#1
SYSENTER hook
In 2k, I have a table of interrupt handler pointers which can easily be modified, but what about XP and SYSENTER?
Should I set up a new handler proc through WRMSR and SYSENTER_CS, SYSENTER_ESP, ...? Does anybody have a code snippet for this? thx a lot
#2
hi, niom,

You only need to write a kernel driver very similar to the one that replaces the INT 2E handler. Look for example at the code by sinister (http://www.xfocus.net/articles/200303/499.html). Obviously you can always hook single system services. But if you look more deeply at the Windows XP architecture, you will find that:
(a) the fuc.ed SYSENTER is in userland (even if in read-only memory, and you cannot use WriteProtect on it to make it writeable, because the address (0x7FFE0300) is outside the VadRoot of all the processes);
(b) on AMD processors there is no SYSENTER but INT 2E.
So, we can replace SYSENTER with INT 2E and use the same tools we have for Windows 2K, can't we? In fact, after many reboots, I finally managed to change on the fly the two ways to enter system services, from SYSENTER to INT 2E and vice versa, and all this without any driver involved! It is as simple as replacing

Code:
7FFE0300: (physical 41300)  8BD4      mov edx, esp
                            0F34      sysenter
                            C3        ret

with

Code:
7FFE0300:                   8D542408  lea edx, [esp+8]
                            CD2E      int 2eh
                            C3        ret

Best regards, bilbo
#3
thx, but I have a new question: do you think it is possible to "instrument" all ntoskrnl exports like Detours does? (Detours inserts a jump at the function entry that points to a custom trampoline, which calls the old code: http://research.microsoft.com/~galenh/Publications/HuntUsenixNt99.pdf) Or do you know an easier way to intercept ring0->ring0 calls?
#4
Just done a driver to revert back to INT 2E from SYSENTER.
I'm interested in the SP2 NTOSKRNL.EXE, and also in the code at 7FFE0300h on AMD machines. Posted at Woodmann.com.
#5
To bilbo:
AMD very well has its own "SYSENTER/SYSEXIT": SYSCALL (0F05h) and SYSRET (0F07h). Exactly this is what I'm interested in: does someone see usage of these on AMD at 7FFE0300h?
#6
Well done, evaluator!

The trick I told before is just to avoid copying the INT 2E snippet on top of the SYSENTER snippet: in this way you would fuck all the pending system calls! You are copying it at a displacement of 16 bytes: good. You have also done a lot of checks... even address FFDF0300 (which is the same physical memory as 7FFE0300), SYSEXIT (at KiSystemService), the code inside KiSystemService (which forces you to eventually detect SoftICE), and two times the SYSENTER snippet... but better sure than unsure... I also found it is not necessary to patch KiSystemCallExitBranch from 7506 (jnz KiSystemCallExit2) to 7505 (jnz KiSystemCallExit).

niom: it looks like you are interested in ring0 detouring. This is for you: http://www.rootkit.com/newsread.php?newsid=152 It comes with nice code too.

Regards, bilbo

Edited for evaluator... Regarding the ring0 detouring suggestion, it was for niom, as I wrote, not for you... Regarding the 9th post: look where I posted the answer, and look at my previous posts, please... Regarding SYSEXIT patching... I have posted on WOODMANN a snippet which does not patch anything more than necessary... Please don't be so aggressive... We are here to learn, not to flame each other.

Best regards!

P.S. Only 3 addresses for phys 41000? Or 4? Do PHYS 41000 and you will know!!!

Last edited by bilbo; 08-02-2004 at 21:53.
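A defender-side check that follows from the two stub patterns quoted in post #2 and the patching details in posts #5 and #6, added here as an example (it is not code from any poster in this thread): given a copy of the bytes at 0x7FFE0300, it classifies the entry sequence as the SYSENTER stub, the INT 2E stub, or something unexpected, counts extra stub copies elsewhere in the window (post #6 describes an INT 2E copy placed 16 bytes further on rather than over the SYSENTER stub), and counts AMD SYSCALL (0F 05) opcodes from post #5. The byte sequences come from the thread; the 32-byte window length, the constructed sample windows and the function names `inspect_syscall_stub` and `inspect_constructed_sample` are assumptions of this example, and it never reads live memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stub byte patterns quoted in post #2 for the user-mode system call stub
 * at 0x7FFE0300 (the SystemCall field of the shared user data page). */
static const uint8_t STUB_SYSENTER[] = {
    0x8B, 0xD4,              /* mov edx, esp */
    0x0F, 0x34,              /* sysenter     */
    0xC3                     /* ret          */
};
static const uint8_t STUB_INT2E[] = {
    0x8D, 0x54, 0x24, 0x08,  /* lea edx, [esp+8] */
    0xCD, 0x2E,              /* int 2eh          */
    0xC3                     /* ret              */
};

enum stub_kind { STUB_UNKNOWN = 0, STUB_KIND_SYSENTER, STUB_KIND_INT2E };

struct stub_report {
    enum stub_kind entry;  /* what the bytes at offset 0 decode to */
    int sysenter_hits;     /* copies of the SYSENTER stub anywhere in the window */
    int int2e_hits;        /* copies of the INT 2E stub anywhere in the window */
    int syscall_opcodes;   /* 0F 05 (AMD SYSCALL, post #5) occurrences */
    int suspicious;        /* 1 when the window is not a single, known stub */
};

static int match_at(const uint8_t *buf, size_t len, size_t off,
                    const uint8_t *pat, size_t plen)
{
    return off + plen <= len && memcmp(buf + off, pat, plen) == 0;
}

/* Inspect a caller-supplied copy of the bytes at 0x7FFE0300. */
struct stub_report inspect_syscall_stub(const uint8_t *window, size_t len)
{
    struct stub_report r;
    memset(&r, 0, sizeof r);

    if (match_at(window, len, 0, STUB_SYSENTER, sizeof STUB_SYSENTER))
        r.entry = STUB_KIND_SYSENTER;
    else if (match_at(window, len, 0, STUB_INT2E, sizeof STUB_INT2E))
        r.entry = STUB_KIND_INT2E;

    for (size_t off = 0; off < len; off++) {
        if (match_at(window, len, off, STUB_SYSENTER, sizeof STUB_SYSENTER))
            r.sysenter_hits++;
        if (match_at(window, len, off, STUB_INT2E, sizeof STUB_INT2E))
            r.int2e_hits++;
        if (off + 1 < len && window[off] == 0x0F && window[off + 1] == 0x05)
            r.syscall_opcodes++;
    }

    /* A pristine window holds exactly one stub of a known kind. An unknown
     * entry sequence, or a second stub copy (an INT 2E copy 16 bytes past the
     * SYSENTER stub, as described in post #6), is worth an alert. */
    r.suspicious = (r.entry == STUB_UNKNOWN) ||
                   (r.sysenter_hits + r.int2e_hits != 1);
    return r;
}

#define WINDOW_LEN 32  /* assumed inspection window size */

/* Constructed sample windows (not dumps from a real machine):
 * 0 = pristine SYSENTER stub, 1 = pristine INT 2E stub,
 * 2 = SYSENTER stub plus an INT 2E copy at +16, 3 = unrelated bytes. */
struct stub_report inspect_constructed_sample(int which)
{
    uint8_t w[WINDOW_LEN];
    memset(w, 0, sizeof w);
    switch (which) {
    case 0: memcpy(w, STUB_SYSENTER, sizeof STUB_SYSENTER); break;
    case 1: memcpy(w, STUB_INT2E, sizeof STUB_INT2E); break;
    case 2: memcpy(w, STUB_SYSENTER, sizeof STUB_SYSENTER);
            memcpy(w + 16, STUB_INT2E, sizeof STUB_INT2E); break;
    default: w[0] = 0xE9; w[5] = 0xC3; break; /* hypothetical jmp rel32; ret */
    }
    return inspect_syscall_stub(w, sizeof w);
}

int main(void)
{
    static const char *names[] = { "unknown", "sysenter", "int 2e" };
    for (int i = 0; i < 4; i++) {
        struct stub_report r = inspect_constructed_sample(i);
        printf("sample %d: entry=%s sysenter=%d int2e=%d syscall=%d suspicious=%d\n",
               i, names[r.entry], r.sysenter_hits, r.int2e_hits,
               r.syscall_opcodes, r.suspicious);
    }
    return 0;
}
```

The scan walks the whole window rather than only offset 0 because, as post #6 notes, a patcher that leaves the original stub in place and adds its own copy further on would pass a check that only decodes the first bytes; a window with two stub copies, or with an entry sequence that is neither pattern, is the signal worth logging.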