ring0-new SSDT entry for communication (handy code)

http://blog.csdn.net/hgy413/article/details/7107009

The following is only for 32-bit systems, tested under XP:
Here's how XP is called in Ring3:

[CPP]View Plaincopy

2. Xp
4. ntdll! Ntreadfile:
6. 7c92d9b0 b8b7000000 mov eax,0b7h
8. 7C92D9B5 ba0003fe7f mov edx,offset shareduserdata! SystemCallStub (7ffe0300)
10. 7c92d9ba Ff12 call DWORD ptr [edx] ds:0023:7ffe0300={ntdll! Kifastsystemcall (7C92E4F0)}
12. 7C92D9BC c22400 ret 24h
14. 7C92D9BF-NOP
20. ntdll! Kifastsystemcall:
22. 7C92E4F0 8BD4 mov edx,esp
24. 7C92E4F2 0f34 Sysenter

So the principle is also relatively simple, imitation can be, note SSDT to remove write protection!
Ring3:

[CPP]View Plaincopy

2. #include "stdafx.h"
4. #include <Windows.h>
8. __declspec (naked) void Mykifastsystemcall ()
10. {
12. __asm
14. {
16. MOV edx,esp;
18. __emit 0x0f;
20. __emit 0x34;
22. }
24. };
28. __declspec (naked) NTSTATUS Ntapi
30. Iosystemcontrol (
32. in ULONG Ioctrl,
34. in PVOID inputbuf,
36. in ULONG Inputbuflen,
38. Out PVOID outputbuf,
40. in ULONG Outputlen,
42. Out Pulong Returnlen)
44. {
46. __asm
48. {
50. mov eax, 11Ch;
52. Call Mykifastsystemcall
54. RETN 0x18;
56. }
58. }
62. int _tmain (int argc, _tchar* argv[])
64. {
66. char szbuf[100] = {0};
68. ULONG outlen = 0;
70. Iosystemcontrol (0x12345678,"hgy413", strlen ("hgy413"), Szbuf,99,&outlen);
72. printf ("%s-%d\n", Szbuf, Outlen);
76. GetChar ();
78. return 0;
80. }

RING0:

[CPP]View Plaincopy

2. #include "Main.h"
4. Def
6. typedef struct _kservice_table_descriptor
8. {
10. Pulong Servicetablebase; //SSTD Base Address
12. Pulong Count; //contains a counter for the number of invocations per service in SSDT. This counter is typically updated by Sysenter
14. ULONG tablesize; //number of services described by Servicetablebase
16. Puchar argumenttable; //contains the base address of each system service parameter byte table-system service parameter list each table entry is a uchar that represents a function parameter length
18. } kservice_table_descriptor, *pkservice_table_descriptor;
22. SSDT table has been exported, and here's the routine
24. extern Pkservice_table_descriptor keservicedescriptortable;
26. Kservice_table_descriptor ssdt_copy;
28. ULONG newssdtservicetablebase[1024] = {0};
30. UCHAR newssdtservicetablenumber[1024] = {0};
34. NTSTATUS
36. Iosystemcontrol ( in ULONG Controlcode,
38. in PVOID inputbuffer OPTIONAL,
40. in ULONG inputbufferlength,
42. Out PVOID outputbuffer OPTIONAL,
44. in ULONG outputbufferlength,
46. Out pulong returnlength OPTIONAL
48. )
50. {
52. NTSTATUS Status = status_success;
56. if (Outputbuffer&&mmisaddressvalid (OutputBuffer))
58. {
60. Kdprint (("%s\r\n", InputBuffer));
62. memset (OutputBuffer, 0x41, outputbufferlength); //Outgoing buf becomes AAAAA ...
64. if (returnlength&& mmisaddressvalid (returnlength))
66. {
68. *returnlength = 10; //Outgoing size arbitrarily set to ten
70. }
72. }
74. return Status;
76. }
82. void Ntosaddssdtservicetable (
84. PVOID newfunction,
86. ULONG Newnumber
88. )
90. {
92. NTSTATUS Status = status_success;
94. Peprocess Process;
98. //Prohibit write protection, otherwise blue screen
100. __asm
102. {
104. MOV EAX, CR0;
106. OR EAX, 10000H;
108. MOV CR0, EAX;
110. STI;
112. }
116. //Copy original service table
118. //Copy the original table to our array
120. memcpy
122. Newssdtservicetablebase,
124. Keservicedescriptortable->servicetablebase,
126. Keservicedescriptortable->tablesize * 4
128. );
132. //number of primitive functions
134. memcpy
136. Newssdtservicetablenumber,
138. Keservicedescriptortable->argumenttable,
140. Keservicedescriptortable->tablesize
142. );
146. //Modify SSDT Table Add service function
148. Newssdtservicetablebase[ssdt_copy. Tablesize] = newfunction;
150. Newssdtservicetablenumber[ssdt_copy. Tablesize] = Newnumber;
154. //update memory inside Export keservicedescriptortable SSDT table
156. Keservicedescriptortable->servicetablebase = Newssdtservicetablebase;
158. keservicedescriptortable->argumenttable = Newssdtservicetablenumber;
160. Keservicedescriptortable->tablesize = ssdt_copy. Tablesize + 1;
164. //Resume write protection
166. __asm
168. {
170. MOV EAX, CR0;
172. OR EAX, 10000H;
174. MOV CR0, EAX;
176. STI;
178. }
180. }
184. VOID ddkunload (in Pdriver_object pdriverobject)
186. {
188. Kdprint (("[ddkunload]-start\n"));
192. //Restore the original
194. Keservicedescriptortable->servicetablebase = ssdt_copy. Servicetablebase;
196. Keservicedescriptortable->count = ssdt_copy. Count;
198. Keservicedescriptortable->tablesize = ssdt_copy. Tablesize;
200. keservicedescriptortable->argumenttable = ssdt_copy. argumenttable;
204. Kdprint (("[ddkunload]-end\n"));
206. }
210. NTSTATUS DriverEntry (in Pdriver_object pdriverobject,
212. In Punicode_string Pregistrypath)
214. {
216. Kdprint (("[driverentry]-start\n"));
218. Pdriverobject->driverunload = Ddkunload;
222. //Save the original
224. Ssdt_copy. Servicetablebase = keservicedescriptortable->servicetablebase;
226. Ssdt_copy. Count = keservicedescriptortable->count;
228. Ssdt_copy. Tablesize = keservicedescriptortable->tablesize;
230. Ssdt_copy. Argumenttable = keservicedescriptortable->argumenttable;
234. //We call the Custom function to add memory to the SSDT table
236. Ntosaddssdtservicetable (Iosystemcontrol, 24);
240. Kdprint (("[driverentry]-end\n"));
242. return status_success;
244. }

After the driver is loaded, you can see:

To run the Ring3 applet, you can see that the outbuf is aaaaa., size 10:

ring0-new SSDT entry for communication (handy code)