Thread: SYSENTER hook
#6 | 08-02-2004, 16:40 | bilbo
Well done, evaluator!
The trick I mentioned before is simply to avoid copying the INT 2E snippet on top of the SYSENTER snippet: that way you would fuck up all the pending system calls!
You are copying it at a displacement of 16 bytes: good.
You have also done a lot of checks... even address FFDF0300 (which is the same physical memory as 7FFE0300), SYSEXIT (at KiSystemService), the code inside KiSystemService (which forces you to eventually detect SoftICE) and the SYSENTER snippet twice... but better sure than unsure...

I also found that it is not necessary to patch KiSystemCallExitBranch from 7506 (jnz KiSystemCallExit2) to 7505 (jnz KiSystemCallExit).

Quote:
Does someone see usage of these on AMD at 7FFE0300h?
No, my experiments were done on a rather old AMD K6, and there INT 2E was used.

niom: it looks like you are interested in ring0 detouring. This is for you: http://www.rootkit.com/newsread.php?newsid=152
It comes with nice code too.

Regards, bilbo


Edited for evaluator...
Regarding the ring0 detouring suggestion: it was for niom, as I wrote, not for you...
Regarding the 9th post: look where I posted the answer, and look at my previous posts, please...
Regarding SYSEXIT patching... I have posted on WOODMANN a snippet which does not patch anything more than necessary...
Please don't be so aggressive... We are here to learn, not to flame each other.
Best regards!

P.S. Only 3 addresses for phys 41000? Or 4? Do PHYS 41000 and you will know!!!

Last edited by bilbo; 08-02-2004 at 21:53.
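To make the stub layout the post is arguing about concrete, here is an added C example (written for this page; it is not code from the thread or from bilbo). It assumes the XP-era x86 encodings of the two stubs (KiFastSystemCall: mov edx,esp / sysenter / ret, and KiIntSystemCall: lea edx,[esp+8] / int 2Eh / ret), models the region at 7FFE0300 as a constructed 32-byte buffer, and compares what an in-place overwrite does to the byte at offset 4 (the ret that SYSEXIT returns every thread to) with the copy at a displacement of 16 bytes that the post approves. The live read of 7FFE0300 in main only compiles on 32-bit Windows; the rest runs anywhere.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* KiFastSystemCall as stored at 7FFE0300:  mov edx,esp / sysenter / ret.
   The ret at offset 4 (7FFE0304) is where SYSEXIT sends every thread back. */
static const uint8_t KI_FAST_SYSTEM_CALL[] = { 0x8B, 0xD4, 0x0F, 0x34, 0xC3 };

/* KiIntSystemCall:  lea edx,[esp+8] / int 2Eh / ret  (the post's "INT 2E snippet") */
static const uint8_t KI_INT_SYSTEM_CALL[]  = { 0x8D, 0x54, 0x24, 0x08, 0xCD, 0x2E, 0xC3 };

#define SYSEXIT_RET_OFFSET 4    /* offset of the ret that SYSEXIT returns to */
#define INT2E_DISPLACEMENT 16   /* displacement the post approves for the copied snippet */
#define STUB_AREA_SIZE     32   /* constructed stand-in for 7FFE0300..7FFE031F */

enum stub_kind { STUB_UNKNOWN = 0, STUB_SYSENTER = 1, STUB_INT2E = 2 };

/* Which syscall mechanism does a stub use? (The AMD / 7FFE0300h question in the post.) */
enum stub_kind classify_syscall_stub(const uint8_t *stub, size_t len)
{
    if (len >= sizeof KI_FAST_SYSTEM_CALL &&
        memcmp(stub, KI_FAST_SYSTEM_CALL, sizeof KI_FAST_SYSTEM_CALL) == 0)
        return STUB_SYSENTER;
    if (len >= sizeof KI_INT_SYSTEM_CALL &&
        memcmp(stub, KI_INT_SYSTEM_CALL, sizeof KI_INT_SYSTEM_CALL) == 0)
        return STUB_INT2E;
    return STUB_UNKNOWN;
}

/* Constructed sample: a SYSENTER machine's stub area. The int3 padding is an
   assumption made so that any stray byte stands out; it is not the real page content. */
static void build_stub_area(uint8_t *area)
{
    memset(area, 0xCC, STUB_AREA_SIZE);
    memcpy(area, KI_FAST_SYSTEM_CALL, sizeof KI_FAST_SYSTEM_CALL);
}

/* What the post warns against: copying the INT 2E snippet over the SYSENTER one.
   Returns 1 when the SYSEXIT landing byte is no longer a ret (it becomes 0xCD, the
   opcode of int), so a thread still inside a system call comes back into the middle
   of the new snippet instead of onto a ret. */
int naive_overwrite_breaks_sysexit_return(void)
{
    uint8_t area[STUB_AREA_SIZE];
    build_stub_area(area);
    memcpy(area, KI_INT_SYSTEM_CALL, sizeof KI_INT_SYSTEM_CALL);
    return area[SYSEXIT_RET_OFFSET] != 0xC3;
}

/* What the post approves: copy the snippet 16 bytes further on. Returns 1 when the
   original stub (and its ret) is untouched and the copy is a recognisable INT 2E stub. */
int relocated_copy_keeps_sysexit_return(void)
{
    uint8_t area[STUB_AREA_SIZE];
    build_stub_area(area);
    memcpy(area + INT2E_DISPLACEMENT, KI_INT_SYSTEM_CALL, sizeof KI_INT_SYSTEM_CALL);
    return area[SYSEXIT_RET_OFFSET] == 0xC3 &&
           classify_syscall_stub(area, STUB_AREA_SIZE) == STUB_SYSENTER &&
           classify_syscall_stub(area + INT2E_DISPLACEMENT,
                                 STUB_AREA_SIZE - INT2E_DISPLACEMENT) == STUB_INT2E;
}

int main(void)
{
#if defined(_WIN32) && !defined(_WIN64)
    /* On 32-bit Windows the shared user data page is readable from user mode,
       so the live stub can be classified without a driver. */
    const uint8_t *live = (const uint8_t *)0x7FFE0300u;
    printf("live stub at 7FFE0300: %d (1=SYSENTER, 2=INT 2E)\n",
           (int)classify_syscall_stub(live, 8));
#endif
    printf("overwrite in place breaks SYSEXIT return: %d\n",
           naive_overwrite_breaks_sysexit_return());
    printf("copy at +16 keeps SYSEXIT return:         %d\n",
           relocated_copy_keeps_sysexit_return());
    return 0;
}
```

How the hook then reaches the relocated snippet (MSR change, IDT entry, or whatever the evaluator's code does) is outside this example; it only shows why the bytes at 7FFE0300..7FFE0304 have to stay as they are while threads may still be in flight through SYSENTER/SYSEXIT.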