Title: rootkit hook [6] -- sysenter hook
Author: combojiang
Time: 2008-02-26, 12:25
Link: http://bbs.pediy.com/showthread.php?t=60247
Haha, today's article is relatively simple.
sysenter is an instruction introduced with the Pentium II; together with sysexit it forms the IA-32 fast system call mechanism. Before it, the kernel was entered with int 0x2e. An int 0x2e goes through an interrupt gate (interrupt and exception handlers are reached through call/trap/task gates), so the processor has to switch stacks, and the ring-0 stack address has to be fetched from the TSS. Gathering all of that switching information costs several memory accesses, so starting with the Pentium II the IA-32 added a new pair of instructions: sysenter/sysexit. They switch the stack and instruction pointer between user level and privileged level without walking the descriptor tables or the TSS: the address of the new stack and the address of the first kernel instruction come from a set of special registers that the IA-32 calls MSRs (model specific registers). Three of them are involved:
SYSENTER_CS_MSR: new code segment selector, MSR 0x174
SYSENTER_ESP_MSR: new stack pointer, MSR 0x175
SYSENTER_EIP_MSR: new instruction pointer, MSR 0x176
The three hexadecimal numbers are the MSR indices of these registers: they are the value placed in ECX when the register is read or written with rdmsr/wrmsr, in the kernel debugger or in kernel code. What sysenter does is the following (figure 10.jpg in the original post):
1. Load SYSENTER_CS_MSR into CS, selecting the target code segment (the RPL bits of the selector are forced to 0).
2. Load SYSENTER_EIP_MSR into EIP, the target instruction.
3. Load SYSENTER_CS_MSR + 8 into SS, the stack segment.
4. Load SYSENTER_ESP_MSR into ESP, the new stack.
5. Switch to ring 0.
6. Clear the VM flag (and the IF flag) in EFLAGS.
7. Execute the ring-0 routine.
Note what is missing: unlike int 0x2e, sysenter pushes nothing, so the user-mode stub has to preserve its own return state itself (on Windows, ntdll's KiFastSystemCall does mov edx, esp before sysenter, and the kernel later hands that ESP and the return EIP back to sysexit in ECX and EDX).
And what sysexit does (figure 11.jpg in the original post):
1. Load SYSENTER_CS_MSR + 16 into CS (RPL forced to 3).
2. Move EDX into EIP.
3. Load SYSENTER_CS_MSR + 24 into SS.
4. Move ECX into ESP.
5. Switch back to ring 3.
6. Run the ring-3 code at EIP.
In windbg we can look at these three registers. This is the situation on my machine:
lkd> rdmsr 176
msr[176] = 00000000`8053dad0
lkd> rdmsr 175
msr[175] = 00000000`ba4e0000
lkd> rdmsr 174
msr[174] = 00000000`00000008
So on my machine SYSENTER_EIP_MSR = 8053dad0, SYSENTER_ESP_MSR = ba4e0000 and SYSENTER_CS_MSR = 8.
The code that sets these three registers can be found in the WRK (Windows Research Kernel) published by Microsoft; SYSENTER_EIP_MSR is loaded with the address of KiFastCallEntry. The code is as follows:
VOID
KiLoadFastSyscallMachineSpecificRegisters (
    IN PLONG Context
    )

/*++

Routine description:

    Load MSRs used to support fast syscall/return.  This routine is
    run on all processors.

Arguments:

    None.

Return Value:

    None.

--*/

{
    PKPRCB Prcb;

    UNREFERENCED_PARAMETER (Context);

    if (KiFastSystemCallIsIA32) {
        Prcb = KeGetCurrentPrcb();

        //
        // Use Intel defined way of doing this.
        //

        WRMSR (MSR_SYSENTER_CS,  KGDT_R0_CODE);
        WRMSR (MSR_SYSENTER_EIP, (ULONGLONG)(ULONG)KiFastCallEntry);
        WRMSR (MSR_SYSENTER_ESP, (ULONGLONG)(ULONG)Prcb->DpcStack);
    }
}
Checking on my machine:
lkd> rdmsr 176
msr[176] = 00000000`8053dad0
lkd> u 8053dad0
nt!KiFastCallEntry:
8053dad0 b923000000      mov     ecx,23h
8053dad5 6a30            push    30h
8053dad7 0fa1            pop     fs
8053dad9 8ed9            mov     ds,cx
8053dadb 8ec1            mov     es,cx
8053dadd 8b0d40f0dfff    mov     ecx,dword ptr ds:[0FFDFF040h]
8053dae3 8b6104          mov     esp,dword ptr [ecx+4]
8053dae6 6a23            push    23h
The entry arrives on the DPC stack that the MSR points at, immediately loads the TSS pointer from the KPCR (0xffdff040) and switches ESP to TSS.Esp0, the current thread's kernel stack, before it starts building the trap frame.
The following example comes from rootkit.com. The original is a bit unfriendly: it blue-screens when you unload it. I modified it slightly and paste the code below:
#include "ntddk.h"

ULONG d_origKiFastCallEntry;   // original value of ntoskrnl!KiFastCallEntry, read from MSR 0x176

// Unload: put the original entry point back into IA32_SYSENTER_EIP.
// Note that the MSR is per logical processor; this driver, like the
// rootkit.com original, only touches the processor DriverEntry runs on.
VOID OnUnload(IN PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    __asm
    {
        mov ecx, 0x176              // IA32_SYSENTER_EIP
        xor edx, edx                // high dword of the 64-bit MSR value
        mov eax, d_origKiFastCallEntry
        wrmsr                       // write edx:eax to the MSR
    }
}

// Hook function: runs in ring 0 on every sysenter, before KiFastCallEntry.
// It simply passes control on to the original entry point.
__declspec(naked) VOID MyKiFastCallEntry(VOID)
{
    __asm {
        jmp dword ptr [d_origKiFastCallEntry]
    }
}

NTSTATUS DriverEntry(IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath)
{
    UNREFERENCED_PARAMETER(theRegistryPath);
    theDriverObject->DriverUnload = OnUnload;
    __asm {
        mov ecx, 0x176              // IA32_SYSENTER_EIP
        rdmsr                       // edx:eax = current value
        mov d_origKiFastCallEntry, eax
        xor edx, edx
        mov eax, MyKiFastCallEntry  // hook function address
        wrmsr                       // redirect sysenter to the hook
    }
    return STATUS_SUCCESS;
}
Note that when you use windbg you need to configure the symbol path, otherwise nt!KiFastCallEntry will not resolve (screenshot 9.jpg in the original post).
Finally, a link to the article written by the member known as fallen genius: http://bbs.pediy.com/showthread.php?t=42705
He inline-hooked KiFastCallEntry using the detour method; it is well written.