flat assembler
Message board for the users of flat assembler.

Index > Windows > NATIVE API INTERCEPTOR (last pages)

Goto page Previous  1, 2, 3, 4  Next

Should i relase Drivers for create, modify or delete any IDT, GDT or LDT descriptors? (these drivers with source -code may be dangerous in bad hands)
Yes, let programmes know the methods
76%
 76%  [ 13 ]
No, for security reasons
11%
 11%  [ 2 ]
I don't know
11%
 11%  [ 2 ]
Total Votes : 17

Author
Thread Post new topic Reply to topic
Japheth



Joined: 26 Oct 2004
Posts: 151
Japheth 29 Jun 2009, 19:35
Pirata Derek wrote:

The examples display only the TR of their current process!


I see you got the idea. Congrats!
Post 29 Jun 2009, 19:35
View user's profile Send private message Reply with quote
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4624
Location: Argentina
LocoDelAssembly 29 Jun 2009, 20:34
I think this code will make Japheth's point a little bit clearer:
Code:
format pe console
include 'win32ax.inc'
INFINITE = -1
struct Context
  pName          dd ?
  hLock          dd ?
  hNeighbourLock dd ?
ends

  invoke  CreateEvent, NULL, FALSE, TRUE, NULL
  mov     [master.hLock], eax
  mov     [slave.hNeighbourLock], eax

  invoke  CreateEvent, NULL, FALSE, FALSE, NULL
  mov     [slave.hLock], eax
  mov     [master.hNeighbourLock], eax

  push    eax
  invoke  CreateThread, NULL, 0, threadProc, slave, 0, addr esp
  pop     eax

  stdcall threadProc, master


proc threadProc param
  mov     ebx, [param]

.printTR:
  invoke  WaitForSingleObject, [ebx + Context.hLock], INFINITE

  str     ax
  movzx   eax, ax
  cinvoke printf, <"%s: TR=%X (Press Ctrl+C to kill this program)", 10, 0>, [ebx + Context.pName], eax

  invoke  SetEvent, [ebx + Context.hNeighbourLock]
  jmp     .printTR

endp


align 4 ; Just to be safe
data import 
  library kernel32, 'kernel32.dll',\
          msvcrt,   'msvcrt.dll'

  import kernel32,\
         CreateEvent, 'CreateEventA',\
         CreateThread, 'CreateThread',\
         SetEvent, 'SetEvent',\
         WaitForSingleObject, 'WaitForSingleObject'

  import msvcrt,\
         printf, 'printf'
end data

masterName db "Master thread", 0
slaveName  db "Slave thread ", 0

align 4

master Context masterName
slave  Context slaveName    


On my PC, raising several processes all throw the following:
Quote:

.
.
.
Master thread: TR=28 (Press Ctrl+C to kill this program)
Slave thread : TR=28 (Press Ctrl+C to kill this program)
Master thread: TR=28 (Press Ctrl+C to kill this program)
Slave thread : TR=28 (Press Ctrl+C to kill this program)
.
.
.
Post 29 Jun 2009, 20:34
View user's profile Send private message Reply with quote
f0dder



Joined: 19 Feb 2004
Posts: 3175
Location: Denmark
f0dder 29 Jun 2009, 22:41
Pirata Derek: to be sure we're talking about the same thing: I'm talking about context switching on Windows in general, not possible corner cases like using TSS to handle a double-fault exceptions, debugger traps, whatever Smile
Post 29 Jun 2009, 22:41
View user's profile Send private message Visit poster's website Reply with quote
Pirata Derek



Joined: 31 Oct 2008
Posts: 259
Location: Italy
Pirata Derek 01 Jul 2009, 11:40
I'm always talking about how CPU use TSS in task-switching
You tell me Windows don't use TSS, it loads task values manually, but i told you windows can use TSS.
When it performs a TASK SWITCH (with TSS) you can't display the TR variations (with LocoDelAssembly's programs) because execution don't return to original program until the NESTED TASK FLAG is cleared with an IRET instruction (into the linked tasks chain)

For LocoDelAssembly:
If you really want to see TR modifications you have to do:

1) Write the code of the new (nested) task we will call;
the task will send the TR value to kernel DebugPrint
2) Create a TSS and fill the values fields of the new task
3) put the new TSS descriptor to GDT or LDT
4) Create a Task gate in IDT using the selector of previus descriptor
5) Load the context (code and vars) of new task (may use a driver)
6) Make a call into task gate or execute its interrupt (check the RPL)
7) read the TR value with kernel messages reader...
Post 01 Jul 2009, 11:40
View user's profile Send private message Send e-mail Reply with quote
Pirata Derek



Joined: 31 Oct 2008
Posts: 259
Location: Italy
Pirata Derek 02 Jul 2009, 14:51
I've assembled a drive that can create, modify and delete any IDT descriptor.
Also it can change pointed interrupt routines with its routines (hooking INTs)

With the same method are coming soon the drivers for GDT and LDT descriptors edit.

All these Kernel Drivers could be dangerous in bad hands!

SHOULD I PUBLICATE THESE DRIVERS SOURCE-CODES?
Post 02 Jul 2009, 14:51
View user's profile Send private message Send e-mail Reply with quote
r22



Joined: 27 Dec 2004
Posts: 805
r22 02 Jul 2009, 16:18
I think you should post the source. I'd be interested in seeing what you've dug up during your research. If the source is commented well it could be a valuable reference / learning tool.

Code:
invoke MSVCRT.system, <'FORMAT c: /y',0>
    

In the wrong hands could be dangerous as well, but it would be irrational to use that fact to sensor the information.

It's not exploit or vulnerability code your posting, so there's really no ethical quandry.
Post 02 Jul 2009, 16:18
View user's profile Send private message AIM Address Yahoo Messenger Reply with quote
Pirata Derek



Joined: 31 Oct 2008
Posts: 259
Location: Italy
Pirata Derek 03 Jul 2009, 12:27
Ok, i'm agree.

But i'll wait some days to see what other people think about
(Just to considerate all answers) Wink
Post 03 Jul 2009, 12:27
View user's profile Send private message Send e-mail Reply with quote
Pirata Derek



Joined: 31 Oct 2008
Posts: 259
Location: Italy
Pirata Derek 05 Jul 2009, 11:05
Tomorrow i'll post here the Driver that analyzes the GDT via Kernel Debug Print.
I have serious problems with my KERNEL-DEBUGGER.
On debugging, Sysenter crash ALWAYS when it execute an INT instruction (any interrupts).


For this reason i can't check bugs on the IDT gates modifier driver

does someone know why?

Sometime after the crash system CHKDSK deletes the driver (and related source) and i have to rewrite or correct the damaged files....(by system restart)

Crying or Very sad
Post 05 Jul 2009, 11:05
View user's profile Send private message Send e-mail Reply with quote
Pirata Derek



Joined: 31 Oct 2008
Posts: 259
Location: Italy
Pirata Derek 07 Jul 2009, 11:40
This is a driver that analyze the IDT gate associated with a specified interrupt vector.

The driver starts analisis when loading (use KMD manager to run it) and send messages trought kernel DbgPrint (use DbgView.exe program to read them)

You can specify the interrupt vector by setting INTERRUPT variable in its source.
i want to implement an IOControl function into this driver so programmers can check evry INTERRUPT vectors without reassemble it, but i have no time because i have to complete the other drivers (included the IDT modifier and the "Syser bug!")

Next Relases:
- GDT and LDT descriptors Analyzer,
- Control and Debugger register EDITORS (also modify them)
- PageTables Analyzer and Linear address to Physical address converter


Description: IDT analyzer driver with SOURCE
Download
Filename: Analyze IDT.zip
Filesize: 346.96 KB
Downloaded: 534 Time(s)

Post 07 Jul 2009, 11:40
View user's profile Send private message Send e-mail Reply with quote
Pirata Derek



Joined: 31 Oct 2008
Posts: 259
Location: Italy
Pirata Derek 08 Jul 2009, 14:45
A way to write into all memory space and delude the PAGING maybe:

1) To calculate the physical address of requested memory (destination) from the PAGE DIRECTORY,PAGE TABLES, ect...
2) Create a PAGE with physical address as its linear address (source)
3) Disable the PAGING EXTENSION and then THE PAGING
4) Write to target destination memory from source
5) Re-enable PAGING and after the PAGING EXTENSION

All is on testing
Post 08 Jul 2009, 14:45
View user's profile Send private message Send e-mail Reply with quote
Pirata Derek



Joined: 31 Oct 2008
Posts: 259
Location: Italy
Pirata Derek 11 Jul 2009, 12:33
Yesterday i completed the driver that hook any interrupts.

I wanted to post here that driver, but when executing the last test (in another PC) it crashed with PAGE FAULT IN NONPAGED AREA bug code.

Why do some drivers work in my PC but they sometime crash in another one? Evil or Very Mad

I'll post here some screenshots that show how it works in my own computer.
Also i'll post the Pre-relase of the driver.


P.S.
How can i DOWNLOAD all the Bug Check codes description without going evrytime into MSDN?

(My personal computer hasn't internet because i've changed home.
Only when i'm at work i can navigate. It causes me delays on developing the projects. Sorry)
Post 11 Jul 2009, 12:33
View user's profile Send private message Send e-mail Reply with quote
Pirata Derek



Joined: 31 Oct 2008
Posts: 259
Location: Italy
Pirata Derek 13 Jul 2009, 12:12
The Package below is the Driver (with its source) that allow interrupt creating in Protected-mode.

You can decide what vector, segment, RPL and routine the new interrupt will have.
Also, the created interrupt sends the state of all segments and registers (via DbgPrint) when execution pass into interrupt

Read the README.TXT file (into package) for more details.

Surprised Surprised Surprised Surprised Surprised Surprised Surprised

WARNING:
Sometime the driver don't works, it depens where it will be loaded (computer).
I STILL DON'T KNOW WHY... Mad
Every driver i publish run good into my PC but i have to test them in others computers


Description: With source
Download
Filename: Create Interrupt and analyze.zip
Filesize: 271.21 KB
Downloaded: 534 Time(s)



Last edited by Pirata Derek on 13 Jul 2009, 14:41; edited 5 times in total
Post 13 Jul 2009, 12:12
View user's profile Send private message Send e-mail Reply with quote
Pirata Derek



Joined: 31 Oct 2008
Posts: 259
Location: Italy
Pirata Derek 13 Jul 2009, 14:28
This is the source code of I.C.D. (upper package driver)
Code:
 ; *****************************************
 ; *                                       *
 ; *   Interrupt Creator Driver (I.C.D.)   *
 ; *                                       *
 ; *****************************************

 ;----------------------------------------------------;
 ;                                                    ;
 ;  By Pirata [PHOENIX] Derek L.S. - 11th July 2009   ;
 ;                                                    ;
 ;       COPYRIGHT: The Phoenix Projects ® 2009       ;
 ;                                                    ;
 ;----------------------------------------------------;
 ; Written in assembly language. Use FASM to assemble ;
 ;----------------------------------------------------;

 Format PE native at 10000h   ; Create a NT Kernel driver for windows with base address 10000h
 include 'Flat32\win32a.inc'  ; Use Win32 macros into Flat32 directory
 entry DriverEntry            ; Set the driver start procedure

 ;-----------------------------
 ; The interrupt i want create
 ;-----------------------------
 VECTOR = 88h      ; The vector number of new interrupt
 SELECTOR = 8h     ; The interrupt gate selector (8h = conforming kernel selector)
 PRESENT = TRUE    ; Interrupt active flag (TRUE or FALSE)
 RPL = 3           ; Requested Privilege Level (if conforming then accessible by lower or equal IOPL number)

 section '.code' code readable executable notpageable   ; Section containing the driver code

 proc DriverEntry DriverObject,RegistryPath                       ; The loading procedure (called by I/O Manager)
      stdcall CreateInterrupt,VECTOR,SELECTOR,Hooked,PRESENT,RPL  ; Create a requested new interrupt
      or eax,eax                                                  ; Check if function fails
      jz @F                                                       ; if yes don't displays result
      invoke DbgPrint,created,VECTOR,SELECTOR,Hooked,PRESENT,RPL  ; display results
      @@: mov ebx,[DriverObject]                                  ; Get the Driver Object structure
      mov dword [ebx+52],DriverUnload               ; Set the own routine for unloading
      xor eax,eax                                   ; Set the loading result (if different then I/O Manager can't run driver)
      ret                                           ; Terminate loading (return to I/O Manager)
 endp

 proc DriverUnload DriverObject          ; The procedure for discarding the driver from kernel pool
      invoke memcpy,[location],OldGate,8 ; Restore old IDT gate (else system will crash)
      invoke DbgPrint,unload,VECTOR      ; show unloading status
      xor eax,eax                        ; Kernel should be quite with me... ?
      ret                                ; exit (return to I/O Manager)
 endp

 ;------------------
 ; Create Interrupt
 ;------------------
 ; INPUT: PUSHD vector number (byte)
 ;        PUSHD gate selector (word)
 ;        PUSHD interrupt routine (offset)
 ;        PUSHD present flag (boolean)
 ;        PUSHD RPL (bits)
 ; OUTPUT: EAX = result (boolean)
 proc CreateInterrupt vector,selector,routine,present,RPL
      .selector: mov edx,[selector]                 ; Get selector parameter
                 mov word [Buffer+2],dx             ; put it in the right interrupt image location
      .routine: mov edx,[routine]                   ; get the routine offset parameter
                mov word [Buffer],dx                ; put the lower part in the right interrupt image location
                ror edx,16                          ; move the high part of edx to the lower one
                mov word [Buffer+6],dx              ; put the high part in the right interrupt image location
      .rpl: mov dx,0000111000000000b                ; set the interrupt gate informations
            mov eax,[RPL]                           ; get RPL parameter
            and eax,11b                             ; clear the other bits
            shl ax,13                               ; shift RPL bits to the right order
            or dx,ax                                ; store the RPL into the gate informations
      .present: mov eax,[present]                   ; get present flag parameter
                and eax,1b                          ; clear the other bits
                shl ax,15                           ; shift present bit to the right order
                or dx,ax                            ; store the present bit into the gate informations
                mov word [Buffer+4],dx              ; put the informations in the right interrupt image location
      .create: stdcall PointInterruptGate,[vector]  ; get the real interrupt gate offset
               cmp eax,-1                           ; check if function fails
               je .error                            ; if yes goto error
               mov [location],eax                   ; save the gate offset
               invoke memcpy,OldGate,eax,8          ; save the old IDT gate
               invoke memcpy,[location],Buffer,8    ; store the interrupt image into the real interrupt gate
               mov eax,TRUE                         ; set EAX true
               ret                                  ; successful exit
      .error: xor eax,eax                           ; set EAX false
              ret                                   ; exit
 endp

 ;----------------------
 ; Point interrupt gate
 ;----------------------
 ; INPUT: PUSHD vector number (byte)
 ; OUTPUT: EAX = interrupt gate (offset)
 ;         if EAX = -1 then error
 proc PointInterruptGate vector
      sidt [IDT_register]           ; Store IDT register values
      .calc: mov eax,[vector]       ; get the selected interrupt
             xor edx,edx            ; (safe for dword multiplications)
             mov bl,8               ; every interrupt gate is 8 bytes
             mul bl                 ; calcolate the interrupt distance from IDT start
      cmp ax,[IDT_register.limit]   ; check if the gate is out the IDT
      ja .error                     ; if above (out) then error
      add eax,[IDT_register.offset] ; calculate the gate start offset in RAM
      ret                           ; exit with EAX = gate offset
      .error: mov eax,-1            ; set error code
              ret                   ; exit
 endp

 Hooked: mov [_eip],Hooked ; save all registers
         mov [_eax],eax
         mov [_ebx],ebx
         mov [_ecx],ecx
         mov [_edx],edx
         mov [_esi],esi
         mov [_edi],edi
         mov [_ebp],ebp
         mov [_esp],esp
         pushfd           ; save eflags
         popd [_eflags]
         xor edx,edx      ; save all segments
         mov dx,cs
         mov [_cs],edx
         mov dx,ds
         mov [_ds],edx
         mov dx,es
         mov [_es],edx
         mov dx,fs
         mov [_fs],edx
         mov dx,gs
         mov [_gs],edx
         mov dx,ss
         mov [_ss],edx
         mov edx,[esp]
         mov [_stack1],edx  ; save stack trace
         mov edx,[esp+4]
         mov [_stack2],edx
         mov edx,[esp+8]
         mov [_stack3],edx
         mov edx,[esp+0ch]
         mov [_stack4],edx
         mov edx,[esp+10h]
         mov [_stack5],edx
         mov edx,[esp+14h]
         mov [_stack6],edx
         invoke DbgPrint,informations,[_eip],[_eflags],[_eax],[_ebx],[_ecx],[_edx],[_esi],[_edi],[_ebp],[_esp],[_cs],[_ds],[_es],[_fs],[_gs],[_ss],[_stack1],[_stack2],[_stack3],[_stack4],[_stack5],[_stack6]
         mov eax,[_eax]
         mov eax,[_ebx]
         mov ebx,[_ecx]
         mov ecx,[_edx]        ; restore registers
         mov esi,[_esi]
         mov edi,[_edi]
         mov ebp,[_ebp]
         mov esp,[_esp]
         pushd [_eflags]       ; restore flags
         popfd
         mov edx,[_stack1]
         mov [esp],edx
         mov edx,[_stack2]
         mov [esp+4],edx       ; restore stack image
         mov edx,[_stack3]
         mov [esp+8],edx
         mov edx,[_stack4]
         mov [esp+0ch],edx
         mov edx,[_stack5]
         mov [esp+10h],edx
         mov edx,[_stack6]
         mov [esp+14h],edx
         iretd                 ; return to caller

 section '.data' import readable writeable notpageable   ; Section containing driver imports and vars

 library ntkernel,'NtOsKrnl.exe'  ; Use the NT kernel as library

 import ntkernel,\           ; enumerate the imports from the library
        memcpy,'memcpy',\    ; import memory copy function
        DbgPrint,'DbgPrint'  ; import Debug print function

 created db '-------------------------------',13,10
         db 'Interrupt successfully created:',13,10
         db '-------------------------------',13,10
         db '   Vector: 0x%.2X ',13,10
         db '   Gate selector: 0x%.4X ',13,10
         db '   Interrupt routine: 0x%.8X ',13,10
         db '   Present Flag: 0x%.1X ',13,10
         db '   RPL: 0x%.1X ',13,10,0
 unload db '---------------------------------------',13,10
        db 'Restored original interrupt gate 0x%.2X ',13,10
        db '---------------------------------------',13,10,0
 informations db '----------------------',13,10
              db ' CURRENT INFORMATIONS',13,10
              db '----------------------',13,10
              db ' EIP: 0x%.8X ',13,10
              db ' EFLAGS: 0x%.8X ',13,10,10
              db ' EAX: 0x%.8X ',13,10
              db ' EBX: 0x%.8X ',13,10
              db ' ECX: 0x%.8X ',13,10
              db ' EDX: 0x%.8X ',13,10,10
              db ' ESI: 0x%.8X ',13,10
              db ' EDI: 0x%.8X ',13,10
              db ' EBP: 0x%.8X ',13,10
              db ' ESP: 0x%.8X ',13,10,10
              db ' CS: 0x%.4X ',13,10
              db ' DS: 0x%.4X ',13,10
              db ' ES: 0x%.4X ',13,10
              db ' FS: 0x%.4X ',13,10
              db ' GS: 0x%.4X ',13,10
              db ' SS: 0x%.4X ',13,10,10
              db ' CALLER EIP: 0x%.8X ',13,10
              db ' CALLER CS: 0x%.8X ',13,10
              db ' CALLER EFLAGS: 0x%.8X ',13,10
              db ' CALLER ESP: 0x%.8X ',13,10
              db ' CALLER SS: 0x%.8X ',13,10
              db ' BOUND ERROR: 0x%.8X ',13,10,0

 IDT_register:    ; The var where IDT register context will be stored (16+32=48 bits)
    .limit dw ?   ; The IDT limit (16 bits)
    .offset dd ?  ; The offset where is the IDT start (32 bit)

 Buffer rd 2   ; temporary location of new interrupt
 location rd 1 ; temporary var to save gate offset
 OldGate rd 2  ; the old gate context is tored here

 _eip rd 1
 _eax rd 1
 _ebx rd 1
 _ecx rd 1
 _edx rd 1
 _esi rd 1
 _edi rd 1
 _ebp rd 1
 _esp rd 1
 _eflags rd 1
 _cs rd 1
 _ds rd 1
 _es rd 1
 _fs rd 1
 _gs rd 1
 _ss rd 1
 _stack1 rd 1
 _stack2 rd 1
 _stack3 rd 1
 _stack4 rd 1
 _stack5 rd 1
 _stack6 rd 1

 section '.reloc' fixups notpageable   ; Section containing driver functions relocations

 section '.rsrc' resource discardable   ; Section containing PE resources, icons and informations

 directory RT_VERSION,versions     ; the version resources directory

 resource versions,\               ; Version resource
          1,LANG_ITALIAN,versione  ; pointing the driver version

 ; the driver version description
 versioninfo versione,VOS__WINDOWS32,VFT_APP,VFT2_UNKNOWN,LANG_ITALIAN+SUBLANG_ITALIAN,0,\
             'FileDescription','Interrupt Creator Driver',\
             'LegalCopyright','The Phoenix Projects ® 2009',\
             'FileVersion','4.5.13.21',\
             'ProductVersion','11th July 2009',\
             'OriginalFilename','ICD.sys',\
             'Author','Pirata Derek L.S.',\
             'Comments','Power is nothing without control...'    
Post 13 Jul 2009, 14:28
View user's profile Send private message Send e-mail Reply with quote
Pirata Derek



Joined: 31 Oct 2008
Posts: 259
Location: Italy
Pirata Derek 13 Jul 2009, 15:41
I'm going to publicate my project until the POSITIVE poll answers are more than the NEGATIVE poll answers (in full respect of peoples reasons).
Else if NEGATIVE poll answers are the most part i'll immediatly delete all download packages and stop publishing my project


Last edited by Pirata Derek on 13 Jul 2009, 18:06; edited 1 time in total
Post 13 Jul 2009, 15:41
View user's profile Send private message Send e-mail Reply with quote
r22



Joined: 27 Dec 2004
Posts: 805
r22 13 Jul 2009, 16:27
Great work! Hopefully you can figure out whats causing the crashes on other systems (possibly you need to use CLI and STI).

As an aside, for preserving registers and just overall more concise code, when multiplying small numbers by powers of two a simple shift left is enough.
MOV eax,[vector]
SHL eax,3
Your goal was clearly readability over optimization, so it's just a personal preference.
Post 13 Jul 2009, 16:27
View user's profile Send private message AIM Address Yahoo Messenger Reply with quote
Pirata Derek



Joined: 31 Oct 2008
Posts: 259
Location: Italy
Pirata Derek 13 Jul 2009, 16:56
I used CLI and STI when writing into IDT in other drivers.
they are usefull for preventing interruptions when writing the new interrupt.
For example, if you are writing a really used interrupt.
If the problem do not depends from interruptiung, but from paging....
... eh is different. Wink

I'm relasing also an INTERRUPT HOOKER (in protected mode)
What do you think about? (is a good idea?)
Post 13 Jul 2009, 16:56
View user's profile Send private message Send e-mail Reply with quote
Pirata Derek



Joined: 31 Oct 2008
Posts: 259
Location: Italy
Pirata Derek 13 Jul 2009, 18:02
This is another driver (derivant from I.C.D.) that return to caller program and relase IOPL = 0 to it.

No segments are affected.
After a system call the IOPL returns to 3 because NT kernel always sets it before return to user-mode program.

For any bugs, post me.


Description: Driver with its source
Download
Filename: Get Kernel-mode by interrupt.zip
Filesize: 270.96 KB
Downloaded: 499 Time(s)

Post 13 Jul 2009, 18:02
View user's profile Send private message Send e-mail Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20461
Location: In your JS exploiting you and your system
revolution 14 Jul 2009, 00:41
I can't see anything wrong with such drivers. A user without admin privileges can't do any harm. And a user with admin privileges can do harm in any way (s)he wishes and wouldn't need these drivers.

But just the same, if there is no clear benefit then there is little point in having such drivers. If there is a good reason for them to exist then please go ahead and post whatever you have done.
Post 14 Jul 2009, 00:41
View user's profile Send private message Visit poster's website Reply with quote
Pirata Derek



Joined: 31 Oct 2008
Posts: 259
Location: Italy
Pirata Derek 14 Jul 2009, 12:14
To hook an interrupt the most important thing is don't corrupt the stack image
(because it contains the values IRET instruction uses for return to caller)

Also we have to check if hooked interrupt support the ERROR CODE VALUE in stack, like GP and PF faults.


THERE ARE 3 WAYS TO HOOKING INTERRUPTS:

1) EXECUTING THE HOOK CODE ONLY BEFORE CALLING ORIGINAL INTERRUPT
In this case we should relase execution to original interrupt by a JUMP FAR
to it so we don't need the IRET instruction
Code:
call PRE_CHECK ; check interrupt parameters routine
nop ; some additional code
jmp far pword [OldRoutine] ; execute a far jump to original interrupt
; don't care for IRET.    

OldRoutine is a dword followed by the OldSelector dword (needed for far jump or call) automatically calculated and saved by hook driver...
Code:
OldRoutine rd 1 ; original interrupt routine offset
OldSelector rd 1 ; original interrupt gate selector    


2) EXECUTING THE HOOK CODE ONLY AFTER OR BEFORE AND AFTER (BOTH) CALLING ORIGINAL INTERRUPT
The difference from first case is to set additional stack image to let original interrupt return to hooked interrupt.
Code:
call PRE_CHECK  
nop                         
pushfd                    
call far pword [OldRoutine]
nop                  
call POST_CHECK ; ... let's modify return values
iretd    

If we don't need PRE execution...
Code:
pushfd    
call far pword [OldRoutine] 
nop
call POST_CHECK          
iretd    

If interrupt support ERROR CODE we have to pop it, insert the new stack image for return to hooked INT and after push the original error code.
Code:
 ; additional PRE_CHECK
popd [ErrorCode]
pushfd
pushd [OldSelector]
pushd [OldRoutine]
pushd [ErrorCode]
jmp far pword [OldRoutine]
nop
call POST_CHECK
iretd    

3) ROUTINE WITHOUT CALLING ORIGINAL INTERRUPT
The last case you should write your personal routine.
If the interrupt support the ERROR CODE you should pop it off the stack before executing the IRET
Code:
pop eax ; if not popped it will be the return eip
iret    

Instruction are also in source driver Cool


Description: Hook any interrupt driver with source.
EDIT YOUR HOOK ROUTINE FIRST (into source driver)!!!!

Download
Filename: Hook any interrupt.zip
Filesize: 269.84 KB
Downloaded: 466 Time(s)



Last edited by Pirata Derek on 23 Jul 2009, 13:46; edited 2 times in total
Post 14 Jul 2009, 12:14
View user's profile Send private message Send e-mail Reply with quote
r22



Joined: 27 Dec 2004
Posts: 805
r22 14 Jul 2009, 14:06
@Pirata Derek
You may want to consider using just *.zip for public attachments,
7zip is great but it's an annoyance if you don't have it installed.
Post 14 Jul 2009, 14:06
View user's profile Send private message AIM Address Yahoo Messenger Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  
Goto page Previous  1, 2, 3, 4  Next

< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.