flat assembler
Message board for the users of flat assembler.
Index
> Windows > ring 0 without a kernel mode driver |
Author |
|
HarryTuttle 31 Jan 2005, 20:01
why
db 64h,67h,0FFh,36h,0,0 instead of simple: push [fs:0] ? is it better? _________________ Microsoft: brings power of yesterday to computers of today. |
|||
31 Jan 2005, 20:01 |
|
beppe85 31 Jan 2005, 20:50
HarryTuttle wrote: why Instructions one byte shorter. I remember I had saw in a thread about this, taking a word address to load a dword. Both disassembly the same and do the same. _________________ "I assemble, therefore I am" If you got some spare time, visit my blog: http://www.beppe.theblog.com.br/ and sign my guestmap |
|||
31 Jan 2005, 20:50 |
|
Tomasz Grysztar 31 Jan 2005, 21:31
It should be:
Code: push dword [fs:word 0] |
|||
31 Jan 2005, 21:31 |
|
r22 01 Feb 2005, 05:49
I made the code in version .56 so I had to use db in .57 it should work the normal way.
Anyways I'm going to try and implement the functions in advapi that I need to use to get access to /Device/PhysicalMemory then I'll repost an update. |
|||
01 Feb 2005, 05:49 |
|
r22 01 Feb 2005, 08:24
Code: format PE GUI 4.0 entry Start include '%fasminc%\win32a.inc' section '.data' data readable writeable fmt db '%lu',0 buffr rb 32 rjunk dd 0 myPID dd 0 pAddr dd 0 ntBad dd 0 MmIs db 'MmIsAddressValid',0 MmIsAddressValid dd 0 dAccess db 2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0 dd CUser CUser db 'C',0,'U',0,'R',0,'R',0,'E',0,'N',0,'T',0,5fh,0,'U',0,'S',0,'E',0,'R',0,0,0 align 4 devPhy db '\',0,'D',0,'e',0,'v',0,'i',0,'c',0,'e',0,'\',0,'P',0,'h',0,'y',0,'s',0,'i',0,'c',0,'a',0,'l',0,'M',0,'e',0,'m',0,'o',0,'r',0,'y',0,0,0 uniPhys db ',',0,2eh,0 dd devPhy align 4 phyMem db 18h,0,0,0,0,0,0,0 dd uniPhys db 40h,0,0,0 dd 0,0 hFileMapObj dd 0 DACL dd 0 NewACL dd 0 SecurityD dd 0 kernelLib dd 0 kernelBase dd 0 section '.code' code readable executable Start: call [GetCurrentProcessId] mov [myPID], eax push dword [FS: word 0] mov [fs: word 0],esp push 4 push 1000h push 100000h push 0 call [VirtualAlloc] mov [pAddr], eax push dword rjunk ;out ret len push 100000h push dword[pAddr] push dword 0Bh call [NtQuerySystemInformation] mov edx, dword[pAddr] mov eax, [edx+0ch] mov [ntBad],eax ;kernel base addr push phyMem push 60000h ;read write DAC push hFileMapObj call [NtOpenSection] push SecurityD push 0 push DACL push 0 push 0 push 4 push 6 push [hFileMapObj] call [GetSecurityInfo] push NewACL push [DACL] push dAccess push 1 call [SetEntriesInAcl] ;WideChar note .idata push 0 push [NewACL] push 0 push 0 push 4 push 6 push [hFileMapObj] call [SetSecurityInfo] push [NewACL] call [LocalFree] push [SecurityD] call [LocalFree] push [hFileMapObj] call [CloseHandle] push phyMem push 2 push hFileMapObj call [NtOpenSection] mov edx,[pAddr] movzx eax,word[edx+1eh] lea eax,[eax+edx+20h] push 1 push 0 push eax call [LoadLibrary] mov [kernelLib],eax push MmIs push eax call [GetProcAddress] sub eax,[kernelLib] add eax,[ntBad] ;real addr mov [MmIsAddressValid],eax mov esi,[kernelLib] mov ecx,[esi+3ch] add ecx,esi mov eax,[ecx+34h] mov ecx,[ecx+50h] add ecx,esi mov [kernelBase],eax ; ok now find PsActiveProcessHead ;first find "push 'egap'" 68 50 41 47 45 morefind: cmp esi,ecx jae failure lodsd sub esi,3 cmp eax,47415068h jnz morefind cmp byte [esi+3],45h jnz morefind dec esi ;more to come getting close to making the r3 to r0 call gate push eax push fmt push buffr call [wsprintf] failure: push 0 push buffr push buffr push 0 call [MessageBox] call [ExitProcess] r0code: section '.idata' import data readable writeable library kernel32,'KERNEL32.DLL',\ advapi32,'ADVAPI32.DLL',\ ntdll,'NTDLL.DLL',\ user32,'USER32.DLL' import ntdll,\ NtUnmapViewOfSection,'NtUnmapViewOfSection',\ NtQuerySystemInformation,'NtQuerySystemInformation',\ NtOpenSection,'NtOpenSection',\ NtMapViewOfSection,'NtMapViewOfSection' include "%fasminc%\apia\kernel32.inc" include "%fasminc%\apiw\advapi32.inc" include "%fasminc%\apia\user32.inc" section '.reloc' fixups data discardable I had to align phyMem so it would work and I also added the advapi functions needed. |
|||
01 Feb 2005, 08:24 |
|
Madis731 01 Feb 2005, 08:38
What is the reference you're using? I just can't understand where do you get all this.
|
|||
01 Feb 2005, 08:38 |
|
Tomasz Grysztar 01 Feb 2005, 08:53
One more thing. Instead of:
Code: db 'C',0,'U',0,'R',0,'R',0,'E',0,'N',0,'T',0,5fh,0,'U',0,'S',0,'E',0,'R',0,0,0 you can write: Code: du 'CURRENT_USER',0 |
|||
01 Feb 2005, 08:53 |
|
HarryTuttle 02 Feb 2005, 08:03
Code: ;**********************************************************************************************; ; Tentative de ring0 sous un OS U kernel NT ; ; basé sur l'article "Playing with Windows /dev/(k)mem" de crazylord ; ; ; ; 27/08/03 Chrishka commentaires,suggestions,nimp : chris.j84@free.fr ; ;**********************************************************************************************; .386 .model flat,stdcall option casemap :none include \masm32\include\windows.inc include \masm32\include\user32.inc include \masm32\include\kernel32.inc include \masm32\include\advapi32.inc includelib \masm32\lib\user32.lib includelib \masm32\lib\kernel32.lib includelib \masm32\lib\advapi32.lib ;!==================================================================================!; ; masm32 v8 ne fournit pas de library et d'include pour ntdll.dll ; ; j'ai fait ceux-lU U l'arrache (j'ai mis que ce dont j'avais besoin), ; ; si vous en avez un mieux n'hésitez pas ; ; ; include \masm32\include\ntdll.inc ; includelib \masm32\lib\ntdll.lib ; ; ; ;!==================================================================================!; ;______________________________________________________________________________________________________________________ ; ; les données ;______________________________________________________________________________________________________________________ .data? ALIGN DWORD dacl dd ? nexp dd ? hPhysicMem dd ? pSecuDescript dd ? pOldDacl dd ? pNewDacl dd ? unicode_str dw ? ;UNICODE_STRING{ USHORT Length dw ? ; USHORT MaxLength dd ? ; PWSTR Buffer }; obj_attrib dd ? ;OBJECT_ATTRIBUTES{ ULONG Length dd ? ; HANDLE RootDirectory dd ? ; UNICODE_STRING* ObjectName dd ? ; ULONG Attributes dd ? ; VOID* SecurityDescriptor dd ? ; VOID* SecurityQualityOfService }; Exp_Access dd ? ;EXPLICIT_ACCESS{ DWORD grfAccessPermissions dd ? ; ACCESS_MODE grfAccessMode dd ? ; DWORD grfInheritance ; TRUSTEE Trustee }; dd ? ;TRUSTEE{ TRUSTEE* pMultipleTrustee dd ? ; MULTIPLE_TRUSTEE_OPERATION MultipleTrusteeOperation dd ? ; TRUSTEE_FORM TrusteeForm dd ? ; TRUSTEE_TYPE TrusteeType dd ? ; LPSTR ptstrName }; gdt dw ? ;KGDTENTRY{ WORD LimitLow dw ? ; WORD BaseLow dw ? ; WORD BaseHigh }; pad1 dw ? Callgate dq ? ; PHYSICAL_ADDRESS pAddress dd ? ; VOID* MappedAddress dd ? ; CALLGATE_DESC* pDesc dw ? ; WORD Segment dw ? ; WORD LastEntry ViewSize dd ? CgCall df ? pad2 dw ? udevname db 46 dup(?) .const modname db "Ring0",0 err1 db "error",0 err2 db "error : access denied",0 devname db "\device\physicalmemory",0 user db "CURRENT_USER",0 ;______________________________________________________________________________________________________________________ ;______________________________________________________________________________________________________________________ ; ; le code ;______________________________________________________________________________________________________________________ .code Start: ;______________________________________________________________________________________________________________________ invoke MultiByteToWideChar,CP_ACP,MB_PRECOMPOSED,addr devname,-1,addr udevname,23 invoke RtlInitUnicodeString,addr unicode_str,addr udevname mov ebx,offset obj_attrib mov dword ptr [ebx],24 ; sizeof(OBJECT_ATTRIBUTES) mov dword ptr [ebx+4],NULL mov dword ptr [ebx+8],offset unicode_str mov dword ptr [ebx+12],OBJ_CASE_INSENSITIVE or dword ptr [ebx+12],OBJ_KERNEL_HANDLE mov dword ptr [ebx+16],NULL mov dword ptr [ebx+20],NULL mov edx,SECTION_MAP_READ or edx,SECTION_MAP_WRITE invoke NtOpenSection,addr hPhysicMem,edx,ebx .IF eax != ERROR_SUCCESS .IF eax == ACCESS_DENIED jmp needrw .ELSE invoke MessageBox,NULL,addr err1,addr modname,MB_OK jmp fin .ENDIF .ELSE mov pOldDacl,NULL jmp rw .ENDIF needrw: mov edx,WRITE_DAC or edx,READ_CONTROL invoke NtOpenSection,addr hPhysicMem,edx,addr obj_attrib .IF eax != ERROR_SUCCESS .IF eax == ACCESS_DENIED invoke MessageBox,NULL,addr err2,addr modname,MB_OK jmp fin .ELSE invoke MessageBox,NULL,addr err1,addr modname,MB_OK jmp fin .ENDIF .ENDIF invoke GetSecurityInfo,hPhysicMem,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,NULL,NULL,addr pOldDacl,NULL,addr pSecuDescript .IF eax != ERROR_SUCCESS invoke MessageBox,NULL,addr err1,addr modname,MB_OK jmp fin .ENDIF mov ebx,offset Exp_Access mov dword ptr [ebx],SECTION_ALL_ACCESS mov dword ptr [ebx+4],GRANT_ACCESS mov dword ptr [ebx+8],NO_INHERITANCE mov dword ptr [ebx+12],NULL mov dword ptr [ebx+16],NO_MULTIPLE_TRUSTEE mov dword ptr [ebx+20],TRUSTEE_IS_NAME mov dword ptr [ebx+24],TRUSTEE_IS_USER mov dword ptr [ebx+28],offset user invoke SetEntriesInAcl,1,addr Exp_Access,pOldDacl,addr pNewDacl .IF eax != ERROR_SUCCESS invoke MessageBox,NULL,addr err1,addr modname,MB_OK jmp fin .ENDIF invoke SetSecurityInfo,hPhysicMem,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,NULL,NULL,pNewDacl,NULL .IF eax != ERROR_SUCCESS invoke MessageBox,NULL,addr err1,addr modname,MB_OK jmp fin .ENDIF invoke LocalFree,pNewDacl invoke LocalFree,dacl invoke LocalFree,pSecuDescript invoke NtClose,hPhysicMem mov hPhysicMem,NULL ;______________________________________________________________________________________________________________________ ; ; installation du callgate ;______________________________________________________________________________________________________________________ mov edx,SECTION_MAP_READ or edx,SECTION_MAP_WRITE invoke NtOpenSection,addr hPhysicMem,edx,addr obj_attrib .IF eax != ERROR_SUCCESS .IF eax == 0C0000022h invoke MessageBox,NULL,addr err2,addr modname,MB_OK jmp fin .ELSE invoke MessageBox,NULL,addr err1,addr modname,MB_OK jmp fin .ENDIF .ENDIF rw: sgdt gdt mov ebx,offset gdt movzx eax,word ptr [ebx+2] movzx edx,word ptr [ebx+4] shl edx,16 or edx,eax .IF (edx < 80000000h) || (edx >= 0A0000000h) and edx,0FFFF000h .ELSE and edx,1FFFF000h .ENDIF mov ebx,offset Callgate mov dword ptr [ebx],edx mov dword ptr [ebx+4],0 push PAGE_READWRITE push 0 push 1 movzx edx,word ptr gdt mov ViewSize,edx push offset ViewSize mov eax,offset Callgate push eax push edx push 0 add eax,8 push eax push -1 push hPhysicMem call NtMapViewOfSection .IF eax != ERROR_SUCCESS invoke MessageBox,NULL,addr err1,addr modname,MB_OK jmp fin .ENDIF mov ebx,offset Callgate mov dword ptr [ebx+12],NULL mov dx,gdt and dx,0FFF8h movzx eax,dx mov ecx,[ebx+8] add eax,ecx .WHILE eax > ecx ; recherche d'un callgate descriptor libre dans la gdt. ; on regarde si le bit 'present' est U 0. s'il est U and byte ptr [eax+5],80h ; 1, c'est que la place est prise donc... jne @f ; ... on cherche ailleurs mov edx,Ring0 mov word ptr [eax],dx ; mot de poids faible de l'adresse de la fonction Ring0 mov word ptr [eax+2],KGDT_R0_CODE mov byte ptr [eax+4],1 ; nombre de param tres de Ring0, on passe 1 param tre ; attention, le nombre de param tre n'est codé que sur les ; 4 premiers bits de cet octet, donc pas plus de 15 param tres ; sinon on met U 1 des bits qui doivent tre U 0 dans cet octet mov byte ptr [eax+5],0ECh shr edx,16 mov word ptr [eax+6],dx ; mot de poids fort de l'adresse de la fonction Ring0 mov dword ptr [ebx+12],eax jmp fwh @@: sub eax,8 .ENDW fwh: .IF dword ptr [ebx+12] == NULL ; a-t-on trouvé un callgate descriptor libre ? si non, on arrte lU invoke MessageBox,NULL,addr err1,addr modname,MB_OK jmp fin .ENDIF mov edx,offset CgCall sub eax,ecx or al,3 mov word ptr [edx+4],ax mov dword ptr [edx],0 ;______________________________________________________________________________________________________________________ ; ; Appel de la fonction Ring0 ;______________________________________________________________________________________________________________________ push 12345678h ; exemple de param tre call fword ptr [CgCall] ;______________________________________________________________________________________________________________________ ; ; Désinstallation du callgate + un peu de nettoyage ;______________________________________________________________________________________________________________________ mov ebx,offset Callgate mov edi,[ebx+12] xor eax,eax stosd stosd invoke NtUnmapViewOfSection,-1,dword ptr [ebx+8] invoke NtClose,hPhysicMem .IF pOldDacl != NULL mov edx,WRITE_DAC or edx,READ_CONTROL invoke NtOpenSection,addr hPhysicMem,edx,addr obj_attrib invoke GetSecurityInfo,hPhysicMem,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,NULL,NULL,addr pOldDacl,NULL,addr pSecuDescript mov ebx,offset Exp_Access mov dword ptr [ebx],SECTION_ALL_ACCESS mov dword ptr [ebx+4],REVOKE_ACCESS mov dword ptr [ebx+8],NO_INHERITANCE mov dword ptr [ebx+12],NULL mov dword ptr [ebx+16],NO_MULTIPLE_TRUSTEE mov dword ptr [ebx+20],TRUSTEE_IS_NAME mov dword ptr [ebx+24],TRUSTEE_IS_USER mov dword ptr [ebx+28],offset user invoke SetEntriesInAcl,1,addr Exp_Access,pOldDacl,addr pNewDacl invoke SetSecurityInfo,hPhysicMem,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,NULL,NULL,pNewDacl,NULL invoke NtClose,hPhysicMem .ENDIF ;______________________________________________________________________________________________________________________ fin: invoke ExitProcess,0 ;______________________________________________________________________________________________________________________ ;______________________________________________________________________________________________________________________ ; ; LA fonction qui va tourner en kernel mode ; elle ne fait rien, U vous de la remplir , mais /!\ prudence /!\, le syst me se ; remet tr s difficilement d'une erreur en kernel mode, allez-y avec des pincettes, ; je me suis tapé des dizaines d'écrans bleu sous 2000 en développant ce truc... ;______________________________________________________________________________________________________________________ Ring0 PROC pushf ; on sauvegarde les flags mov eax,[esp+10] ; on récup re le param tre dans eax. cli ; some privileged instructions... mov ebx,cr0 mov ecx,dr7 ; dedicated to roticv lol popf ; restore les flags, réactive les interruptions au passage retf 4 ; on désempile un double mot Ring0 ENDP ;______________________________________________________________________________________________________________________ end Start _________________ Microsoft: brings power of yesterday to computers of today. |
|||
02 Feb 2005, 08:03 |
|
r22 02 Feb 2005, 18:54
Yep thats the stuff, porting it to fASM from mASM is a pain in EL BUTT though:P
|
|||
02 Feb 2005, 18:54 |
|
BoR0 03 Feb 2005, 22:03
Hi guys.. I've been all over the net and couldn't find ntdll.inc and ntdll.lib (though I found some files but the equates were not there).
I'd really appreciate it if you can zip that masm "ring3 to ring0" source with all the needed and include files. Thanks. |
|||
03 Feb 2005, 22:03 |
|
r22 04 Feb 2005, 02:03
the ntdll includes and libs aren't in the version of masm32 i have, I assume they were user made and not included with the code snippet from Harry Tuttle.
Its a shame the MASM source is so ambiguous, I guess the person coding it was trying to optimize, also I don't read the language the comments are in:P I wanted to compile it and then just use my disassembler at look at the source without all the macros. |
|||
04 Feb 2005, 02:03 |
|
< Last Thread | Next Thread > |
Forum Rules:
|
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.
Website powered by rwasa.