SYSENTER hook

[Mkz]

evaluator,

On an AMD this is what I get (XP SP1):

Code:

7FFE0300   8BD4             MOV EDX,ESP
7FFE0302   0F34             SYSENTER
7FFE0304   C3               RETN ; ring0 returns to this line

This is the rest of the code, but it isn't called:

Code:

7FFE0305   9C               PUSHFD
7FFE0306   810C24 00010000  OR DWORD PTR SS:[ESP],100
7FFE030D   9D               POPFD
7FFE030E   C3               RETN
7FFE030F   8BD4             MOV EDX,ESP
7FFE0311   0F05             SYSCALL
7FFE0313   C3               RETN
7FFE0314   9C               PUSHFD
7FFE0315   810C24 00010000  OR DWORD PTR SS:[ESP],100
7FFE031C   9D               POPFD
7FFE031D   C3               RETN
7FFE031E   C2 0800          RETN 8

And here's a sample call

Code:

77D6E285   B8 41110000      MOV EAX,1141
77D6E28A   BA 0003FE7F      MOV EDX,7FFE0300
77D6E28F   FFD2             CALL EDX
77D6E291   C2 1000          RETN 10

Seems that the same instruction is used as in Intel, not the 0F05 variant...

Here's the cpu info before you say it's a pentium

Code:

[ WCPUID Version 3.0g  (c) 1996-2002  By H.Oda! ]

  Processor #1 : AMD Athlon (Model 4) / ...
      Platform : Socket A (Socket 462)
 Vendor String : AuthenticAMD
      CPU Type : Original OEM Processor (0)
        Family : 6  (7)
         Model : 4  (4)
   Stepping ID : 4  (4)
         Brand : ----
          APIC : ----
   Name String : AMD Athlon(tm) Processor

Internal Clock : 1399.32 MHz
    System Bus :  266.54 MHz DDR
  System Clock :  133.27 MHz
    Multiplier :   10.5  

    L1 I-Cache :   64K Byte
    L1 D-Cache :   64K Byte
    L1 T-Cache :  ----
    L1  Cache  :  ----
    L2  Cache  :  256K Byte
    L2  Speed  : 1399.32 MHz (Full)

    MMX   Unit : Supported
    SSE   Unit : Not Supported
   SSE2   Unit : Not Supported
   MMX2   Unit : Supported
  3DNow!  Unit : Supported
  3DNow!+ Unit : Supported

www.bindview.com/Support/RAZOR/ Utilities/Windows/strace_readme.cfm

[Mkz]

While looking at "ntoskrnl.exe", I just found another way to disable the SYSCALL/SYSENTER stuff and revert to the old INT 2E.

Go to HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel and create an entry named "FastSystemCallDisable" with a DWORD value of 1.

This isn't an "on-the-fly" solution, you must reboot to make it active, so I guess the posted driver will be more handy if it works for you. Unless you don't mind having your machine permanently configured for INT 2E, that is.
Still this seems to be an officially supported flag, it shouldn't stop working when you apply an SP or hotfix.

To find the code in ntoskrnl, search for the unicode text "FastSystemCallDisable". It's referenced in a table of key names and memory locations. The loc associated with that variable is then referenced in the routine that checks the processor capabilities and sets up the ring3/ring0 transition. It will end up writing the chosen stub to the 0xFFDF0300 offset which seems to be the KM equivalent to 0x7FFE0300 in user mode.

Hi, instead of looking for ways to hook int 2E or sysenter/exit, you should consider hooking the function ptr table after this system service stub. Check the kernel api spy example published by Shreiber in his "Undocumented windows 2000" book.

The idea is to find out the KiServiceTable (exported by w2k and xp) and one of its member points to this function ptr table. You probably need a good kernel device driver to accomplish this task though.

Have fun