Getting in ring 0 on winXp

Printable View

August 31st, 2004, 01:22 PM
el-half

Getting in ring 0 on winXp

I am writing a program in 16 bit x86 assembly which has to work on NT based systems.
Now unlike in win9x, I read one cannot do certain low-level operations in user mode like using int 13h which is exactly what I have to use.

Various sources say to write a virtual device driver (VxD) which then runs in ring 0, but that goes beyond my capabilities (I think). I have not really found what I'm looking for.

Can somebody explain how I get in ring 0 (kernel privileges). A code example of the most simple program with such privileges would be very helpful.

Anyway, I only need to be able to use int 13h.

Thank you

EDIT: apparantly, VxD is obsolete and has been replaced by WDM:

Wikipedia says:
In computing WDM stands for Windows Driver Model. It provides a framework for device drivers that operate under Microsoft Windows 98/ME/2000/XP and Server 2003. WDM is a successor of VxD, which was used on older versions of Windows. WDM drivers are layered in a complex hierarchy and communicate with each other via IO Request Packets IRPs.

Do I really need to write a WDM to use int 13 ?
September 2nd, 2004, 09:14 AM
jdenny

I'm not offering any help (yet), but since nobody else replies, which function of int 13h are you going to use? I mean, AH = ? What are you trying to do anyway?

Peace always,
<jdenny>
September 2nd, 2004, 06:46 PM
el-half

I am overwriting the Master Boot Record.
September 2nd, 2004, 07:43 PM
cacosapo

el-half, take a lot on this site:
http://www.beyondlogic.org/porttalk/porttalk.htm

and see if it helps you. you can d/l a sys driver sample and adapt for you needs.
September 2nd, 2004, 08:04 PM
slarty

Re: Getting in ring 0 on winXp

Quote:

Originally posted here by el-half
[B]I am writing a program in 16 bit x86 assembly which has to work on NT based systems.

So you are targetting NTVDM then, the NT virtual dos machine. It only has a subset of DOS functions which are safe to implement in Windows.

Quote:

Now unlike in win9x, I read one cannot do certain low-level operations in user mode like using int 13h which is exactly what I have to use.

For raw block device access? Use win32 CreateFile with physical devices.

Quote:

Various sources say to write a virtual device driver (VxD) which then runs in ring 0...

They lie. VXDs are only for the old win9x systems and do not work on WinNT.

To get ring0 in NT you need to write an NT device driver, which is definitely different from a VXD (it's a .sys file, for a start)

Quote:

Can somebody explain how I get in ring 0 (kernel privileges). A code example of the most simple program with such privileges would be very helpful.

You can't, without writing a NT device driver.

Quote:

Anyway, I only need to be able to use int 13h.

Surely performing the int13 functions in some other way would be acceptable?

Slarty
September 2nd, 2004, 08:07 PM
slarty

Quote:

Originally posted here by el-half
I am overwriting the Master Boot Record.

Only hard drives have a master boot record.

You can do raw disc access to floppies by using CreateFile with the NT raw device names. I don't know exactly what these are, something like \\.\PhysicalDevice\blah\wibble\0. There is some documentation which tell you what these are.

It opens them as block devices, I think you can use readfile and writefile on them. Certainly should work for floppies, not sure about HDs.

Slarty
September 3rd, 2004, 03:40 PM
el-half

Quote:

el-half, take a lot on this site:
http://www.beyondlogic.org/porttalk/porttalk.htm

and see if it helps you. you can d/l a sys driver sample and adapt for you needs.

Yah, it was about the first I visited....

Quote:

Only hard drives have a master boot record.

Lol, I know that obviously. I want to write on a hard disk.
September 3rd, 2004, 03:51 PM
cacosapo

and didnt help you?
some fact i collected:
- to get access phys device you should be in ring 0.
- there is no standard service for ring 3 programs goes to ring 0 (if was it was kinda dumb, isnt it?)
- the only way a program in ring 0 call that service for you or change direct your ring bit.
- only kernel and device drivers runs in ring 0
- so to get there, you should write a device driver, since you cant write a kernel (you aready have one :D)
- as far i read, on the site you've already visited, there is a sample of a .sys driver and a sample program that uses it. Ive browsed some file and doenst look (too) hard.

what is your concern about that?
September 4th, 2004, 08:43 AM
el-half

Yes, but I wonder if you can use int 13 without having to write a device driver.

The sample driver deals with writing a device driver that modifies the I/O permission bitmap. Is this only applicable for having permission to access physical I/O ports?
Or would I also be able to overwrite the Master Boot Record?

Thanks for the help.
September 6th, 2004, 01:59 AM
rcgreen

This is a real challenge, since the OS seems to be designed to
deliberately prevent it (big security hole). Int 13 only works
normally in real mode, before the windows kernel takes over.

Once windows is up and running, it traps int 13 calls and
handles them its own way, not really passing them down
to the BIOS as you would hope.

http://computing.net/programming/www...rum/10875.html

It obviously must be possible to write to the mbr from protected
mode because viruses do it.

http://www.avp.ch/avpve/bootmult/hare.stm

So it's a matter of getting permission. There's probably an existing driver
in the system that can do it. Your prog just needs to know what function
to call, and convince the OS that the call is from a "trusted" program.

Quote:

Since most users run as admin or an
>admin equiv user, a virus thus has complete control to the system. Writing
>to the MBR is as simple as issuing a CreateFile request

http://lists.virus.org/dshield-0109/msg00276.html
:cool: