Getting in ring 0 on winXp

  1. #1
    Senior Member (joined Jun 2003, 772 posts)

    I am writing a program in 16 bit x86 assembly which has to work on NT based systems.
    Now unlike in win9x, I read one cannot do certain low-level operations in user mode like using int 13h which is exactly what I have to use.

    Various sources say to write a virtual device driver (VxD) which then runs in ring 0, but that goes beyond my capabilities (I think). I have not really found what I'm looking for.

    Can somebody explain how I get into ring 0 (kernel privileges)? A code example of the most simple program with such privileges would be very helpful.

    Anyway, I only need to be able to use int 13h.


    Thank you

    EDIT: apparently, VxD is obsolete and has been replaced by WDM:

    Wikipedia says:
    In computing WDM stands for Windows Driver Model. It provides a framework for device drivers that operate under Microsoft Windows 98/ME/2000/XP and Server 2003. WDM is a successor of VxD, which was used on older versions of Windows. WDM drivers are layered in a complex hierarchy and communicate with each other via IO Request Packets IRPs.

    Do I really need to write a WDM to use int 13?
    The above sentences are produced by the propaganda and indoctrination of people manipulating my mind since 1987, hence, I cannot be held responsible for this post's content - me

    www.elhalf.com

  2. #2
    Senior Member (joined Jul 2002, 339 posts)
    I'm not offering any help (yet), but since nobody else replies, which function of int 13h are you going to use? I mean, AH = ? What are you trying to do anyway?

    Peace always,
    <jdenny>
    Always listen to experts. They'll tell you what can't be done and why. Then go and do it. -- Robert Heinlein
    I'm basically a very lazy person who likes to get credit for things other people actually do. -- Linus Torvalds


  3. #3
    Senior Member (joined Jun 2003, 772 posts)
    I am overwriting the Master Boot Record.

  4. #4
    Senior Member (joined Apr 2004, 1,130 posts)
    el-half, take a look on this site:
    http://www.beyondlogic.org/porttalk/porttalk.htm

    and see if it helps you. you can d/l a sys driver sample and adapt for your needs.
    My site

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  5. #5
    Senior Member (joined Jan 2002, 1,207 posts)

    Originally posted here by el-half
    > I am writing a program in 16 bit x86 assembly which has to work on NT based systems.
    So you are targeting NTVDM then, the NT virtual dos machine. It only has a subset of DOS functions which are safe to implement in Windows.

    > Now unlike in win9x, I read one cannot do certain low-level operations in user mode like using int 13h which is exactly what I have to use.
    For raw block device access? Use win32 CreateFile with physical devices.

    > Various sources say to write a virtual device driver (VxD) which then runs in ring 0...
    They lie. VXDs are only for the old win9x systems and do not work on WinNT.

    To get ring0 in NT you need to write an NT device driver, which is definitely different from a VXD (it's a .sys file, for a start).

    > Can somebody explain how I get in ring 0 (kernel privileges). A code example of the most simple program with such privileges would be very helpful.
    You can't, without writing an NT device driver.

    > Anyway, I only need to be able to use int 13h.
    Surely performing the int13 functions in some other way would be acceptable?

    Slarty

  6. #6
    Senior Member (joined Jan 2002, 1,207 posts)
    Originally posted here by el-half
    > I am overwriting the Master Boot Record.
    Only hard drives have a master boot record.

    You can do raw disc access to floppies by using CreateFile with the NT raw device names. I don't know exactly what these are, something like \\.\PhysicalDevice\blah\wibble\0. There is some documentation which tells you what these are.

    It opens them as block devices, I think you can use readfile and writefile on them. Certainly should work for floppies, not sure about HDs.

    Slarty

  7. #7
    Senior Member (joined Jun 2003, 772 posts)
    > el-half, take a look on this site:
    > http://www.beyondlogic.org/porttalk/porttalk.htm
    >
    > and see if it helps you. you can d/l a sys driver sample and adapt for your needs.
    Yah, it was about the first I visited....

    > Only hard drives have a master boot record.
    Lol, I know that obviously. I want to write on a hard disk.

  8. #8
    Senior Member (joined Apr 2004, 1,130 posts)
    and it didn't help you?
    some facts I collected:
    - to get access to a phys device you should be in ring 0.
    - there is no standard service for ring 3 programs to go to ring 0 (if there was it would be kinda dumb, isn't it?)
    - the only way is a program in ring 0 calling that service for you or directly changing your ring bit.
    - only the kernel and device drivers run in ring 0
    - so to get there, you should write a device driver, since you can't write a kernel (you already have one)
    - as far as I read, on the site you've already visited, there is a sample of a .sys driver and a sample program that uses it. I've browsed some files and it doesn't look (too) hard.

    what is your concern about that?

  9. #9
    Senior Member (joined Jun 2003, 772 posts)
    Yes, but I wonder if you can use int 13 without having to write a device driver.

    The sample driver deals with writing a device driver that modifies the I/O permission bitmap. Is this only applicable for having permission to access physical I/O ports?
    Or would I also be able to overwrite the Master Boot Record?

    Thanks for the help.

  10. #10
    rcgreen, AO Curmudgeon (joined Nov 2001, 2,716 posts)
    This is a real challenge, since the OS seems to be designed to deliberately prevent it (big security hole). Int 13 only works normally in real mode, before the windows kernel takes over.

    Once windows is up and running, it traps int 13 calls and handles them its own way, not really passing them down to the BIOS as you would hope.

    http://computing.net/programming/www...rum/10875.html

    It obviously must be possible to write to the mbr from protected mode because viruses do it.

    http://www.avp.ch/avpve/bootmult/hare.stm

    So it's a matter of getting permission. There's probably an existing driver in the system that can do it. Your prog just needs to know what function to call, and convince the OS that the call is from a "trusted" program.

    > Since most users run as admin or an admin equiv user, a virus thus has complete control to the system. Writing to the MBR is as simple as issuing a CreateFile request
    http://lists.virus.org/dshield-0109/msg00276.html
    I came in to the world with nothing. I still have most of it.
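    A defensive counterpart to the CreateFile route named in posts #5, #6 and #10, added here as an example and not written by any poster: read sector 0 through the NT raw device name and sanity-check it (boot signature, partition status bytes, fingerprint of the boot code) so an unexpected MBR change can be detected against a saved baseline. The Windows read path is compiled only under _WIN32 and assumes `\\.\PhysicalDrive0` is the disk of interest; the sample sector is constructed, not read from a real disk.

```c
#include <stdint.h>
#include <string.h>
#define SECTOR_SIZE 512
#define PART_TABLE_OFF 446  /* four 16-byte partition entries start here */
#define MBR_SIG_OFF 510     /* 0x55 0xAA boot signature */
typedef struct {
    int has_signature;     /* 1 if bytes 510..511 are 0x55 0xAA */
    int bootable_parts;    /* entries whose status byte is 0x80 */
    int bad_parts;         /* entries whose status byte is neither 0x00 nor 0x80 */
    uint32_t bootcode_sum; /* FNV-1a over the 446 boot-code bytes, for baseline comparison */
} mbr_check_t;
static uint32_t fnv1a(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}
/* Sanity-check a 512-byte sector as an MBR and fingerprint its boot code. */
mbr_check_t check_mbr(const uint8_t *sector) {
    mbr_check_t r = {0, 0, 0, 0};
    r.has_signature = sector[MBR_SIG_OFF] == 0x55 && sector[MBR_SIG_OFF + 1] == 0xAA;
    for (int i = 0; i < 4; i++) {
        uint8_t status = sector[PART_TABLE_OFF + 16 * i];
        if (status == 0x80) r.bootable_parts++; else if (status != 0x00) r.bad_parts++;
    }
    r.bootcode_sum = fnv1a(sector, PART_TABLE_OFF);
    return r;
}

#ifdef _WIN32
#include <windows.h>
/* Read sector 0 of the first disk through the NT raw device name (needs admin rights). */
int read_sector0(uint8_t *out) {
    HANDLE h = CreateFileA("\\\\.\\PhysicalDrive0", GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE,
                           NULL, OPEN_EXISTING, 0, NULL);
    if (h == INVALID_HANDLE_VALUE) return 0;
    DWORD n = 0;
    BOOL ok = ReadFile(h, out, SECTOR_SIZE, &n, NULL);
    CloseHandle(h);
    return ok && n == SECTOR_SIZE;
}
#endif

/* Constructed sample MBR (not read from a real disk): tiny boot stub, one bootable NTFS entry. */
void sample_mbr(uint8_t *out) {
    memset(out, 0, SECTOR_SIZE);
    out[0] = 0xFA; out[1] = 0x33; out[2] = 0xC0;                    /* cli; xor ax,ax */
    out[PART_TABLE_OFF] = 0x80; out[PART_TABLE_OFF + 4] = 0x07;     /* bootable, type NTFS */
    out[MBR_SIG_OFF] = 0x55; out[MBR_SIG_OFF + 1] = 0xAA;
}
```

    On Windows, store `check_mbr(sector).bootcode_sum` from a known-good boot and compare it on later reads; a changed fingerprint, a lost signature or a partition status byte other than 0x00/0x80 is the signal to investigate.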
