flat assembler
Message board for the users of flat assembler.

Index > Windows > common bug?

asmmsa
I've found that stdcall functions returning from the kernel leave registers modified.

Is that ok? In normal cpl3 <> cpl3 it makes no difference because both sides have full access to the entire space, but cpl3 <> cpl0?

When returning from cpl0 registers should be cleared, or better, restored.
It can be used to obtain some info about the kernel, maybe even read an arbitrary value.
Post 13 Feb 2010, 14:24
edfed
Yep, some stdcall functions return values in registers, so there is not always a need to save them.

And it is not CPL specific.
Post 13 Feb 2010, 14:31
revolution
Registers are only modified if your kernel allows that. You can also make your kernel preserve all registers (and flags). It just depends upon your needs.
Post 13 Feb 2010, 14:45
asmmsa
I know the CPU doesn't touch GPRs, but for example Windows returns data in those registers, and not only eax; eax has the return value.

ecx/edx and flags sometimes have interesting values that disclose parts of the kernel which they shouldn't.
Post 13 Feb 2010, 16:32
revolution
Are you talking about the API or the kernel? I don't think the kernel leaves just any data in the app registers.

Can you give an example of a kernel function that has "interesting values that disclose parts of kernel"?
Post 13 Feb 2010, 16:47
chaoscode
The stdcall calling convention has some registers which are preserved.
That means that these registers must be the same on function return.
The function is allowed to change the registers, but before that the function has to save them
and restore them on function exit.
Preserved registers in 32-bit mode are
EBX, ESI, EDI, EBP, ESP
They should never change on a stdcall.

And some are not preserved.
They can be changed after a function call.
The calling procedure has to save them (or not, if they're not important):
EAX, ECX, EDX

I've found it at
http://code.google.com/p/asmjit/wiki/Calling_Conventions
Post 16 Feb 2010, 01:46
revolution
Passing control in/out of the kernel uses an entirely different mechanism from the stdcall convention of 'call'.

asmmsa: Are you sure you mean the kernel? Perhaps you are just talking about the API functions?
Post 16 Feb 2010, 02:51
asmmsa
Windows kernel, 100% sure.

ecx/edx are from the kernel, containing kernel-loaded data.
eax is ofc the return value.
Post 16 Feb 2010, 10:17
revolution
asmmsa: Don't confuse the API with the kernel. The API won't care about ecx/edx. It is not a security hole since the API runs in your app memory space.

However if you know of a kernel call that leaks information into ecx/edx then that is a different matter. Do you know of such a call?
Post 16 Feb 2010, 10:25
asmmsa
yyy... every call?
Just run any app under a debugger and trap sysenter/syscall/intXX.

And I'm not sure, but I guess exceptions also fall under this condition.

ecx/edx/flags are changed, but since flags are saved on the stack it's transparent to userland.
Post 16 Feb 2010, 10:38
revolution
The Intel docs say:
Quote:
Prior to executing SYSEXIT, software must specify the privilege level 3 code segment and code entry point, and the privilege level 3 stack segment and stack pointer by writing values into the following MSR and general-purpose registers:
• IA32_SYSENTER_CS — Contains a 32-bit value, of which the lower 16 bits are the segment selector for the privilege level 0 code segment in which the processor is currently executing. This value is used to compute the segment selectors for the privilege level 3 code and stack segments.
• EDX — Contains the 32-bit offset into the privilege level 3 code segment to the first instruction to be executed in the user code.
• ECX — Contains the 32-bit stack pointer for the privilege level 3 stack.

Is that the ecx/edx you are talking about?
Post 16 Feb 2010, 11:19
asmmsa
And what about intXX?
It works just like call, so calling the kernel API via int you can get some info in ecx and edx.
Post 16 Feb 2010, 11:51
revolution
Do you have an example please?
Post 16 Feb 2010, 12:18
asmmsa
Code:
format PE console
include 'win32a.inc'   ;PE wrapper and import block added so the snippet assembles on its own

;printf format: one line per register, in the order pushad leaves them on the stack
f db 'EDI: %.8X',13,10,'ESI: %.8X',13,10,'EBP: %.8X',13,10,'ESP: %.8X',13,10,'EBX: %.8X',13,10,'EDX: %.8X  (changed?)',13,10,'ECX: %.8X  (changed?)',13,10,'EAX: %.8X',13,10,0

entry $
;set registers to a sentinel so any change across the kernel transition is visible
mov eax,0x0BADC0DE
mov ecx,0x0BADC0DE
mov edx,0x0BADC0DE
mov ebx,0x0BADC0DE
mov esp,esp    ;esp must stay valid, so it is left alone
mov ebp,0x0BADC0DE
mov esi,0x0BADC0DE
mov edi,0x0BADC0DE
int 0x2E ;try all gates with DPL = 3
pushad ;push registers (EDI ends up on top, matching the format string)
push f
call [printf]
add esp,36 ;8 dwords from pushad + the format string pointer
ret

data import
  library msvcrt,'msvcrt.dll'
  import msvcrt, printf,'printf'
end data
Put this inside MZ/PE format.
Post 16 Feb 2010, 13:33
revolution
So what is the output you get?
Post 16 Feb 2010, 13:37
asmmsa
If you disassemble the ISR handler, you will see that somewhere in line 25 you have an ecx overwrite without saving it.

Code:
EDI: 0BADC0DE
ESI: 0BADC0DE
EBP: 0BADC0DE
ESP: 0006FFC4
EBX: 0BADC0DE
EDX: 00401190  (changed?)
ECX: 0006FFC4  (changed?)
EAX: C0000005
Post 16 Feb 2010, 13:43
revolution
Have you looked at the values of ecx/edx? Do you find that they are simply your EIP and ESP values before the int 0x2e? Just like was explained above with the sysexit. There is no leak that I can see.
Post 16 Feb 2010, 13:45
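To make the check in the post above mechanical, here is an added Python script (not from the thread) that parses the register dump printed by asmmsa's test program and classifies each register: unchanged sentinel, ECX equal to the post-call user ESP or EDX inside the program image (both just the sysexit/iret bookkeeping revolution describes), or a value in the kernel half of the address space that deserves a look. The image code range and the 2 GB user/kernel split are assumptions; the second dump is constructed to show the "investigate" branch.

```python
import re

# Constructed sample: the dump posted in this thread (pushad order), plus a
# made-up variant with a kernel-range value in EDX to exercise the other branch.
DUMP_OK = """EDI: 0BADC0DE
ESI: 0BADC0DE
EBP: 0BADC0DE
ESP: 0006FFC4
EBX: 0BADC0DE
EDX: 00401190  (changed?)
ECX: 0006FFC4  (changed?)
EAX: C0000005"""
DUMP_SUSPECT = DUMP_OK.replace("EDX: 00401190", "EDX: 8054A2C0")

SENTINEL = 0x0BADC0DE                   # value loaded into every GPR before int 0x2E
IMAGE_CODE = (0x00401000, 0x00402000)   # assumed code range of the tiny test PE
KERNEL_BASE = 0x80000000                # assumed 2 GB user/kernel split (no /3GB)

LINE = re.compile(r"^(E[A-Z]{2}):\s*([0-9A-Fa-f]{8})")


def parse_dump(text):
    """Return {register: int} from the printf output; trailing notes are ignored."""
    regs = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            regs[m.group(1)] = int(m.group(2), 16)
    return regs


def classify(regs):
    """Apply the thread's test: is a changed register just the return-to-user
    bookkeeping (ECX = user ESP, EDX = user EIP) or something unexplained?"""
    verdict = {}
    for reg, val in regs.items():
        if reg == "ESP":
            verdict[reg] = "stack pointer (never set to sentinel)"
        elif reg == "EAX":
            verdict[reg] = "return status"
        elif val == SENTINEL:
            verdict[reg] = "preserved"
        elif reg == "ECX" and val == regs.get("ESP"):
            verdict[reg] = "user ESP echo (sysexit residue)"
        elif reg == "EDX" and IMAGE_CODE[0] <= val < IMAGE_CODE[1]:
            verdict[reg] = "user EIP echo (sysexit residue)"
        elif val >= KERNEL_BASE:
            verdict[reg] = "kernel-space value: investigate"
        else:
            verdict[reg] = "changed to unexplained value: investigate"
    return verdict
```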
revolution
Moving this to Windows section since it is related to Windows only.
Post 16 Feb 2010, 13:52
asmmsa
Maybe Windows takes care of that.
Maybe not. Hardware doesn't provide security in this case.

So it is possible that the kernel could leak something. Maybe Microsoft takes care of that, but 3rd party software is a good place to check.

Quote:
Just like was explained above with the sysexit.

Sorry, I didn't read the manual about sysenter yet, but I have about the IDT.

edx and ecx are NOT used unless you call a task gate; then they are swapped with TSS values. iret doesn't require anything, just the return address, selector, flags and ss:esp if cpl != dpl of the new cs.
Also ss.rpl must be = cs.rpl, don't know why, or iret will cause a GPF.
Post 16 Feb 2010, 15:03
Copyright © 1999-2020, Tomasz Grysztar. Also on GitHub, YouTube, Twitter.