Quote:
Originally posted by Clandestiny
Interesting question. How exactly do you detect when the IDT has been changed? To me it seems related to the question of 'how do you detect read/write access on a memory range?'... If you could detect a write access on the memory range for the IDT, you could theoretically rehook the interrupt in the IDT at the changed address before any nasty anti-SI tricks had a chance to be performed.
Hiya,
Now we're getting into the meaty stuff...
Your question is a good one that strikes into the heart of the matter. If we assume an app will use Ring 3 to hook the IDT (of course we all know what happens when we ass-U-me, don't we?), then if you are in Ring 0 you should be able to detect that. How is unclear, but there is code available that does just that, even if it's shrouded in some mystery.
My thought was more on a Ring 0 - Ring 0 equal footing basis. If the app was using a Win9x VxD, NT KMD or .sys file, could a change to any critical system area be detected? Is it possible to protect certain areas of memory against any kind of read/write such that a fault could be redirected to your own exception handler?
Again, +Spath's document is always illuminating.
------------------------------------------------
"BPR is SoftICE's breakpoint on memory range, which can detect read
and write accesses to a (hardcoded) maximum range of 400000h bytes.
This is done by marking the corresponding page (or pages, up to 1024)
as non present: when an access to a non present 4k page is made, a
page fault occurs, SoftICE's page fault handler is called and checks
if the faulting address is in the required range.
It should be noted that since the non-present bit of the PTE is used,
this can detect accesses from any privilege level, yet SoftICE will
only trigger for accesses from ring3. This means that for some reason
SoftICE's page fault handler filters accesses from ring0 (and therefore
limits this breakpoint's capabilities).
-----------------------------------------------
It seems that SoftICE itself detects access to a protected page from Ring 0, but only reacts to Ring 3 attempts to read/write to that page. Detecting Read and Write are apparently two different schemes; I don't know how 'eXecute' in the BPM <address> R W RW X scheme is handled differently. From what I can gather SoftICE uses INT 0Eh for its BPR page fault detection. This is the Hard Drive Interrupt?
The VMM Reference says in the above post that each page can be assigned specific permissions. Question is, how do you assign a permission to a page? This might be a valid way to detect an access to the page containing the IDT or the other descriptor tables. I've also heard about "touching or pre-touching" a page in memory to force it present, anybody know about this?
One interesting thing is that when SoftICE has hooked its 16 interrupt vectors in the system IDT it makes a backup copy of the original IDT that it "presents" to you when you type 'IDT', giving you false handler address information.
-----------------------------------------------------------
The 'IDT' command does not reveal this [hooking the interrupts], but instead shows these interrupt
descriptors pointing to their original locations (usually VMM). This is
because SoftICE saved the original IDT before setting its hooks, and when
the user types the command, it reloads IDTR to use the saved IDT, executes
a "real" 'IDT' command, and restores IDTR to the system IDT. Thanks to
this nice implementation, one can quite easily patch his winice.exe to
always see the real IDT.
-------------------------------------------------------------
On another note, using SoftICE's own tricks to protect SoftICE:
--------------------------------------------------------------
Since SoftICE is registered as driver, winice.exe will receive all
VxD system messages (SoftICE only handles SYS_CRITICAL_INIT, DEVICE_INIT,
INIT_COMPLETE, SYS_CRITICAL_EXIT, W32_DEVICEIOCONTROL, SET_DEVICE_FOCUS,
DESTROY_VM).
--------------------------------------------------------------
I find the idea of hooking the W32_DEVICEIOCONTROL message interesting as a way of detecting communication between an app and its vxd, and vice versa. From the Windows 98 DDK:
--------------------------------
W32_DEVICEIOCONTROL
mov ebx, VMHandle
mov eax, W32_DEVICEIOCONTROL
mov esi, OFFSET32 dioparams
VMMCall System_Control
Passes a control code and related information to a virtual device driver. This message is sent to a VxD when an application specifies the name of a VxD in the CreateFile function and when an application specifies the device handle of the VxD in a call to the DeviceIoControl or CloseHandle function.
---------------------------------
From the sounds of this if you could detect this message being sent you could tell when an app is loading and talking to its vxd.
BTW, the program with source code I mentioned that hides SoftICE from detection by other programs is called IceGhost and was written primarily by yAtEs. If I'm not mistaken you can get it in the ID-Rip archive. Would make a good project to duplicate and enhance ;-)
Kayaker
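The BPR mechanism quoted above from +Spath's document (mark the pages non-present, catch INT 0Eh, check the faulting address against the range, and then for some reason only trigger for ring 3) can be written out as plain logic. The following is an added example, not code from the post, from SoftICE or from +Spath. It uses a constructed in-memory array as a stand-in for the page table and never touches a real PTE or CR2. The error code bits are the architectural x86 #PF error code (bit 0: protection violation vs. not-present, bit 1: write vs. read, bit 2: user vs. supervisor), which is exactly what lets a page fault handler tell a ring-0 access from a ring-3 one and a read from a write. The names `bpr_arm`, `bpr_on_page_fault` and `bpr_scenario` are invented for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define PAGE_SHIFT     12
#define BPR_MAX_BYTES  0x400000u   /* 1024 pages: the hardcoded BPR limit quoted above */
#define PTE_PRESENT    0x1u        /* bit 0 of a 32-bit x86 page-table entry */

/* Bits of the error code the CPU pushes for #PF (INT 0Eh in protected mode). */
#define PF_PROT   0x1u   /* 1 = protection violation, 0 = page not present */
#define PF_WRITE  0x2u   /* 1 = write access,          0 = read access */
#define PF_USER   0x4u   /* 1 = access from ring 3,    0 = access from ring 0 */

/* Constructed stand-in for a page table: one PTE per 4 KiB page of a small
 * simulated address space. No real page table or CR2 is touched here. */
#define NPAGES 2048u
uint32_t pte[NPAGES];

void pt_reset(void) {
    for (uint32_t p = 0; p < NPAGES; p++) pte[p] = PTE_PRESENT;
}

struct bpr { uint32_t start, end; bool active; };

/* Arm a breakpoint on [start, start+len): clear the present bit on every page
 * the range touches. Returns the number of pages marked, or 0 if rejected. */
unsigned bpr_arm(struct bpr *bp, uint32_t start, uint32_t len) {
    if (len == 0 || len > BPR_MAX_BYTES) return 0;      /* the 400000h limit */
    if (start > UINT32_MAX - (len - 1)) return 0;       /* range would wrap */
    uint32_t first = start >> PAGE_SHIFT;
    uint32_t last  = (start + len - 1) >> PAGE_SHIFT;
    if (last >= NPAGES) return 0;                       /* outside the toy table */
    for (uint32_t p = first; p <= last; p++) pte[p] &= ~PTE_PRESENT;
    bp->start  = start;
    bp->end    = start + len - 1;
    bp->active = true;
    return (unsigned)(last - first + 1);
}

enum pf_verdict {
    PF_PASS,          /* not a BPR hit: hand the fault on, or just re-map our page */
    PF_SEEN_RING0,    /* inside the range but from ring 0: seen, then filtered */
    PF_BREAK_READ,    /* ring-3 read inside the range: break into the debugger */
    PF_BREAK_WRITE    /* ring-3 write inside the range */
};

/* The decision the quoted text attributes to SoftICE's page fault handler.
 * cr2 is the faulting linear address, err the pushed error code. What a real
 * handler does next (make the page present again, let the instruction
 * re-execute, clear the bit once more) is left out of this example. */
enum pf_verdict bpr_on_page_fault(const struct bpr *bp, uint32_t cr2, uint32_t err) {
    if (!bp->active) return PF_PASS;
    if (err & PF_PROT) return PF_PASS;                      /* page was present: not our trap */
    if (cr2 < bp->start || cr2 > bp->end) return PF_PASS;  /* our page, but outside the range */
    if (!(err & PF_USER)) return PF_SEEN_RING0;             /* detectable, yet not reported */
    return (err & PF_WRITE) ? PF_BREAK_WRITE : PF_BREAK_READ;
}

/* Helpers for experiments: fresh table, arm one range, deliver one fault. */
unsigned bpr_pages(uint32_t start, uint32_t len) {
    struct bpr bp = {0, 0, false};
    pt_reset();
    return bpr_arm(&bp, start, len);
}

enum pf_verdict bpr_scenario(uint32_t start, uint32_t len, uint32_t cr2, uint32_t err) {
    struct bpr bp = {0, 0, false};
    pt_reset();
    bpr_arm(&bp, start, len);
    return bpr_on_page_fault(&bp, cr2, err);
}

int main(void) {
    printf("pages marked for 1000h bytes at 1800h: %u\n", bpr_pages(0x1800, 0x1000));
    printf("ring-3 write inside range: verdict %d\n",
           bpr_scenario(0x1800, 0x1000, 0x1800, PF_USER | PF_WRITE));
    printf("ring-0 write inside range: verdict %d\n",
           bpr_scenario(0x1800, 0x1000, 0x1800, PF_WRITE));
    return 0;
}
```

Two things the code makes visible that the prose only implies: a 1000h-byte range starting mid-page costs two pages, not one, so accesses to the rest of those pages fault too and must be passed through; and the ring-0 filter is a single test on the U/S bit of the error code, so lifting the limitation +Spath mentions would mean changing that one decision rather than the trapping mechanism.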
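Clandestiny's original question (how do you detect when the IDT has been changed) and the quoted description of SoftICE saving the original IDT before setting its hooks both come down to the same operation: snapshot the 256 gate descriptors, then diff the live table against the snapshot. The following is an added example, not code from the post, from IceGhost or from SoftICE; it decodes the 32-bit protected-mode gate descriptor layout (offset split into low and high halves around the selector and type byte) and reports which vectors differ. The tables are constructed in memory; on a real system you would read IDTR with SIDT and copy the table it points to. The hooked vectors and handler addresses in the sample (INT 1, INT 3, INT 0Eh at 0xC8000000 and up) are made up for the illustration, not taken from SoftICE.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define IDT_ENTRIES 256

/* 32-bit protected-mode gate descriptor, 8 bytes, as laid out in the IDT. */
struct idt_gate {
    uint16_t offset_lo;   /* handler address bits 0..15 */
    uint16_t selector;    /* code segment selector */
    uint8_t  zero;
    uint8_t  type_attr;   /* P (bit 7), DPL (bits 5..6), gate type (bits 0..3) */
    uint16_t offset_hi;   /* handler address bits 16..31 */
};

uint32_t gate_handler(const struct idt_gate *g) {
    return ((uint32_t)g->offset_hi << 16) | g->offset_lo;
}
unsigned gate_dpl(const struct idt_gate *g) { return (g->type_attr >> 5) & 3; }
bool gate_present(const struct idt_gate *g) { return (g->type_attr & 0x80) != 0; }

static void set_gate(struct idt_gate *g, uint32_t handler, uint16_t sel, uint8_t type_attr) {
    g->offset_lo = (uint16_t)(handler & 0xFFFFu);
    g->selector  = sel;
    g->zero      = 0;
    g->type_attr = type_attr;
    g->offset_hi = (uint16_t)(handler >> 16);
}

/* Snapshot: the "saved original IDT" of the quoted text. */
void idt_snapshot(struct idt_gate *dst, const struct idt_gate *live) {
    memcpy(dst, live, IDT_ENTRIES * sizeof *dst);
}

/* Compare the live table against the snapshot and list the vectors whose
 * handler, selector or type byte changed. Returns the number of differences
 * and stores up to max vector numbers in out[]. */
unsigned idt_find_hooks(const struct idt_gate *live, const struct idt_gate *saved,
                        uint8_t *out, unsigned max) {
    unsigned n = 0;
    for (unsigned v = 0; v < IDT_ENTRIES; v++) {
        if (gate_handler(&live[v]) != gate_handler(&saved[v]) ||
            live[v].selector  != saved[v].selector ||
            live[v].type_attr != saved[v].type_attr) {
            if (n < max) out[n] = (uint8_t)v;
            n++;
        }
    }
    return n;
}

/* Constructed sample: 256 interrupt gates (0x8E = present, DPL 0, 32-bit
 * interrupt gate) into an imaginary kernel at 0xC0001000 + 16 * vector. */
void build_sample_idt(struct idt_gate *t) {
    for (unsigned v = 0; v < IDT_ENTRIES; v++)
        set_gate(&t[v], 0xC0001000u + 16u * v, 0x08, 0x8E);
}

/* Constructed "debugger loaded" step: redirect INT 1, INT 3 and INT 0Eh to
 * imaginary handlers. INT 3 gets DPL 3 so ring-3 code may raise it. */
void apply_sample_hooks(struct idt_gate *t) {
    set_gate(&t[0x01], 0xC8000100u, 0x08, 0x8E);
    set_gate(&t[0x03], 0xC8000300u, 0x08, 0xEE);
    set_gate(&t[0x0E], 0xC8000E00u, 0x08, 0x8E);
}

struct idt_gate live_idt[IDT_ENTRIES], saved_idt[IDT_ENTRIES];
uint8_t demo_hooked[IDT_ENTRIES];

/* Whole walk-through: build, snapshot, hook, diff. Returns the hook count. */
unsigned idt_demo(void) {
    build_sample_idt(live_idt);
    idt_snapshot(saved_idt, live_idt);       /* taken before the debugger loads */
    apply_sample_hooks(live_idt);
    return idt_find_hooks(live_idt, saved_idt, demo_hooked, IDT_ENTRIES);
}

int main(void) {
    unsigned n = idt_demo();
    for (unsigned i = 0; i < n; i++)
        printf("vector %02Xh: %08X -> %08X\n", demo_hooked[i],
               gate_handler(&saved_idt[demo_hooked[i]]),
               gate_handler(&live_idt[demo_hooked[i]]));
    return 0;
}
```

The comparison deliberately includes the selector and type byte, not just the decoded handler address: a hook that swaps a gate from DPL 0 to DPL 3, or changes the code selector, alters who can reach the handler without moving it. Note also the limitation the quoted 'IDT' command trick illustrates: a diff against a saved copy only catches changes to the table IDTR points at, so a debugger that temporarily reloads IDTR to a pristine copy would show no difference at that moment.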