flat assembler
Message board for the users of flat assembler.

Index > OS Construction > iret ring 3 - ( Finally there ) SOLVED :-)

dosin
Joined: 24 Aug 2007
Posts: 337
Basically I am trying to use iret to switch from ring 0 to ring 3,

but first I want to get it working in ring 0.

So my question is: is there more that needs to be pushed on the stack before the iret?

example:
Code:
   push  SS 
   push  ESP 
   push  EFLAGS 
   push  CS 
   push  EIP 
   iret   
    


or is this all that's needed?


Thanks in advance...


Last edited by dosin on 07 Dec 2009, 09:00; edited 2 times in total
Post 26 Nov 2009, 18:26
XanClic
Joined: 06 Sep 2009
Posts: 16
Location: Germany
This is all you need, even for ring 3. To use iret in ring 0, you just need
Code:
push  EFLAGS
push  CS
push  EIP
iret    
Post 26 Nov 2009, 18:46
dosin
Joined: 24 Aug 2007
Posts: 337
removed


Last edited by dosin on 07 Dec 2009, 09:02; edited 1 time in total
Post 27 Nov 2009, 01:31
egos
Joined: 10 Feb 2009
Posts: 144
dosin, you must push the usermode selectors (with RPL=3) and correct flags (IF=1, etc.)
Post 27 Nov 2009, 12:01
edfed
Joined: 20 Feb 2006
Posts: 4240
Location: 2018
esi for int40 seems to be relative addressing, a pointer, but relative to what?

eax for int41 seems to be just an immediate value, so it doesn't need a segment to be initialized.

Maybe the problem is there...
Post 27 Nov 2009, 14:50
dosin
Joined: 24 Aug 2007
Posts: 337
post removed!


Last edited by dosin on 05 Dec 2009, 05:58; edited 1 time in total
Post 27 Nov 2009, 19:28
dosin
Joined: 24 Aug 2007
Posts: 337
removed


Last edited by dosin on 07 Dec 2009, 09:01; edited 1 time in total
Post 05 Dec 2009, 05:46
edfed
Joined: 20 Feb 2006
Posts: 4240
Location: 2018
Quote:
sysenter executes a fast call to a level 0 system procedure, sysexit execute a fast return to level 3 user code.


Is that what you are trying to do?
Post 05 Dec 2009, 07:11
XanClic
Joined: 06 Sep 2009
Posts: 16
Location: Germany
dosin wrote:
When you iret - to change to ring 3.. how use the tss struct so all the data in the tss struct is used with the iret/the app that uses it?


As far as I know you don't need a TSS to switch to ring 3. It's only required when switching to ring 0 from ring 3, because ESP and SS for ring 0 are stored there.
But I think you don't need a TSS to go back to ring 3 and hence it's also not used by the CPU.
Post 05 Dec 2009, 13:09
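Added example, not from the thread and not any poster's code: a small user-space C model of the two points made above, egos' (the selectors in the iret frame must carry RPL=3 and must match the DPL of the target descriptors, and the pushed EFLAGS decides whether interrupts are live in ring 3) and XanClic's (the TSS is only read for SS0:ESP0 when ring 3 traps back into ring 0, never by the iret that leaves ring 0). The GDT layout, selector values, addresses and the minimal TSS struct are assumptions made for this example; the real instruction also handles VM86, nested tasks, conforming code segments and IOPL-gated flag updates, which are left out here.

```c
/* Added example: model of the 32-bit IRET privilege checks and of the
 * TSS stack switch on the way back into ring 0. Not code from the thread. */
#include <stdint.h>
#include <stdbool.h>

#define SEL(index, rpl)  ((uint16_t)(((index) << 3) | ((rpl) & 3)))
#define SEL_RPL(sel)     ((sel) & 3)
#define SEL_INDEX(sel)   ((sel) >> 3)

#define EFLAGS_IF   (1u << 9)   /* interrupt enable */
#define EFLAGS_BIT1 (1u << 1)   /* reserved bit that is always 1 */

/* Assumed flat-model GDT (example layout, not from any poster):
 * 1 = ring-0 code, 2 = ring-0 data, 3 = ring-3 code, 4 = ring-3 data.
 * Only the descriptor fields the checks need are modelled. */
struct gdt_entry { bool present; unsigned dpl; bool is_code; };
static const struct gdt_entry gdt[] = {
    {false, 0, false}, {true, 0, true}, {true, 0, false},
    {true, 3, true},   {true, 3, false},
};
#define GDT_ENTRIES (sizeof gdt / sizeof gdt[0])

#define KCODE SEL(1, 0)
#define KDATA SEL(2, 0)
#define UCODE SEL(3, 3)
#define UDATA SEL(4, 3)

/* What IRET pops, lowest address first. ESP and SS are consumed only when
 * the return changes privilege (CS.RPL > CPL), which is why the three-dword
 * frame is enough for a ring-0 -> ring-0 iret. */
struct iret_frame { uint32_t eip, cs, eflags, esp, ss; };

struct cpu_state { uint32_t eip, esp, eflags; uint16_t cs, ss; unsigned cpl; };

enum iret_status { IRET_OK = 0, IRET_GP_CS, IRET_GP_SS };

static bool valid_sel(uint32_t sel, bool want_code, unsigned want_dpl)
{
    unsigned idx = SEL_INDEX(sel);
    if (idx == 0 || idx >= GDT_ENTRIES || !gdt[idx].present) return false;
    return gdt[idx].is_code == want_code && gdt[idx].dpl == want_dpl;
}

/* The frame a ring-0 kernel pushes before IRET to enter ring 3: user
 * selectors with RPL=3, and IF set so interrupts are live in user mode. */
struct iret_frame ring3_frame(uint32_t entry, uint32_t user_stack)
{
    struct iret_frame f = {
        .eip = entry, .cs = UCODE, .eflags = EFLAGS_IF | EFLAGS_BIT1,
        .esp = user_stack, .ss = UDATA,
    };
    return f;
}

/* Protection checks of IRET for non-conforming code segments. On a same-ring
 * return out->ss/out->esp are left untouched (the 12-byte pop is not modelled). */
enum iret_status simulate_iret(const struct iret_frame *f, unsigned cpl,
                               struct cpu_state *out)
{
    unsigned rpl = SEL_RPL(f->cs);
    if (rpl < cpl)                    return IRET_GP_CS;  /* iret never raises privilege */
    if (!valid_sel(f->cs, true, rpl)) return IRET_GP_CS;  /* CS DPL must equal CS RPL */
    if (rpl > cpl) {                                      /* privilege change: SS:ESP popped too */
        if (SEL_RPL(f->ss) != rpl || !valid_sel(f->ss, false, rpl))
            return IRET_GP_SS;                            /* SS RPL and DPL must equal CS RPL */
        out->ss = (uint16_t)f->ss;
        out->esp = f->esp;
    }
    out->eip = f->eip;
    out->cs = (uint16_t)f->cs;
    out->cpl = rpl;
    /* Executing at CPL 0, IRET loads the whole EFLAGS image, so the IF bit
     * in the frame is what decides whether ring 3 runs with interrupts on. */
    out->eflags = f->eflags;
    return IRET_OK;
}

/* Minimal 32-bit TSS (assumed layout): SS0:ESP0 is read by the CPU only on a
 * ring-3 -> ring-0 interrupt or exception, not by the IRET going the other way. */
struct tss32 { uint32_t esp0; uint16_t ss0; };

/* Entry through a 32-bit interrupt gate from state `cur` into ring 0. */
void simulate_interrupt_entry(const struct cpu_state *cur, const struct tss32 *tss,
                              struct cpu_state *out, struct iret_frame *pushed)
{
    *out = *cur;
    *pushed = (struct iret_frame){0};
    pushed->eip = cur->eip; pushed->cs = cur->cs; pushed->eflags = cur->eflags;
    if (cur->cpl != 0) {                       /* stack switch: new SS:ESP come from the TSS */
        pushed->esp = cur->esp; pushed->ss = cur->ss;
        out->ss = tss->ss0; out->esp = tss->esp0;
    }
    out->cpl = 0;
    out->cs = KCODE;
    out->eflags = cur->eflags & ~EFLAGS_IF;    /* an interrupt gate clears IF on entry */
}
```

The two failure cases worth trying against the model are the ones this thread turns on: a frame whose CS names the ring-3 code descriptor but carries RPL 0 faults at the CS check, and a frame that reuses the kernel data selector as SS for a ring-3 return faults at the SS check; both are #GP on real hardware, and neither is affected by whether a TSS exists.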
dosin
Joined: 24 Aug 2007
Posts: 337
Everything is good now - I can access all the rings 0 -3

Post 05 Dec 2009, 19:09
Pirata Derek
Joined: 31 Oct 2008
Posts: 259
Location: Italy
Some drivers I wrote have the routine to return from any ring.
See the NATIVE API INTERCEPTOR (incomplete) project, and check the

ReturnFromDriver function (old version) or
ReturnFromKernelMode function

Or the INTERRUPT HOOKER DRIVER (incomplete) project

Check there: http://board.flatassembler.net/topic.php?p=97618#97618

If you want some help making the IRET STACK for VIRTUAL MODE, ask me...


I'll complete these incomplete projects
Post 10 Jan 2010, 15:25
Pirata Derek
Joined: 31 Oct 2008
Posts: 259
Location: Italy
THIS IS THE COMPLETED (corrected) PROJECT
You can find the FASM DRIVER KIT in the ILLUSION DRIVER THREAD

I hope this will be useful for you to continue all your other projects.
Code:
 ; ***********************************************
 ; *                                             *
 ; *   INTERRUPT HOOKER Driver  -  version 3.2   *
 ; *                                             *
 ; ***********************************************

 ; By Pirata [PHOENIX] Derek L.S, Alias: Lord BIONS
 ; 30th December 2009 - Italy, unnamed city.

 ; For gentle concession to the Fasm Board Community

 ; Written in Flat Assembly language. Use FASM

 Format PE native 5.0 at 10000h
        include 'flat32\win32a.inc'
        include 'fasm driver kit\fasm ddk.inc'
        entry driver_entry

 section '.code' code readable executable notpageable

        proc driver_entry driver_object,registry_path
             invoke DbgPrintEx,DPFLTR_IHVVIDEO_ID,DPFLTR_MASK+DPFLTR_INFO_LEVEL,loading_driver,driver_entry
             .point: invoke KeRaiseIrql,DIRQL_LEVEL,original_irql
                     cli
                     sidt [idt_register]
                     mov eax,INTERRUPT_VECTOR
                     mov cl,8
                     mul cl
                     add eax,[idt_register.offset]
                     mov [location],eax
                     sti
                     movzx edx,word [idt_register.limit]
                     invoke DbgPrintEx,DPFLTR_IHVVIDEO_ID,DPFLTR_MASK+DPFLTR_INFO_LEVEL,pointed_idt_and_interrupt,[idt_register.offset],edx,INTERRUPT_VECTOR,eax
             .backup: invoke KeRaiseIrql,HIGH_LEVEL,OldIrql
                      invoke RtlMoveMemory,old_gate,[location],4*2
                      invoke KeLowerIrql,[OldIrql]
                      invoke DbgPrintEx,DPFLTR_IHVVIDEO_ID,DPFLTR_MASK+DPFLTR_INFO_LEVEL,backup_old_gate,old_gate
                      invoke KeRaiseIrql,HIGH_LEVEL,OldIrql
                      invoke RtlMoveMemory,buffer,[location],4*2
                      invoke KeLowerIrql,[OldIrql]
                      invoke DbgPrintEx,DPFLTR_IHVVIDEO_ID,DPFLTR_MASK+DPFLTR_INFO_LEVEL,hooking_vector,INTERRUPT_VECTOR
                      mov ax,word [old_gate+2]
                      mov [old_selector],ax
                      mov cx,word [old_gate+6]
                      rol ecx,16
                      mov cx,word [old_gate]
                      mov [old_routine],ecx
                      movzx ecx,[old_selector]
                      invoke DbgPrintEx,DPFLTR_IHVVIDEO_ID,DPFLTR_MASK+DPFLTR_INFO_LEVEL,saved_original_selector_routine,ecx,old_selector,[old_routine],old_routine
             .update: mov dx,cs
                      mov word [buffer+2],dx
                      mov word [buffer+4],1110111000000000b   ; 0EE00h: present, DPL=3 (reachable from ring 3 via INT), 32-bit interrupt gate
                      mov edx,hooked_routine
                      mov word [buffer],dx
                      ror edx,16
                      mov word [buffer+6],dx
                      invoke KeRaiseIrql,HIGH_LEVEL,OldIrql
                      invoke RtlMoveMemory,[location],buffer,4*2
                      invoke KeLowerIrql,[OldIrql]
                      invoke KeLowerIrql,[original_irql]
                      invoke DbgPrintEx,DPFLTR_IHVVIDEO_ID,DPFLTR_MASK+DPFLTR_INFO_LEVEL,hook_complete,hooked_routine
             .dispatch: mov eax,[driver_object]
                        mov dword [eax+DRIVER_OBJECT.DriverUnload],driver_unload
                        invoke DbgPrintEx,DPFLTR_IHVVIDEO_ID,DPFLTR_MASK+DPFLTR_INFO_LEVEL,new_interrput_ready
                        mov eax,STATUS_SUCCESS
                        ret
        endp

        proc driver_unload driver_object
             invoke DbgPrintEx,DPFLTR_IHVVIDEO_ID,DPFLTR_MASK+DPFLTR_INFO_LEVEL,restore_interrupt
             invoke KeRaiseIrql,HIGH_LEVEL,OldIrql
             invoke RtlMoveMemory,[location],old_gate,4*2
             invoke KeLowerIrql,[OldIrql]
             invoke DbgPrintEx,DPFLTR_IHVVIDEO_ID,DPFLTR_MASK+DPFLTR_INFO_LEVEL,unload_complete
             ret
        endp

        ; NOTE: register state is parked in global variables and IF is re-enabled (sti)
        ; while they are in use, so this handler is not reentrant and not SMP-safe.
        hooked_routine:  pushfd
                         popd [_eflags]
                         mov [_eip],hooked_routine   ; stores the hook's own address; the interrupted EIP is at [esp] (_stack1)
                         mov [_ebp],ebp
                         mov [_esp],esp
                         mov [_eax],eax
                         mov [_ebx],ebx
                         mov [_ecx],ecx
                         mov [_edx],edx
                         mov [_esi],esi
                         mov [_edi],edi
                         xor edx,edx
                         mov dx,cs
                         mov [_cs],edx
                         mov dx,ds
                         mov [_ds],edx
                         mov dx,es
                         mov [_es],edx
                         mov dx,fs
                         mov [_fs],edx
                         mov dx,gs
                         mov [_gs],edx
                         mov dx,ss
                         mov [_ss],edx
                         mov edx,[esp]
                         mov [_stack1],edx
                         mov edx,[esp+4]
                         mov [_stack2],edx
                         mov edx,[esp+8]
                         mov [_stack3],edx
                         mov edx,[esp+0ch]
                         mov [_stack4],edx
                         mov edx,[esp+10h]
                         mov [_stack5],edx
                         mov edx,[esp+14h]
                         mov [_stack6],edx
                         sti
                         invoke DbgPrintEx,DPFLTR_IHVVIDEO_ID,DPFLTR_MASK+DPFLTR_INFO_LEVEL,informations,[_eip],[_eflags],[_eax],[_ebx],[_ecx],[_edx],[_esi],[_edi],[_ebp],[_esp],[_cs],[_ds],[_es],[_fs],[_gs],[_ss],[_stack1],[_stack2],[_stack3],[_stack4],[_stack5],[_stack6]
                         cli
                         xor edx,edx
                         mov edx,[_ds]
                         mov ds,dx
                         mov edx,[_es]
                         mov es,dx
                         mov edx,[_fs]
                         mov fs,dx
                         mov edx,[_gs]
                         mov gs,dx
                         mov edx,[_ss]
                         mov ss,dx
                         mov esp,[_esp]
                         mov ebp,[_ebp]
                         mov edx,[_stack1]
                         mov [esp],edx
                         mov edx,[_stack2]
                         mov [esp+4],edx
                         mov edx,[_stack3]
                         mov [esp+8],edx
                         mov edx,[_stack4]
                         mov [esp+0ch],edx
                         mov edx,[_stack5]
                         mov [esp+10h],edx
                         mov edx,[_stack6]
                         mov [esp+14h],edx
                         mov eax,[_eax]
                         mov ebx,[_ebx]
                         mov ecx,[_ecx]
                         mov edx,[_edx]
                         mov esi,[_esi]
                         mov edi,[_edi]
                         pushd [_eflags]
                         popfd
                         jmp far pword [old_routine]

 section '.data' data readable writeable notpageable

 loading_driver db "INTERRUPT HOOKER Driver  -  version 3.2",13,10,10

                db "By Pirata [PHOENIX] Derek L.S, Alias: Lord BIONS",13,10
                db "30th December 2009 - Italy, unnamed city.",13,10
                db "For gentle concession to the Fasm Board Community",13,10,10

                db "Loading the driver into non-paged RAM",13,10
                db "Driver Entry is at 0x%.8X linear address.",13,10,10,0

 pointed_idt_and_interrupt db "Pointing the current IDT",13,10
                           db "         IDT base offset:   0x%.8X",13,10
                           db "         IDT size limit:    0x%.4X",13,10,10

                           db "Interrupt vector to hook:   0x%.2X",13,10
                           db "        Caught at address:   0x%.8X",13,10,10,0

 backup_old_gate db "Original Interrupt gate is now dumped",13,10
                 db "into a temporary buffer at 0x%.8X",13,10,10,0

 hooking_vector db "Editing the new (hooked) interrupt gate...",13,10,10

                db "Authorization from:   NT KERNEL AUTHORITY",13,10
                db "Running at the MAXIMUM IRQL Possible to prevent",13,10
                db "all hardware and software interruptions...",13,10,10

                db "Hooked vector number is:  0x%.2X",13,10,10,0

 saved_original_selector_routine db "New ISR linked with the old one!",13,10
                                 db "         the old gate selector was:    0x%.4X",13,10
                                 db "         this value stored at offset:  0x%.8X",13,10,10

                                 db "         the old ISR routine were at:  0x%.8X",13,10
                                 db "         its pointer is dumped at:     0x%.8X",13,10,10,0

 hook_complete db "The new ISR is inserted into the current IDT.",13,10
               db "Its service routine, localized at 0x%.8X",13,10
               db "can be accessed in user-mode using the INT",13,10
               db "instruction everywhere.",13,10,10,0

 new_interrput_ready db "Execution completed successfully!",13,10
                     db "Unload the driver to restore the old ISR",13,10,10,0

 restore_interrupt db "Restoring the original interrupt gate",13,10
                   db "from the temporary buffer...",13,10,10,0

 unload_complete db "Driver deactivated and completely unloaded",13,10
                 db "from the kernel pool memory by the IO manager",13,10,10,0

 informations db 13,10
              db 'CURRENT HOOK INFORMATION',13,10,10

              db 'EIP:     0x%.8X',13,10
              db 'EFLAGS:  0x%.8X',13,10,10

              db 'EAX:     0x%.8X',13,10
              db 'EBX:     0x%.8X',13,10
              db 'ECX:     0x%.8X',13,10
              db 'EDX:     0x%.8X',13,10
              db 'ESI:     0x%.8X',13,10
              db 'EDI:     0x%.8X',13,10
              db 'EBP:     0x%.8X',13,10
              db 'ESP:     0x%.8X',13,10,10

              db 'CS:      0x%.4X',13,10
              db 'DS:      0x%.4X',13,10
              db 'ES:      0x%.4X',13,10
              db 'FS:      0x%.4X',13,10
              db 'GS:      0x%.4X',13,10
              db 'SS:      0x%.4X',13,10,10

              db 'CALLER EIP:    0x%.8X',13,10
              db 'CALLER CS:     0x%.8X',13,10
              db 'CALLER EFLAGS: 0x%.8X',13,10
              db 'CALLER ESP:    0x%.8X',13,10
              db 'CALLER SS:     0x%.8X',13,10
              db 'BOUND ERROR:   0x%.8X',13,10,0

        _eip rd 1
        _eax rd 1
        _ebx rd 1
        _ecx rd 1
        _edx rd 1
        _esi rd 1
        _edi rd 1
        _ebp rd 1
        _esp rd 1
        _eflags rd 1
        _cs rd 1
        _ds rd 1
        _es rd 1
        _fs rd 1
        _gs rd 1
        _ss rd 1
        _stack1 rd 1
        _stack2 rd 1
        _stack3 rd 1
        _stack4 rd 1
        _stack5 rd 1
        _stack6 rd 1

        INTERRUPT_VECTOR = 66h   ;           <----------- ALL INTERRUPTS YOU WANT

        idt_register: .limit rw 1
                      .offset rd 1

        location rd 1
        buffer rd 2
        old_gate rd 2

        old_routine rd 1
        old_selector rw 1

        original_irql rd 1
        OldIrql rd 1

 section '.import' import readable writeable notpageable

        library ntoskrnl,'ntoskrnl.exe',\
                hal,'hal.dll'
        include 'fasm driver kit\api\ntoskrnl api.inc'
        include 'fasm driver kit\api\hal api.inc'

 section '.reloc' fixups readable notpageable

 section '.rsrc' resource notpageable

        directory RT_VERSION,versions
        resource versions,1,LANG_NEUTRAL,version
        versioninfo version,VOS__WINDOWS32,VFT_APP,VFT2_UNKNOWN,LANG_ITALIAN+SUBLANG_DEFAULT,0,\
                    'FileDescription','Interrupt Hooker Driver',\
                    'LegalCopyright','The NT KERNEL Team ® 2009',\
                    'FileVersion','3.2.0.0',\
                    'ProductVersion','30th December 2009',\
                    'OriginalFilename','IH.sys',\
                    'Autore','Pirata Derek L.S.'
    

Remember to give credit to my missing girlfriend because this driver is dedicated to her.
Post 10 Jan 2010, 15:47
dosin
Joined: 24 Aug 2007
Posts: 337
Thanks for the post.. looks very interesting.. I will read it over!

I want to get the paging finished before continuing with the rest of it..

But I would be grateful for any help.. and would also give you credit for anything you would want to help with or offer...

Or if anyone else would like to help with paging or development for ring 3?
Post 10 Jan 2010, 21:15
Copyright © 1999-2020, Tomasz Grysztar.