flat assembler
Message board for the users of flat assembler.
Windows > NATIVE API INTERCEPTOR
Poll: Should I release drivers to create, modify or delete any IDT, GDT or LDT descriptors? (These drivers with source code may be dangerous in bad hands.)
Total votes: 17
Pirata Derek 26 Jun 2009, 11:49
Quote: #3 - how do you ensure allocated memory is available across all processes? Manually hack up the pagetables?

Yes, it's one of my next jobs:
1) modify the gates, tasks and traps on IDT ( <---- current)
2) modify the TSS fields and TR
3) modify the GDT descriptors (after also LDT)
4) HARD: modify pool tags and physical page entries
5) HARD: modify parts of RAM and NT kernel
6) VERY VERY HARD: a way to discard NT kernel from RAM and load a new personal kernel (new small OS like menuet)

If I'm not in error, LDT should have the access settings to process memory.
Pirata Derek 26 Jun 2009, 12:34
Don't know why your system reboots on driver unload.
My system hasn't this problem (loading and unloading unlimited times). Maybe I should disable interrupts when hooking and unhooking sysenter! Can you report me the error status code and the register values displayed in the blue screen?

To show the blue screen and inhibit system reboots do these steps:
1) Right click on the Computer resources or My computer icon (I have it in Italian: Risorse del computer)
2) Go to Properties
3) Click the label "Advanced" (on top)
4) Push the vertical button number 3 (I don't know how the "Avvio e ripristino" button is called in English)
5) Uncheck the automatic reboot on system error
6) Apply the new settings
7) Reboot the system to save the new settings

From now on, if your system crashes it will not reboot but displays the blue screen with the information (CTRL+ALT+DEL to reboot). I'm going to release to you another source (tested on my PC before) without this bug. (I need the crash error details before.)
windwakr 26 Jun 2009, 13:33
Uh, ya... When I try to enable that I get an error about the alerter service being disabled, I try to enable that and get an error that its dependencies are disabled... so screw this, don't need all those dumb services running... But looking in event viewer I see this, could it help you? If not, then forget it. I'm not turning all that crap I turned off back on.
Code:
    Error code 100000d1, parameter1 f7eee279, parameter2 000000ff parameter3 00000000, parameter4 f7eee279.
f0dder 26 Jun 2009, 13:41
Quote: 6) VERY VERY HARD: a way to discard NT kernel from RAM and load a new personal kernel (new small OS like menuet)

Quote: If i'm not on error, LDT should have the access settings to processes memory
Pirata Derek 26 Jun 2009, 16:21
Yes, CR3 is saved in the Task State Segment of every process.
I tell you about LDT because it is (with GDT) the BASE of memory protection. Download the Intel Pentium programmer's manual (system programming) and see chapter 4 "Protection", "Limit checking".
Pirata Derek 26 Jun 2009, 16:29
Windwakr:
Your problem is that Driver IRQL is not less or equal. It happens when the kernel tries to access paged memory with its IRQL too high. I'll make these modifications to GKP:
1) Disabling interrupts when hooking
2) Make the whole driver not pageable
Tomorrow I'll leave the new release of GKP (tested on my PC).
Last edited by Pirata Derek on 27 Jun 2009, 12:41; edited 1 time in total
f0dder 26 Jun 2009, 16:50
Quote: Yes, CR3 is saved in the Task State Segment of every processes.

Quote: I tell you about LDT because it is (with GDT) the BASE of Memory protection
Pirata Derek 27 Jun 2009, 12:30
I TOLD THAT IT IS THE HARDWARE TASK-SWITCH THAT USES THE TSS AUTOMATICALLY
FOR EVERY TASK IN WINDOWS!
f0dder, you should read this DOCUMENT before you post or reply. From: "Intel Programmers Manual" Volume 3: "System Programming", Chapter 6: "Task Management"
_ "A task is a unit of work that a processor can dispatch, execute, and suspend"
_ "The IA-32 architecture provides a mechanism for saving the state of a task, for dispatching tasks for execution, and for switching from one task to another."
_ "A task is made up of two parts: a task execution space and a task-state segment (TSS)"
_ "Prior to dispatching a task, all of these items are contained in the task's TSS, except the state of the task register. Also, the complete contents of the LDTR register are not contained in the TSS, only the segment selector for the LDT."
_ "Software or the processor can dispatch a task for execution in one of the following ways:
  • A explicit call to a task with the CALL instruction.
  • A explicit jump to a task with the JMP instruction.
  • An implicit call (by the processor) to an interrupt-handler task.
  • An implicit call to an exception-handler task.
  • A return (initiated with an IRET instruction) when the NT flag in the EFLAGS register is set."
_ "The processor state information needed to restore a task is saved in a system segment called the task-state segment (TSS)."
_ "CR3 control register field: Contains the base physical address of the page directory to be used by the task. Control register CR3 is also known as the page-directory base register (PDBR)."
_ "The page-directory base register (CR3) also is reloaded on a task switch, allowing each task to have its own set of page tables."

Does your processor have the multi-tasking feature? If not then you are right, else to let your last post stand you should:
1) Drop your current PC and get another with the mono-tasking feature.
2) Say "stupids, your processors don't use TSS" to the processor builder corporations
3) Stop your posts
4) Prove your statements to me with some documents or others
Last edited by Pirata Derek on 27 Jun 2009, 13:10; edited 1 time in total
Pirata Derek 27 Jun 2009, 12:39
Yesterday I assembled the modified version of GKP for you.
There are 2 modifications:
1) All sections are NOT PAGEABLE, so the system doesn't need to access the paged area with its IRQL.
2) Inserted CLI and afterwards STI to let the driver change MSR_SYSENTER_EIP without any interrupt.
If the problem isn't resolved tell me.
f0dder 27 Jun 2009, 14:46
Pirata Derek: trust me, Windows doesn't use TSS for context switching; like most OSes it does manual register loading since it's faster. And iirc in x64 mode you can't use TSS-based task switching anyway.
But even though TSS isn't used for context switches, you must set one up anyway - iirc this is required to handle ring switches (forgot the specifics, last time I touched my kernel.asm was back in 2001).
windwakr 27 Jun 2009, 16:13
Results are pretty much the same as before; after loading the driver the program only successfully finishes (reaches the second messagebox) about 50% of the time. When I try stopping the driver it's still a 50/50 chance to reboot.
Pirata Derek 28 Jun 2009, 10:48
f0dder:
You are telling me different things than other people do. Who should I believe? Please, send me or post the detailed method you think Windows does a TASK SWITCH with.
Last edited by Pirata Derek on 28 Jun 2009, 11:18; edited 1 time in total
Pirata Derek 28 Jun 2009, 11:18
I can't understand why GKP behaves so badly.
Two months ago my system had the same problem when installing some audio drivers. After the install finished, the blue screen of death displayed the error "Driver not less or equal" every time! Then I decided to reinstall Windows from the CD and during reinstallation the system told me: "There is a driver trying to damage the system!" AH! F***ing driver! I formatted the whole hard disk and after that there were no problems. One month later, during a web search, my firewall (ZoneAlarm) displayed the warning: "SVCHOST is loading the driver: ..... (I don't remember the path name)". I analyzed this driver with IDA and I've seen this is a virus driver (because in some strings there was the "HACK" word). I deleted it. Maybe some drivers (rootkits) interfere with normal system work...
f0dder 28 Jun 2009, 16:14
The Intel document shows you how to do TSS-based context switching, but it doesn't say you have to use this method - and as already mentioned, most OSes don't use TSS for context switching because it's slow (check some osdev resources), and it doesn't handle the full context anyway (fpu, xmm).
I don't have a disassembly of KiSwapContext lying around right now, and can't remember if the symbol is publicly exported from the kernel. I'll try loading up a 32bit XP virtual machine when I get home from work and see if I can produce a relevant disassembly listing for you.
PS: I'm not saying that TSS isn't used at all in the system, just that it's not used for context switches.
asmfan 28 Jun 2009, 17:00
Pirata Derek
I asked about some code from your first posts:
Code:
    FastUserReturn:
        pushd 23h   ; SS     (ring-3 data selector)
        pushd ecx   ; ESP
        push ebx    ; EFLAGS
        pushd 1bh   ; CS     (ring-3 code selector)
        push eax    ; EIP
        iretd       ; pops EIP, CS, EFLAGS, ESP, SS and returns to ring 3
cuz I just hadn't noticed you set them in advance in the test program. Then another thing - why did you decide to use iretd? Isn't sysexit for "symmetry" the best? And what happens if the source selector is different from code? Suppose DEP disabled. Then what is the result of such processing in interception?
Pirata Derek 29 Jun 2009, 12:36
Yes it's true: why doesn't my GKP use sysexit in the FastUserReturn function?
I used sysexit but when debugging (kernel-mode) the Syser debugger showed me that after sysexit the eflags remain unchanged!!! And sometimes the system crashes when an exception occurs in the test program. Sysexit creates some problems for me. Iretd does the same (return to user-mode) better; also you can decide the return EIP, the CS, the eflags, the ESP and the SS, but with sysexit only ESP and EIP (ecx, edx).

The return to usermode library function with sysexit:
Code:
    FastUserReturn:
        pop edx                 ; the USER-MODE return EIP for sysexit
        mov ecx,[usermode_esp]  ; the USER-MODE esp for sysexit
        sysexit

The caller test program (example of exception):
Code:
        ... ; some code ...
        invoke RelaseIOPL   ; call the FastUserReturn in library
        nop
        xor edi,edi         ; make an access violation exception (example)
        stosb               ; <---- the system crashes here
        ...

Check how the NT kernel does the return to user-mode...

Selector different from code... Program code or system code? Post me some example so I can answer you. The CPU always makes an RPL check on the destination segments on privilege change. For example if destination CS RPL is 2 but destination IOPL (EFLAGS) is 3 there is a GP fault. If destination CS RPL = 3 but destination IOPL = 0 there is nothing.
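Added example (C, written for this page; not code from the thread or from GKP) of the selector checks IRETD performs on a frame laid out the way the FastUserReturn snippet above pushes it, which is what decides between a clean return to ring 3 and a #GP fault. The user EIP/ESP/EFLAGS values and the ring-0 selectors 08h/10h in the sample frames are constructed.

```c
#include <stdint.h>

/* The five dwords IRETD pops when returning to a less privileged level, named
   here in the order the FastUserReturn snippet pushes them (SS, ESP, EFLAGS,
   CS, EIP), so that EIP ends up on top of the stack. */
typedef struct { uint32_t ss, esp, eflags, cs, eip; } iret_frame_t;

enum { IRET_OK, IRET_SAME_LEVEL, IRET_GP_CS, IRET_GP_SS };

/* Selector-level checks the CPU applies to an IRETD frame executed at
   privilege level `cpl` (0 inside a driver).  Descriptor checks (present bit,
   code DPL consistent with RPL, SS being writable data) are not modelled. */
int iret_frame_check(const iret_frame_t *f, int cpl)
{
    int cs_rpl = f->cs & 3, ss_rpl = f->ss & 3;
    if (cs_rpl < cpl)     return IRET_GP_CS;      /* #GP(CS): no return to a more privileged level */
    if (cs_rpl == cpl)    return IRET_SAME_LEVEL; /* no stack switch: SS and ESP are not popped */
    if (ss_rpl != cs_rpl) return IRET_GP_SS;      /* #GP(SS): new SS RPL must equal the new CPL */
    return IRET_OK;
}

/* Constructed frames: the snippet's own selectors (SS=23h, CS=1bh) with a
   made-up user EIP/ESP, then the same frame with a ring-0 SS, then a ring-0 CS. */
const iret_frame_t FRAME_RING3       = {0x23, 0x0012ff80, 0x202, 0x1b, 0x00401000};
const iret_frame_t FRAME_SS_MISMATCH = {0x10, 0x0012ff80, 0x202, 0x1b, 0x00401000};
const iret_frame_t FRAME_CS_RING0    = {0x08, 0x0012ff80, 0x202, 0x08, 0x00401000};
```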
Japheth 29 Jun 2009, 16:11
Pirata Derek wrote: f0dder:
I'd say: believe f0dder! As a proof - not 100%, but 99% - that there's no TSS based task-switching in Windows see this little prog:
Code:
    .386
    .MODEL FLAT
    printf proto c :ptr BYTE, :VARARG
    .CONST
    szHello db 10,"TR=%X",10,0
    .CODE
    main proc c
    @@:
        str ax                  ; store the task register selector
        movzx eax, ax           ; zero-extend so the upper half of eax is defined
        invoke printf, addr szHello, eax
        jmp @B
    main endp
    END
If you launch this console program multiple times you'll see that the value 1) doesn't change and 2) is the same in all windows you started, which is an indication that WinXP doesn't change the value of TR for task switches. The source is Masm syntax, don't try with Fasm!
LocoDelAssembly 29 Jun 2009, 16:25
Code:
    format pe console
    include 'win32ax.inc'

    .printTR:
        str ax
        movzx eax, ax
        cinvoke printf, <"TR=%X (Press Ctrl+C to kill this program)", 10, 0>, eax
        jmp .printTR

    align 4 ; Just to be safe

    data import
        library msvcrt,'msvcrt.dll'
        import msvcrt,\
               printf, 'printf'
    end data
Pirata Derek 29 Jun 2009, 17:57
Store Task Register instruction
Description: Stores the segment selector from the task register (TR) in the destination operand. The destination operand can be a general-purpose register or a memory location. The segment selector stored with this instruction points to the task state segment (TSS) for the currently running task.

The examples display only the TR of their current process!

P.S. Why don't you (all) install a kernel debugger and then analyze the IDT, GDT and LDT? You will find some task gates with different TR selectors... use my GKP and execute a call into these gates (the CPU must execute a task switch). I'm going to create a task gate that points to my driver and it automatically shows me if the TR is different before and after calling the task gate (driver linked). I'll post the results.
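To make sense of what a kernel debugger dumps when you analyze the IDT, GDT and LDT as suggested above, here is an added example (C, written for this page; not code from the thread or from GKP) that decodes raw 8-byte descriptors and tells task gates, interrupt/trap gates and TSS or segment entries apart, which is also how one spots an unexpected gate whose selector or handler address points outside the kernel. The three sample entries, including TSS selector 0x50 and handler address 0x8053a000, are constructed rather than dumped from a machine.

```c
#include <stdint.h>
#include <string.h>
/* Decoded view of one 8-byte IA-32 descriptor (GDT, LDT or IDT entry). */
typedef struct {
    int present, dpl, type;     /* P bit, DPL 0..3, 4-bit type field      */
    int is_gate;                /* task, call, interrupt or trap gate     */
    uint16_t selector;          /* gates: target TSS or code selector     */
    uint32_t offset;            /* call/interrupt/trap gates: handler EIP */
    uint32_t base, limit;       /* segments, TSS, LDT: base and byte limit */
    const char *kind;
} desc_t;
/* Names for the system (S=0) descriptor types seen in 32-bit Windows tables. */
static const char *const SYSTEM_KIND[16] = {
    [0x2] = "LDT", [0x5] = "task gate", [0x9] = "32-bit TSS (available)",
    [0xB] = "32-bit TSS (busy)", [0xC] = "32-bit call gate",
    [0xE] = "32-bit interrupt gate", [0xF] = "32-bit trap gate",
};
/* Decode raw[0..7] exactly as the CPU lays the fields out (little-endian). */
desc_t decode_descriptor(const uint8_t raw[8])
{
    desc_t d;
    memset(&d, 0, sizeof d);
    uint32_t lo = raw[0] | raw[1] << 8 | raw[2] << 16 | (uint32_t)raw[3] << 24;
    uint32_t hi = raw[4] | raw[5] << 8 | raw[6] << 16 | (uint32_t)raw[7] << 24;
    unsigned access = (hi >> 8) & 0xff;     /* byte 5: P | DPL | S | type */
    d.present = access >> 7; d.dpl = (access >> 5) & 3; d.type = access & 0xf;
    if (access & 0x10) {                    /* S=1: ordinary code/data segment */
        d.kind = (d.type & 8) ? "code segment" : "data segment";
    } else {
        d.kind = SYSTEM_KIND[d.type] ? SYSTEM_KIND[d.type] : "other system descriptor";
        d.is_gate = d.type == 0x5 || d.type == 0xC || d.type == 0xE || d.type == 0xF;
    }
    if (d.is_gate) {
        d.selector = lo >> 16;              /* bytes 2-3 */
        if (d.type != 0x5)                  /* a task gate carries no offset */
            d.offset = (lo & 0xffff) | (hi & 0xffff0000);
    } else {
        d.base  = (lo >> 16) | ((hi & 0xff) << 16) | (hi & 0xff000000);
        d.limit = (lo & 0xffff) | (hi & 0x000f0000);
        if (hi & 0x00800000)                /* G=1: limit is in 4 KiB pages */
            d.limit = (d.limit << 12) | 0xfff;
    }
    return d;
}
/* Constructed sample entries (not dumped from a real machine): a flat ring-3 code
   segment, a DPL0 task gate to TSS selector 0x50, a DPL0 interrupt gate to 08:8053a000. */
const uint8_t SAMPLE_CODE_SEG[8]  = {0xff,0xff,0x00,0x00,0x00,0xfa,0xcf,0x00};
const uint8_t SAMPLE_TASK_GATE[8] = {0x00,0x00,0x50,0x00,0x00,0x85,0x00,0x00};
const uint8_t SAMPLE_INT_GATE[8]  = {0x00,0xa0,0x08,0x00,0x00,0x8e,0x53,0x80};
```

A task gate's selector names the TSS the CPU will switch to, so comparing it against the TSS selectors present in the GDT is the quick consistency check when reading a dumped IDT.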
Copyright © 1999-2025, Tomasz Grysztar.