Index
> Windows > common bug? |
| Author |
|
|
edfed 13 Feb 2010, 14:31
yep, some stdcall functions return values in registers. then, there is not always the need to save them.
and it is not CPL specific. |
|||
13 Feb 2010, 14:31 |
|
|
revolution 13 Feb 2010, 14:45
Registers are only modified if your kernel allows that. You can also make your kernel preserve all registers (and flags). It just depends upon your needs.
|
|||
|
13 Feb 2010, 14:45 |
|
|
asmmsa 13 Feb 2010, 16:32
i know cpu doesnt touch gpr's, but for exmample windows return data in those registers. and not only eax, eax has return value.
ecx/edx, flags have sometimes interesting values that disclouse parts of kernel wich they shouldnt. |
|||
|
13 Feb 2010, 16:32 |
|
|
revolution 13 Feb 2010, 16:47
Are you talking about the API or the kernel? I don't think the kernel leaves just any data in the app registers.
Can you give an example of a kernel function that has "interesting values that disclose parts of kernel"? |
|||
|
13 Feb 2010, 16:47 |
|
|
chaoscode 16 Feb 2010, 01:46
the stdcalling convention has some registers which are preserved.
that means, that these registers must be the same on function return. the function is allowed to change the registers, but before that the function hast to save them and restore them on function exit. preserved registers are in 32 bit mode EBX, ESI, EDI, EBP, ESP they should never change on a stdcall and some are not preserved. the can be changed after a functioncall. the calling procedure has to save them. (or not if thei're not important) EAX, ECX, EDX i've found at http://code.google.com/p/asmjit/wiki/Calling_Conventions |
|||
|
16 Feb 2010, 01:46 |
|
|
revolution 16 Feb 2010, 02:51
Passing control in/out of the kernel uses an entirely different mechanism from the stdcall convention of 'call'.
asmmsa: Are you sure you mean the kernel? Perhaps you are just talking about the API functions? |
|||
|
16 Feb 2010, 02:51 |
|
|
asmmsa 16 Feb 2010, 10:17
windows kernel, 100% sure.
ecx/edx are from kernel, containing kernel loaded data. eax is ofc return value. |
|||
|
16 Feb 2010, 10:17 |
|
|
revolution 16 Feb 2010, 10:25
asmmsa: Don't confuse the API with the kernel. The API won't care about ecx/edx. It is not a security hole since the API runs in your app memory space.
However if you know of a kernel call that leaks information into ecx/edx then that is a different matter. Do you know of such a call? |
|||
|
16 Feb 2010, 10:25 |
|
|
asmmsa 16 Feb 2010, 10:38
yyy... every call?
just run any app under debugger, and trap sysenter/syscall/intXX and im not sure, but i guess exceptions also fall under this condition. ecx/edx/flags are changed, but since flags are saved on stack its transparent to userland. |
|||
|
16 Feb 2010, 10:38 |
|
|
revolution 16 Feb 2010, 11:19
The Intel docs say: wrote: Prior to executing SYSEXIT, software must specify the privilege level 3 code segment and code entry point, and the privilege level 3 stack segment and stack pointer by writing values into the following MSR and general-purpose registers: |
|||
|
16 Feb 2010, 11:19 |
|
|
asmmsa 16 Feb 2010, 11:51
and what about intXX?
it works just like call, so calling kernel api via int you can get some info in ecx and edx. |
|||
|
16 Feb 2010, 11:51 |
|
|
revolution 16 Feb 2010, 12:18
Do you have an example please?
|
|||
|
16 Feb 2010, 12:18 |
|
|
asmmsa 16 Feb 2010, 13:33
Code: f db 'EDI: %.8X',13,10,'ESI: %.8X',13,10,'EBP: %.8X',13,10,'ESP: %.8X',13,10,'EBX: %.8X',13,10,'EDX: %.8X (changed?)',13,10,'ECX: %.8X (changed?)',13,10,'EAX: %.8X',13,10,0 entry $ ;set registers mov eax,0x0BADC0DE mov ecx,0x0BADC0DE mov edx,0x0BADC0DE mov ebx,0x0BADC0DE mov esp,esp mov ebp,0x0BADC0DE mov esi,0x0BADC0DE mov edi,0x0BADC0DE int 0x2E ;try all gates with DPL = 3 pushad ;push registers push f call [printf] add esp,36 ret put this inside MZ/PE format |
|||
|
16 Feb 2010, 13:33 |
|
|
revolution 16 Feb 2010, 13:37
So what is the output you get?
|
|||
|
16 Feb 2010, 13:37 |
|
|
asmmsa 16 Feb 2010, 13:43
if you disassemble isr handler, you will see that somewere in line 25 you have ecx overwrite without saving it.
Code: EDI: 0BADC0DE ESI: 0BADC0DE EBP: 0BADC0DE ESP: 0006FFC4 EBX: 0BADC0DE EDX: 00401190 (changed?) ECX: 0006FFC4 (changed?) EAX: C0000005 |
|||
|
16 Feb 2010, 13:43 |
|
|
revolution 16 Feb 2010, 13:45
Have you looked at the values of ecx/edx? Do you find that they are simply your EIP and ESP values before the int 0x2e? Just like was explained above with the sysexit. There is no leak that I can see.
|
|||
|
16 Feb 2010, 13:45 |
|
|
revolution 16 Feb 2010, 13:52
Moving this to Windows section since it is related to Windows only.
|
|||
|
16 Feb 2010, 13:52 |
|
|
asmmsa 16 Feb 2010, 15:03
maybe windows take care of that.
maybe not. hardware doesnt provide security in this case. so it is possible, that kernel could leak something. maybe microsoft take care of that, but 3rd party software - good place to check. Quote: Just like was explained above with the sysexit. sorry, i didnt read manual about sysenter yet, but i have about IDT. edx and ecx are NOT used unless you call a task gate, then they swapped with TSS values. iret doesnt require anything, just return address, selector, flags and ss:esp if cpl != dpl of new cs. also ss.rpl must be = cs.rpl, dont know why or iret will cause GPF. |
|||
|
16 Feb 2010, 15:03 |
|
< Last Thread | Next Thread > |
Forum Rules:
|