1. For more information about SYSENTER, SYSEXIT, WRMSR and RDMSR, see the CPU manual:
   P4_ia32, IA-32 Intel Architecture Software Developer's Manual, 24547110.pdf, page 3-763.
2. XP initialization path that programs the fast system call MSRs:
   KeInitSystem -> KiInitMachineDependent -> KiRestoreFastSyscallReturnState -> KiLoadFastSyscallMachineSpecificRegisters -> wrmsr
.text:00439A80
.text:00439A80 ; =============== S U B R O U T I N E =======================================
.text:00439A80
.text:00439A80
.text:00439A80 ; __stdcall KiLoadFastSyscallMachineSpecificRegisters(x)
.text:00439A80 _KiLoadFastSyscallMachineSpecificRegisters@4 proc near
.text:00439A80                                         ; DATA XREF: KiRestoreFastSyscallReturnState()+31o
.text:00439A80 8B FF                   mov     edi, edi
.text:00439A82 56                      push    esi
.text:00439A83                         db      3Eh
.text:00439A83 3E A1 20 F0 DF FF       mov     eax, ds:0FFDFF020h
.text:00439A89 80 3D FC 20 48 00 00    cmp     ds:_KiFastSystemCallIsIA32, 0
.text:00439A90 8B F0                   mov     esi, eax
.text:00439A92 74 31                   jz      short loc_439AC5
.text:00439A94 6A 00                   push    0
.text:00439A96 6A 08                   push    8
.text:00439A98 68 74 01 00 00          push    174h
.text:00439A9D E8 2B 00 00 00          call    _wrmsr@12       ; wrmsr(x,x,x)
.text:00439AA2 6A 00                   push    0
.text:00439AA4 68 F0 76 40 00          push    offset _KiFastCallEntry
.text:00439AA9 68 76 01 00 00          push    176h
.text:00439AAE E8 1A 00 00 00          call    _wrmsr@12       ; wrmsr(x,x,x)
.text:00439AB3 6A 00                   push    0
.text:00439AB5 FF B6 68 08 00 00       push    dword ptr [esi+868h]
.text:00439ABB 68 75 01 00 00          push    175h
.text:00439AC0 E8 08 00 00 00          call    _wrmsr@12       ; wrmsr(x,x,x)
.text:00439AC5
.text:00439AC5 loc_439AC5:                             ; CODE XREF: KiLoadFastSyscallMachineSpecificRegisters(x)+12j
.text:00439AC5 5E                      pop     esi
.text:00439AC6 C2 04 00                retn    4
.text:00439AC6 _KiLoadFastSyscallMachineSpecificRegisters@4 endp
.text:00439AC6
.text:00439AC9
.text:00439AC9 ; =============== S U B R O U T I N E =======================================
.text:00439AC9
.text:00439AC9
.text:00439AC9 ; __fastcall rdmsr(x)
.text:00439AC9 @rdmsr@4 proc near                      ; CODE XREF: KiLoadMTRR(x)+53p
.text:00439AC9                                         ; KdpSysReadMsr(x,x)+14p ...
.text:00439AC9 0F 32                   rdmsr
.text:00439ACB C3                      retn
.text:00439ACB @rdmsr@4 endp
.text:00439ACB
.text:00439ACB ; ---------------------------------------------------------------------------
.text:00439ACD
.text:00439ACD ; =============== S U B R O U T I N E =======================================
.text:00439ACD
.text:00439ACD
.text:00439ACD ; __stdcall wrmsr(x,x,x)
.text:00439ACD _wrmsr@12 proc near                     ; CODE XREF: KiLoadFastSyscallMachineSpecificRegisters(x)+1Dp
.text:00439ACD                                         ; KiLoadFastSyscallMachineSpecificRegisters(x)+2Ep ...
.text:00439ACD
.text:00439ACD arg_0           = dword ptr  4
.text:00439ACD arg_4           = dword ptr  8
.text:00439ACD arg_8           = dword ptr  0Ch
.text:00439ACD
.text:00439ACD 8B 4C 24 04             mov     ecx, [esp+arg_0]
.text:00439AD1 8B 44 24 08             mov     eax, [esp+arg_4]
.text:00439AD5 8B 54 24 0C             mov     edx, [esp+arg_8]
.text:00439AD9 0F 30                   wrmsr
.text:00439ADB C2 0C 00                retn    0Ch
.text:00439ADB _wrmsr@12 endp
.text:00439ADB
INIT:005EBD9D ; =============== S U B R O U T I N E =======================================
INIT:005EBD9D
INIT:005EBD9D
INIT:005EBD9D ; __stdcall KiAmdK6InitializeMtrr()
INIT:005EBD9D _KiAmdK6InitializeMtrr@0 proc near      ; CODE XREF: KiInitMachineDependent():loc_5E3783p
INIT:005EBD9D 83 25 68 17 48 00 FC    and     ds:_KiAmdK6Mtrr, 0FFFFFFFCh
INIT:005EBDA4 83 25 6C 17 48 00 FC    and     ds:dword_48176C, 0FFFFFFFCh
INIT:005EBDAB 83 25 70 17 48 00 00    and     ds:_AmdMtrrHwUsageCount, 0
INIT:005EBDB2 C7 05 74 17 48 00 02 00+ mov     ds:_AmdK6RegionCount, 2
INIT:005EBDBC 33 C0                   xor     eax, eax
INIT:005EBDBE
INIT:005EBDBE loc_5EBDBE:                             ; CODE XREF: KiAmdK6InitializeMtrr()+35j
INIT:005EBDBE 83 88 80 17 48 00 FF    or      ds:_AmdK6Regions[eax], 0FFFFFFFFh
INIT:005EBDC5 83 A0 8C 17 48 00 00    and     ds:dword_48178C[eax], 0
INIT:005EBDCC 83 C0 10                add     eax, 10h
INIT:005EBDCF 83 F8 20                cmp     eax, 20h
INIT:005EBDD2 72 EA                   jb      short loc_5EBDBE
INIT:005EBDD4 53                      push    ebx
INIT:005EBDD5 56                      push    esi
INIT:005EBDD6 BE BC 17 48 00          mov     esi, offset _KiRangeLock
INIT:005EBDDB 56                      push    esi             ; SpinLock
INIT:005EBDDC E8 E3 77 E1 FF          call    _KeInitializeSpinLock@4 ; KeInitializeSpinLock(x)
INIT:005EBDE1 8B CE                   mov     ecx, esi        ; SpinLock
INIT:005EBDE3 FF 15 C8 05 40 00       call    ds:__imp_@KfAcquireSpinLock@4 ; __declspec(dllimport) KfAcquireSpinLock(x)
INIT:005EBDE9 B9 85 00 00 C0          mov     ecx, 0C0000085h
INIT:005EBDEE 8A D8                   mov     bl, al
INIT:005EBDF0 E8 D4 DC E4 FF          call    @rdmsr@4        ; rdmsr(x)
INIT:005EBDF5 50                      push    eax
INIT:005EBDF6 A3 68 17 48 00          mov     ds:_KiAmdK6Mtrr, eax
INIT:005EBDFB 89 15 6C 17 48 00       mov     ds:dword_48176C, edx
INIT:005EBE01 E8 49 CD F9 FF          call    _KiAmdK6MtrrAddRegionFromHW@4 ; KiAmdK6MtrrAddRegionFromHW(x)
INIT:005EBE06 FF 35 6C 17 48 00       push    ds:dword_48176C
INIT:005EBE0C E8 3E CD F9 FF          call    _KiAmdK6MtrrAddRegionFromHW@4 ; KiAmdK6MtrrAddRegionFromHW(x)
INIT:005EBE11 8B CE                   mov     ecx, esi
INIT:005EBE13 5E                      pop     esi
INIT:005EBE14 8A D3                   mov     dl, bl
INIT:005EBE16 5B                      pop     ebx
INIT:005EBE17 FF 25 C4 05 40 00       jmp     ds:__imp_@KfReleaseSpinLock@8 ; __declspec(dllimport) KfReleaseSpinLock(x,x)
INIT:005EBE17 _KiAmdK6InitializeMtrr@0 endp
INIT:005EBE17
INIT:005EBE17 ; ---------------------------------------------------------------------------
3. Some code (thanks to vxk).
Hooking the fast system call entry
This is not too difficult. By replacing the contents of the MSR_SYSENTER_EIP register, the processor enters our preset handler instead of the original KiFastCallEntry routine whenever a program executes SYSENTER.
Part of the code below is copied from wowocock. The code is as follows:
rawmsr_sysenter_eip dd 0                ; saved original MSR_SYSENTER_EIP (KiFastCallEntry)

GDTR struct                             ; 6-byte buffer filled by SGDT
    gdtlimit dw ?
    gdtbase  dd ?
GDTR ends
gdt     GDTR <>

        ; all references are EBP-relative: EBP holds the load delta of this code
        lea     ebx, [ebp + offset rawmsr_sysenter_eip]
        push    ebx
        call    [ebp + _MmLockPagableDataSection]   ; keep the saved pointer resident
        lea     ebx, [ebp + offset mysysenter_proc]
        push    ebx
        call    [ebp + _MmLockPagableCodeSection]   ; keep the handler resident
        call    getmsr_eip                          ; save the original SYSENTER entry
        call    setmsr_eip                          ; make mysysenter_proc the SYSENTER entry

testproc proc
        ; write our processing here
testproc endp

mysysenter_proc proc            ; after SYSENTER the CPU enters here instead of KiFastCallEntry
        ; set the kernel ring-0 stack: TR -> TSS descriptor in the GDT -> TSS.Esp0.
        ; TR is read into a stack temporary; the original LOCAL tr:word would have
        ; built an EBP frame and broken the EBP-relative addressing used throughout.
        sgdt    fword ptr gdt
        sub     esp, 4
        str     word ptr [esp]
        movzx   ecx, word ptr [esp]
        add     esp, 4
        add     ecx, gdt.gdtbase        ; ecx -> TSS descriptor
        mov     esp, dword ptr [ecx + 2]
        and     esp, 0FFFFFFh           ; descriptor base bits 23..0
        mov     ecx, dword ptr [ecx + 4]
        and     ecx, 0FF000000h         ; descriptor base bits 31..24
        or      esp, ecx                ; esp -> TSS
        mov     esp, dword ptr [esp + 4] ; TSS.Esp0, the kernel ring-0 stack
        pushad
        pushfd
        push    fs
        mov     bx, 30h                 ; KGDT_R0_PCR
        mov     fs, bx
        push    ds
        push    es
        call    testproc
        pop     es
        pop     ds
        pop     fs
        popfd
        popad
        jmp     [ebp + offset rawmsr_sysenter_eip]  ; continue into the original KiFastCallEntry
mysysenter_proc endp

; *********************************************************
; read the value of MSR[ecx]; here it is SYSENTER_EIP_MSR
; *********************************************************
getmsr_eip proc
        pushad
        mov     ecx, 176h               ; SYSENTER_EIP_MSR = 176h
        rdmsr                           ; edx:eax = MSR[ecx]
        mov     [ebp + offset rawmsr_sysenter_eip], eax
        popad
        ret
getmsr_eip endp

; *********************************************************
; set the value of MSR[ecx]; here it is SYSENTER_EIP_MSR
; *********************************************************
setmsr_eip proc
        pushad
        cli
        xor     edx, edx                ; high dword of the new value is 0
        lea     eax, [ebp + offset mysysenter_proc]
        mov     ecx, 176h               ; SYSENTER_EIP_MSR = 176h
        wrmsr                           ; MSR[ecx] = edx:eax
        sti
        popad
        ret
setmsr_eip endp
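As the defender's counterpart to the hook above, here is an added example (not part of vxk's or wowocock's code) that checks a per-CPU snapshot of the three SYSENTER MSRs against the values KiLoadFastSyscallMachineSpecificRegisters installs: CS must be the ring-0 code selector 8, EIP must be KiFastCallEntry, and ESP must lie in kernel space. The MSR snapshot, module list and all addresses are constructed samples; a real driver or memory-forensics tool would supply them from each processor, since the MSRs are per-CPU.

```c
#include <stdint.h>
#include <string.h>

/* MSRs written by KiLoadFastSyscallMachineSpecificRegisters above:
 * 174h SYSENTER_CS = 8, 175h SYSENTER_ESP = ring-0 stack, 176h SYSENTER_EIP = KiFastCallEntry. */
#define KGDT_R0_CODE      8
#define KERNEL_SPACE_BASE 0x80000000u   /* assumption: default 2 GB user/kernel split, no /3GB */

struct sysenter_msrs { uint32_t cs, esp, eip; };                /* snapshot from one CPU */
struct module_range  { const char *name; uint32_t base, size; };
enum { ANOM_CS = 1, ANOM_EIP = 2, ANOM_ESP = 4 };               /* anomaly bitmask       */

/* Which loaded module contains va, or NULL if none does. */
static const struct module_range *owner(uint32_t va, const struct module_range *m, int n) {
    for (int i = 0; i < n; i++)
        if (va >= m[i].base && va - m[i].base < m[i].size) return &m[i];
    return NULL;
}

/* expected_eip is KiFastCallEntry's address when symbols are available; pass 0 to fall
 * back to a "must lie inside ntoskrnl.exe" range check. *hooker gets the module owning EIP. */
unsigned check_sysenter(const struct sysenter_msrs *r, const struct module_range *mods, int n,
                        uint32_t expected_eip, const struct module_range **hooker) {
    const struct module_range *o = owner(r->eip, mods, n);
    unsigned flags = 0;
    if (hooker) *hooker = o;
    if (r->cs != KGDT_R0_CODE) flags |= ANOM_CS;
    if (expected_eip ? r->eip != expected_eip : (!o || strcmp(o->name, "ntoskrnl.exe") != 0))
        flags |= ANOM_EIP;
    if (r->esp < KERNEL_SPACE_BASE) flags |= ANOM_ESP;
    return flags;
}

/* Constructed sample data (not taken from a real machine): the kernel and one unknown driver. */
static const struct module_range sample_mods[] = {
    { "ntoskrnl.exe", 0x804D7000u, 0x1F8000u },
    { "unknown.sys",  0xF8A10000u, 0x4000u   },
};
#define SAMPLE_KIFASTCALLENTRY 0x804DE6F0u      /* constructed address inside ntoskrnl.exe */

unsigned check_clean_sample(void) {             /* MSRs as the kernel programmed them */
    struct sysenter_msrs r = { 8, 0x80549000u, SAMPLE_KIFASTCALLENTRY };
    return check_sysenter(&r, sample_mods, 2, SAMPLE_KIFASTCALLENTRY, NULL);
}
unsigned check_hooked_sample(void) {            /* EIP redirected into unknown.sys, as the hook does */
    struct sysenter_msrs r = { 8, 0x80549000u, 0xF8A12340u };
    return check_sysenter(&r, sample_mods, 2, SAMPLE_KIFASTCALLENTRY, NULL);
}
const char *hooked_sample_owner(void) {         /* name of the module that owns the hooked EIP */
    const struct module_range *h = NULL;
    struct sysenter_msrs r = { 8, 0x80549000u, 0xF8A12340u };
    check_sysenter(&r, sample_mods, 2, 0, &h);
    return h ? h->name : "(none)";
}
```

A hook that lands inside ntoskrnl.exe itself (a code cave or a patched KiFastCallEntry) passes the range check, so compare against the symbolized address whenever one is available.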