SYSENTER hook

[bilbo]

hi, niom,

Quote:

should i setup a new handlerproc through WRMSR and SYSENTER_CS, SYSENTER_ESP, ..?

Yes! on a theorethical point of view you are right. In the same way one replaces INT 3 handler with a preamble (e.g. for tracing purposes) and then jumps to the old handler, the same guy on Windows XP must replace MSR register 176 (EIP) - which points currently at KiFastCallEntry - with some preamble and then jump to KiFastCallEntry.
You only need to write a kernel driver very similar to that which replace the INT 2E handler. Look for example at the code by sinister (http://www.xfocus.net/articles/200303/499.html).
Obviously you can always hook single system services.

But if you look more deeply at Windows XP architecture, you will find that:

(a) the fuc.ed SYSENTER is in userland (even if in read-only memory, and you cannot use WriteProtect on it to make it writeable because the address (0x7FFE0300) is outside the VadRoot of all the processes)

(b) on AMD processor there is no SYSENTER but INT 2E

So, we can replace SYSENTER with INT 2E and use the same tools we have for Windows 2K, don't we?

In fact after many reboots I finally manage to change on the fly the two ways to enter system services, from SYSENTER to INT 2E and vice versa, and all this without any driver involved!

It is as simple as replacing

Code:

7FFE0300: (physical 41300)      8BD4 mov edx, esp
                                0F34 sysenter
                                C3   ret

with

Code:

7FFE0300:      8D542408    lea edx, [esp+8]
               CD2E        int 2eh
               C3          ret

with some little trick to avoid system crash

Quote:

does anybody have a codesnipped for this?

Maybe a tutorial... but bilbo has a lot of things to write and maybe nobody is interested... who knows...

Best regards, bilbo