
switching a running program from ring3 to ring0 in WinXP


Shub-nigurrath
May 16th, 2005, 08:31
Hi all,
just a simple question I'm wondering about.

I know different methods useful for executing ring0 code from inside a ring3 application, using INT3, the LDT (Local Descriptor Table) and SEH, but all these methods are documented to work only on Win9x/ME systems and not on XP.

According to the documentation, in XP systems all these tricks no longer work because this possibility has been removed from the O.S.

The only way left to switch to ring0 seems to be using external .sys files or VxD drivers.

Is that true?

For example, I was looking at how hardware breakpoints work, and the debug registers can only be modified in ring0. This would mean that to manage the debug registers you would need ring0 code and thus a .sys driver. But Olly, for example, doesn't have any .sys driver inside (nor in its resources), so it most probably uses another trick..

So here's where my theory fails. Where am I wrong?

nikolatesla20
May 16th, 2005, 08:56
Well, an exception handler, even in XP, is allowed to modify the DRx registers. Some protectors use this to erase BPMs, for example.

Olly can do what it wants since it's running as a debugger, and the debugger calls system APIs such as GetThreadContext() and SetThreadContext(), which of course go through NTDLL.DLL and become a system call (an interrupt 2E), which then causes the processor to switch to ring0 and run the code.

Otherwise the only way to access ring0 is to have a .sys driver. They are not too difficult to write, especially with SoftICE with DriverStudio, since they include a Driver Wizard. You need the Windows XP DDK however (Device Driver Kit).

There are some ways to access memory even when not in ring0 (open a handle to \\physicalmemory for example) but I would not rely on them - use a .sys driver, they aren't that hard to write.

-nt20

omega_red
May 17th, 2005, 03:32
See my crude example of exploiting PhysicalMemory: ry.pl/~omega/asm/ring0nt.zip
Not that it's very useful, you can't call almost all of native APIs. Just a proof of concept. And if I recall correctly, access to PhysicalMemory is blocked for ALL ring3 code in w2k3 server.

Shub-nigurrath
May 17th, 2005, 06:51
thanks to both.

I erroneously supposed that functions such as GetThreadContext would be unable to set/erase debug breakpoints from ring3 but only to read them. As nikolatesla20 said, this is not the case, and I can also modify the debug registers and DR7 from ring3 using those APIs, isn't that right?

10x for the example, omega_red, I'll have a look.

omega_red
May 17th, 2005, 07:21
I've just tested it on 2k3. It runs OK without SP1, but with SP1 we can't set the object to be writable from user mode.

Neitsa
May 17th, 2005, 07:49
Hello,

You can also reset hardware BPs (DRx) with an SEH.

Here's some simple code I made for this purpose (binary + source code included).

Open the binary file with Olly and try to set a hardware BP on one of those NOPs. With the SEH in place, it can never be reached, since the breakpoints are erased.
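Added example, not code from this thread or from Neitsa's archive: it shows the two ring-3 paths to the x86 debug registers that nikolatesla20's and Neitsa's posts describe. The DR7 bit layout helpers are portable C and run anywhere; the Windows part (compiled only under _WIN32) shows a debugger writing a hardware breakpoint into a target thread with GetThreadContext/SetThreadContext, and a debuggee wiping Dr0..Dr7 from inside its own exception handler. It uses a vectored exception handler (available from XP on) rather than a frame-based SEH chain, and the exception code DRX_WIPE_CODE is an arbitrary private value chosen for the example.

```c
/* Added example: ring-3 manipulation of x86 debug registers (not thread code). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Software mirror of the debug-register slots of a thread context
 * (CONTEXT.Dr0..Dr3, Dr6, Dr7 on Windows). */
typedef struct {
    uint64_t dr0, dr1, dr2, dr3, dr6, dr7;
} debug_regs_t;

/* DR7 layout: local-enable bit L<n> is bit 2n; the condition (R/W) and
 * length fields for slot n occupy bits 16+4n..19+4n. */
enum { DR_RW_EXEC = 0, DR_RW_WRITE = 1, DR_RW_RDWR = 3 };
enum { DR_LEN_1 = 0, DR_LEN_2 = 1, DR_LEN_8 = 2, DR_LEN_4 = 3 };

/* Arm slot n (0..3) on addr; returns 0 on success, -1 on a bad slot. */
int dr_set(debug_regs_t *r, int n, uint64_t addr, int rw, int len) {
    uint64_t *slot[4] = { &r->dr0, &r->dr1, &r->dr2, &r->dr3 };
    if (n < 0 || n > 3) return -1;
    *slot[n] = addr;
    r->dr7 &= ~(0xFull << (16 + 4 * n));
    r->dr7 |= ((uint64_t)(rw & 3) | ((uint64_t)(len & 3) << 2)) << (16 + 4 * n);
    r->dr7 |= 1ull << (2 * n);
    return 0;
}

/* Number of slots with a local or global enable bit set in DR7. */
int dr_active_count(const debug_regs_t *r) {
    int c = 0;
    for (int n = 0; n < 4; n++)
        if (r->dr7 & (3ull << (2 * n))) c++;
    return c;
}

/* Address armed in slot n, or 0 when that slot is disabled. */
uint64_t dr_slot_addr(const debug_regs_t *r, int n) {
    const uint64_t a[4] = { r->dr0, r->dr1, r->dr2, r->dr3 };
    if (n < 0 || n > 3 || !(r->dr7 & (3ull << (2 * n)))) return 0;
    return a[n];
}

/* What the anti-debug handler does to a context: wipe every slot. */
void dr_clear(debug_regs_t *r) { memset(r, 0, sizeof *r); }

#ifdef _WIN32
#include <windows.h>

/* (1) Debugger side: write a hardware breakpoint into another thread.
 * The target must be stopped (it is, at a debug event; otherwise call
 * SuspendThread first) or the kernel may discard the change. */
int set_hw_bp_on_thread(HANDLE thread, uint64_t addr, int slot) {
    CONTEXT ctx;
    debug_regs_t r;
    memset(&ctx, 0, sizeof ctx);
    ctx.ContextFlags = CONTEXT_DEBUG_REGISTERS;
    if (!GetThreadContext(thread, &ctx)) return -1;
    r.dr0 = ctx.Dr0; r.dr1 = ctx.Dr1; r.dr2 = ctx.Dr2; r.dr3 = ctx.Dr3;
    r.dr6 = ctx.Dr6; r.dr7 = ctx.Dr7;
    if (dr_set(&r, slot, addr, DR_RW_EXEC, DR_LEN_1) != 0) return -1;
    ctx.Dr0 = r.dr0; ctx.Dr1 = r.dr1; ctx.Dr2 = r.dr2; ctx.Dr3 = r.dr3;
    ctx.Dr7 = r.dr7;
    return SetThreadContext(thread, &ctx) ? 0 : -1;
}

/* (2) Debuggee side: the handler receives the faulting thread's CONTEXT;
 * zeroing Dr0..Dr7 there and continuing makes the kernel reload the cleared
 * values on resume, removing any hardware breakpoint set on this thread. */
#define DRX_WIPE_CODE 0xE0DE0001UL  /* arbitrary private code for this example */

static LONG CALLBACK wipe_drx_handler(PEXCEPTION_POINTERS ep) {
    if (ep->ExceptionRecord->ExceptionCode != DRX_WIPE_CODE)
        return EXCEPTION_CONTINUE_SEARCH;
    ep->ContextRecord->Dr0 = ep->ContextRecord->Dr1 = 0;
    ep->ContextRecord->Dr2 = ep->ContextRecord->Dr3 = 0;
    ep->ContextRecord->Dr6 = ep->ContextRecord->Dr7 = 0;
    return EXCEPTION_CONTINUE_EXECUTION;
}

int main(void) {
    PVOID h = AddVectoredExceptionHandler(1, wipe_drx_handler);
    RaiseException(DRX_WIPE_CODE, 0, 0, NULL);  /* handler runs, then we resume */
    RemoveVectoredExceptionHandler(h);
    puts("debug registers cleared from ring 3");
    return 0;
}
#else
int main(void) {
    debug_regs_t r;
    memset(&r, 0, sizeof r);
    dr_set(&r, 0, 0x401000, DR_RW_EXEC, DR_LEN_1);
    printf("DR7 = %#llx, active slots = %d\n",
           (unsigned long long)r.dr7, dr_active_count(&r));
    dr_clear(&r);
    printf("after clear: active slots = %d\n", dr_active_count(&r));
    return 0;
}
#endif
```

The debugger-side path is exactly why OllyDbg needs no driver: the context write is a system call, so the ring-0 transition happens inside the kernel on the debugger's behalf. The debuggee-side path is the protector trick from the posts above; a debugger that re-arms its breakpoints after every exception, or single-steps the handler, defeats it.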

Shub-nigurrath
May 17th, 2005, 09:04
Well, indeed this is not exactly the original question, but it's interesting for another thing I published a little while ago on our site (ARTeam). Neitsa, could I use this code in one of my tuts?

Neitsa
May 17th, 2005, 09:14
No problem Shub-nigurrath, use it and share it as you want