
interrupt changing


17 replies to this topic

#1
Guest_h4x_*
  • Guests
I'd like to discuss everything related to interrupts.
I thought it was as easy as it should be, but thanks to the developers it isn't.

So, my problem is that I'm trying to replace an interrupt function.

format pe native

section '' readable writeable executable

data import
  ; import descriptor: ILT, timestamp, forwarder chain, DLL name, IAT
  dd RVA ntoskrnl_table,0,0,RVA ntoskrnl_name,RVA ntoskrnl_table
  dd 0,0,0,0,0                    ; empty descriptor terminates the table
end data

ntoskrnl_table:
  DbgPrint dd RVA _DbgPrint
  dd 0

ntoskrnl_name db 'ntoskrnl.exe',0
_DbgPrint db 0,0,'DbgPrint',0     ; 2-byte hint followed by the import name

entry $
  mov eax,[esp+4]                 ; eax = PDRIVER_OBJECT
  mov dword [eax+52],DriverUnload ; DRIVER_OBJECT.DriverUnload (offset 0x34 on x86)

  sidt fword [idt]                ; store IDTR: 16-bit limit, then 32-bit base
  mov ecx,dword [idt+2]           ; ecx = base address of the IDT

  ; rebuild the 32-bit handler offset from the 8-byte gate for vector 0x2e:
  ; offset bits 31..16 sit at +6, bits 15..0 at +0
  movzx eax,word [ecx+368+6] ;368 = 0x2e * 8
  shl eax,16
  mov ax,word [ecx+368+0]

  mov byte [eax],0xCF ;iret right after entry to `ISR`

  push eax                        ; DbgPrint(f, eax): cdecl, args pushed right to left
  push f
  call [DbgPrint]
  add esp,8

  xor eax,eax                     ; return STATUS_SUCCESS
  retn 8                          ; stdcall: DriverEntry(DriverObject, RegistryPath)

DriverUnload:
  retn 4                          ; stdcall: DriverUnload(DriverObject)

align 8
idt rf 1                          ; 6-byte buffer for sidt
f db '%p',0

section '' fixups discardable

This code gets the address of the 0x2e ISR and writes an iret instruction at it. 2 seconds later I'm getting a reboot, not even a BSOD.

mov uses the DS segment, so perhaps this is an issue. But I really don't think so, however... I believe the default DS (0x10+0 = 0x10) is used, so? What's the issue here?

OK, checked: DS = 0x23.
Let's see...
0x20 = GDT, DPL = 3
RPL in the selector = 3
wtf -,-

push ds
mov cx,0x10
mov ds,cx
mov byte [eax],0xCF ;iret right after entry to `ISR`
pop ds

results in a reset.
0x10 = ring 0 read/write, RPL = 0.
I give up, enlighten me as to what's going on; now I'm laughing at whoever created this thing.

Edited by TkTech, 28 September 2009 - 10:09 PM.
Do. Not. Triple post.
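The offset assembly in the first post, as an added example that is not part of the original post or the poster's driver: a C decoder for a 32-bit IDT gate entry that recovers the handler address exactly as the movzx / shl / mov ax sequence does, and also reads the gate fields that sequence ignores (selector, gate type, DPL, present bit). The IDT it runs on is constructed in memory, and the handler address 0x8053E4A0 is hypothetical. One point worth keeping in mind with this code: the base that sidt stores is a linear (paged virtual) address, not a physical one, so the offset recovered here is the same virtual address DbgPrint('%p') prints.

```c
/* Added example, not from the original post: decode a 32-bit IDT gate entry
 * exactly as the sidt / movzx / shl / mov ax sequence does, plus the gate
 * fields that sequence ignores. The IDT below is constructed in memory and
 * the handler address 0x8053E4A0 is hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SAMPLE_VECTORS 0x30

struct idt_gate {
    uint32_t offset;    /* linear (virtual) address of the handler */
    uint16_t selector;  /* code segment selector loaded into CS on entry */
    uint8_t  type;      /* 0xE = 32-bit interrupt gate, 0xF = 32-bit trap gate */
    uint8_t  dpl;       /* highest CPL allowed to raise the vector with INT n */
    uint8_t  present;
};

/* 8-byte gate layout (Intel SDM vol. 3A): bytes 0-1 offset[15:0], 2-3 selector,
 * 4 reserved, 5 = access byte (bit 7 P, bits 5-6 DPL, bit 4 zero, bits 0-3 type),
 * 6-7 offset[31:16]. */
static struct idt_gate decode_idt_gate(const uint8_t *e) {
    struct idt_gate g;
    uint16_t lo = (uint16_t)(e[0] | (e[1] << 8));   /* word [entry+0] */
    uint16_t hi = (uint16_t)(e[6] | (e[7] << 8));   /* word [entry+6] */
    g.offset   = ((uint32_t)hi << 16) | lo;         /* movzx; shl eax,16; mov ax */
    g.selector = (uint16_t)(e[2] | (e[3] << 8));
    g.type     = (uint8_t)(e[5] & 0x0F);
    g.dpl      = (uint8_t)((e[5] >> 5) & 3);
    g.present  = (uint8_t)((e[5] >> 7) & 1);
    return g;
}

/* idt_base is what sidt stored at [idt+2]; vector*8 is the 368 in the post. */
static uint32_t isr_address(const uint8_t *idt_base, unsigned vector) {
    return decode_idt_gate(idt_base + vector * 8).offset;
}

/* Constructed sample IDT: every entry empty except vector 0x2e, filled the way
 * a 32-bit interrupt gate with DPL 3 (user-raisable) and selector 0x08 looks. */
static void build_sample_idt(uint8_t *idt, uint32_t handler) {
    uint8_t *e = idt + 0x2e * 8;
    memset(idt, 0, SAMPLE_VECTORS * 8);
    e[0] = (uint8_t)(handler);       e[1] = (uint8_t)(handler >> 8);
    e[2] = 0x08;                     e[3] = 0x00;
    e[4] = 0x00;
    e[5] = 0xEE;                     /* P=1, DPL=3, type 0xE */
    e[6] = (uint8_t)(handler >> 16); e[7] = (uint8_t)(handler >> 24);
}

int main(void) {
    uint8_t idt[SAMPLE_VECTORS * 8];
    struct idt_gate g;
    build_sample_idt(idt, 0x8053E4A0u);
    g = decode_idt_gate(idt + 0x2e * 8);
    printf("int 0x2e: %04x:%08x type=%x dpl=%u present=%u\n",
           g.selector, g.offset, g.type, g.dpl, g.present);
    return 0;
}
```

Reading the whole gate rather than just the two offset halves is what lets a driver refuse to touch a vector that is not a present 32-bit gate, or that does not point into the selector it expected.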


#2
dargueta

    Writes binary right handed and hex left handed

  • Moderators
  • 4,705 posts
  • Programming Language:C, Java, C++, PHP, Python, Perl, Assembly, Bash, Others
  • Learning:JavaScript
What's the segment limit on DS? More importantly, what's the value of EAX? If it's not aligned properly (on an 8-byte boundary, I believe) you'll get an alignment fault and the CPU will freak out. Also, you need to check the IOPL and the CPL to make sure they're correct.
sudo rm -rf /

#3
Guest_h4x_*
  • Guests
Well, I guess IOPL is fine because I can access ring 0 addresses.
DS limit is flat, 0 to 0xFFFFFFFF.
Value of EAX?
Like in the code above, this is just addition; eax =

movzx eax,word [ecx+368+6] ;368 = 0x2e * 8
shl eax,16
mov ax,word [ecx+368+0]

mov byte [eax],0xCF ;iret right after entry to `ISR`


and DbgPrint confirms it's the address of the handler of int 0x2e.

But for some reason I can't write there.


Wait a minute, are IDT/GDT addresses physical addresses, or virtual? I assume they are virtual, but I have my doubts.

#4
dargueta
You did check the CPL, right?

#5
Guest_h4x_*
  • Guests
CPL is only for instruction fetching, and I don't fetch from this address.
And CPL is 0,0.

I tried everything I know, reset every time.

What about paging? Can a page in the TLB be marked as read-only?
How do I fix that?

#6
dargueta
Oooh, yes, I forgot about that. Check the segment type in either the GDT or LDT. Bit 2 of the segment register should indicate whether you should check the GDT (0) or the LDT (1); check bit 12 of the second half of the descriptor entry (byte 5, bit 4, I think). Also make sure that bit 15 (byte 5, bit 7) is set to 1.

#7
Guest_h4x_*
  • Guests
Segment type?
What do you mean?
0020 00000000 FFFFFFFF 3 P 4Kb Read/Write, accessed

bit 2 is zero, so GDT.
bit 12 of the second half = 1
bit 15 = 1

This GDT descriptor is just lame: base in 4 different places, way to go.

And I can't write there, why? Just why? Everything should work but it's not, and I don't have a clue why.

#8
dargueta
Looks like it's labeled as a code segment, which is non-writable. I know there's a way to get around the security measure that disables writing to code segments, but I don't remember it at the moment. What's bit 11 of the second dword in the GDT descriptor set to?
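Added example, not from the thread: decoding a 32-bit GDT code/data descriptor so the bits discussed in #6 and #8 (bit 11 code/data, bit 12 S, bit 15 P, bits 13-14 DPL, bit 9 writable) come out as named fields, with the base and limit reassembled from their scattered pieces, and then applying the descriptor-level write check to a target address. The three descriptors are the standard flat Windows x86 entries for selectors 0x08, 0x10 and 0x20, typed in here by hand rather than read from a live GDT; the 0x20 one matches the dump in #7 (base 0, limit 0xFFFFFFFF, DPL 3, read/write, accessed) and decodes as a data segment. The target address 0x8053E4A0 is hypothetical.

```c
/* Added example, not from the thread: decode a 32-bit GDT code/data descriptor
 * and apply the segment-level write check. Descriptor values are the standard
 * flat Windows x86 entries, constructed here by hand; selector 0x20 matches the
 * dump quoted in the thread. The target address is hypothetical. */
#include <stdint.h>
#include <stdio.h>

struct seg_desc {
    uint32_t base;
    uint32_t limit;       /* in bytes, after applying the granularity bit */
    uint8_t  present;     /* bit 15 of the high dword */
    uint8_t  dpl;         /* bits 13-14 */
    uint8_t  system;      /* S, bit 12: 1 = code/data, 0 = system (TSS, LDT, gate) */
    uint8_t  is_code;     /* bit 11: 1 = code segment, 0 = data segment */
    uint8_t  rw;          /* bit 9: data segment writable / code segment readable */
    uint8_t  accessed;    /* bit 8 */
    uint8_t  granularity; /* bit 23: 1 = limit counted in 4 KiB pages */
};

/* Reassemble base (lo[31:16], hi[7:0], hi[31:24]) and limit (lo[15:0], hi[19:16])
 * and pull the access bits out of the high dword. */
static struct seg_desc decode_gdt_entry(uint32_t lo, uint32_t hi) {
    struct seg_desc d;
    d.base  = (lo >> 16) | ((hi & 0xFFu) << 16) | (hi & 0xFF000000u);
    d.limit = (lo & 0xFFFFu) | (hi & 0x000F0000u);
    d.granularity = (uint8_t)((hi >> 23) & 1);
    if (d.granularity)
        d.limit = (d.limit << 12) | 0xFFFu;
    d.present  = (uint8_t)((hi >> 15) & 1);
    d.dpl      = (uint8_t)((hi >> 13) & 3);
    d.system   = (uint8_t)((hi >> 12) & 1);
    d.is_code  = (uint8_t)((hi >> 11) & 1);
    d.rw       = (uint8_t)((hi >> 9) & 1);
    d.accessed = (uint8_t)((hi >> 8) & 1);
    return d;
}

/* Segment half of the check for "mov byte [addr], imm8" through a selector:
 * present, a code/data descriptor, a data segment (code segments are never
 * writable, readable or not), writable, and addr inside [base, base+limit].
 * Expand-down data segments are not modelled. Paging is checked separately. */
static int segment_allows_write(const struct seg_desc *d, uint32_t addr) {
    if (!d->present || !d->system) return 0;
    if (d->is_code) return 0;
    if (!d->rw) return 0;
    return addr >= d->base && (addr - d->base) <= d->limit;
}

/* Flat descriptors as laid out in the Windows x86 GDT (constructed here). */
#define GDT_R0_CODE_LO 0x0000FFFFu
#define GDT_R0_CODE_HI 0x00CF9B00u   /* selector 0x08: code, DPL 0 */
#define GDT_R0_DATA_LO 0x0000FFFFu
#define GDT_R0_DATA_HI 0x00CF9300u   /* selector 0x10: data R/W, DPL 0 */
#define GDT_R3_DATA_LO 0x0000FFFFu
#define GDT_R3_DATA_HI 0x00CFF300u   /* selector 0x20: data R/W, DPL 3 (the dump) */

static void show(const char *name, uint32_t lo, uint32_t hi, uint32_t addr) {
    struct seg_desc d = decode_gdt_entry(lo, hi);
    printf("%s base=%08x limit=%08x P=%u DPL=%u S=%u %s rw=%u A=%u write@%08x:%s\n",
           name, d.base, d.limit, d.present, d.dpl, d.system,
           d.is_code ? "code" : "data", d.rw, d.accessed, addr,
           segment_allows_write(&d, addr) ? "allowed" : "denied");
}

int main(void) {
    uint32_t target = 0x8053E4A0u;   /* hypothetical ISR address */
    show("0x08", GDT_R0_CODE_LO, GDT_R0_CODE_HI, target);
    show("0x10", GDT_R0_DATA_LO, GDT_R0_DATA_HI, target);
    show("0x20", GDT_R3_DATA_LO, GDT_R3_DATA_HI, target);
    return 0;
}
```

For the two flat data descriptors the segment check passes at any address, which matches what the thread observed when switching DS between 0x23 and 0x10 changed nothing: privilege is checked when the selector is loaded (max(CPL, RPL) must not exceed the descriptor DPL, which ring 0 satisfies for both), and a present, writable data segment then imposes no further restriction. A store that still faults is being stopped at the paging level instead: with CR0.WP set, a supervisor-mode write to a page whose PTE has the R/W bit clear raises #PF, and the kernel image's code pages are normally mapped read-only.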

#9
Guest_h4x_*
  • Guests
No, segments are just a means of access.
mov uses the default DS, and I can override it anyway, so?
If I use mov with DS, it will check the DS segment for access.
It was in the manuals.


What do you mean by labeled as a code segment? What else don't I know?

#10
dargueta
Read section 3.4.5 of volume 3A of the Intel Architecture Software Developer's Manual; there's a description of segment protection there. And using DS to override won't do anything for you, because the value of the segment selector is the same. The only difference is the register. In either case, the same descriptor is being looked up in the GDT.

#11
Guest_h4x_*
  • Guests
So, CS is used anyway, or what?
And I can change CS by executing a far jump.

#12
dargueta
CS just contains a pointer to the segment descriptor. No matter what register you use to access the segment, it'll still have the same permissions.



