View Full Version : interrupt handler problem


0rp
September 4th, 2004, 15:33
hi,

i've written a driver which does Detours-like instrumenting of functions (it replaces the first 5+ bytes with a jump to its own function..) in ring0

problems occur if i hook interrupt 0x01 (debug trap), and this is weird, since the same technique works for int 0x2B (which is heavily used)

this is what i'm currently trying:
Code:
jmp my instr 0    --------> my instr 0
original instr 2  <----.    my instr 1
original instr 3       |    my instr 2
original instr 4       |    my instr 3
iretd                  |    original instr 0
                       |    original instr 1
                       '--- jmp original instr 2


i allocate memory with ExAllocPool(NonPaged) and copy my instrs, the saved original instrs and the jmp into it.

could there be a problem regarding different segments (and DPLs) between the original handler code and my allocated code?

and why does it work for int 2B? is it because 2B ints are always traps and not faults?

thx

Alorent
September 5th, 2004, 06:14
Hello,

Your proposition looks OK. In which IRQL are you hooking that? I think you have to do it from PASSIVE LEVEL to succeed.

Regards,
Alorent

0rp
September 5th, 2004, 07:03
hi,

i install the hook at passive level, but it gets called at a higher prio.

windbg says
Code:
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: f694e9e2, memory referenced
Arg2: 000000ff, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: f70a60e0, address which referenced memory


the faulting instruction is: mov edx,[edx] (which is not the first instruction of the original handler, but prolly the first memory access)

nikolatesla20
September 5th, 2004, 08:39
Have you tried to trace your hook with SoftICE so you can see what the result of ExAllocPool really was? Just put an int3 in your driver before the ExAlloc, then "bpint 3" in SI, and then load the driver and call it to install the hook. SI will pop up, and then you can walk from there. You need to make sure ExAllocPool worked right, and not only that, that all your pointers to it are correct (perhaps you have bad pointer arithmetic somewhere). The only way to know for sure is to use SoftICE.

After all, that's what SoftICE was primarily made for: tracking down driver issues.

You should also consider doing a PUSH, RET combo instead of using a JMP. Whereas JMPs need to be calculated at run time, a PUSH, RET can use the straight-up virtual address. For example, PUSH <actual address of my code>, RET. It's a much more reliable method. You could use the same technique at the end of your code to come back.


-nt20

0rp
September 5th, 2004, 09:15
i checked the hooking code in ring3 with olly and it works as expected

but this sample could be a problem for my detouring technique:
Code:

F7BC3076: EB 04 jmp +0x4
F7BC3077: AA stosb
F7BC3078: 06 push es
F7BC307A: FE FF jmp edi
F7BC307C: 6A 00 push 0x0
F7BC3083: 66 C7 44 24 02 00 00 mov [esp+02], 0x0
F7BC3085: 8B EC mov ebp, esp
F7BC3086: FC cld
....


i would copy the relative jmp (EB 04) into my buf, which results in a completely wrong code flow

damn
:/

lifewire
September 5th, 2004, 11:41
that is a nasty problem.
i'm not very into ring0, but isn't it much easier to patch the IDT?

0rp
September 5th, 2004, 11:52
ye, it's possible to modify the IDT entries, but it's also easily detectable

btw, why does an anti-SoftICE app not scan these IDT entries, and if it finds entries located at 0xF_______, SoftICE is found?



i now use this code to surround my own stuff, and i detect this funny jmp +4 (not very generic, but it works):

Code:

pushad
pushfd
push fs
mov bx, 30h
mov fs, bx
push ds
push es

; own stuff

pop es
pop ds
pop fs
popfd
popad

; old instructions
push oldcode + offset
ret
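A worked model of the relocation step the "jmp +0x4" listing above makes necessary, as an added example that is not code from this thread: given the stolen instructions and where the trampoline buffer lives, it re-encodes short relative jumps (and, beyond the thread's case, short jcc and rel32 jmp/call) so they still reach their original targets, and closes with the push/ret return nt20 suggested. The instruction bytes and the handler address 0xF7BC3076 come from the listing; the trampoline address 0x81000000 and the helper names are constructed for the example.

```python
import struct
# Opcodes of the relative branches that must be fixed up when copied elsewhere.
JMP_REL8, JMP_REL32, CALL_REL32 = 0xEB, 0xE9, 0xE8
JCC_REL8 = range(0x70, 0x80)   # short conditional jumps (jo ... jg)

def _rel8(b):
    return b - 0x100 if b >= 0x80 else b

def _tramp_len(ins):           # rel8 forms grow when re-encoded as rel32
    if ins[0] == JMP_REL8:
        return 5               # E9 rel32
    if ins[0] in JCC_REL8:
        return 6               # 0F 8x rel32
    return len(ins)

def relocate_stolen(stolen, orig_addr, tramp_addr):
    """stolen: list of bytes, one whole instruction each, as found at orig_addr;
    tramp_addr: where the copy will live (the pool buffer, assumed). Relative
    jmp/call/jcc are re-encoded in rel32 form so they still reach the same absolute
    target, a target inside the stolen region is redirected to its copy, and the
    body ends with 'push resume / ret' back to the first instruction left in place."""
    orig_ips, tramp_ips = [], []
    o_ip, t_ip = orig_addr, tramp_addr
    for ins in stolen:
        orig_ips.append(o_ip)
        tramp_ips.append(t_ip)
        o_ip += len(ins)
        t_ip += _tramp_len(ins)
    resume = o_ip
    out = bytearray()
    for ins, o_ip, t_ip in zip(stolen, orig_ips, tramp_ips):
        op = ins[0]
        if op == JMP_REL8:
            target, head = o_ip + 2 + _rel8(ins[1]), bytes([JMP_REL32])
        elif op in JCC_REL8:
            target, head = o_ip + 2 + _rel8(ins[1]), bytes([0x0F, 0x80 + op - 0x70])
        elif op in (JMP_REL32, CALL_REL32):
            target, head = o_ip + 5 + struct.unpack("<i", ins[1:5])[0], bytes([op])
        else:
            out += ins             # no IP-relative displacement: copy verbatim
            continue
        if orig_addr <= target < resume:
            if target not in orig_ips:
                raise ValueError("branch into the middle of a stolen instruction")
            target = tramp_ips[orig_ips.index(target)]
        next_ip = t_ip + len(head) + 4   # displacement counts from the next instruction
        out += head + struct.pack("<I", (target - next_ip) & 0xFFFFFFFF)
    out += b"\x68" + struct.pack("<I", resume) + b"\xC3"   # push resume / ret
    return bytes(out)
```

For the listing above the EB 04 at F7BC3076 targets F7BC307C, which is exactly the resume point, so it becomes an E9 to that absolute address rather than a jump four bytes into the pool buffer.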

Alorent
September 6th, 2004, 01:38
Do you save/restore (pushad/popad) all the registers before and after passing the control to the original INT1 vector?