flat assembler
Message board for the users of flat assembler.

Index > Windows > NATIVE API INTERCEPTOR (last pages)


Poll: Should I release drivers to create, modify or delete any IDT, GDT or LDT descriptors? (these drivers with source code may be dangerous in bad hands)
Yes, let programmers know the methods: 76% [ 13 ]
No, for security reasons: 11% [ 2 ]
I don't know: 11% [ 2 ]
Total Votes: 17

Pirata Derek (Joined: 31 Oct 2008, Posts: 259, Location: Italy)
Asmfan:
I use the Syser Kernel Debugger to find bugs in GKP.
IRET uses this stack information to execute a privilege level change.
Check the GKP library source (page 1).

5) user-mode SS (23h is the most used by programs)
4) user-mode ESP (saved beforehand by the GKP library)
3) user-mode EFLAGS (saved beforehand by the GKP library)
2) user-mode CS (1Bh is the most used by programs)
1) user-mode EIP (provided by popping after the invoke to the library)


This is the format of the IRET stack when the IOPL is less privileged after IRET execution.
For the same privilege, IRET needs only numbers 3, 2, 1.
Sometimes exceptions or NMI also insert the ERROR CODE into the IRET stack (after number 1).
It is a rule because the instruction fetching and execution is done by the CPU.
Only if you have a different or non-standard CPU is it not the same.
Google for the IRET instruction.


Last edited by Pirata Derek on 26 Jun 2009, 13:01; edited 5 times in total
Post 26 Jun 2009, 11:33
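The five-entry IRET stack layout in the post above, as an added C model that is not code from the thread or from the GKP library: it decodes the 23h and 1Bh selectors into index, table and RPL, lays the frame out in push order for both the privilege-change and the same-level case, and applies the selector checks the processor performs before IRETD completes (a CS RPL below CPL, or an SS RPL different from the CS RPL on a return to an outer ring, is #GP). The EIP and ESP values are constructed; nothing here executes IRETD, it only models the frame a ring-0 stub would build and the reason a wrong selector pair faults instead of returning.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* A segment selector: bits 0-1 RPL, bit 2 TI (0 = GDT, 1 = LDT), bits 3-15 index. */
typedef struct {
    uint16_t index;
    bool     ldt;
    uint8_t  rpl;
} selector_fields;

selector_fields decode_selector(uint16_t sel)
{
    selector_fields f;
    f.index = (uint16_t)(sel >> 3);
    f.ldt   = (sel >> 2) & 1;
    f.rpl   = (uint8_t)(sel & 3);
    return f;
}

/* The five values the post lists, numbered 1..5 from the top of the stack. */
typedef struct {
    uint32_t eip;     /* 1) user-mode EIP    */
    uint32_t cs;      /* 2) user-mode CS     */
    uint32_t eflags;  /* 3) user-mode EFLAGS */
    uint32_t esp;     /* 4) user-mode ESP    */
    uint32_t ss;      /* 5) user-mode SS     */
} iret_frame;

/* Lays the frame out in push order (SS first, EIP last), which is the order a
 * ring-0 stub pushes it before IRETD. For a same-privilege return only EFLAGS,
 * CS and EIP are pushed. Returns the number of dwords written. An exception
 * that pushes an error code leaves it above EIP; the handler must pop it before
 * IRETD, so it never appears in this frame. */
size_t build_iret_frame(const iret_frame *fr, bool privilege_change, uint32_t out[5])
{
    size_t n = 0;
    if (privilege_change) {
        out[n++] = fr->ss;
        out[n++] = fr->esp;
    }
    out[n++] = fr->eflags;
    out[n++] = fr->cs;
    out[n++] = fr->eip;
    return n;
}

enum { FRAME_OK = 0, FRAME_GP_CS, FRAME_SAME_LEVEL, FRAME_GP_SS };

/* Checks the frame's selectors the way the processor does when IRETD runs at
 * privilege level cpl: a CS RPL below CPL is #GP (no return to a more
 * privileged ring), CS RPL equal to CPL is a same-level return that uses only
 * the three top entries, and a return to an outer ring needs SS RPL == CS RPL. */
int check_iret_frame(const iret_frame *fr, uint8_t cpl)
{
    uint8_t cs_rpl = decode_selector((uint16_t)fr->cs).rpl;
    uint8_t ss_rpl = decode_selector((uint16_t)fr->ss).rpl;
    if (cs_rpl < cpl)     return FRAME_GP_CS;
    if (cs_rpl == cpl)    return FRAME_SAME_LEVEL;
    if (ss_rpl != cs_rpl) return FRAME_GP_SS;
    return FRAME_OK;
}

int main(void)
{
    /* Constructed sample frame using the selectors the thread names (23h, 1Bh);
     * the EIP/ESP values are arbitrary user-mode addresses. */
    iret_frame fr = { 0x00401000u, 0x1Bu, 0x00000202u, 0x0012FF80u, 0x23u };
    uint32_t words[5];
    size_t n = build_iret_frame(&fr, true, words);

    for (size_t i = 0; i < n; i++)
        printf("push %08X\n", (unsigned)words[i]);
    printf("check at CPL 0: %d (0 = ok)\n", check_iret_frame(&fr, 0));

    selector_fields cs = decode_selector(0x1B), ss = decode_selector(0x23);
    printf("CS 1Bh: index %u, %s, RPL %u\n", (unsigned)cs.index, cs.ldt ? "LDT" : "GDT", (unsigned)cs.rpl);
    printf("SS 23h: index %u, %s, RPL %u\n", (unsigned)ss.index, ss.ldt ? "LDT" : "GDT", (unsigned)ss.rpl);
    return 0;
}
```

Any C99 compiler builds it; running it prints the five pushes in order, the check result, and shows that 1Bh and 23h are GDT entries 3 and 4 with RPL 3, which is why they pass the outer-ring check together while a ring-0 SS such as 10h paired with CS 1Bh would not.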
Pirata Derek (Joined: 31 Oct 2008, Posts: 259, Location: Italy)
Quote:
#3 - how do you ensure allocated memory is available across all processes? Manually hack up the pagetables?

Yes, it's one of my next jobs:
1) modify the gates, tasks and traps on the IDT ( <---- current)
2) modify the TSS fields and TR
3) modify the GDT descriptors (afterwards also the LDT)
4) HARD: modify pool tags and physical page entries
5) HARD: modify parts of RAM and the NT kernel
6) VERY VERY HARD: a way to discard the NT kernel from RAM and load a new personal kernel (a new small OS like menuet)

If I'm not mistaken, the LDT should have the access settings for process memory
Post 26 Jun 2009, 11:49
Pirata Derek (Joined: 31 Oct 2008, Posts: 259, Location: Italy)
Don't know why your system reboots on driver unload :(
My system doesn't have this problem (loading and unloading unlimited times).
Maybe I should disable interrupts when hooking and unhooking sysenter!

Can you report to me the error status code and the register values displayed in the blue screen?

To show the blue screen and inhibit system reboots do these steps:
1) Right click on the Computer resources or My Computer icon (I have it in Italian: Risorse del computer)
2) Go to Properties
3) Click the "Advanced" tab (on top)
4) Push the third vertical button (I don't know what the "Avvio e ripristino" button is called in English)
5) Uncheck the automatic reboot on system error
6) Apply the new settings
7) Reboot the system to save the new settings

From now on, if your system crashes it will not reboot but display the blue screen with the information (CTRL+ALT+DEL to reboot). ;)
I'm going to release to you another source (tested on my PC before) without this bug.
(I need the crash error details first.)
Post 26 Jun 2009, 12:34
windwakr (Joined: 30 Jun 2004, Posts: 827, Location: Michigan, USA)
Uh, ya.... When I try to enable that I get an error that the alerter service is disabled; I try to enable that and get an error that its dependencies are disabled... so screw this, I don't need all those dumb services running... But looking in the event viewer I see this, could it help you? If not, then forget it. I'm not turning all that crap I turned off back on.

Code:
Error code 100000d1, parameter1 f7eee279, parameter2 000000ff
parameter3 00000000, parameter4 f7eee279.
Post 26 Jun 2009, 13:33
f0dder (Joined: 19 Feb 2004, Posts: 3170, Location: Denmark)
Quote:
6) VERY VERY HARD: a way to discard the NT kernel from RAM and load a new personal kernel (a new small OS like menuet)
I wouldn't even attempt this - there's way too much hardware initialization that you'd have to "undo".

Quote:
If I'm not mistaken, the LDT should have the access settings for process memory
LDT means just about nothing in this regard; you have to do some heavy pagetable manipulation (remember that CR3 is a per-process field; can't remember if it's part of the thread context, but it should only change per process).
Post 26 Jun 2009, 13:41
Pirata Derek (Joined: 31 Oct 2008, Posts: 259, Location: Italy)
Yes, CR3 is saved in the Task State Segment of every process.

I tell you about the LDT because it is (with the GDT) the BASE of memory protection.
Download the Intel Pentium programmer's manual (system programming) and see chapter 4 "Protection", section "Limit checking".
Post 26 Jun 2009, 16:21
Pirata Derek (Joined: 31 Oct 2008, Posts: 259, Location: Italy)
Windwakr:
Your problem is that "Driver IRQL is not less or equal".
It happens when the kernel tries to access paged memory with its IRQL too high.

I'll make these modifications to GKP:
1) Disable interrupts when hooking
2) Make the whole driver not pageable

Tomorrow I'll leave the new release of GKP (tested on my PC).


Last edited by Pirata Derek on 27 Jun 2009, 12:41; edited 1 time in total
Post 26 Jun 2009, 16:29
f0dder (Joined: 19 Feb 2004, Posts: 3170, Location: Denmark)
Quote:
Yes, CR3 is saved in the Task State Segment of every process.
Windows doesn't use the TSS for its context switches.

Quote:
I tell you about the LDT because it is (with the GDT) the BASE of memory protection
I know about the GDT and LDT, but those aren't used much in Windows, because of the flat memory space - all usermode processes use the same descriptors, and protection is handled through paging.
Post 26 Jun 2009, 16:50
Pirata Derek (Joined: 31 Oct 2008, Posts: 259, Location: Italy)
I TOLD YOU THAT IT IS THE HARDWARE TASK SWITCH THAT USES THE TSS AUTOMATICALLY
FOR EVERY TASK IN WINDOWS!

f0dder, you should read this DOCUMENT before posting or replying

From: "Intel Programmers Manual"
Volume 3: "System Programming"
Chapter 6: "Task Management"


_ "A task is a unit of work that a processor can dispatch, execute, and suspend"
_ "The IA-32 architecture provides a mechanism for saving the state of a task, for dispatching tasks for execution, and for switching from one task to another."
_ "A task is made up of two parts: a task execution space and a task-state segment (TSS)"
_ "Prior to dispatching a task, all of these items are contained in the task’s TSS, except the state of the task register. Also, the complete contents of the LDTR register are not contained in the TSS,
only the segment selector for the LDT."
_ "Software or the processor can dispatch a task for execution in one of the following ways:
• A explicit call to a task with the CALL instruction.
• A explicit jump to a task with the JMP instruction.
• An implicit call (by the processor) to an interrupt-handler task.
• An implicit call to an exception-handler task.
• A return (initiated with an IRET instruction) when the NT flag in the EFLAGS register is
set."

_ "The processor state information needed to restore a task is saved in a system segment called the task-state segment (TSS)."
_ "CR3 control register field: Contains the base physical address of the page directory to be used by the task. Control register CR3 is also known as the page-directory base register (PDBR)."
_ "The page-directory baseregister (CR3) also is reloaded on a task switch, allowing each task to have its own set of page tables."


Does your processor have the multi-tasking feature?
If not then you are right; otherwise, to let your last post stand, you should:


1) Drop your current PC and get another with the mono-tasking feature.
2) Say "stupids, your processors don't use the TSS" to the processor builder corporations
3) Stop your posts
4) Prove your statements to me with some documents or other


Last edited by Pirata Derek on 27 Jun 2009, 13:10; edited 1 time in total
Post 27 Jun 2009, 12:30
Pirata Derek (Joined: 31 Oct 2008, Posts: 259, Location: Italy)
Yesterday I assembled the modified version of GKP for you.
There are 2 modifications:

1) All sections are NOT PAGEABLE, so the system doesn't need to access the paged area with its IRQL.
2) Inserted CLI and afterwards STI to let the driver change MSR_SYSENTER_EIP without any interrupt.

If the problem isn't resolved tell me.


Attachment: GKP source corrected (by Pirata Derek L.S.)
Filename: Get kernel privilege (Not Pageable).zip
Filesize: 123.99 KB
Downloaded: 190 Time(s)

Post 27 Jun 2009, 12:39
f0dder (Joined: 19 Feb 2004, Posts: 3170, Location: Denmark)
Pirata Derek: trust me, Windows doesn't use the TSS for context switching; like most OSes it does manual register loading since it's faster. And iirc in x64 mode you can't use TSS-based task switching anyway.

But even though the TSS isn't used for context switches, you must set one up anyway - iirc this is required to handle ring switches (forgot the specifics, the last time I touched my kernel.asm was back in 2001).
Post 27 Jun 2009, 14:46
windwakr (Joined: 30 Jun 2004, Posts: 827, Location: Michigan, USA)
Results are pretty much the same as before: after loading the driver the program only successfully finishes (reaches the second messagebox) about 50% of the time. When I try stopping the driver it's still a 50/50 chance to reboot.
Post 27 Jun 2009, 16:13
Pirata Derek (Joined: 31 Oct 2008, Posts: 259, Location: Italy)
f0dder:
You are telling me different things than other people do.
Who should I believe?

Please send me or post the detailed method by which you think Windows does the TASK SWITCH.


Last edited by Pirata Derek on 28 Jun 2009, 11:18; edited 1 time in total
Post 28 Jun 2009, 10:48
Pirata Derek (Joined: 31 Oct 2008, Posts: 259, Location: Italy)
I can't understand why GKP behaves so badly.

2 months ago my system had the same problem when installing some audio drivers.
After the install finished, the blue screen of death displayed the error "Driver not less or equal" every time!
Then I decided to reinstall Windows from the CD and during reinstallation the system told me:
"There is a driver trying to damage the system!"
AH! F***ing driver!
I formatted the whole hard disk and afterwards there were no problems.

1 month later, during a web search, my firewall (Zone Alarm) displayed the warning: "SVCHOST is loading the driver: ..... (I don't remember the path name)"
I analyzed this driver with IDA and I saw that it is a virus driver (because some strings contained the word "HACK").
I deleted it.


Maybe some drivers (rootkits) interfere with normal system work...
Post 28 Jun 2009, 11:18
f0dder (Joined: 19 Feb 2004, Posts: 3170, Location: Denmark)
The Intel document shows you how to do TSS-based context switching, but it doesn't say you have to use this method - and as already mentioned, most OSes don't use the TSS for context switching because it's slow (check some osdev resources), and it doesn't handle the full context anyway (fpu, xmm).

I don't have a disassembly of KiSwapContext lying around right now, and can't remember if the symbol is publicly exported from the kernel. I'll try loading up a 32-bit XP virtual machine when I get home from work and see if I can produce a relevant disassembly listing for you :)

PS: I'm not saying that the TSS isn't used at all in the system, just that it's not used for context switches.
Post 28 Jun 2009, 16:14
asmfan (Joined: 11 Aug 2006, Posts: 392, Location: Russia)
Pirata Derek
I asked about some code from your first posts:
Code:
 FastUserReturn: pushd 23h
                 pushd ecx
                 push ebx
                 pushd 1bh
                 push eax
                 iretd

because I just hadn't noticed you set them in advance in the test program.

Then another thing: why did you decide to use iretd? Isn't sysexit the best for "symmetry"?
And what happens if the source selector is different from the code one? Suppose DEP is disabled. Then what is the result of such processing in the interception?

Post 28 Jun 2009, 17:00
Pirata Derek (Joined: 31 Oct 2008, Posts: 259, Location: Italy)
Yes, it's true: why doesn't my GKP use sysexit in the FastUserReturn function?

I used sysexit, but when debugging (kernel-mode) the Syser debugger showed me that after sysexit the eflags remain unchanged!!!
And sometimes the system crashes when an exception occurs in the test program.

Sysexit creates some problems for me.
Iretd does the same (return to user-mode) better: you can also decide the return EIP, the CS, the eflags, the ESP and the SS, but with sysexit only the ESP and EIP (ecx, edx).

The return-to-usermode library function with sysexit
Code:
FastUserReturn:
     pop edx                ; the USER-MODE return EIP for sysexit
     mov ecx,[usermode_esp] ; the USER-MODE esp for sysexit
     sysexit

The caller test program (example of exception):
Code:
     ...    ; some code
     ...
     invoke RelaseIOPL   ; call the FastUserReturn in library
     nop
     xor edi,edi         ; make an access violation exception (example)
     stosb               ; <---- the system crashes here
     ...

Check how the NT kernel returns to user-mode...

Selector different from code... program code or system code?
Post me some example so I can answer you.

The CPU always makes an RPL check on the destination segments on a privilege change.
For example, if the destination CS RPL is 2 but the destination IOPL (EFLAGS) is 3 there is a GP fault.
If the destination CS RPL = 3 but the destination IOPL = 0 there is nothing.
Post 29 Jun 2009, 12:36
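The sysexit/iretd difference described in the post above, as an added C model that is not code from the thread or from the GKP library, of what each instruction restores in 32-bit mode: sysexit takes only EIP and ESP from EDX/ECX, derives CS and SS from the IA32_SYSENTER_CS value (08h assumed here, which yields the 1Bh/23h pair the thread uses) and leaves EFLAGS exactly as it was, while iretd loads all five frame entries and performs the RPL checks. All register values are constructed, the frame is given in pop order, and the model assumes the return happens at CPL 0 so every EFLAGS bit is loaded. It shows why a ring-0 stub that returns with sysexit after SYSENTER cleared IF hands user mode a state with interrupts still disabled unless the stub ran STI itself.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define EFLAGS_IF 0x00000200u

/* The part of the register state that the two return paths touch. */
typedef struct {
    uint32_t eip, esp, eflags;
    uint16_t cs, ss;
    uint8_t  cpl;
} cpu_state;

/* SYSEXIT in 32-bit mode: EIP <- EDX, ESP <- ECX, CS <- (SYSENTER_CS + 16) | 3,
 * SS <- (SYSENTER_CS + 24) | 3, CPL <- 3. EFLAGS is left exactly as it was,
 * so whatever SYSENTER cleared (IF) stays cleared unless the kernel ran STI. */
cpu_state model_sysexit(cpu_state k, uint32_t edx, uint32_t ecx, uint16_t sysenter_cs)
{
    cpu_state u = k;
    u.eip = edx;
    u.esp = ecx;
    u.cs  = (uint16_t)((sysenter_cs + 16) | 3);
    u.ss  = (uint16_t)((sysenter_cs + 24) | 3);
    u.cpl = 3;
    return u;
}

/* IRETD with the frame in pop order: EIP, CS, EFLAGS, ESP, SS. Returns false
 * where the processor would raise #GP: CS RPL below the current CPL, or, on a
 * return to an outer ring, SS RPL different from CS RPL. A same-level return
 * (CS RPL == CPL) consumes only the first three entries. Assumes CPL 0 so the
 * whole EFLAGS image (IOPL and IF included) is loaded from the frame. */
bool model_iretd(cpu_state k, const uint32_t frame[5], cpu_state *out)
{
    uint8_t cs_rpl = (uint8_t)(frame[1] & 3);
    if (cs_rpl < k.cpl)
        return false;
    cpu_state u = k;
    u.eip    = frame[0];
    u.cs     = (uint16_t)frame[1];
    u.eflags = frame[2];
    if (cs_rpl > k.cpl) {
        if ((frame[4] & 3) != cs_rpl)
            return false;
        u.esp = frame[3];
        u.ss  = (uint16_t)frame[4];
        u.cpl = cs_rpl;
    }
    *out = u;
    return true;
}

/* True when a user-mode state was reached with interrupts still disabled. */
bool returned_with_if_clear(const cpu_state *s)
{
    return s->cpl == 3 && (s->eflags & EFLAGS_IF) == 0;
}

int main(void)
{
    /* Constructed kernel state right after SYSENTER: IF cleared, ring 0,
     * CS = 08h and SS = 10h as on the thread's Windows XP target. */
    cpu_state k = { 0x80400000u, 0xF7000000u, 0x00000002u, 0x08u, 0x10u, 0 };

    cpu_state a = model_sysexit(k, 0x00401000u, 0x0012FF80u, 0x08u);
    printf("sysexit: CS=%02X SS=%02X EFLAGS=%08X IF %s\n", a.cs, a.ss,
           (unsigned)a.eflags, returned_with_if_clear(&a) ? "clear" : "set");

    uint32_t frame[5] = { 0x00401000u, 0x1Bu, 0x00000202u, 0x0012FF80u, 0x23u };
    cpu_state b;
    if (model_iretd(k, frame, &b))
        printf("iretd:   CS=%02X SS=%02X EFLAGS=%08X IF %s\n", b.cs, b.ss,
               (unsigned)b.eflags, returned_with_if_clear(&b) ? "clear" : "set");
    return 0;
}
```

Both paths land on the same CS/SS pair; the difference is that only the iretd frame carries an EFLAGS image, which is the behaviour the Syser observation in the post describes.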
Japheth (Joined: 26 Oct 2004, Posts: 151)
Pirata Derek wrote:
f0dder:
You are telling me different things than other people do.
Who should I believe?


I'd say: believe f0dder!

As a proof - not 100%, but 99% - that there's no TSS-based task switching in Windows, see this little prog:

Code:
        .386
        .MODEL FLAT
printf proto c :ptr BYTE, :VARARG
        .CONST
szHello  db 10,"TR=%X",10,0
        .CODE
main proc c
@@:
    str ax
    invoke  printf, addr szHello, eax
    jmp @B
main endp

        END


If you launch this console program multiple times you'll see that the value

1) doesn't change and
2) is the same in all windows you started,

which is an indication that WinXP doesn't change the value of TR for task switches.

The source is MASM syntax, don't try it with fasm!
Post 29 Jun 2009, 16:11
LocoDelAssembly (Joined: 06 May 2005, Posts: 4633, Location: Argentina)
Subject: Your code has a bug
Code:
format pe console
include 'win32ax.inc'

.printTR:
  str     ax
  movzx   eax, ax
  cinvoke printf, <"TR=%X (Press Ctrl+C to kill this program)", 10, 0>, eax
  jmp     .printTR

align 4 ; Just to be safe
data import
  library msvcrt,'msvcrt.dll'

  import msvcrt,\
         printf, 'printf'
end data
:)
Post 29 Jun 2009, 16:25
Pirata Derek (Joined: 31 Oct 2008, Posts: 259, Location: Italy)
Store Task Register instruction

Description:
Stores the segment selector from the task register (TR) in the destination operand. The destination operand can be a general-purpose register or a memory location. The segment selector stored with this instruction points to the task state segment (TSS) for the currently running task.

The examples display only the TR of their current process!

P.S. Why don't you (all) install a kernel debugger and then analyze the IDT, GDT and LDT?
You will find some task gates with different TR selectors...
Use my GKP and execute a call into these gates (the CPU must execute a task switch).

I'm going to create a task gate that points to my driver and it will automatically show me if the TR is different before and after calling the task gate (driver linked).

I'll post the results ;)
Post 29 Jun 2009, 17:57
Copyright © 1999-2020, Tomasz Grysztar. Also on YouTube, Twitter.
