Exetools  

Go Back   Exetools > General > General Discussion
Reload this Page Access to \device\physicalmemory
Register Forum Rules FAQ Calendar Mark Forums Read

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 02-09-2005, 23:41
souz souz is offline
Friend
  
Join Date: Jan 2005
Posts: 134
Rept. Given: 0
Rept. Rcvd 26 Times in 18 Posts
Thanks Given: 13
Thanks Rcvd at 86 Times in 35 Posts
souz Reputation: 26
Thanks.
i've read this. but at this address $c0000 is video card firmware and i can't write to it...
Can it be possible to intercept read attempts to such address and return the data bytes other than original???
Reply With Quote
  #2  
Old 02-10-2005, 00:52
JuneMouse
 
Posts: n/a
you have read what the phrack article or from the link i posted
any way here is a dump from my old little comp using physmembrowser

Code:
000C0000:  55 AA 40 EB 3D 37 34 30-30 30 30 30 30 30 30 30  Uª@ë=74000000000
000C0010:  30 30 30 30 30 30 30 A2-34 01 9E 2A A2 2A 49 42  0000000¢4.ž*¢*IB
000C0020:  4D 20 56 47 41 20 43 6F-6D 70 61 74 69 62 6C 65  M VGA Compatible
000C0030:  20 42 49 4F 53 2E 20 05-00 00 4E 01 5E 01 6C 01   BIOS. ...N.^.l.
000C0040:  00 C0 E9 55 7B 47 65 6E-65 72 69 63 20 49 6E 74  .À��U{Generic Int
000C0050:  65 6C 20 47 72 61 70 68-69 63 73 20 43 68 69 70  el Graphics Chip
000C0060:  20 41 63 63 65 6C 65 72-61 74 65 64 20 56 47 41   Accelerated VGA
000C0070:  20 42 49 4F 53 0D 0A 56-65 72 73 69 6F 6E 20 30   BIOS..Version 0
so i can read it it seems and dump it and the sdrestore can restore my symantec av hooking of ZwCLose and 7 other hooks back to original
so it must be possible in your case too i would assume any way good luck
Reply With Quote
  #3  
Old 02-10-2005, 02:29
omega_red
 
Posts: n/a
Example of reading descriptor tables using PhysicalMemory:
http://ry.pl/~omega/asm/sdt.zip

Example of writing to PhysicalMemory:
http://ry.pl/~omega/asm/ring0nt.zip
Reply With Quote
  #4  
Old 02-12-2005, 18:54
evaluator
 
Posts: n/a
heh, thanks to omega_red.
enjoed with bsod.. no prob..

Suggestion to all Ring0-jumperz:
Don't use Call_Gates, they are incompatible with Win-Ring0-stack
architecture..(designed for INTs only)

simple use INTs
Reply With Quote
  #5  
Old 02-12-2005, 20:42
Cobi Cobi is offline
Friend
  
Join Date: Sep 2004
Location: Germany
Posts: 55
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 0
Thanks Rcvd at 1 Time in 1 Post
Cobi Reputation: 0
But you can't insert a new int from user-mode or how do you mean that?
(Even in Kernel-Mode you must edit CR0 to play with the IDT)
Argh,... sure,... we have \device\physicalmemory ^^,... but no sidt!?
Last edited by Cobi; 02-12-2005 at 20:50.
Reply With Quote
  #6  
Old 02-13-2005, 06:26
evaluator
 
Posts: n/a
of course, using same tool you can setup one IDT-entry (instead of GDT),
& go to Ring0. in XP from 42h to FFh INTs are reserved, so enjoy with them.

huh, why you need CR0 for write in IDT?? nop

[edit]:
forgot, when you will in Ring0, perform same action, wich does other system INTs..
save in same order registers, load then in FS-reg 30h..then only can be STI..
(stack should lowered on 68h or more from entered position)
Last edited by evaluator; 02-13-2005 at 06:33.
Reply With Quote
Reply

« Previous Thread | Next Thread »
Thread Tools
Display Modes
Hybrid Mode Hybrid Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Api Hooking w/ Device Driver Peter[Pan] General Discussion 7 06-20-2005 02:57


All times are GMT +8. The time now is 03:40.

Aaron's homepage - Top

Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( Since 1998 )