flat assembler
Message board for the users of flat assembler.
OS Construction > iret ring 3 - (Finally there) SOLVED :-)
XanClic 26 Nov 2009, 18:46
This is all you need, even for ring 3. To use iret in ring 0, you just need:
Code:
    pushfd              ; EFLAGS image that iret will load
    push cs             ; CS to load (same ring, so the current code selector)
    push return_point   ; EIP to load
    iret                ; pops EIP, CS, EFLAGS and continues at return_point
return_point:
dosin 27 Nov 2009, 01:31
removed
Last edited by dosin on 07 Dec 2009, 09:02; edited 1 time in total
egos 27 Nov 2009, 12:01
dosin, you must push the usermode selectors (with RPL=3) and correct flags (IF=1, etc.)
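The frame egos is describing, written out as an added example (not code from the thread): a ring-0 routine that builds the five-dword iret frame needed for a privilege change and drops to ring 3. The GDT layout (user code at entry 3, user data at entry 4), the labels user_stack_top and user_entry, and the use of flat 32-bit segments are assumptions; adjust them to your own descriptor table.

```fasm
use32

; Assumed GDT layout: entry 3 = DPL=3 code, entry 4 = DPL=3 data.
; "or 3" forces RPL=3 on the selectors, which iret requires for the
; target CS and SS when the destination ring is 3.
USER_CODE_SEL = 18h or 3
USER_DATA_SEL = 20h or 3

; Switch from ring 0 to ring 3 at user_entry with the stack at user_stack_top.
; Does not return: execution continues in ring 3.
enter_ring3:
    ; Data segment registers are not part of the iret frame, so load the
    ; user selectors first. From ring 0 a DPL=3 selector loads fine, and in
    ; ring 3 the CPU will only accept DPL=3 segments anyway.
    mov ax, USER_DATA_SEL
    mov ds, ax
    mov es, ax
    mov fs, ax
    mov gs, ax

    ; Frame popped by iret when the target CPL differs from the current one
    ; (push order is the reverse of the pop order): SS, ESP, EFLAGS, CS, EIP.
    push USER_DATA_SEL          ; SS  for ring 3 (RPL=3)
    push user_stack_top         ; ESP for ring 3 (assumed label)
    pushfd
    pop eax
    or  eax, 200h               ; IF=1: interrupts stay enabled in user mode
    and eax, not 4000h          ; NT=0: iret must not attempt a task return
    push eax                    ; EFLAGS
    push USER_CODE_SEL          ; CS  for ring 3 (RPL=3)
    push user_entry             ; EIP (assumed label in a DPL=3 code segment)
    iret
```

If any selector in the frame has the wrong RPL or DPL, or ESP points into memory the user segment cannot reach, iret raises #GP or the first user instruction faults, so the fault handler set up before calling enter_ring3 is the place to look when the switch fails.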
edfed 27 Nov 2009, 14:50
esi for int40 seems to be relative addressing, a pointer, but relative to what?
eax for int41 seems to be just an immediate value, so it doesn't need a segment to be initialized. Maybe the problem is there...
dosin 27 Nov 2009, 19:28
post removed!
Last edited by dosin on 05 Dec 2009, 05:58; edited 1 time in total
dosin 05 Dec 2009, 05:46
removed
Last edited by dosin on 07 Dec 2009, 09:01; edited 1 time in total
edfed 05 Dec 2009, 07:11
Quote: sysenter executes a fast call to a level 0 system procedure; sysexit executes a fast return to level 3 user code.
Is that what you are trying to do?
XanClic 05 Dec 2009, 13:09
dosin wrote: When you iret to change to ring 3, how do you use the TSS struct so that all the data in the TSS struct is used with the iret / the app that uses it?
As far as I know you don't need a TSS to switch to ring 3. It's only required when switching to ring 0 from ring 3, because ESP and SS for ring 0 are stored there. But I think you don't need a TSS to go back to ring 3, and hence it's also not used by the CPU.
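The minimal TSS XanClic refers to, as an added example that is not from the thread: its only job is to hand the CPU a ring-0 stack (SS0:ESP0) when an interrupt or INT instruction arrives while the processor is in ring 3. The GDT slot reserved for the TSS descriptor, the ring-0 data selector and the labels gdt and kernel_stack_top are assumptions.

```fasm
use32

KERNEL_DATA_SEL = 10h   ; assumed ring-0 data selector
TSS_SEL         = 28h   ; assumed GDT slot for the TSS descriptor (byte offset)

; 32-bit TSS, 104 bytes. Only SS0/ESP0 matter for a ring switch; the CPU
; reads them on every ring 3 -> ring 0 transition through an interrupt gate.
tss:
    .link   dd 0
    .esp0   dd 0                 ; filled in by setup_tss
    .ss0    dd KERNEL_DATA_SEL
            rd 22                ; ESP1/SS1 .. GS, LDT: unused without task switching
    .trap   dw 0
    .iomap  dw tss_end - tss     ; bitmap base > limit: no I/O permission bitmap
tss_end:

; Build the TSS descriptor in the GDT and load the task register.
; Call once after lgdt, before the first switch to ring 3.
setup_tss:
    mov dword [tss.esp0], kernel_stack_top   ; assumed label: top of ring-0 stack

    mov eax, tss
    mov edi, gdt + TSS_SEL                   ; assumed label: start of the GDT
    mov word [edi], tss_end - tss - 1        ; limit 15:0 (103)
    mov word [edi+2], ax                     ; base 15:0
    shr eax, 16
    mov byte [edi+4], al                     ; base 23:16
    mov byte [edi+5], 10001001b              ; P=1 DPL=0 S=0 type=9: 32-bit TSS, available
    mov byte [edi+6], 0                      ; G=0, limit 19:16 = 0
    mov byte [edi+7], ah                     ; base 31:24

    mov ax, TSS_SEL
    ltr ax                                   ; marks the descriptor "busy"
    ret
```

Because every entry from ring 3 lands on SS0:ESP0, a kernel that schedules several user tasks rewrites tss.esp0 on each switch so that each task gets its own kernel stack; with a single ring-3 program the value set once here is enough.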
dosin 05 Dec 2009, 19:09
Everything is good now - I can access all the rings 0-3.
Pirata Derek 10 Jan 2010, 15:25
Some drivers I wrote have the routine to return from any ring.
See the NATIVE API INTERCEPTOR (incomplete) project, and check the ReturnFromDriver function (old version) or the ReturnFromKernelMode function, or the INTERRUPT HOOKER DRIVER (incomplete) project. Check there: http://board.flatassembler.net/topic.php?p=97618#97618
If you want some help making the IRET STACK for the VIRTUAL MODE, ask me... I'll complete these incomplete projects.
Pirata Derek 10 Jan 2010, 15:47
THIS IS THE COMPLETED (corrected) PROJECT
You can find the FASM DRIVER KIT in the ILLUSION DRIVER THREAD. I hope this will be useful for you to continue all your other projects.
Code:
; ***********************************************
; *                                             *
; *    INTERRUPT HOOKER Driver - version 3.2    *
; *                                             *
; ***********************************************
; By Pirata [PHOENIX] Derek L.S, Alias: Lord BIONS
; 30th December 2009 - Italy, unnamed city.
; For gentle concession to the Fasm Board Comunity
; Written in Flat Assembly language. Use FASM

format PE native 5.0 at 10000h

include 'flat32\win32a.inc'
include 'fasm driver kit\fasm ddk.inc'

entry driver_entry

section '.code' code readable executable notpageable

proc driver_entry driver_object,registry_path
        invoke DbgPrintEx,DPFLTR_IHVVIDEO_ID,DPFLTR_MASK+DPFLTR_INFO_LEVEL,loading_driver,driver_entry
  .point:
        ; locate the gate for INTERRUPT_VECTOR: IDT base + vector*8
        invoke KeRaiseIrql,DIRQL_LEVEL,original_irql
        cli
        sidt [idt_register]
        mov eax,INTERRUPT_VECTOR
        mov cl,8
        mul cl
        add eax,[idt_register.offset]
        mov [location],eax
        sti
        movzx edx,word [idt_register.limit]
        invoke DbgPrintEx,DPFLTR_IHVVIDEO_ID,DPFLTR_MASK+DPFLTR_INFO_LEVEL,pointed_idt_and_interrupt,[idt_register.offset],edx,INTERRUPT_VECTOR,eax
  .backup:
        ; keep a copy of the original 8-byte gate (old_gate) and a working copy (buffer)
        invoke KeRaiseIrql,HIGH_LEVEL,OldIrql
        invoke RtlMoveMemory,old_gate,[location],4*2
        invoke KeLowerIrql,[OldIrql]
        invoke DbgPrintEx,DPFLTR_IHVVIDEO_ID,DPFLTR_MASK+DPFLTR_INFO_LEVEL,backup_old_gate,old_gate
        invoke KeRaiseIrql,HIGH_LEVEL,OldIrql
        invoke RtlMoveMemory,buffer,[location],4*2
        invoke KeLowerIrql,[OldIrql]
        invoke DbgPrintEx,DPFLTR_IHVVIDEO_ID,DPFLTR_MASK+DPFLTR_INFO_LEVEL,hooking_vector,INTERRUPT_VECTOR
        ; gate layout: offset 15:0 at +0, selector at +2, attributes at +4, offset 31:16 at +6
        mov ax,word [old_gate+2]
        mov [old_selector],ax
        mov cx,word [old_gate+6]
        rol ecx,16
        mov cx,word [old_gate]
        mov [old_routine],ecx
        movzx ecx,[old_selector]
        invoke DbgPrintEx,DPFLTR_IHVVIDEO_ID,DPFLTR_MASK+DPFLTR_INFO_LEVEL,saved_original_selector_routine,ecx,old_selector,[old_routine],old_routine
  .update:
        ; build the replacement gate pointing at hooked_routine
        mov dx,cs
        mov word [buffer+2],dx
        mov word [buffer+4],1110111000000000b   ; P=1, DPL=3, 32-bit interrupt gate
        mov edx,hooked_routine
        mov word [buffer],dx
        ror edx,16
        mov word [buffer+6],dx
        invoke KeRaiseIrql,HIGH_LEVEL,OldIrql
        invoke RtlMoveMemory,[location],buffer,4*2
        invoke KeLowerIrql,[OldIrql]
        invoke KeLowerIrql,[original_irql]
        invoke DbgPrintEx,DPFLTR_IHVVIDEO_ID,DPFLTR_MASK+DPFLTR_INFO_LEVEL,hook_complete,hooked_routine
  .dispatch:
        mov eax,[driver_object]
        mov dword [eax+DRIVER_OBJECT.DriverUnload],driver_unload
        invoke DbgPrintEx,DPFLTR_IHVVIDEO_ID,DPFLTR_MASK+DPFLTR_INFO_LEVEL,new_interrput_ready
        mov eax,STATUS_SUCCESS
        ret
endp

proc driver_unload driver_object
        ; put the saved gate back before the driver image disappears
        invoke DbgPrintEx,DPFLTR_IHVVIDEO_ID,DPFLTR_MASK+DPFLTR_INFO_LEVEL,restore_interrupt
        invoke KeRaiseIrql,HIGH_LEVEL,OldIrql
        invoke RtlMoveMemory,[location],old_gate,4*2
        invoke KeLowerIrql,[OldIrql]
        invoke DbgPrintEx,DPFLTR_IHVVIDEO_ID,DPFLTR_MASK+DPFLTR_INFO_LEVEL,unload_complete
        ret
endp

hooked_routine:
        ; snapshot the register state and the top of the interrupt frame
        pushfd
        popd [_eflags]
        mov [_eip],hooked_routine
        mov [_ebp],ebp
        mov [_esp],esp
        mov [_eax],eax
        mov [_ebx],ebx
        mov [_ecx],ecx
        mov [_edx],edx
        mov [_esi],esi
        mov [_edi],edi
        xor edx,edx
        mov dx,cs
        mov [_cs],edx
        mov dx,ds
        mov [_ds],edx
        mov dx,es
        mov [_es],edx
        mov dx,fs
        mov [_fs],edx
        mov dx,gs
        mov [_gs],edx
        mov dx,ss
        mov [_ss],edx
        mov edx,[esp]
        mov [_stack1],edx
        mov edx,[esp+4]
        mov [_stack2],edx
        mov edx,[esp+8]
        mov [_stack3],edx
        mov edx,[esp+0ch]
        mov [_stack4],edx
        mov edx,[esp+10h]
        mov [_stack5],edx
        mov edx,[esp+14h]
        mov [_stack6],edx
        sti
        invoke DbgPrintEx,DPFLTR_IHVVIDEO_ID,DPFLTR_MASK+DPFLTR_INFO_LEVEL,informations,[_eip],[_eflags],[_eax],[_ebx],[_ecx],[_edx],[_esi],[_edi],[_ebp],[_esp],[_cs],[_ds],[_es],[_fs],[_gs],[_ss],[_stack1],[_stack2],[_stack3],[_stack4],[_stack5],[_stack6]
        cli
        ; restore everything and chain to the original ISR
        xor edx,edx
        mov edx,[_ds]
        mov ds,dx
        mov edx,[_es]
        mov es,dx
        mov edx,[_fs]
        mov fs,dx
        mov edx,[_gs]
        mov gs,dx
        mov edx,[_ss]
        mov ss,dx
        mov esp,[_esp]
        mov ebp,[_ebp]
        mov edx,[_stack1]
        mov [esp],edx
        mov edx,[_stack2]
        mov [esp+4],edx
        mov edx,[_stack3]
        mov [esp+8],edx
        mov edx,[_stack4]
        mov [esp+0ch],edx
        mov edx,[_stack5]
        mov [esp+10h],edx
        mov edx,[_stack6]
        mov [esp+14h],edx
        mov eax,[_eax]
        mov ebx,[_ebx]
        mov ecx,[_ecx]
        mov edx,[_edx]
        mov esi,[_esi]
        mov edi,[_edi]
        pushd [_eflags]
        popfd
        jmp far pword [old_routine]

section '.data' data readable writeable notpageable

loading_driver db "INTERRUPT HOOKER Driver - version 3.2",13,10,10
               db "By Pirata [PHOENIX] Derek L.S, Alias: Lord BIONS",13,10
               db "30th December 2009 - Italy, unnamed city.",13,10
               db "For gentle concession to the Fasm Board Comunity",13,10,10
               db "Loading the driver into non-paged RAM",13,10
               db "Driver Entry is at 0x%.8X linear address.",13,10,10,0

pointed_idt_and_interrupt db "Pointing the current IDT",13,10
                          db " IDT base offset: 0x%.8X",13,10
                          db " IDT size limit: 0x%.4X",13,10,10
                          db "Interrupt vector to hook: 0x%.2X",13,10
                          db " Catched at address: 0x%.8X",13,10,10,0

backup_old_gate db "Original Interrupt gate is now dumped",13,10
                db "into a temporary buffer at 0x%.8X",13,10,10,0

hooking_vector db "Editing the new (hooked) interrupt gate...",13,10,10
               db "Authorization from: NT KERNEL AUTHORITY",13,10
               db "Running at the MAXIMUM IRQL Possible to prevent",13,10
               db "all hardware and software interruptions...",13,10,10
               db "Hooked vector number is: 0x%.2X",13,10,10,0

saved_original_selector_routine db "New ISR linked with the old one!",13,10
                                db " the old gate selector was: 0x%.4X",13,10
                                db " this value stored at offset: 0x%.8X",13,10,10
                                db " the old ISR routine were at: 0x%.8X",13,10
                                db " its pointer is dumped at: 0x%.8X",13,10,10,0

hook_complete db "The new ISR is inserted into the current IDT.",13,10
              db "Its service routine, localized at 0x%.8X",13,10
              db "can be accessed in user-mode using the INT",13,10
              db "instruction evrerywhere.",13,10,10,0

new_interrput_ready db "Execution completed successfully!",13,10
                    db "Unload the driver to restore the old ISR",13,10,10,0

restore_interrupt db "Restoring the original interrupt gate",13,10
                  db "from the temporary buffer...",13,10,10,0

unload_complete db "Driver deactivated and completly unloaded",13,10
                db "from the kernel pool memory by the IO manager",13,10,10,0

informations db 13,10
             db 'CURRENT HOOK INFORMATIONS',13,10,10
             db 'EIP: 0x%.8X',13,10
             db 'EFLAGS: 0x%.8X',13,10,10
             db 'EAX: 0x%.8X',13,10
             db 'EBX: 0x%.8X',13,10
             db 'ECX: 0x%.8X',13,10
             db 'EDX: 0x%.8X',13,10
             db 'ESI: 0x%.8X',13,10
             db 'EDI: 0x%.8X',13,10
             db 'EBP: 0x%.8X',13,10
             db 'ESP: 0x%.8X',13,10,10
             db 'CS: 0x%.4X',13,10
             db 'DS: 0x%.4X',13,10
             db 'ES: 0x%.4X',13,10
             db 'FS: 0x%.4X',13,10
             db 'GS: 0x%.4X',13,10
             db 'SS: 0x%.4X',13,10,10
             db 'CALLER EIP: 0x%.8X',13,10
             db 'CALLER CS: 0x%.8X',13,10
             db 'CALLER EFLAGS: 0x%.8X',13,10
             db 'CALLER ESP: 0x%.8X',13,10
             db 'CALLER SS: 0x%.8X',13,10
             db 'BOUND ERROR: 0x%.8X',13,10,0

; register snapshot taken by hooked_routine (one global copy, so not reentrant)
_eip    rd 1
_eax    rd 1
_ebx    rd 1
_ecx    rd 1
_edx    rd 1
_esi    rd 1
_edi    rd 1
_ebp    rd 1
_esp    rd 1
_eflags rd 1
_cs     rd 1
_ds     rd 1
_es     rd 1
_fs     rd 1
_gs     rd 1
_ss     rd 1
_stack1 rd 1
_stack2 rd 1
_stack3 rd 1
_stack4 rd 1
_stack5 rd 1
_stack6 rd 1

INTERRUPT_VECTOR = 66h  ; <----------- ALL INTERRUPTS YOU WANT

idt_register:
  .limit  rw 1
  .offset rd 1
location      rd 1
buffer        rd 2
old_gate      rd 2
old_routine   rd 1      ; followed by old_selector: together the pword used by jmp far
old_selector  rw 1
original_irql rd 1
OldIrql       rd 1

section '.import' import readable writeable notpageable

library ntoskrnl,'ntoskrnl.exe',\
        hal,'hal.dll'

include 'fasm driver kit\api\ntoskrnl api.inc'
include 'fasm driver kit\api\hal api.inc'

section '.reloc' fixups readable notpageable

section '.rsrc' resource notpageable

directory RT_VERSION,versions

resource versions,1,LANG_NEUTRAL,version

versioninfo version,VOS__WINDOWS32,VFT_APP,VFT2_UNKNOWN,LANG_ITALIAN+SUBLANG_DEFAULT,0,\
            'FileDescription','Interrupt Hooker Driver',\
            'LegalCopyright','The NT KERNEL Team ® 2009',\
            'FileVersion','3.2.0.0',\
            'ProductVersion','30th December 2009',\
            'OriginalFilename','IH.sys',\
            'Autore','Pirata Derek L.S.'

Remember to give credit to my missing girlfriend because this driver is dedicated to her.
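The driver above rewrites one IDT gate and gives it DPL=3, which is exactly the kind of change an integrity check in a kernel should notice. As an added example (not code from the thread or from the driver), here is a 32-bit protected-mode routine for a hobby kernel that walks the IDT loaded on the current CPU and counts gates that either carry DPL=3 without being the kernel's intended syscall vector or whose handler address lies outside the kernel's own code range. SYSCALL_VECTOR and the labels kernel_code_start and kernel_code_end are assumptions.

```fasm
use32

SYSCALL_VECTOR = 80h    ; assumed: the one DPL=3 gate the kernel installs on purpose

idtr:
    .limit  dw 0
    .base   dd 0

; Audit the IDT. Returns eax = number of suspicious gates,
; ecx = vector number of the first suspicious gate, or -1 if none.
audit_idt:
    push ebx esi edi
    sidt [idtr]
    mov esi, [idtr.base]
    movzx ecx, [idtr.limit]
    inc ecx
    shr ecx, 3                      ; limit+1 bytes / 8 = number of gates
    xor edi, edi                    ; suspicious count
    mov ebx, -1                     ; first flagged vector
    xor edx, edx                    ; current vector number
.next:
    test byte [esi+5], 10000000b    ; P=0: empty slot, nothing to check
    jz .skip
    mov al, [esi+5]
    and al, 01100000b               ; isolate DPL
    cmp al, 01100000b               ; DPL=3: reachable with INT from ring 3
    jne .check_offset
    cmp edx, SYSCALL_VECTOR         ; only the syscall gate is allowed to be DPL=3
    jne .flag
.check_offset:
    ; reassemble the handler offset: bits 15:0 at +0, bits 31:16 at +6
    movzx eax, word [esi+6]
    shl eax, 16
    mov ax, [esi]
    cmp eax, kernel_code_start      ; assumed label: first byte of kernel code
    jb .flag
    cmp eax, kernel_code_end        ; assumed label: one past the last byte
    jb .skip                        ; inside the kernel image: fine
.flag:
    inc edi
    cmp ebx, -1
    jne .skip
    mov ebx, edx                    ; remember the first offender
.skip:
    add esi, 8
    inc edx
    loop .next
    mov eax, edi
    mov ecx, ebx
    pop edi esi ebx
    ret
```

Run from a timer tick or before handing control to a new user task, a non-zero eax is the signal that a gate was changed behind the kernel's back; comparing the reported vector's gate against a copy saved at boot tells you whether the selector, the attributes or the offset moved.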
dosin 10 Jan 2010, 21:15
Thanks for the post.. looks very interesting.. I will read it over!
I want to get the paging finished before continuing with the rest of it.. But I would be grateful for any help.. and would also give you credit for anything you would want to help with or offer... or if anyone else would like to help with paging or development for ring 3?
Copyright © 1999-2024, Tomasz Grysztar.