interrupt handler problem [Archive] - RCE Messageboard's Regroupment

View Full Version : interrupt handler problem

0rp

September 4th, 2004, 15:33

hi,

i've written a driver, wich does detours like instrumenting of functions (it replaces the first 5+ byte with a jump to an own function..) in ring0

problems occur, if i hook interrupt 0x01 (debug trap) and this is weird, since the same technique works for int 0x2B (wich is heavily used)

this is what i'm currently trying:

Code:

jmp my instr 0  -------->  my instr 0

original instr 2 <----.    my instr 1

orginial instr 3      |    my instr 2

orginial instr 4      |    my instr 3

iretd                 |    orginal instr 0

                      |    original instr 1

                      '--- jmp original instr 2

i alloc with ExAllocPool(NonPaged) memory and copy my instrs, the saved original instrs and the jmp into it.

could there be a problem regarding different segements (and DPLs) between original handler code and my alloced code?

and why does it work for int 2B? is it because 2B ints are always traps and no faults ?

thx

Alorent

September 5th, 2004, 06:14

Hello,

Your proposition looks OK. In which IRQL are you hooking that? I think you have to do it from PASSIVE LEVEL to succeed.

Regards,
Alorent

0rp

September 5th, 2004, 07:03

hi,

i install the hook at passive level, but it gets called at a higher prio.

windbg says

Code:

An attempt was made to access a pageable (or completely invalid) address at an

interrupt request level (IRQL) that is too high.  This is usually

caused by drivers using improper addresses.

If kernel debugger is available get stack backtrace.

Arguments:

Arg1: f694e9e2, memory referenced

Arg2: 000000ff, IRQL

Arg3: 00000000, value 0 = read operation, 1 = write operation

Arg4: f70a60e0, address which referenced memory

the faulting instructions is: mov edx,[edx] (which is not the first instruction of the original handler, but prolly the first memory access)

nikolatesla20

September 5th, 2004, 08:39

Have you tried to trace your hook with SoftICE so you can see what the result of ExAllocPool really was? Just put an int3 in your driver before the ExAlloc, then "bpint 3" in SI, and then load the driver and call it to install the hook. SI will pop up, and then you can walk from there. You need to make sure ExAllocPool worked right, and not only that, that all your pointers to it are correct (perhaps you have a bad pointer arithmetic somewhere). The only way to know for sure is to use SoftICE.

After all, that's what SoftICE was primarily made for, was tracking down driver issues.

You should also consider doing a PUSH, RET combo instead of using a JMP. Whereas JMPS need to be calculated at run time, a PUSH , RET can use the straight up Virtual Address. For example, PUSH <actual address of my code>, RET. It's a much more reliable method. You could use the same technique at the end of your code to come back.

-nt20

0rp

September 5th, 2004, 09:15

i checked the hooking code in ring3 with olly and it works as expected

but this sample could be a problem for my detouring technique:

Code:



F7BC3076: EB 04                               jmp	+0x4

F7BC3077: AA                                  stosb

F7BC3078: 06                                  push	es

F7BC307A: FE FF                               jmp	edi

F7BC307C: 6A 00                               push	0x0

F7BC3083: 66 C7 44 24 02 00 00                mov	[esp+02], 0x0

F7BC3085: 8B EC                               mov	ebp, esp

F7BC3086: FC                                  cld

....

i would copy the relative jmp (EB 04) into my buf which results in a completely wrong codeflow

damn
:/

lifewire

September 5th, 2004, 11:41

that is a nasty problem

but i'm not very into ring0, but isn't it much easier to patch the idt?

0rp

September 5th, 2004, 11:52

ye, its possible to modify the IDT entries, but its also easy detectable

btw, why does an anti softice app not scans these IDT entries, and if it finds entries located at 0xF_______, softice is found ?

i use now this code to surround my own stuff and i detect this funny jmp +4 (not very generic, but it works):

Code:



pushad             

pushfd             

push fs     

mov bx, 30h

mov fs, bx 

push ds     

push es



own stuff



pop es     

pop ds     

pop fs     

popfd              

popad



old instructions

push oldcode + offset

ret

Alorent

September 6th, 2004, 01:38

Do you save/restore (pushad/popad) all the registers before and after passing the control to the original INT1 vector?