Repost: Implementing Ring 0 code on Windows NT/2000/XP without a driver

xiaoxiao 2021-03-06

Everyone knows that on the i386, Windows NT/2000 is strictly divided into kernel mode and user mode, which correspond to the CPU's Ring 0 and Ring 3 privilege levels respectively. At Ring 0, privileged instructions can be executed and any I/O device can be accessed. Getting from user mode into kernel mode, that is, from Ring 3 into Ring 0, must go through one of the CPU's gate mechanisms, such as an interrupt gate or a call gate. Windows NT/2000 lets user-mode programs execute system services (Ring 0 routines) through the int 2Eh interrupt service, but that service checks its parameters strictly and can only execute the services that Windows NT/2000 itself provides. If you want to execute Ring 0 code supplied by the user (code of your own running at Ring 0), the only general method seems to be a device driver. This article shows a way to execute Ring 0 code from user mode without any driver.

Windows NT/2000 loads device drivers into the kernel area (normally above address 0x80000000), and they run at Ring 0 because the kernel code segment has DPL 0, i.e. CS is 8. This article runs Ring 0 code by constructing a call gate in the system that points to our own code, so the main task is constructing that call gate. Call gates are described by descriptors in the Global Descriptor Table (GDT). The GDT address can be obtained with the i386 instruction SGDT (SGDT is not a privileged instruction; an ordinary Ring 3 program can execute it). In Windows NT/2000 the GDT address is also saved in the KPCR (Kernel Processor Control Region) structure (see the author's article "Talking about Windows NT/2000 Context Switching").
A call-gate descriptor in the GDT has the following format:

    typedef struct
    {
        unsigned short offset_0_15;       /* entry point, bits 0-15 */
        unsigned short selector;          /* code segment to switch to; 8 is the kernel code segment */
        unsigned char  param_count : 4;   /* parameters copied between stacks (0 here) */
        unsigned char  some_bits   : 4;   /* reserved, must be 0 */
        unsigned char  type        : 4;   /* 0xC = 32-bit (386) call gate */
        unsigned char  app_system  : 1;   /* 0 = system descriptor */
        unsigned char  dpl         : 2;   /* lowest privilege level allowed to use the gate */
        unsigned char  present     : 1;   /* 1 = descriptor is valid */
        unsigned short offset_16_31;      /* entry point, bits 16-31 */
    } CALLGATE_DESCRIPTOR;

The GDT is located in the kernel area, and an ordinary user-mode program has no way to access that memory directly. Fortunately, Windows NT/2000 provides a section kernel object named PhysicalMemory under the \Device path. As the name suggests, physical memory can be operated on through this section object.
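To make the descriptor layout concrete, here is an added, portable C example (not code from the original article) that builds and decodes a 32-bit call-gate descriptor with the field values this technique uses (selector 8, DPL 3, type 0xC, present), and scans a small constructed GDT image from the top down for a free slot, the way the article's loop later does. The GDT contents are made up for the example; the bit positions follow the Intel manual's call-gate format and are assembled with shifts instead of the compiler-specific bitfield struct above, so the result can be compared against what that struct writes. A free slot here means a descriptor that is entirely zero, which is stricter than the article's test of the type field alone.

```c
#include <stdint.h>
#include <stdio.h>

/* Decoded view of a 32-bit (386) call gate, Intel SDM Vol. 3, "Call Gates". */
typedef struct {
    uint32_t entry;       /* target routine: descriptor bits 0-15 and 48-63 */
    uint16_t selector;    /* target code segment; 8 is the NT kernel code segment */
    unsigned param_count; /* dwords copied from the caller's stack (Intel: 5 bits) */
    unsigned type;        /* 0xC for a 32-bit call gate */
    unsigned dpl;         /* lowest privilege level allowed to call through the gate */
    unsigned present;
} call_gate_t;

#define GATE_TYPE_CALL32 0xCu

/* Raw 8-byte descriptor. From bit 0: offset[15:0] | selector | param_count:5, zero:3 |
   type:4, S:1, DPL:2, P:1 | offset[31:16]. */
uint64_t make_call_gate(uint32_t entry, uint16_t selector, unsigned dpl)
{
    uint64_t d = 0;
    d |= (uint64_t)(entry & 0xFFFFu);             /* offset bits 0-15          */
    d |= (uint64_t)selector << 16;                 /* target selector           */
    /* bits 32-39: param_count = 0 and reserved bits = 0 */
    d |= (uint64_t)GATE_TYPE_CALL32 << 40;         /* type: 386 call gate       */
    /* bit 44 (S) = 0: system descriptor */
    d |= (uint64_t)(dpl & 3u) << 45;               /* DPL                       */
    d |= (uint64_t)1u << 47;                       /* present                   */
    d |= (uint64_t)(entry >> 16) << 48;            /* offset bits 16-31         */
    return d;
}

/* Decode a descriptor; returns 1 only if it is a present 32-bit call gate. */
int decode_call_gate(uint64_t d, call_gate_t *g)
{
    unsigned s = (unsigned)((d >> 44) & 1u);
    g->entry       = (uint32_t)(d & 0xFFFFu) | (uint32_t)((d >> 48) & 0xFFFFu) << 16;
    g->selector    = (uint16_t)((d >> 16) & 0xFFFFu);
    g->param_count = (unsigned)((d >> 32) & 0x1Fu);
    g->type        = (unsigned)((d >> 40) & 0xFu);
    g->dpl         = (unsigned)((d >> 45) & 3u);
    g->present     = (unsigned)((d >> 47) & 1u);
    return s == 0 && g->type == GATE_TYPE_CALL32 && g->present == 1;
}

/* Round trip: does d encode exactly this gate (and copy no parameters)? */
int check_gate(uint64_t d, uint32_t entry, uint16_t selector, unsigned dpl)
{
    call_gate_t g;
    return decode_call_gate(d, &g) && g.entry == entry && g.selector == selector
        && g.dpl == dpl && g.param_count == 0;
}

/* Scan a GDT image from its last descriptor down to, but not including, the null
   descriptor. Returns the byte offset of the first all-zero entry, or -1 if none. */
int find_free_gdt_slot(const uint64_t *gdt, uint16_t limit)
{
    int off;
    for (off = limit & 0xFF8; off > 0; off -= 8)
        if (gdt[off / 8] == 0)
            return off;
    return -1;
}

/* Selector used to call through the gate: byte offset in the GDT, TI = 0, RPL = 3. */
uint16_t gate_selector(int byte_offset)
{
    return (uint16_t)(byte_offset | 3);
}

/* Constructed sample GDT: null, flat ring 0 code/data, flat ring 3 code/data, 3 unused. */
static uint64_t sample_gdt[8] = {
    0x0000000000000000ull,  /* 0x00 null        */
    0x00CF9B000000FFFFull,  /* 0x08 ring 0 code */
    0x00CF93000000FFFFull,  /* 0x10 ring 0 data */
    0x00CFFB000000FFFFull,  /* 0x18 ring 3 code */
    0x00CFF3000000FFFFull,  /* 0x20 ring 3 data */
};
#define SAMPLE_GDT_LIMIT ((uint16_t)(sizeof sample_gdt - 1))

int main(void)
{
    call_gate_t g;
    int slot = find_free_gdt_slot(sample_gdt, SAMPLE_GDT_LIMIT);
    uint64_t gate = make_call_gate(0x00401000u, 8, 3);   /* hypothetical user-mode entry */
    if (slot < 0) return 1;
    sample_gdt[slot / 8] = gate;
    decode_call_gate(sample_gdt[slot / 8], &g);
    printf("slot 0x%02x selector 0x%04x descriptor %016llx -> entry %08x cs %u dpl %u\n",
           slot, gate_selector(slot), (unsigned long long)gate, g.entry, g.selector, g.dpl);
    return 0;
}
```

With the bitfield struct from the article, the same gate is written as byte 5 = 0xEC (type 0xC, S = 0, DPL = 3, P = 1), which is what make_call_gate produces in bits 40-47.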

Using Objdir.exe from the NTDDK to examine this object:

    C:\NTDDK\BIN>objdir /D \Device\PhysicalMemory
    PhysicalMemory
        Section
        DACL -
        Ace[0] - Grant - 0xf001f - NT AUTHORITY\SYSTEM
        Inherit:
        Access: 0x001f and ( D RCTL WOWN WDACL )
        Ace[1] - Grant - 0x2000d - BUILTIN\Administrators
        Inherit:
        Access: 0x000d and ( RCTL )

From the DACL ACEs dumped for this object you can see that by default only SYSTEM has read and write access to the object, that is, read and write access to physical memory. Administrators have only read access (0x000d is SECTION_QUERY, SECTION_MAP_READ and SECTION_MAP_EXECUTE, without SECTION_MAP_WRITE, which is 0x0002), and ordinary users have no access at all. If we have Administrator rights, however, we can modify the object's ACEs with the GetSecurityInfo, SetEntriesInAcl and SetSecurityInfo APIs. This is why the code given here requires Administrator rights. (Windows Server 2003 SP1 and later versions no longer allow \Device\PhysicalMemory to be opened from user mode at all, so what follows applies to the NT 4/2000/XP generation.)

The code is as follows:

    #include <windows.h>
    #include <aclapi.h>
    #include <stdio.h>
    /* The Zw and Rtl prototypes, NTSTATUS, OBJECT_ATTRIBUTES and UNICODE_STRING come from
       the NTDDK headers the article was built against; link with ntdll.lib. */

    VOID SetPhyscialMemorySectionCanBeWrited(HANDLE hSection)
    {
        PACL pDacl = NULL;
        PACL pNewDacl = NULL;
        PSECURITY_DESCRIPTOR pSD = NULL;
        DWORD dwRes;
        EXPLICIT_ACCESS ea;

        /* read the current DACL of the section object */
        if ((dwRes = GetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION,
                                     NULL, NULL, &pDacl, NULL, &pSD)) != ERROR_SUCCESS)
        {
            printf("GetSecurityInfo Error %u\n", dwRes);
            goto CleanUp;
        }

        /* one new ACE: grant SECTION_MAP_WRITE to the calling user */
        ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
        ea.grfAccessPermissions = SECTION_MAP_WRITE;
        ea.grfAccessMode        = GRANT_ACCESS;
        ea.grfInheritance       = NO_INHERITANCE;
        ea.Trustee.TrusteeForm  = TRUSTEE_IS_NAME;
        ea.Trustee.TrusteeType  = TRUSTEE_IS_USER;
        ea.Trustee.ptstrName    = "CURRENT_USER";   /* special name understood by SetEntriesInAcl */

        /* merge it into a copy of the existing DACL ... */
        if ((dwRes = SetEntriesInAcl(1, &ea, pDacl, &pNewDacl)) != ERROR_SUCCESS)
        {
            printf("SetEntriesInAcl %u\n", dwRes);
            goto CleanUp;
        }

        /* ... and write the new DACL back to the object (requires WRITE_DAC on hSection) */
        if ((dwRes = SetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION,
                                     NULL, NULL, pNewDacl, NULL)) != ERROR_SUCCESS)
        {
            printf("SetSecurityInfo %u\n", dwRes);
            goto CleanUp;
        }

    CleanUp:
        if (pSD) LocalFree(pSD);
        if (pNewDacl) LocalFree(pNewDacl);
    }

(The assignments are parenthesized so that the real error code, not the result of the comparison, is printed.) This code adds the following ACE to the object:

    PhysicalMemory
        Section
        DACL -
        Ace[2] - Grant - 0x2 - (the current user)
        Inherit:
        Access: 0x0002   // SECTION_MAP_WRITE

So with Administrator rights we now have read and write access to physical memory. To modify the GDT and run Ring 0 code, though, we face another problem: the GDT address obtained with SGDT is a virtual (linear) address, while the \Device\PhysicalMemory object only lets us reach the GDT by its physical address. This raises the question of converting a linear address into a physical one.

Let's look at how Windows NT/2000 itself does this conversion:

    kd> u nt!MmGetPhysicalAddress l 30
    ntoskrnl!MmGetPhysicalAddress:
    801374e0 56               push    esi
    801374e1 8b742408         mov     esi,[esp+0x8]
    801374e5 33d2             xor     edx,edx
    801374e7 81fe00000080     cmp     esi,0x80000000
    801374ed 722c             jb      ntoskrnl!MmGetPhysicalAddress+0x3b (8013751b)
    801374ef 81fe000000a0     cmp     esi,0xa0000000
    801374f5 7324             jnb     ntoskrnl!MmGetPhysicalAddress+0x3b (8013751b)
    801374f7 39153ce71780     cmp     [ntoskrnl!MmKseg2Frame (8017e73c)],edx
    801374fd 741c             jz      ntoskrnl!MmGetPhysicalAddress+0x3b (8013751b)
    801374ff 8bc6             mov     eax,esi
    80137501 c1e80c           shr     eax,0xc
    80137504 25ffff0100       and     eax,0x1ffff
    80137509 6a0c             push    0xc
    8013750b 59               pop     ecx
    8013750c e8d3a7fcff       call    ntoskrnl!_allshl (80101ce4)
    80137511 81e6ff0f0000     and     esi,0xfff
    80137517 03c6             add     eax,esi
    80137519 eb17             jmp     ntoskrnl!MmGetPhysicalAddress+0x52 (80137532)
    8013751b 8bc6             mov     eax,esi
    8013751d c1e80a           shr     eax,0xa
    80137520 25fcff3f00       and     eax,0x3ffffc
    80137525 2d00000040       sub     eax,0x40000000
    8013752a 8b00             mov     eax,[eax]
    8013752c a801             test    al,0x1
    8013752e 7506             jnz     ntoskrnl!MmGetPhysicalAddress+0x56 (80137536)
    80137530 33c0             xor     eax,eax
    80137532 5e               pop     esi
    80137533 c20400           ret     0x4

From this assembly it can be seen that for a linear address in the range 0x80000000 to 0xA0000000 (and with MmKseg2Frame non-zero), the function performs only a simple shift operation (instructions 801374ff to 80137519) and does not consult the page tables: it keeps the low 17 bits of the page frame number, shifts them back by 12 (_allshl with ecx = 0xc) and re-adds the page offset, which for this 512 MB region amounts to physical = linear - 0x80000000. For any other address it falls through to 8013751b and reads the page-table entry from the self-mapped page tables at 0xC0000000 (0xC0000000 + (linear >> 12) * 4), returning 0 if the present bit is clear.

I think Microsoft arranged it this way for speed. It also gives us a shortcut, because in Windows NT/2000 the GDT lies in exactly this region (I don't know whether this holds for Windows NT/2000 booted with the /3GB switch). After this analysis we can modify the GDT from a user-mode program. How to add a call gate is not something I will go into here; look it up in the Intel manual [1].
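As an added example (not code from the original article), the following portable C reimplements the two paths of MmGetPhysicalAddress shown above: the shift-only fast path for the 0x80000000 to 0xA0000000 region, and the PTE address computation of the slow path (the self-mapped page tables at 0xC0000000 on non-PAE x86 NT). It goes a little beyond the article's MiniMmGetPhysicalAddress by keeping the page offset and by computing the page-aligned section offset, the view size and the in-view offset needed to map the whole GDT through \Device\PhysicalMemory even when the GDT base is not page-aligned. The GDT base and limit used in main are sample values, not read from a real system.

```c
#include <stdint.h>
#include <stdio.h>

#define KSEG_BASE  0x80000000u   /* start of the region MmGetPhysicalAddress shortcuts */
#define KSEG_END   0xA0000000u   /* first address outside it (the region is 512 MB)    */
#define PAGE_SIZE  0x1000u

/* Fast path (801374ff-80137519 above): keep the low 17 bits of the page frame
   number, shift back (_allshl with ecx = 0xc), re-add the page offset. Returns 0
   when va is outside the region, as the article's MiniMmGetPhysicalAddress does;
   MmGetPhysicalAddress itself would walk the page tables instead. (Linear
   0x80000000, physical page 0, is indistinguishable from failure; harmless here.) */
uint32_t kseg_phys(uint32_t va)
{
    if (va < KSEG_BASE || va >= KSEG_END)
        return 0;
    return (((va >> 12) & 0x1FFFFu) << 12) | (va & 0xFFFu);   /* == va - 0x80000000 */
}

/* Slow path (8013751b-80137525): linear address of the PTE that maps va.
   shr eax,0xa / and eax,0x3ffffc / sub eax,0x40000000 is
   0xC0000000 + (va >> 12) * 4 with 32-bit wraparound. */
uint32_t nt_pte_address(uint32_t va)
{
    return ((va >> 10) & 0x3FFFFCu) - 0x40000000u;
}

/* What MapViewOfFile on \Device\PhysicalMemory needs so that the whole GDT
   (gdt_limit + 1 bytes at linear gdt_base) lands inside the view. */
typedef struct {
    int      ok;          /* 0 if the GDT is outside the shortcut region */
    uint32_t map_offset;  /* page-aligned physical offset (the file offset argument) */
    uint32_t view_size;   /* bytes to map */
    uint32_t in_view;     /* where the GDT starts inside the returned view */
} gdt_map_t;

gdt_map_t gdt_map_params(uint32_t gdt_base, uint16_t gdt_limit)
{
    gdt_map_t m = { 0, 0, 0, 0 };
    uint32_t pa = kseg_phys(gdt_base);
    if (pa == 0)
        return m;
    m.map_offset = pa & ~(PAGE_SIZE - 1);
    m.in_view    = pa & (PAGE_SIZE - 1);
    m.view_size  = m.in_view + (uint32_t)gdt_limit + 1;
    m.ok = 1;
    return m;
}

int main(void)
{
    /* sample values, not read from a real machine */
    uint32_t gdt_base = 0x80036800u;
    uint16_t gdt_limit = 0x03FF;
    gdt_map_t m = gdt_map_params(gdt_base, gdt_limit);

    printf("GDT linear %08x -> physical %08x\n", gdt_base, kseg_phys(gdt_base));
    if (m.ok)
        printf("map offset %08x, view size 0x%x bytes, GDT at +0x%x in the view\n",
               m.map_offset, m.view_size, m.in_view);
    printf("PTE for %08x is at %08x\n", gdt_base, nt_pte_address(gdt_base));
    return 0;
}
```

The article's code passes the page-aligned value straight to MapViewOfFile and indexes the view from offset 0, which is correct only because the NT/2000 GDT base is page-aligned; gdt_map_params keeps the in-view offset so the same mapping works for any base inside the region.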

The specific code is as follows:

    typedef struct gdtr
    {
        unsigned short Limit;     /* size of the GDT in bytes, minus one */
        unsigned short BaseLow;   /* linear base address, bits 0-15 */
        unsigned short BaseHigh;  /* linear base address, bits 16-31 */
    } Gdtr_t, *PGdtr_t;
    /* The fields are unsigned so that BaseHigh << 16 | BaseLow does not sign-extend. */

    /* Linear-to-physical for the 0x80000000-0xA0000000 region, as MmGetPhysicalAddress
       does it above. The page offset is dropped because the result is used as the
       section offset for MapViewOfFile; the NT/2000 GDT base is page-aligned, so the
       code below indexes the GDT from the start of the view. */
    ULONG MiniMmGetPhysicalAddress(ULONG virtualaddress)
    {
        if (virtualaddress < 0x80000000 || virtualaddress >= 0xA0000000)
            return 0;
        return virtualaddress & 0x1FFFF000;
    }

    /* Added here: the page calls PrintWin32Error without defining it. */
    VOID PrintWin32Error(DWORD dwError)
    {
        char *msg = NULL;
        FormatMessageA(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,
                       NULL, dwError, 0, (LPSTR)&msg, 0, NULL);
        printf("%u %s\n", dwError, msg ? msg : "");
        if (msg) LocalFree(msg);
    }

    /* Entry:  address of the routine to run at Ring 0; it is entered through the call
               gate with CS = 8 and must return with a far return (retf).
       seglen: length of that routine; it is locked in memory for the duration of the call. */
    BOOL ExecRing0Proc(ULONG Entry, ULONG seglen)
    {
        Gdtr_t gdt;
        __asm sgdt gdt;
        ULONG mapAddr = MiniMmGetPhysicalAddress((ULONG)gdt.BaseHigh << 16 | gdt.BaseLow);
        if (!mapAddr) return 0;

        HANDLE hSection = NULL;
        NTSTATUS status;
        OBJECT_ATTRIBUTES objectAttributes;
        UNICODE_STRING objName;
        CALLGATE_DESCRIPTOR *cg;

        status = STATUS_SUCCESS;
        RtlInitUnicodeString(&objName, L"\\Device\\PhysicalMemory");
        InitializeObjectAttributes(&objectAttributes, &objName,
                                   OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL,
                                   (PSECURITY_DESCRIPTOR)NULL);

        /* first try: open for read/write mapping; Administrators only get read by default */
        status = ZwOpenSection(&hSection, SECTION_MAP_READ | SECTION_MAP_WRITE, &objectAttributes);
        if (status == STATUS_ACCESS_DENIED)
        {
            /* reopen with WRITE_DAC, grant ourselves SECTION_MAP_WRITE, then retry */
            status = ZwOpenSection(&hSection, READ_CONTROL | WRITE_DAC, &objectAttributes);
            if (status != STATUS_SUCCESS)
            {
                printf("Error Open PhysicalMemory Section Object for WRITE_DAC, Status: %08X\n", status);
                return 0;
            }
            SetPhyscialMemorySectionCanBeWrited(hSection);
            ZwClose(hSection);
            status = ZwOpenSection(&hSection, SECTION_MAP_READ | SECTION_MAP_WRITE, &objectAttributes);
        }
        if (status != STATUS_SUCCESS)
        {
            printf("Error Open PhysicalMemory Section Object, Status: %08X\n", status);
            return 0;
        }

        /* map the physical page(s) holding the GDT into our address space */
        PVOID BaseAddress = MapViewOfFile(hSection, FILE_MAP_READ | FILE_MAP_WRITE,
                                          0, mapAddr, gdt.Limit + 1);
        if (!BaseAddress)
        {
            printf("Error MapViewOfFile:");
            PrintWin32Error(GetLastError());
            ZwClose(hSection);
            return 0;
        }

        /* scan the GDT from its last entry downwards for an unused descriptor */
        BOOL setcg = FALSE;
        for (cg = (CALLGATE_DESCRIPTOR *)((ULONG)BaseAddress + (gdt.Limit & 0xff8));
             (ULONG)cg > (ULONG)BaseAddress; cg--)
        {
            if (cg->type == 0)
            {
                cg->offset_0_15  = LOWORD(Entry);
                cg->selector     = 8;      /* kernel code segment, DPL 0 */
                cg->param_count  = 0;
                cg->some_bits    = 0;
                cg->type         = 0xc;    /* 386 call gate */
                cg->app_system   = 0;      /* a system descriptor */
                cg->dpl          = 3;      /* Ring 3 code can call through it */
                cg->present      = 1;
                cg->offset_16_31 = HIWORD(Entry);
                setcg = TRUE;
                break;
            }
        }
        if (!setcg)
        {
            UnmapViewOfFile(BaseAddress);
            ZwClose(hSection);
            return 0;
        }

        /* far pointer for the call: a call gate ignores the offset part; the selector is
           the byte offset of our descriptor in the GDT with RPL 3 */
        short farcall[3] = { 0, 0, 0 };
        farcall[2] = (short)(((ULONG)cg - (ULONG)BaseAddress) | 3);   /* Ring 3 call gate */

        if (!VirtualLock((PVOID)Entry, seglen))
        {
            printf("Error VirtualLock:");
            PrintWin32Error(GetLastError());
            *(ULONG *)cg = 0;
            *((ULONG *)cg + 1) = 0;
            UnmapViewOfFile(BaseAddress);
            ZwClose(hSection);
            return 0;
        }

        /* make a context switch while we are at Ring 0 less likely */
        SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_TIME_CRITICAL);
        Sleep(0);
        __asm call fword ptr [farcall]
        SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_NORMAL);
        VirtualUnlock((PVOID)Entry, seglen);

        /* clear the call gate again */
        *(ULONG *)cg = 0;
        *((ULONG *)cg + 1) = 0;
        UnmapViewOfFile(BaseAddress);
        ZwClose(hSection);
        return TRUE;
    }

In the demonstration code I exercise control-register and I/O-port operations. The CIH virus did a certain amount of damage on Windows 9x because it obtained Ring 0 privileges, but Windows NT/2000 is not Windows 9x: it already has a much more complete security auditing mechanism, and the code given here also requires Administrator privileges. However, if there is a vulnerability such as a buffer overflow, it is possible to obtain that privilege, so I take no responsibility for the methods provided here. All of this is just a technology enthusiast discussing technology. Thank you!

Reference:

1. Intel Corp., Intel Architecture Software Developer's Manual, Volume 3.

Article from: http://www.geocities.jp/webcrazyjp/ntring0.htm
Author website: WebCrazy (http://webcrazy.yeah.net/)

When reposting, please cite the original address: https://www.9cbs.com/read-122034.html
