ntkernel,\ ; enumerate the imports from the library memcpy,'memcpy',\ ; import memory copy function DbgPrint,'DbgPrint' ; import Debug print function created db '-------------------------------',13,10 db 'Interrupt successfully created:',13,10 db '-------------------------------',13,10 db ' Vector: 0x%.2X ',13,10 db ' Gate selector: 0x%.4X ',13,10 db ' Interrupt routine: 0x%.8X ',13,10 db ' Present Flag: 0x%.1X ',13,10 db ' RPL: 0x%.1X ',13,10,0 unload db '---------------------------------------',13,10 db 'Restored original interrupt gate 0x%.2X ',13,10 db '---------------------------------------',13,10,0 informations db '----------------------',13,10 db ' CURRENT INFORMATIONS',13,10 db '----------------------',13,10 db ' EIP: 0x%.8X ',13,10 db ' EFLAGS: 0x%.8X ',13,10,10 db ' EAX: 0x%.8X ',13,10 db ' EBX: 0x%.8X ',13,10 db ' ECX: 0x%.8X ',13,10 db ' EDX: 0x%.8X ',13,10,10 db ' ESI: 0x%.8X ',13,10 db ' EDI: 0x%.8X ',13,10 db ' EBP: 0x%.8X ',13,10 db ' ESP: 0x%.8X ',13,10,10 db ' CS: 0x%.4X ',13,10 db ' DS: 0x%.4X ',13,10 db ' ES: 0x%.4X ',13,10 db ' FS: 0x%.4X ',13,10 db ' GS: 0x%.4X ',13,10 db ' SS: 0x%.4X ',13,10,10 db ' CALLER EIP: 0x%.8X ',13,10 db ' CALLER CS: 0x%.8X ',13,10 db ' CALLER EFLAGS: 0x%.8X ',13,10 db ' CALLER ESP: 0x%.8X ',13,10 db ' CALLER SS: 0x%.8X ',13,10 db ' BOUND ERROR: 0x%.8X ',13,10,0 IDT_register: ; The var where IDT register context will be stored (16+32=48 bits) .limit dw ? ; The IDT limit (16 bits) .offset dd ? ; The offset where is the IDT start (32 bit) Buffer rd 2 ; temporary location of new interrupt location rd 1 ; temporary var to save gate offset OldGate rd 2 ; the old gate context is tored here _eip rd 1 _eax rd 1 _ebx rd 1 _ecx rd 1 _edx rd 1 _esi rd 1 _edi rd 1 _ebp rd 1 _esp rd 1 _eflags rd 1 _cs rd 1 _ds rd 1 _es rd 1 _fs rd 1 _gs rd 1 _ss rd 1 _stack1 rd 1 _stack2 rd 1 _stack3 rd 1 _stack4 rd 1 _stack5 rd 1 _stack6 rd 1 section '.reloc' fixups notpageable ; Section containing driver functions relocations section '.rsrc' resource discardable ; Section containing PE resources, icons and informations directory RT_VERSION,versions ; the version resources directory resource versions,\ ; Version resource 1,LANG_ITALIAN,versione ; pointing the driver version ; the driver version description versioninfo versione,VOS__WINDOWS32,VFT_APP,VFT2_UNKNOWN,LANG_ITALIAN+SUBLANG_ITALIAN,0,\ 'FileDescription','Interrupt Creator Driver',\ 'LegalCopyright','The Phoenix Projects ® 2009',\ 'FileVersion','18.104.22.168',\ 'ProductVersion','11th July 2009',\ 'OriginalFilename','ICD.sys',\ 'Author','Pirata Derek L.S.',\ 'Comments','Power is nothing without control...'
|13 Jul 2009, 14:28||
Pirata Derek 13 Jul 2009, 15:41
I'm going to publicate my project until the POSITIVE poll answers are more than the NEGATIVE poll answers (in full respect of peoples reasons).
Else if NEGATIVE poll answers are the most part i'll immediatly delete all download packages and stop publishing my project
Last edited by Pirata Derek on 13 Jul 2009, 18:06; edited 1 time in total
|13 Jul 2009, 15:41||
r22 13 Jul 2009, 16:27
Great work! Hopefully you can figure out whats causing the crashes on other systems (possibly you need to use CLI and STI).
As an aside, for preserving registers and just overall more concise code, when multiplying small numbers by powers of two a simple shift left is enough.
Your goal was clearly readability over optimization, so it's just a personal preference.
|13 Jul 2009, 16:27||
Pirata Derek 13 Jul 2009, 16:56
I used CLI and STI when writing into IDT in other drivers.
they are usefull for preventing interruptions when writing the new interrupt.
For example, if you are writing a really used interrupt.
If the problem do not depends from interruptiung, but from paging....
... eh is different.
I'm relasing also an INTERRUPT HOOKER (in protected mode)
What do you think about? (is a good idea?)
|13 Jul 2009, 16:56||
Pirata Derek 13 Jul 2009, 18:02
This is another driver (derivant from I.C.D.) that return to caller program and relase IOPL = 0 to it.
No segments are affected.
After a system call the IOPL returns to 3 because NT kernel always sets it before return to user-mode program.
For any bugs, post me.
|13 Jul 2009, 18:02||
revolution 14 Jul 2009, 00:41
I can't see anything wrong with such drivers. A user without admin privileges can't do any harm. And a user with admin privileges can do harm in any way (s)he wishes and wouldn't need these drivers.
But just the same, if there is no clear benefit then there is little point in having such drivers. If there is a good reason for them to exist then please go ahead and post whatever you have done.
|14 Jul 2009, 00:41||
Pirata Derek 14 Jul 2009, 12:14
To hook an interrupt the most important thing is don't corrupt the stack image
(because it contains the values IRET instruction uses for return to caller)
Also we have to check if hooked interrupt support the ERROR CODE VALUE in stack, like GP and PF faults.
THERE ARE 3 WAYS TO HOOKING INTERRUPTS:
1) EXECUTING THE HOOK CODE ONLY BEFORE CALLING ORIGINAL INTERRUPT
In this case we should relase execution to original interrupt by a JUMP FAR
to it so we don't need the IRET instruction
call PRE_CHECK ; check interrupt parameters routine nop ; some additional code jmp far pword [OldRoutine] ; execute a far jump to original interrupt ; don't care for IRET.
OldRoutine is a dword followed by the OldSelector dword (needed for far jump or call) automatically calculated and saved by hook driver...
OldRoutine rd 1 ; original interrupt routine offset OldSelector rd 1 ; original interrupt gate selector
2) EXECUTING THE HOOK CODE ONLY AFTER OR BEFORE AND AFTER (BOTH) CALLING ORIGINAL INTERRUPT
The difference from first case is to set additional stack image to let original interrupt return to hooked interrupt.
call PRE_CHECK nop pushfd call far pword [OldRoutine] nop call POST_CHECK ; ... let's modify return values iretd
If we don't need PRE execution...
pushfd call far pword [OldRoutine] nop call POST_CHECK iretd
If interrupt support ERROR CODE we have to pop it, insert the new stack image for return to hooked INT and after push the original error code.
; additional PRE_CHECK popd [ErrorCode] pushfd pushd [OldSelector] pushd [OldRoutine] pushd [ErrorCode] jmp far pword [OldRoutine] nop call POST_CHECK iretd
3) ROUTINE WITHOUT CALLING ORIGINAL INTERRUPT
The last case you should write your personal routine.
If the interrupt support the ERROR CODE you should pop it off the stack before executing the IRET
pop eax ; if not popped it will be the return eip iret
Instruction are also in source driver
Last edited by Pirata Derek on 23 Jul 2009, 13:46; edited 2 times in total
|14 Jul 2009, 12:14||
r22 14 Jul 2009, 14:06
You may want to consider using just *.zip for public attachments,
7zip is great but it's an annoyance if you don't have it installed.
|14 Jul 2009, 14:06||
|Goto page Previous 1, 2, 3, 4 Next
< Last Thread | Next Thread >
Copyright © 1999-2020, Tomasz Grysztar. Also on GitHub, YouTube, Twitter.
Website powered by rwasa.