Implementing RING0 code under NT/2000 without a driver

Source: Internet
Author: User

As you know, to achieve reliability Windows NT/2000 strictly divides the system into kernel mode and user mode, which on i386 correspond to the CPU's ring 0 and ring 3 privilege levels. At ring 0 you can execute privileged instructions, access any I/O device, and so on. Moving from user mode into kernel mode, that is from ring 3 into ring 0, must go through one of the CPU's gate mechanisms, such as an interrupt gate or a call gate. Windows NT/2000 exposes its system services (ring 0 routines) to user mode through such a mechanism, for example the int 2Eh system service interrupt, but with strict parameter checking, so only the services Windows NT/2000 itself provides can be invoked. If you want to execute user-supplied ring 0 code (code that runs with ring 0 privileges), the usual approach seems to be to write a device driver. This article describes a method for executing ring 0 code from user mode without any driver.

Windows NT/2000 loads device drivers into the kernel area (commonly at address 0x80000000 and above), and ring 0 privilege is provided by GDT entry 8, a DPL 0 code segment, so kernel code runs with CS = 8. This article runs ring 0 code by constructing a call gate in the system that points to our own code, so the main task is to build that call gate ourselves. A call gate is described by an entry in the system's Global Descriptor Table (GDT). The GDT base address can be read with the i386 SGDT instruction (SGDT is not a privileged instruction, so an ordinary ring 3 program can execute it); in Windows NT/2000 it is also stored in the KPCR (Processor Control Region) structure (see "Talking about Windows NT/2000 Environment Switching"). A call gate in the GDT has the following format:

typedef struct
{
    unsigned short offset_0_15;   /* target offset, low 16 bits */
    unsigned short selector;      /* target code segment selector */
    unsigned char  param_count : 4;
    unsigned char  some_bits   : 4;
    unsigned char  type        : 4; /* 0xC = 32-bit call gate */
    unsigned char  app_system  : 1;
    unsigned char  dpl         : 2;
    unsigned char  present     : 1;
    unsigned short offset_16_31;  /* target offset, high 16 bits */
} CALLGATE_DESCRIPTOR;
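As an added example (not code from the original article), the following C decodes one raw 8-byte GDT entry into the fields of the struct above and recognises the shape of entry this technique leaves behind: a present, DPL 3 call gate whose target selector is 8 (kernel CS) but whose offset lies below the 0x80000000 kernel boundary. The two sample descriptors are constructed; note that Intel defines the parameter count as the low 5 bits of byte 4, where the struct above reserves only 4.

```c
#include <stdint.h>
#include <stdio.h>

/* Decoded view of one 8-byte GDT entry read as an x86 call gate. */
typedef struct {
    uint32_t offset;      /* offset_16_31 << 16 | offset_0_15 */
    uint16_t selector;    /* target code segment; 8 is the NT kernel CS */
    uint8_t  param_count;
    uint8_t  type;        /* 0xC = 32-bit call gate */
    uint8_t  dpl;
    uint8_t  present;
} callgate_t;

/* Unpack the little-endian descriptor bytes field by field. */
callgate_t decode_callgate(const uint8_t raw[8])
{
    callgate_t g;
    g.offset      = (uint32_t)raw[0] | ((uint32_t)raw[1] << 8)
                  | ((uint32_t)raw[6] << 16) | ((uint32_t)raw[7] << 24);
    g.selector    = (uint16_t)(raw[2] | ((uint16_t)raw[3] << 8));
    g.param_count = raw[4] & 0x1F;        /* Intel: low 5 bits of byte 4 */
    g.type        = raw[5] & 0x0F;        /* bits 0-3 of byte 5 */
    g.dpl         = (raw[5] >> 5) & 0x03; /* bits 5-6 (bit 4 is app_system) */
    g.present     = (raw[5] >> 7) & 0x01; /* bit 7 */
    return g;
}

/* 1 when the entry is a present 32-bit call gate callable from ring 3 that
 * enters kernel CS at an offset in user space, i.e. user-supplied ring 0 code. */
int is_user_mode_callgate(const uint8_t raw[8])
{
    callgate_t g = decode_callgate(raw);
    return g.present && g.type == 0x0C && g.dpl == 3
        && g.selector == 0x08 && g.offset < 0x80000000u;
}

/* Constructed samples: a DPL 3 gate into user space at 0x00401000 (the shape
 * this technique creates) and a DPL 0 gate into kernel space at 0x80401000. */
const uint8_t SAMPLE_USER_GATE[8]   = {0x00,0x10,0x08,0x00,0x00,0xEC,0x40,0x00};
const uint8_t SAMPLE_KERNEL_GATE[8] = {0x00,0x10,0x08,0x00,0x00,0x8C,0x40,0x80};

int main(void)
{
    callgate_t g = decode_callgate(SAMPLE_USER_GATE);
    printf("offset=0x%08x selector=0x%02x dpl=%u present=%u type=0x%x -> %s\n",
           (unsigned)g.offset, (unsigned)g.selector, (unsigned)g.dpl,
           (unsigned)g.present, (unsigned)g.type,
           is_user_mode_callgate(SAMPLE_USER_GATE) ? "user-mode call gate" : "ok");
    return 0;
}
```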

The GDT lives in the kernel area, so an ordinary user-mode program cannot access that memory directly. Fortunately, Windows NT/2000 provides a section kernel object named PhysicalMemory under the \Device directory. As its name implies, this section object maps physical memory. Dumping the object with objdir.exe from the NT DDK shows:

C:\NTDDK\bin>objdir /D \Device
PhysicalMemory
Section
DACL -
Ace[ 0] - Grant - 0xf001f - NT AUTHORITY\SYSTEM
Inherit:
Access: 0x001F and ( D RCtl WOwn WDacl )
Ace[ 1] - Grant - 0x2000d - BUILTIN\Administrators
Inherit:
Access: 0x000D and ( RCtl )

The ACEs in this object's DACL show that by default only SYSTEM has read and write access to the object, that is, can read and write physical memory; Administrators have read access only, and ordinary users have no access at all. However, if we hold administrator privileges we can modify the ACEs of this object through the GetSecurityInfo, SetEntriesInAcl and SetSecurityInfo APIs. This is why the code I provide requires an administrator. The implementation is as follows:

#include <windows.h>
#include <aclapi.h>
#include <stdio.h>

VOID SetPhysicalMemorySectionCanBeWrited(HANDLE hSection)
{
    PACL pDacl = NULL;
    PACL pNewDacl = NULL;
    PSECURITY_DESCRIPTOR pSD = NULL;
    DWORD dwRes;
    EXPLICIT_ACCESS ea;

    /* Read the section object's current DACL; pDacl points inside pSD. */
    if ((dwRes = GetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION,
                                 NULL, NULL, &pDacl, NULL, &pSD)) != ERROR_SUCCESS)
    {
        printf("GetSecurityInfo error %u\n", dwRes);
        goto CleanUp;
    }

    /* One ACE granting SECTION_MAP_WRITE to the calling user; "CURRENT_USER"
     * is a well-known trustee name that SetEntriesInAcl resolves itself. */
    ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
    ea.grfAccessPermissions = SECTION_MAP_WRITE;
    ea.grfAccessMode        = GRANT_ACCESS;
    ea.grfInheritance       = NO_INHERITANCE;
    ea.Trustee.TrusteeForm  = TRUSTEE_IS_NAME;
    ea.Trustee.TrusteeType  = TRUSTEE_IS_USER;
    ea.Trustee.ptstrName    = TEXT("CURRENT_USER");

    /* Merge the new ACE into the existing DACL. */
    if ((dwRes = SetEntriesInAcl(1, &ea, pDacl, &pNewDacl)) != ERROR_SUCCESS)
    {
        printf("SetEntriesInAcl error %u\n", dwRes);
        goto CleanUp;
    }

    /* Write the merged DACL back to the object. */
    if ((dwRes = SetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION,
                                 NULL, NULL, pNewDacl, NULL)) != ERROR_SUCCESS)
    {
        printf("SetSecurityInfo error %u\n", dwRes);
        goto CleanUp;
    }

CleanUp:
    if (pSD)
        LocalFree(pSD);
    if (pNewDacl)
        LocalFree(pNewDacl);
}

This code adds the following ACE to the object referenced by the given handle:

PhysicalMemory
Section
DACL -
Ace[ 0] - Grant - 0x2 - webcrazy\administrator
Inherit:
Access: 0x0002 // SECTION_MAP_WRITE
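As an added check (not part of the original article), this C code scans an objdir-style DACL dump and counts Grant ACEs that give SECTION_MAP_WRITE (0x2) on PhysicalMemory to any trustee other than NT AUTHORITY\SYSTEM, which is exactly what the function above leaves behind. The dump text is constructed from the page's two listings.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SECTION_MAP_WRITE 0x0002u   /* the access bit the page's ACE grants */

/* Parse one objdir ACE line such as
 *   "Ace[ 0] - Grant - 0xf001f - NT AUTHORITY\SYSTEM"
 * into its access mask and trustee name. Returns 1 on success, else 0. */
int parse_ace_line(const char *line, unsigned *mask, char *trustee, size_t tlen)
{
    const char *p = strstr(line, "Grant - 0x");
    char *end;
    if (!p) return 0;
    *mask = (unsigned)strtoul(p + 8, &end, 16);   /* p + 8 is the "0x..." */
    if (strncmp(end, " - ", 3) != 0) return 0;
    strncpy(trustee, end + 3, tlen - 1);
    trustee[tlen - 1] = '\0';
    trustee[strcspn(trustee, "\r\n")] = '\0';
    return 1;
}

/* Count Grant ACEs that give SECTION_MAP_WRITE to any trustee other than
 * NT AUTHORITY\SYSTEM; on PhysicalMemory each such ACE is a finding. */
int count_foreign_write_aces(const char *dump)
{
    int findings = 0;
    const char *line = dump;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[256], who[128];
        unsigned mask;
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        if (parse_ace_line(buf, &mask, who, sizeof who)
            && (mask & SECTION_MAP_WRITE)
            && strcmp(who, "NT AUTHORITY\\SYSTEM") != 0)
            findings++;
        if (!nl) break;
        line = nl + 1;
    }
    return findings;
}

/* Constructed dump: the default DACL from the page plus the ACE its code adds. */
const char SAMPLE_DUMP[] =
    "PhysicalMemory\nSection\nDACL -\n"
    "Ace[ 0] - Grant - 0xf001f - NT AUTHORITY\\SYSTEM\n"
    "Ace[ 1] - Grant - 0x2000d - BUILTIN\\Administrators\n"
    "Ace[ 2] - Grant - 0x2 - WEBCRAZY\\administrator\n";
```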
