Quote:
Originally Posted by jemos
Saves vector 1 and 3 of IDT. Changes the access flags of
some blocks of memory allocated at runtime and IDT page from
super-visor to user-mode.
hm
Code:
kd> !descriptor idt 1
------------------- Interrupt Gate Descriptor --------------------
IDT base = 0x8003F400, Index = 0x01, Descriptor @ 0x8003f408
8003f408 6f ad 08 00 00 8e 4d 80
Segment is present, DPL = 0, System segment, 32-bit descriptor
Target code segment selector = 0x0008 (GDT Index = 1, RPL = 0)
Target code segment offset = 0x804dad6f
[....]
kd> g
Winlicense driver loaded in memory
kd> !descriptor idt 1
------------------- Interrupt Gate Descriptor --------------------
IDT base = 0x8003F400, Index = 0x01, Descriptor @ 0x8003f408
8003f408 6f ad 08 00 00 ee 4d 80
Segment is present, DPL = 3, System segment, 32-bit descriptor
Target code segment selector = 0x0008 (GDT Index = 1, RPL = 0)
Target code segment offset = 0x804dad6f
It seems that they change the DPL of int 1 from 0 to 3. This makes some sense because they are using some int 1 instructions in their usermode code.
And why is there almost no communication between the app and the driver?
Do they use the driver only for the handling of exceptions that are generated by their usermode code?
And how the hell do they detect VMware? (They are not using the 'documented' backdoor I/O port.)
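As an added example (not code from the thread or from the protector being discussed), here is a small C decoder for the 32-bit x86 interrupt gate descriptor format that the `!descriptor idt 1` dumps above show. The two 8-byte arrays are copied from the kd output before and after the driver load; byte 5 carries the P bit, the DPL and the gate type, and 0x8e versus 0xee is exactly the DPL 0 to 3 change noted above. The integrity check at the end is the kind of comparison a baseline-versus-live IDT scan would use to spot a gate whose DPL has been raised so that ring-3 code can reach it with a software INT. The helper names and the allowlist idea are assumptions for illustration.

```c
/* Added example: decode 32-bit x86 IDT gate descriptors and flag a DPL change.
 * The two byte arrays are constructed from the kd> !descriptor output in the
 * thread; everything else is illustrative and not the protector's own code. */
#include <stdint.h>
#include <stdio.h>

typedef struct {
    uint32_t offset;    /* handler linear address: bytes 0-1 low, bytes 6-7 high */
    uint16_t selector;  /* target code segment selector: bytes 2-3 */
    uint8_t  present;   /* P bit: byte 5, bit 7 */
    uint8_t  dpl;       /* descriptor privilege level: byte 5, bits 6:5 */
    uint8_t  type;      /* gate type: byte 5, bits 3:0 (0xE = 32-bit interrupt gate) */
} idt_gate_t;

/* Vector 1 before and after "Winlicense driver loaded in memory", from the dump */
const uint8_t IDT1_BEFORE[8] = { 0x6f, 0xad, 0x08, 0x00, 0x00, 0x8e, 0x4d, 0x80 };
const uint8_t IDT1_AFTER[8]  = { 0x6f, 0xad, 0x08, 0x00, 0x00, 0xee, 0x4d, 0x80 };

idt_gate_t decode_idt_gate(const uint8_t d[8])
{
    idt_gate_t g;
    g.offset   = (uint32_t)d[0] | ((uint32_t)d[1] << 8)
               | ((uint32_t)d[6] << 16) | ((uint32_t)d[7] << 24);
    g.selector = (uint16_t)(d[2] | (d[3] << 8));
    g.present  = (uint8_t)((d[5] >> 7) & 1);
    g.dpl      = (uint8_t)((d[5] >> 5) & 3);
    g.type     = (uint8_t)(d[5] & 0x0f);
    return g;
}

/* A software "INT n" executed at CPL 3 is delivered only if CPL <= gate DPL,
 * i.e. the gate must be DPL 3. Hardware-raised exceptions ignore the gate DPL,
 * so a kernel can keep vector 1 (#DB) at DPL 0 and a user-mode "int 1" then
 * faults with #GP instead of reaching the handler. */
int gate_user_callable(const uint8_t d[8])
{
    idt_gate_t g = decode_idt_gate(d);
    return g.present && g.dpl == 3;
}

/* Integrity check: compare a saved baseline copy of a gate against the live
 * descriptor and return 1 if the privilege level was raised. */
int gate_dpl_elevated(const uint8_t before[8], const uint8_t after[8])
{
    idt_gate_t b = decode_idt_gate(before);
    idt_gate_t a = decode_idt_gate(after);
    return a.dpl > b.dpl;
}

/* Scan an IDT image of `count` 8-byte gates and count those callable from
 * ring 3 whose vector is not on a caller-supplied allowlist (assumed to hold
 * the vectors the OS legitimately exposes at DPL 3). */
int count_unexpected_user_gates(const uint8_t *table, int count,
                                const int *allow, int allow_len)
{
    int unexpected = 0;
    for (int v = 0; v < count; v++) {
        if (!gate_user_callable(table + 8 * v))
            continue;
        int allowed = 0;
        for (int i = 0; i < allow_len; i++)
            if (allow[i] == v) { allowed = 1; break; }
        if (!allowed)
            unexpected++;
    }
    return unexpected;
}

int main(void)
{
    idt_gate_t b = decode_idt_gate(IDT1_BEFORE);
    idt_gate_t a = decode_idt_gate(IDT1_AFTER);
    printf("before: offset=%08x sel=%04x P=%u DPL=%u type=%x\n",
           (unsigned)b.offset, b.selector, b.present, b.dpl, b.type);
    printf("after : offset=%08x sel=%04x P=%u DPL=%u type=%x\n",
           (unsigned)a.offset, a.selector, a.present, a.dpl, a.type);
    printf("vector 1 DPL elevated: %s\n",
           gate_dpl_elevated(IDT1_BEFORE, IDT1_AFTER) ? "yes" : "no");
    return 0;
}
```

The decoder reproduces the fields kd printed (offset 0x804dad6f, selector 0x0008, P = 1, DPL 0 then 3), which is a quick way to confirm that nothing but the DPL bits changed; a baseline snapshot of the IDT taken before the driver loads, compared gate by gate with `gate_dpl_elevated`, is the same idea applied to the whole table.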