flat assembler
Message board for the users of flat assembler.
Windows > Memory mapping from kernel mode driver
Aaron Sfektu 16 Apr 2007, 13:25
Hello, guys!
I'm sorry, I'm new to this forum, but I really need your assistance. So, when Microsoft released Service Pack 1 for Windows 2003, x64 software developers got a headache, because they can't read memory ranges from a user mode application any more. The only way to get a handle to the \Device\PhysicalMemory object is to call a function from Ring0 mode. Here is a TechNet note. Before Service Pack 1 was released I used the ZwOpenSection function to get a handle to the \Device\PhysicalMemory object, then I called the ZwMapViewOfSection API function to map a memory address range into the address range of my process. Now I have a problem: I don't know which functions I need to use in the kernel mode driver written by František Gábriš. Maybe there is a small example, huh? Thanks, guys, for the help!
Aaron Sfektu 17 Apr 2007, 10:32
Hello, Feryno!
Oh, great! Thanks for your answer! Well, it would be better if the driver called the API functions itself and then returned an output buffer filled with memory data, like the way the ZwMapViewOfSection (NtMapViewOfSection) API function works. BTW, Feryno, could you tell me please, is there a thread on this forum where I could discuss the topic of driver signing for Vista? I'm very interested in this topic. Also, there is an ultimate document from Microsoft, KMCS_Walkthrough.doc, called Kernel-Mode Code Signing Walkthrough, that explains all the steps in signing drivers for the new OS. Thanks for the reply!
Feryno 17 Apr 2007, 11:08
Hello Aaron,
I'm looking forward to trying what happens when ring0 executes a ring3 API, that's a very interesting idea. I successfully made a hardly imaginable thing - an executable (write_device_32_bit.exe) which is almost 32-bit, only a small part of it holds 64-bit code, and that file cooperates with the a05.sys driver (which is pure 64-bit code) very well. 64-bit drivers don't have any possibility like the WOW emulation that 32-bit code has under 64-bit ring3 applications. Would you post the application running well in older versions of Windows accessing \Device\PhysicalMemory? I suppose it is a pure 32-bit app but I can easily convert it into win64 if its size isn't too huge.

I haven't found any thread about signing drivers for Vista here in the forum yet. Perhaps you can start it. I think that Vista stores info about drivers in Windows\System32\catroot\*.cat and ...\catroot2\*.* files; every cat file has a strong CRC (or hash or checksum) and the whole catalog is protected against attacks with a strong CRC again. I have the utility for signing drivers but the problem is purchasing the licence file which is a necessary input to create a signed *.cat file for the driver. A licence for 1 year costs about 400 US$. I refuse (and perhaps everybody here in the forum does) to pay anything because we are only asm fans and not firms earning money with programming. Perhaps we can debug the application for driver signing to find the know-how (its size is only about 200-300 kB, but it heavily calls various security and crypto APIs and calculates a lot of checksums). Perhaps the easiest way is to discover where the signature is in some drivers which are loaded during Vista boot (a speedup, without wasting time walking through several MB of catalogue files) - these files have the signature directly in the *.sys file as well as in the catalogue files - perhaps the CRC in the sys is not as strong as in the catalogue... I don't know...

But I think that the present security is so strong that it is cheaper to pay that money and then in the future only set the time back to the year when the licence is valid, sign the driver, reset the time... Or we can press F8 at every boot and bypass the signing protection, but you know - we are all too lazy to press 3 extra keys at every boot...
vid 17 Apr 2007, 12:35
Quote:
Perhaps we can debug the application for driver signing to find the know-how (its size is only about 200-300 kB, but it heavily calls various security and crypto APIs and calculates a lot of checksums)
Personally I doubt they made it so weak that we would be able to break it somehow. Much more fun would be to have a signed driver which disables driver checking by patching the system.
Aaron Sfektu 17 Apr 2007, 14:41
Feryno, the driver may call the MmMapIoSpace function. This function maps a physical address space to a non-paged process address space and is exported from the ntoskrnl.exe library. It seems to be simpler than ZwMapViewOfSection exported from ntdll.dll. I think it is better to give you two examples of binary drivers instead of putting Object Pascal language source code here. Well, the first one is from the ASUS PCProbe utility and uses the ZwMapViewOfSection API function, and the second one is from my driver binary collection and calls the MmMapIoSpace function.
As for driver signing, I'm sure we can manage with the signing tools that come with the Microsoft SDK package. We just need the latest versions of makecert.exe, makecat.exe, signcode.exe and some of the cross-certificates that can be downloaded from Microsoft's web site for free to sign the driver. Also, here is a very interesting part of the document I mentioned earlier: "Test-signed kernel-mode drivers are supported on Windows Vista only for testing purposes. They must not be used for production purposes or released to customers for use with Windows Vista RC1 or Windows Vista release to manufacturing (RTM)."
Feryno 18 Apr 2007, 05:42
Hello Aaron,
I tried yesterday's ideas and I realized that it was the wrong way. The only API which successfully passed in ring0 was GetCommandLineA because it had only 2 instructions:
mov rax,[...]
ret
All the others caused reboots: CreateFileA + WriteFile + CloseHandle, MessageBoxA. Then I remembered that I had had a small driver in the nibitor package for accessing the IO space of my graphics card. I played a bit with it and it did this:
1. it scanned the PCI bus directly using ports
2. to access VGA chip memory it did HalTranslateBusAddress and then MmMapIoSpace
The size of that driver was only 2304 bytes so it was easy to play with. I have the Vista RTM WDK - makecert.exe, makecat.exe should be there. I also downloaded a newer file for signing - perhaps signcode.exe - several months ago. I will have to look into my home PC to be sure... Thanks for the samples.
Feryno 20 Apr 2007, 05:33
Hello Aaron,
would you test this thing to see whether it is suitable for you (06_test.bat saves the BIOS area memory FFFF0000-FFFFFFFF into a file)? I tested it in Win2003 server SP1 and I'll test it in Vista during the weekend. Now to solve how to sign drivers for Vista (or bypass it in a lazy way) and everything would be fine.
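The driver Aaron describes (MmMapIoSpace from ring0, handing the bytes back to user mode) and the job Feryno's a06.sys does for 06_test.bat (dump the BIOS area FFFF0000-FFFFFFFF), as an added C example that is neither Feryno's driver nor anything posted in this thread. It assumes a request layout of {phys_addr, length} passed through a METHOD_BUFFERED IOCTL, the device name \Device\PhysMemRead, an IOCTL code built from function 0x800, and a 1 MiB per-request cap; all of these are choices made for the example. It also adds the check the thread never discusses: a driver that maps whatever physical address a caller asks for is a ring0 read primitive for every local user, so the request is validated against an allowed window and the device object is ACLed to SYSTEM and Administrators with IoCreateDeviceSecure. The validation and the page-chunked copy are plain C and are exercised by a user-mode self-test; the WDM glue is compiled only under the WDK's _KERNEL_MODE define.

```c
/* Added example, not Feryno's a06.sys: a minimal WDM driver exposing one IOCTL,
 * "read N bytes of physical memory", the way 06_test.bat dumps the BIOS area
 * FFFF0000-FFFFFFFF.  The validation and page-chunked copy are plain C and run
 * in user mode; the kernel glue compiles only when the WDK defines _KERNEL_MODE. */
#ifdef _KERNEL_MODE
#include <ntddk.h>
#include <wdmsec.h>            /* IoCreateDeviceSecure; link against wdmsec.lib */
#endif
#include <stdint.h>
#include <string.h>

typedef struct {               /* assumed request layout (METHOD_BUFFERED input) */
    uint64_t phys_addr;        /* physical start address */
    uint32_t length;           /* bytes to read; the output buffer must hold them */
} physmem_request_t;

#define PAGE_SZ 4096u
/* Only the BIOS ROM window the thread dumps is readable (inclusive bounds);
 * without such a window the driver is a generic ring0 physical-read primitive. */
static const uint64_t allowed_lo = 0xFFFF0000ull, allowed_hi = 0xFFFFFFFFull;

/* 0 if the request is acceptable, otherwise a nonzero reason code. */
int physmem_validate(const physmem_request_t *req, size_t in_len, size_t out_len)
{
    if (in_len < sizeof *req) return 1;                                    /* short input */
    if (req->length == 0 || req->length > (1u << 20)) return 2;            /* 1 MiB cap (hypothetical) */
    if (out_len < req->length) return 3;                                   /* output too small */
    if ((uint64_t)req->length - 1 > UINT64_MAX - req->phys_addr) return 4; /* end wraps */
    if (req->phys_addr < allowed_lo || req->phys_addr + req->length - 1 > allowed_hi) return 5;
    return 0;
}

/* Map/unmap are injected: MmMapIoSpace/MmUnmapIoSpace in the driver, a fake mapper
 * in the self-test.  One page is mapped at a time and released before the next;
 * returns the number of bytes copied (short if a mapping fails). */
typedef void *(*map_fn)(uint64_t phys, size_t len);
typedef void (*unmap_fn)(void *va, size_t len);
size_t physmem_copy(const physmem_request_t *req, uint8_t *out, map_fn map, unmap_fn unmap)
{
    size_t done = 0;
    while (done < req->length) {
        uint64_t phys = req->phys_addr + done;
        size_t off = (size_t)(phys & (PAGE_SZ - 1)), chunk = PAGE_SZ - off;
        if (chunk > req->length - done) chunk = req->length - done;
        uint8_t *va = map(phys - off, PAGE_SZ);          /* map the containing page */
        if (va == NULL) break;
        memcpy(out + done, va + off, chunk);
        unmap(va, PAGE_SZ);
        done += chunk;
    }
    return done;
}

/* User-mode self-test over a constructed 64 KiB "ROM" standing in for the window. */
static uint8_t fake_rom[0x10000];
static void *fake_map(uint64_t phys, size_t len)
{ return (phys < allowed_lo || phys + len - 1 > allowed_hi) ? NULL : fake_rom + (phys - allowed_lo); }
static void fake_unmap(void *va, size_t len) { (void)va; (void)len; }
int physmem_selftest(void)                                 /* 0 on success */
{
    physmem_request_t req = { 0xFFFF0FF0ull, 0x20 };       /* straddles a page boundary */
    uint8_t out[0x20];
    for (size_t i = 0; i < sizeof fake_rom; i++) fake_rom[i] = (uint8_t)(i * 7);
    if (physmem_validate(&req, sizeof req, sizeof out) != 0) return 1;
    if (physmem_copy(&req, out, fake_map, fake_unmap) != sizeof out) return 2;
    return memcmp(out, fake_rom + 0xFF0, sizeof out) == 0 ? 0 : 3;
}

#ifdef _KERNEL_MODE
#define IOCTL_PHYSMEM_READ CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_READ_ACCESS)
static void *map_io(uint64_t phys, size_t len)
{ PHYSICAL_ADDRESS pa; pa.QuadPart = (LONGLONG)phys; return MmMapIoSpace(pa, len, MmNonCached); }
static void unmap_io(void *va, size_t len) { MmUnmapIoSpace(va, len); }

/* Single dispatch routine: CREATE/CLOSE just succeed, DEVICE_CONTROL does the read. */
static NTSTATUS on_dispatch(PDEVICE_OBJECT dev, PIRP irp)
{
    PIO_STACK_LOCATION sp = IoGetCurrentIrpStackLocation(irp);
    NTSTATUS st = STATUS_SUCCESS;
    ULONG_PTR info = 0;
    (void)dev;
    if (sp->MajorFunction == IRP_MJ_DEVICE_CONTROL) {
        size_t in = sp->Parameters.DeviceIoControl.InputBufferLength;
        size_t out = sp->Parameters.DeviceIoControl.OutputBufferLength;
        physmem_request_t req = { 0, 0 };
        /* METHOD_BUFFERED: input and output share SystemBuffer, so copy the request out first. */
        if (in >= sizeof req) memcpy(&req, irp->AssociatedIrp.SystemBuffer, sizeof req);
        if (sp->Parameters.DeviceIoControl.IoControlCode != IOCTL_PHYSMEM_READ)
            st = STATUS_INVALID_DEVICE_REQUEST;
        else if (physmem_validate(&req, in, out) != 0)
            st = STATUS_INVALID_PARAMETER;
        else {
            info = physmem_copy(&req, irp->AssociatedIrp.SystemBuffer, map_io, unmap_io);
            st = (info == req.length) ? STATUS_SUCCESS : STATUS_UNSUCCESSFUL;
        }
    }
    irp->IoStatus.Status = st; irp->IoStatus.Information = info;
    IoCompleteRequest(irp, IO_NO_INCREMENT);
    return st;
}
static void on_unload(PDRIVER_OBJECT drv) { IoDeleteDevice(drv->DeviceObject); }

NTSTATUS DriverEntry(PDRIVER_OBJECT drv, PUNICODE_STRING reg)
{
    UNICODE_STRING name = RTL_CONSTANT_STRING(L"\\Device\\PhysMemRead");
    PDEVICE_OBJECT dev;
    /* The SDDL string limits the device to SYSTEM and Administrators; an open ACL
     * would hand every local user a ring0 physical-memory read. */
    NTSTATUS st = IoCreateDeviceSecure(drv, 0, &name, FILE_DEVICE_UNKNOWN, 0, FALSE,
                                       &SDDL_DEVOBJ_SYS_ALL_ADM_ALL, NULL, &dev);
    (void)reg;
    if (!NT_SUCCESS(st)) return st;
    drv->MajorFunction[IRP_MJ_CREATE] = drv->MajorFunction[IRP_MJ_CLOSE] = on_dispatch;
    drv->MajorFunction[IRP_MJ_DEVICE_CONTROL] = on_dispatch;
    drv->DriverUnload = on_unload;
    return STATUS_SUCCESS;
}
#endif
```

A user-mode client opens \\.\GLOBALROOT\Device\PhysMemRead (no symbolic link is created in this example) and calls DeviceIoControl with IOCTL_PHYSMEM_READ, the request structure as input and a buffer of at least `length` bytes as output. Windows 2003 x64 loads the resulting .sys unsigned; Vista x64 requires a kernel-mode signature or test-signing mode (`bcdedit /set testsigning on`), which is the signing problem the rest of the thread is about. MmMapIoSpace is intended for device memory such as this ROM window; mapping ordinary RAM with MmNonCached while the kernel already has it mapped cached is a caching-attribute conflict, another reason to keep the allowed window narrow.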
Aaron Sfektu 20 Apr 2007, 16:21
Oh, damn it! What a good job! I really appreciate you, feryno! You are a really freaking cool driver developer! Your kernel mode driver and the small sample application work great! Yesterday, I downloaded the latest Service Pack 2 srv03_sp2_rtm.070216-1710 and updated my Windows x64 SP1 with it. There is no problem there either! Thanks a lot, feryno! Yeah, I should spend much more time learning FASM...
So, as to driver signing, I have already got the tools (makecert.exe, etc.) for this purpose, but I think the program version of all the tools is too old, it's 5.131.1863.1. Also, I have downloaded the cross-certificates from Microsoft's website; they are: MSCV-EquifaxSecure.exe, MSCV-VSClass3.exe, MSCV-BCyberTrust.exe and MSCV-GlobalSign.exe. Well, I need more time to read that document deeply. Also, I will install Vista this weekend. Thanks for the support, feryno!
Feryno 23 Apr 2007, 13:05
Hello Aaron,
the skeleton of a simple driver was done in a05.sys, so I had to make only small changes to produce the a06.sys driver. The hardest task was to create the a05.sys driver almost 1 year ago. Security is a nice thing but most assembler coders need to access hardware so we are made to write drivers like these. The first testing OS for a06.sys was Win2003 server SP1 - the kernel should be very close to XP's one (if not the same). I tested it in Vista this weekend and it worked well again after disabling the driver signature check. I downloaded the latest Vista RTM WDK directly from Microsoft months ago. I had subscribed myself as a participant in the Windows driver development kit, but in fact I didn't help them in any way because I haven't installed the WDK yet. I thought that it would be useful to install it in the future. Today I have downloaded the cross-certificates and I'm going to try to sign drivers this weekend. All the new utilities for signing should be in the WDK.

Btw, I was in Norway in July 1994. Very kind people, beautiful country, fascinating nature. I lived for 2 weeks in the students' area Kringsja in Oslo. I wondered how many people practised biking instead of travelling by car. I wondered that students' bikes were left outside for the whole summer holidays - multiple bikes secured with only one simple chain - in my country almost all the bikes would be stolen the first day or night... Citizens of the capital Oslo told me that it was the hottest summer they could remember, the water in the sea was about 20 degrees centigrade above zero which was fine for swimming in the fjords. I also remember a dinner on a boat (after the dinner I jumped into the sea from the boat, swam there a lot and at the end my friends raised the rope ladder and they were smiling at me from the boat for a long time while I was trying to get back on board).
I also remember the entertainment park Tusenfryd, a barbecue dinner near a nice mountain lake and various fun games like running on snow-shoes on a summer lawn (a lot of us had this device on our feet for the first time so we fell several times over short distances) - perhaps it is easier to walk on a snow surface than on the grass. The meal in the students' dining hall was excellent. I also remember that I had problems passing the control at Fornebu on our flight back - something dangerous was shown by the X-ray control in my hand bag, it looked like a real grenade, it shielded X-rays the way a metal shields them, the policeman took half of my things out of the bag and this thing was still there in the bag... at the end we discovered that it was my medal in such a position that it showed up under X-rays like a grenade - the big circular plate rotated by 45 degrees was elliptic, the relief on the medal surface after rotation looked like the surface of a grenade, the piece where the ribbon is tied looked like an initiator... I also remember that I brought into your country 2 liters of home made (by myself) 'slivovica' (plum brandy) without any bad intention - but I broke all 3 rules for importing alcohol into your country (I was only 18 and I had to be 21, only 1 liter per person but I had 2, concentration limit 40% - my slivovica was 53%...) - I was lucky, nobody checked me after my arrival... After leaving the customs officers' empty check area I was waiting for a bus in the airport hall and I was a bit bored, so then I read by chance the rules for importing spirits from a small paper on the table in the hall. I'm not able to remember any bad memory, everything there was totally perfect. The whole accommodation was paid for by foreign agencies - we even got a small amount of spending money for free but in fact we didn't need it because everything was paid for already. It sounds like a dream but it was the reality. So I still feel as if I have a big debt to Norway and the people living there.
LocoDelAssembly 23 Apr 2007, 16:34
Quote:
Add my country to the list too. Ultimately there is no need to leave the bike tied outside for a few minutes to get it stolen; now, even tying the bikes to the railings of the stairs INSIDE the faculty building, some people have lost their bikes anyway... (And note that the things used to tie the bikes are really hard to cut.)
vid 23 Apr 2007, 17:24
53% slivovica? nice
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.
Website powered by rwasa.