Hi everyone, I've just read some tricks for entering the ring0 state. I followed them and entered ring0 successfully. But then I'm confused: I can't use any BIOS interrupts any more in that state, and I can't access any specific memory (such as video memory, keyboard memory, etc.) directly. So what can I do in ring0 state? And if there is any way to access the low-level resources, what is it?
Can anyone give me any advice? Thank you very much.
By the way, the system I'm working on is Windows 2003 Server.
Zhou,
Normally ring0 access is obtained by writing a driver; apart from security breaches, there is little use for accessing ring0 apart from driver design. Tell us why you want ring0 access.
Yes, I know accessing ring0 needs a driver, and I just used a driver to enter ring0 (source code from the internet). But that example code just runs a simple instruction, "mov eax,cr0", when it enters ring0. I tried some other instructions, like some BIOS interrupt calls or instructions accessing memory directly, but they failed.
I studied and used asm programming during the DOS period, but dropped it for many years. I've been told that in Windows I cannot do everything I want like in DOS. This kindled my fighting spirit. But with the experience of these days, I know this is indeed not easy.
Hey there. This ring0 thing seems interesting. Just the other day a guy came into a chat room I was in, looking for some answers regarding this. He wanted to switch to ring0 to debug a driver he was working on. I looked it up on the internet, but the examples I found are written either in C# or this strange ASM format. I couldn't really understand it. Can someone explain how to switch from normal to kernel mode? I don't understand much about those registers or global descriptors.
Ty guys
That subject isn't expanded on much in this forum, as it opens doors for malicious individuals.
There have been a few times I wanted ring 0 access myself.
Mainly, I would like to be able to perform direct I/O on the counter/timers and serial/parallel ports like I did under Win 98.
But I haven't had a pressing need for it just yet :bg I have looked around a little bit as well; it doesn't seem that difficult.
I do, however, get the impression that programmers writing the code are intentionally cryptic about the method and intent - lol
Here's the masm32 driver SDK: http://www.freewebs.com/four-f/ . It shows some neat things you can do if you like playing in kernel mode, aka ring 0, aka the ring of power. For Win2k+, drivers are .sys, and on Win ME and below drivers are .vxd; the only info I know about VxDs is at http://win32assembly.online.fr/tutorials.html
For 32-bit Windows versions prior to Server 2003 (NT, 2k and XP), one can enter ring 0 directly from a Win32 application, without the help of a driver, if you have administrator privilege:
;--- ring0 access for NT platforms (NT4 / 2000 / XP, 32-bit, administrator)
;--- won't work with new versions of this OS: from Server 2003 SP1 on,
;--- \Device\PhysicalMemory can no longer be mapped from user mode
;--- how it works: map the page(s) holding the IDT through the physical
;--- memory section, point gate INTNUMBER at ring0rou with DPL 3, raise
;--- "int INTNUMBER", and put the original gate back
.386p
.model flat, stdcall
option casemap:none

;--- import libraries (masm32 lib directory; ntdll.lib from the DDK/SDK)
includelib kernel32.lib
includelib user32.lib
includelib advapi32.lib
includelib ntdll.lib

;--- ntdll
NtOpenSection proto :ptr dword, :dword, :dword
;--- kernel32
ExitProcess proto :dword
GetStdHandle proto :dword
GetLastError proto
WriteFile proto :DWORD, :DWORD, :DWORD, :DWORD, :DWORD
CloseHandle proto :dword
LocalFree proto :dword
MapViewOfFile proto :DWORD, :DWORD, :DWORD, :DWORD, :DWORD
UnmapViewOfFile proto :DWORD
;--- advapi32
GetSecurityInfo proto :dword, :dword, :dword, :dword, :dword, :dword, :dword, :dword
SetSecurityInfo proto :dword, :dword, :dword, :dword, :dword, :dword, :dword
SetEntriesInAclA proto :dword, :dword, :dword, :dword
;--- user32
wvsprintfA proto :dword, :dword, :dword

NULL equ 0
STD_OUTPUT_HANDLE equ -11
OBJ_CASE_INSENSITIVE equ 40h
SECTION_MAP_WRITE equ 2            ; same value as FILE_MAP_WRITE
SECTION_MAP_READ equ 4
READ_CONTROL equ 20000h            ; standard right: read the security descriptor
WRITE_DAC equ 40000h               ; standard right: replace the DACL
DACL_SECURITY_INFORMATION equ 4
SE_KERNEL_OBJECT equ 6
GRANT_ACCESS equ 1
NO_MULTIPLE_TRUSTEE equ 0
TRUSTEE_IS_NAME equ 1
TRUSTEE_IS_USER equ 1
INTNUMBER equ 0ffh                 ; vector whose gate is temporarily replaced
IDT_VIEW_SIZE equ 11000h           ; 64K of alignment slack + the 2K IDT, rounded up to a page

UNICODE_STRING struct
Length_ WORD ?
MaximumLength WORD ?
Buffer DWORD ?
UNICODE_STRING ends

OBJECT_ATTRIBUTES struct
Length_ DD ?
RootDirectory DD ?
ObjectName DD ? ;ptr UNICODE_STRING
Attributes DD ?
SecurityDescriptor DD ?
SecurityQualityOfService DD ?
OBJECT_ATTRIBUTES ends

TRUSTEE_A struct
pMultipleTrustee DWORD ?
MultipleTrusteeOperation DWORD ?
TrusteeForm DWORD ?
TrusteeType DWORD ?
ptstrName DWORD ?
TRUSTEE_A ends

EXPLICIT_ACCESS_A struct
grfAccessPermissions DWORD ?
grfAccessMode DWORD ?
grfInheritance DWORD ?
Trustee TRUSTEE_A <>
EXPLICIT_ACCESS_A ends

;--- CStr() define a string in .CONST
CStr macro text:VARARG
local sym
.const
sym db text,0
.code
exitm <offset sym>
endm

;---- L() defines a wide string
;---- usage: StringName dw L(stringvalue)
L macro parms:VARARG
local wstr,i,c,tstr
wstr textequ <>
i = 0
for parm,<parms>
c SubStr <parm>,1,1
ifidn c,<">
tstr SubStr <parm>,2,@SizeStr(parm)-2
% forc chr$,<tstr>
if i
wstr CatStr wstr,<,>
endif
wstr CatStr wstr,<'&chr$'>
i = i + 1
endm
else
if i
wstr CatStr wstr,<,>
endif
wstr CatStr wstr,<parm>
endif
endm
exitm <wstr>
endm

.data
align 4
object_buffer dw L("\device\physicalmemory")
align 4
object_name UNICODE_STRING { sizeof object_buffer, sizeof object_buffer + 2, offset object_buffer }
object_attributes OBJECT_ATTRIBUTES { sizeof OBJECT_ATTRIBUTES, 0, offset object_name, OBJ_CASE_INSENSITIVE, 0, 0 }
;--- ACE to merge into the section's DACL: read+write for the caller only
;--- ("CURRENT_USER" is a name SetEntriesInAcl resolves itself)
explicit_access EXPLICIT_ACCESS_A { SECTION_MAP_READ or SECTION_MAP_WRITE,
GRANT_ACCESS, 0,
{ NULL, NO_MULTIPLE_TRUSTEE, TRUSTEE_IS_NAME, TRUSTEE_IS_USER, offset szCurrent_user } }
szCurrent_user db "CURRENT_USER", 0

.code

;--- minimal printf to stdout (wvsprintfA has no floating point, 1K limit)
printf proc c uses ebx pszFormat:ptr BYTE, args:VARARG
local dwWritten:DWORD
local dwLen:DWORD
local szOut[256]:byte
    invoke GetStdHandle, STD_OUTPUT_HANDLE
    mov ebx, eax
    invoke wvsprintfA, addr szOut, pszFormat, addr args
    mov dwLen, eax
    invoke WriteFile, ebx, addr szOut, dwLen, addr dwWritten, NULL
    ret
printf endp

;--- runs in ring 0, on the kernel stack, when "int INTNUMBER" is raised.
;--- keep it minimal: no API calls, nothing that can page-fault, no
;--- interrupts enabled (interrupt gate clears IF), leave with iretd
ring0rou:
    mov eax, cr0                ; privileged: #GP in ring 3, fine here
    iretd

align 4
main proc uses ebx esi edi
local hSection:dword
local dacl:dword
local newacl:dword
local secinfo:dword
    ;--- try to open "\device\physicalmemory" for reading and writing
    invoke NtOpenSection, addr hSection, SECTION_MAP_READ or SECTION_MAP_WRITE, offset object_attributes
    test eax, eax
    jns hook_interrupt
    ;--- call didn't succeed (NTSTATUS < 0): reopen with the rights needed
    ;--- to read and replace the DACL (administrators own the object)
    invoke NtOpenSection, addr hSection, READ_CONTROL or WRITE_DAC, offset object_attributes
    test eax, eax
    js error
    ;--- get the current Dacl; secinfo receives the descriptor that owns it
    invoke GetSecurityInfo, hSection, SE_KERNEL_OBJECT,
        DACL_SECURITY_INFORMATION, NULL, NULL, addr dacl, NULL, addr secinfo
    mov ebx, eax
    test eax, eax
    jz got_dacl
    invoke CloseHandle, hSection
    mov eax, ebx
    jmp acl_error
got_dacl:
    ;--- merge our entry into the existing Dacl (the old entries are kept)
    mov newacl, NULL
    invoke SetEntriesInAclA, 1, offset explicit_access, dacl, addr newacl
    test eax, eax
    jnz acl_cleanup
    ;--- install the merged Dacl. Passing pDacl = NULL here would also
    ;--- work, but a NULL DACL grants every user on the machine write
    ;--- access to physical memory, and nothing here puts the old one back
    invoke SetSecurityInfo, hSection, SE_KERNEL_OBJECT,
        DACL_SECURITY_INFORMATION, NULL, NULL, newacl, NULL
acl_cleanup:
    mov ebx, eax                ; keep the Win32 error code
    invoke LocalFree, newacl    ; LocalFree(NULL) is a no-op
    invoke LocalFree, secinfo
    invoke CloseHandle, hSection
    mov eax, ebx
    test eax, eax
    jnz acl_error
    ;--- retry to open "\device\physicalmemory"
    invoke NtOpenSection, addr hSection, SECTION_MAP_READ or SECTION_MAP_WRITE, offset object_attributes
    test eax, eax
    js error
hook_interrupt:
    ;--- read IDTR: sidt stores 6 bytes (16-bit limit, 32-bit linear base).
    ;--- the push makes room so the 4 base bytes land exactly where pop esi
    ;--- picks them up; the 2 limit bytes end up below esp and are ignored
    push eax
    sidt fword ptr [esp - 2]
    pop esi
    ;--- the IDT lives in the kernel's low, identity-mapped region, where
    ;--- linear = physical + 80000000h (not true on a /3GB system)
    btr esi, 1fh
    mov ebx, esi
    and ebx, 0ffffh             ; offset of the IDT inside its 64K block
    and esi, not 0ffffh         ; view offsets must be a multiple of the 64K allocation granularity
    invoke MapViewOfFile, hSection, SECTION_MAP_WRITE, 0, esi, IDT_VIEW_SIZE
    test eax, eax
    jz map_error
    mov edi, eax                ; view base, for UnmapViewOfFile
    lea esi, [eax + ebx + INTNUMBER * 8]   ; -> gate INTNUMBER (8 bytes each)
    ;--- save the original gate
    push dword ptr [esi + 4]
    push dword ptr [esi]
    ;--- build a 32-bit interrupt gate: selector 8 (ring-0 code), type 0Eh,
    ;--- DPL 3 so "int INTNUMBER" is allowed from ring 3, present bit set
    mov eax, offset ring0rou
    mov word ptr [esi + 0], ax  ; LOWORD(eip)
    mov word ptr [esi + 2], 8   ; kernel code selector
    mov byte ptr [esi + 4], 0   ; reserved
    mov byte ptr [esi + 5], 0eeh ; P=1, DPL=3, type=0Eh
    shr eax, 16
    mov word ptr [esi + 6], ax  ; HIWORD(eip)
    int INTNUMBER               ; -> ring0rou; eax = CR0 on return
    ;--- restore the gate immediately
    pop dword ptr [esi]
    pop dword ptr [esi + 4]
    push eax
    invoke UnmapViewOfFile, edi
    invoke CloseHandle, hSection
    pop eax
    invoke printf, CStr("CR0=%X",13,10), eax
    ret
map_error:
    invoke GetLastError
    invoke printf, CStr("MapViewOfFile() failed [%u]",13,10), eax
    invoke CloseHandle, hSection
    ret
acl_error:
    invoke printf, CStr("changing the ACL failed [%u]",13,10), eax
    ret
error:
    invoke printf, CStr("NtOpenSection() failed [%X]",13,10), eax
    ret
main endp

start:
    call main
    invoke ExitProcess, 0
end start
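The gate that the listing above writes byte by byte, and the sidt/view-offset arithmetic around it, as an added example in C that is not part of the original post or the masm32 package. It encodes and decodes a 32-bit IDT interrupt gate (offset split, selector, type/attribute byte, and what DPL 3 means for a ring-3 `int N`) and splits a physical address into the 64K-aligned MapViewOfFile offset and the offset inside the view. The sample IDTR bytes, the handler address and the ring-0 selector 8 are constructed assumptions chosen to match the listing; the code is pure arithmetic, so it runs on any host.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One 32-bit IDT entry exactly as it sits in memory (8 bytes, no padding). */
typedef struct {
    uint16_t offset_low;   /* handler EIP bits 0..15 */
    uint16_t selector;     /* code segment the handler runs in */
    uint8_t  reserved;     /* 0 for an interrupt gate */
    uint8_t  type_attr;    /* P | DPL | S=0 | type */
    uint16_t offset_high;  /* handler EIP bits 16..31 */
} idt_gate32;

#define GATE_PRESENT  0x80
#define GATE_DPL(x)   (((x) & 3) << 5)
#define GATE_INT32    0x0E        /* 32-bit interrupt gate: IF is cleared on entry */
#define KGDT_R0_CODE  0x08        /* NT ring-0 code selector (assumption, as in the listing) */
#define ALLOC_GRAN    0x10000u    /* MapViewOfFile offset granularity on x86 Windows */

/* Constructed sample of what SIDT stores on a 32-bit XP box:
   limit 0x7FF (256 gates), linear base 0x8003F400. */
static const uint8_t SAMPLE_IDTR[6] = { 0xFF, 0x07, 0x00, 0xF4, 0x03, 0x80 };

/* Build a gate for `handler` that ring 3 is allowed to raise with `int N`. */
idt_gate32 make_user_callable_gate(uint32_t handler, uint16_t selector)
{
    idt_gate32 g;
    g.offset_low  = (uint16_t)(handler & 0xFFFFu);
    g.selector    = selector;
    g.reserved    = 0;
    g.type_attr   = GATE_PRESENT | GATE_DPL(3) | GATE_INT32;   /* = 0xEE */
    g.offset_high = (uint16_t)(handler >> 16);
    return g;
}

/* Pack/unpack the 8 gate bytes as one integer, byte 0 in the low bits. */
uint64_t gate_pack(const idt_gate32 *g)
{
    uint8_t b[8]; uint64_t v = 0;
    memcpy(b, g, 8);
    for (int i = 7; i >= 0; i--) v = (v << 8) | b[i];
    return v;
}
idt_gate32 gate_unpack(uint64_t v)
{
    uint8_t b[8]; idt_gate32 g;
    for (int i = 0; i < 8; i++) b[i] = (uint8_t)(v >> (8 * i));
    memcpy(&g, b, 8);
    return g;
}
uint64_t user_gate_raw(uint32_t handler, uint16_t selector)
{
    idt_gate32 g = make_user_callable_gate(handler, selector);
    return gate_pack(&g);
}

/* Decoding: handler address, DPL, and whether a ring-3 `int N` reaches it. */
uint32_t gate_handler(uint64_t raw)
{
    idt_gate32 g = gate_unpack(raw);
    return ((uint32_t)g.offset_high << 16) | g.offset_low;
}
/* DPL = the least privileged ring that may use `int N` on this gate without #GP. */
int gate_dpl(uint64_t raw) { return (gate_unpack(raw).type_attr >> 5) & 3; }
int gate_user_callable(uint64_t raw)
{
    uint8_t t = gate_unpack(raw).type_attr;
    return (t & GATE_PRESENT) != 0 && ((t >> 5) & 3) == 3;
}

/* SIDT stores 6 bytes: 16-bit limit, then 32-bit linear base. */
uint16_t sidt_limit(const uint8_t idtr[6]) { uint16_t l; memcpy(&l, idtr, 2); return l; }
uint32_t sidt_base(const uint8_t idtr[6])  { uint32_t b; memcpy(&b, idtr + 2, 4); return b; }

/* Classic NT maps its low kernel region so that linear = physical + 0x80000000;
   this is the assumption behind `btr esi,1fh` (it does not hold with /3GB). */
uint32_t nt_low_kernel_phys(uint32_t linear) { return linear & 0x7FFFFFFFu; }

/* MapViewOfFile offsets must be multiples of the allocation granularity,
   so the view starts at the 64K boundary below the IDT. */
uint32_t view_offset(uint32_t phys)    { return phys & ~(ALLOC_GRAN - 1); }
uint32_t offset_in_view(uint32_t phys) { return phys & (ALLOC_GRAN - 1); }
/* Byte offset, inside the view, of the gate for `vector`. */
uint32_t gate_offset_in_view(uint32_t idt_phys, unsigned vector)
{
    return offset_in_view(idt_phys) + vector * (uint32_t)sizeof(idt_gate32);
}
/* Bytes the view must cover so the whole IDT (limit+1 bytes) is inside it. */
uint32_t view_size_for_idt(uint32_t idt_phys, uint16_t limit)
{
    return offset_in_view(idt_phys) + (uint32_t)limit + 1u;
}

int main(void)
{
    uint32_t base = sidt_base(SAMPLE_IDTR), phys = nt_low_kernel_phys(base);
    uint64_t raw = user_gate_raw(0x00401000u, KGDT_R0_CODE);   /* assumed handler address */
    printf("IDT linear %08X physical %08X, %u gates\n", base, phys, (sidt_limit(SAMPLE_IDTR) + 1u) / 8u);
    printf("map view at %08X size %X, gate 0xFF at view+%04X\n", view_offset(phys),
           view_size_for_idt(phys, sidt_limit(SAMPLE_IDTR)), gate_offset_in_view(phys, 0xFF));
    printf("gate %016llX handler %08X DPL %d user-callable %d\n",
           (unsigned long long)raw, gate_handler(raw), gate_dpl(raw), gate_user_callable(raw));
    return 0;
}
```

The DPL check is the whole point of the 0EEh byte in the listing: with DPL 0 (08Eh, what the kernel installs for hardware vectors) a ring-3 `int 0FFh` raises #GP instead of entering the gate, and a gate with the present bit clear raises #NP. The view arithmetic also shows why mapping a single page at the raw IDT address is not enough: the offset handed to MapViewOfFile has to be 64K-aligned, and the gate is then reached through the in-view offset.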
Be careful with Ring0: if you do not do things properly, you'll 'bomb' the system. Be ready for many re-installs or restarts. Have a CD-boot utility disk on hand to correct your 'mess-ups' :bg MS doesn't always give out this info, for their own (OS) protection.
:8)
Quote from: vanjast on December 16, 2009, 12:52:22 PM
Be careful with Ring0: if you do not do things properly, you'll 'bomb' the system. Be ready for many re-installs or restarts. Have a CD-boot utility disk on hand to correct your 'mess-ups' :bg MS doesn't always give out this info, for their own (OS) protection.
:8)
Orrrrrrr be smart and do it in a VM