flat assembler
Message board for the users of flat assembler.

OS Construction > Control registers analysis with C.R.A.D.

Pirata Derek
Joined: 31 Oct 2008
Posts: 259
Location: Italy
I made an NT kernel driver that analyzes all the control register features, like paging, page directory base, PAE and other flags...

It does that at driver load (the results are sent to the kernel debugger).
You should use a kernel debug messages reader to see them.

The driver is compatible with Windows Seven, but you have to use the right kernel debug messages reader (it is different from the Sysinternals XP one).

The following attachment contains the driver, its source and a screenshot to demonstrate its work.

Only the CR1 register can't be analyzed, damn...


Description: C.R.A.D. binary with source and screenshot
Filename: Analyze Controls.zip
Filesize: 372.54 KB

Post 09 Jan 2010, 10:11
Pirata Derek
Joined: 31 Oct 2008
Posts: 259
Location: Italy
Can someone suggest to me an idea to analyze the page directory table and all its associated structures?
Post 09 Jan 2010, 10:14
egos
Joined: 10 Feb 2009
Posts: 144
Usually in 32-bit Windows without PAE the whole 4 MB page table is placed at 0xC0000000 (for uniformity you can scan the page dir for the self link). This table contains user space PTEs (usually 0xC0000000-0xC01FFFFF), PTEs taken out by 4 MB pages (usually 0xC0200000-0xC027FFFF), kernel space PTEs (usually 0xC0280000-0xC02FFFFF), PDEs (usually 0xC0300000-0xC0300FFF), hyperspace PTEs (usually 0xC0301000-0xC0301FFF), kernel space PTEs (usually 0xC0302000-0xC03FFFFF). Invalid PTEs contain a protection mask and probably address info.
Post 09 Jan 2010, 12:53
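The self-link scan and the resulting addresses egos describes, as an added example in C that is not code from the thread or from C.R.A.D.; the page directory contents and the CR3 frame 0x00185000 are constructed, and index 0x300 is where the usual 0xC0000000 mapping puts the self-map:

```c
/* Added example (not code from the thread or from C.R.A.D.): find the
 * page-directory self-map in a 32-bit non-PAE page directory and derive the
 * virtual addresses egos lists.  Directory and CR3 value are constructed. */
#include <stdint.h>
#include <stdio.h>
#define PDE_COUNT  1024u
#define PG_PRESENT 0x001u
#define PG_PS      0x080u        /* PDE maps a 4 MB page, no page table */
#define FRAME_MASK 0xFFFFF000u

static uint32_t g_pd[PDE_COUNT];

/* Constructed page directory: the CR3 frame 0x00185000 is mapped by PDE 0x300. */
const uint32_t *sample_page_directory(void)
{
    for (unsigned i = 0; i < PDE_COUNT; i++) g_pd[i] = 0; /* not present */
    g_pd[0x000] = 0x00187067u;  /* user-space page table: P RW US A D      */
    g_pd[0x100] = 0x00185000u;  /* stale entry: CR3 frame but NOT present  */
    g_pd[0x200] = 0x00400083u;  /* 4 MB kernel page: P RW PS               */
    g_pd[0x300] = 0x00185063u;  /* self-map: frame == CR3 frame, P RW A D  */
    g_pd[0x301] = 0x00186063u;  /* hyperspace page table                   */
    return g_pd;
}

/* Scan for a present, non-4MB PDE whose frame equals CR3's frame.
 * Returns its index, or -1 if the directory does not map itself. */
int find_self_map(const uint32_t *pd, uint32_t cr3)
{
    for (unsigned i = 0; i < PDE_COUNT; i++)
        if ((pd[i] & PG_PRESENT) && !(pd[i] & PG_PS) &&
            (pd[i] & FRAME_MASK) == (cr3 & FRAME_MASK))
            return (int)i;
    return -1;
}

/* Self-map at index i: page tables appear at i << 22, the directory itself
 * at (i << 22) | (i << 12), and the PTE of a 4 KB page at base + (va >> 12) * 4. */
uint32_t pt_area_base(int i)               { return (uint32_t)i << 22; }
uint32_t pd_virt_addr(int i)               { return pt_area_base(i) | ((uint32_t)i << 12); }
uint32_t pte_virt_addr(int i, uint32_t va) { return pt_area_base(i) + (va >> 12) * 4u; }

int main(void)
{
    int i = find_self_map(sample_page_directory(), 0x00185000u);
    if (i < 0) { puts("no self-map found"); return 1; }
    printf("self-map PDE 0x%03x: tables at 0x%08x, directory at 0x%08x, "
           "PTE that maps the directory page at 0x%08x\n",
           i, pt_area_base(i), pd_virt_addr(i), pte_virt_addr(i, pd_virt_addr(i)));
    return 0;
}
```

With the self-map at 0x300 the directory lands at 0xC0300000-0xC0300FFF, matching the PDE range in the post, and the stale non-present entry at 0x100 shows why the scan must check the present and PS bits rather than the frame alone.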
Pirata Derek
Joined: 31 Oct 2008
Posts: 259
Location: Italy
Good.
I'm gonna insert those analysis functions into the new CRAD version.
Post 09 Jan 2010, 17:02
charme
Joined: 08 Jan 2010
Posts: 22
Good job, I just want to see more drivers developed under x64!!!
Post 10 Jan 2010, 08:23
Pirata Derek
Joined: 31 Oct 2008
Posts: 259
Location: Italy
I would make drivers in 64-bit; I can, but my processor is still 32-bit.

Until I change the processor, I can't test and see whether my drivers work in 64-bit mode....

My current project is a driver that HOOKS ALL THE INTERRUPT DESCRIPTOR TABLE!

Its name is "The MASTER _I_ DRIVER".

Now I'm at 75%.
Post 10 Jan 2010, 15:02
Alphonso
Joined: 16 Jan 2007
Posts: 294
Pirata Derek wrote:
The driver is compatible with Windows Seven, but you have to use the right kernel debug messages reader (it is different from the Sysinternals XP one).
Do you mean DebugView 4.76?

It's okay, but IIRC maybe you have to set the registry:

Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Debug Print Filter]
"DEFAULT"=dword:0000000f
Post 25 Feb 2010, 13:06
Pirata Derek
Joined: 31 Oct 2008
Posts: 259
Location: Italy
I said that to prevent someone from using the wrong kernel debug messages filter and then crashing their own system (W7).
Post 25 Feb 2010, 15:57
Feryno
Joined: 23 Mar 2005
Posts: 454
Location: Czech republic, Slovak republic
Pirata Derek wrote:
My current project is a driver that HOOKS ALL THE INTERRUPT DESCRIPTOR TABLE!

After hooking the IDT (no matter whether IDT_base or only 1 entry in the original IDT) under x64 versions of MS Windows (even XP64/Win2003 Server x64), you can expect reboots within a range of up to 5-10 minutes, caused by fuckguard:
http://www.uninformed.org/?v=8&a=5&t=sumry

Years ago I successfully detected that ugly kernel thing using a debug-register breakpoint and a debug-register access breakpoint and was able to halt it, but then the whole OS hung (there was no way to resume the OS from the point of intercepting fuckguard: erased stack, no way to find any address at which to resume execution...). I needed to hook interrupts to catch DebugCtl and the branching registers; I needed to do that for my fdbg project to support single stepping on branching instructions and recording the RIP of branching instructions. Later I solved that in a completely different way without any need for a driver or for modifying kernel structures; I did it comfortably and easily from ring3 using the DR7.GE, DR7.LE bits.

I suggest you use a hypervisor to manipulate interrupts transparently for the guest, so then the OS and even fuckguard know nothing about your activity.
Post 26 Feb 2010, 08:18
Pirata Derek
Joined: 31 Oct 2008
Posts: 259
Location: Italy
Thanks for the suggestion.

Kernel Patch Protection (KPP) never disturbed my work.
About 2 weeks ago I changed my old 32-bit uniprocessor computer to a 64-bit dual core. (Only x64 editions have it.)

Should we make the PKPP?

(Patching Kernel Patch Protection)
Post 27 Feb 2010, 18:46
Copyright © 1999-2020, Tomasz Grysztar.