Vulnerability Development mailing list archives

Re: intercept nt/2k kernel api?


From: "Nicolas RUFF (lists)" <ruff.lists () edelweb fr>
Date: Tue, 20 Apr 2004 19:09:48 +0200

Say, I'm already running in w2k as a vxd or so. AFAIK this is kernel mode. The questions are as follows:

*. Can I already being in kernel mode intercept Zw* and Nt* functions?
*. Can I write to kernel memory being in kernel mode (executable memory)?
*. Can I write to kernel memory belonging to another vxd or kernel itself (data memory)?
*. What are problems I'll meet to do so? (guess, but donno why - at least it'll be address to play w/ for particular function, but mebbe)
*. Does M$ really use non-executable flag for pages in XP service pack 2 for XP kernel and system applications on new amd 64bit cpus?

1/ Yes

Basically, NTDLL functions are in charge of setting up parameters and calling the right kernel service through the following ASM code:
MOV EAX, _syscall_number   ; index into the kernel service table
LEA EDX, [ESP+4]           ; pointer to the caller's arguments on the user stack
INT 0x2E                   ; trap into the kernel (KiSystemService)

So if you are already in kernel mode you can receive the call by patching the "syscall table" (KiSystemServiceTable). I guess "1 Nt* function" = "1 INT 0x2E", but I remember there might be exceptions.

More info :
http://www.sysinternals.com/ntw2k/info/ntdll.shtml
See strace for Windows :
http://razor.bindview.com/tools/desc/strace_readme.html

2/ Of course

If your code is a ".VXD" or a ".SYS", it runs at "ring 0" privilege level and can use all descriptors marked as "ring 0"-usable. Everything should be transparent for your application. The trick is that if your IRQ_LEVEL is high, you should check whether the destination memory page is physically in memory or has been swapped out, because you might run at a higher level than the swapper and cause a BSoD "IRQL_NOT_LESS_OR_EQUAL" :-(

3/ Yes

All memory ranging from 0x80000000 to 0xFFFFFFFF is accessible from kernel code.
If you boot with the /3GB switch, kernel memory ranges from 0xC0000000 to 0xFFFFFFFF.
Of course you still cannot write to a segment marked as "read only"! (MOV CS:[_var],XXX will fail)

4/ Many problems :-)

IRQ_LEVEL is one of the trickiest, but you should also pay attention to the fact that kernel threads are interruptible; you should consider using asynchronous procedure calls for computation-intensive threads, etc.

If it was really easy, there would be less drivers crashing and less BSoD :-)

5/ Yes

I did not check myself because I do not have such a CPU, but (as for XP SP2 RC1) you can enforce non-executable user pages globally or on a per-program basis. Time to upgrade to "level 2" shellcodes :-)


You will find nice code samples in the "Undocumented Windows 2000 Secrets" book.
http://www.orgon.com/w2k_internals/

Regards,
- Nicolas RUFF
-----------------------------------
Security Consultant
EdelWeb (http://www.edelweb.fr/)
Mail : nicolas.ruff () edelweb fr
-----------------------------------
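Added example (editor's illustration, not code from Nicolas' post or from the thread): a user-mode C model of points 1 and 4 above, i.e. how one INT 0x2E reaches one Nt* service through the service table, and how a kernel-mode hook "receives the call" by patching one slot and forwarding to the saved original. The real pieces are KiServiceTable, KiArgumentTable and the INT 0x2E handler KiSystemService in ntoskrnl; the arrays, the fake_Nt* bodies, the "deny negative argument" policy and the install/remove helpers below are stand-ins so the logic runs on any host. The NTSTATUS values are the real ones.

```c
/*
 * User-mode model of NT/2000 system service dispatch and service-table
 * patching. Added example, not code from the original post. Everything named
 * here is a stand-in for the kernel structures it imitates (assumption).
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef long (*service_fn)(const long *args);

/* NTSTATUS codes used by the model (values are the real ones). */
#define STATUS_SUCCESS                 0L
#define STATUS_INVALID_PARAMETER       ((long)0xC000000D)
#define STATUS_INVALID_SYSTEM_SERVICE  ((long)0xC000001C)
#define STATUS_ACCESS_DENIED           ((long)0xC0000022)

/* Two fake services standing in for Nt* routines (hypothetical bodies). */
static long fake_NtOpenFile(const long *args) { return args[0] * 10; }
static long fake_NtClose(const long *args)    { (void)args; return STATUS_SUCCESS; }

/* Model of KiServiceTable (index -> handler) and KiArgumentTable (bytes to copy). */
#define SERVICE_LIMIT 2
static service_fn    service_table[SERVICE_LIMIT] = { fake_NtOpenFile, fake_NtClose };
static const uint8_t arg_bytes[SERVICE_LIMIT]     = { 4, 4 };

/* Model of KiSystemService: EAX carries the service index, EDX the argument pointer. */
long ki_system_service(uint32_t eax, const long *edx)
{
    if (eax >= SERVICE_LIMIT)
        return STATUS_INVALID_SYSTEM_SERVICE;   /* the dispatcher bounds-checks the index */
    if (arg_bytes[eax] > 0 && edx == NULL)
        return STATUS_INVALID_PARAMETER;        /* nothing to copy from the user stack */
    return service_table[eax](edx);
}

/* Model of the ntdll stub: MOV EAX, n ; LEA EDX,[ESP+4] ; INT 0x2E. */
long nt_stub(uint32_t n, const long *args) { return ki_system_service(n, args); }

/* Hook state: the saved original pointer and a hit counter. */
static service_fn saved_NtOpenFile;
static unsigned   hook_hits;

static long hooked_NtOpenFile(const long *args)
{
    hook_hits++;
    if (args[0] < 0)                    /* example policy: reject negative inputs */
        return STATUS_ACCESS_DENIED;
    return saved_NtOpenFile(args);      /* otherwise forward to the original service */
}

/* Replace one table slot; returns the old handler, or NULL if the index is out of range. */
service_fn patch_service(uint32_t index, service_fn replacement)
{
    if (index >= SERVICE_LIMIT)
        return NULL;
    service_fn old = service_table[index];
    service_table[index] = replacement;
    return old;
}

int install_hook(void)
{
    if (saved_NtOpenFile)
        return 0;                       /* already installed */
    saved_NtOpenFile = patch_service(0, hooked_NtOpenFile);
    return saved_NtOpenFile != NULL;
}

int remove_hook(void)
{
    if (!saved_NtOpenFile)
        return 0;
    patch_service(0, saved_NtOpenFile); /* restore the slot before the driver would unload */
    saved_NtOpenFile = NULL;
    return 1;
}

unsigned hook_hit_count(void) { return hook_hits; }

int main(void)
{
    long ok[1] = { 3 }, bad[1] = { -1 };
    printf("before hook: %ld\n", nt_stub(0, ok));
    install_hook();
    printf("hooked: %ld, denied: %ld\n", nt_stub(0, ok), nt_stub(0, bad));
    remove_hook();
    printf("restored: %ld, hits: %u\n", nt_stub(0, bad), hook_hit_count());
    return 0;
}
```

The two checks in ki_system_service are the ones the real dispatcher also performs before indexing the table; a hook that skips restoring its slot on unload is the classic way such a driver turns into a BSoD the next time the service is called.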
