-
August 31st, 2004, 01:22 PM
#1
Getting in ring 0 on winXp
I am writing a program in 16 bit x86 assembly which has to work on NT based systems.
Now unlike in win9x, I read one cannot do certain low-level operations in user mode like using int 13h which is exactly what I have to use.
Various sources say to write a virtual device driver (VxD) which then runs in ring 0, but that goes beyond my capabilities (I think). I have not really found what I'm looking for.
Can somebody explain how I get in ring 0 (kernel privileges). A code example of the most simple program with such privileges would be very helpful.
Anyway, I only need to be able to use int 13h.
Thank you
EDIT: apparently, VxD is obsolete and has been replaced by WDM:
Wikipedia says:
In computing WDM stands for Windows Driver Model. It provides a framework for device drivers that operate under Microsoft Windows 98/ME/2000/XP and Server 2003. WDM is a successor of VxD, which was used on older versions of Windows. WDM drivers are layered in a complex hierarchy and communicate with each other via IO Request Packets IRPs.
Do I really need to write a WDM to use int 13 ?
The above sentences are produced by the propaganda and indoctrination of people manipulating my mind since 1987, hence, I cannot be held responsible for this post's content - me
www.elhalf.com
-
September 2nd, 2004, 09:14 AM
#2
I'm not offering any help (yet), but since nobody else replies, which function of int 13h are you going to use? I mean, AH = ? What are you trying to do anyway?
Peace always,
<jdenny>
Always listen to experts. They'll tell you what can't be done and why. Then go and do it. -- Robert Heinlein
I'm basically a very lazy person who likes to get credit for things other people actually do. -- Linus Torvalds
-
September 2nd, 2004, 06:46 PM
#3
I am overwriting the Master Boot Record.
The above sentences are produced by the propaganda and indoctrination of people manipulating my mind since 1987, hence, I cannot be held responsible for this post's content - me
www.elhalf.com
-
September 2nd, 2004, 07:43 PM
#4
el-half, take a look at this site:
http://www.beyondlogic.org/porttalk/porttalk.htm
and see if it helps you. You can d/l a sys driver sample and adapt it for your needs.
Meu sítio
FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
If I die before I sleep, I pray the Lord my soul to encrypt. If I die before I wake, I pray the Lord my soul to brake.
-
September 2nd, 2004, 08:04 PM
#5
Re: Getting in ring 0 on winXp
Originally posted here by el-half
I am writing a program in 16 bit x86 assembly which has to work on NT based systems.
So you are targeting NTVDM then, the NT virtual DOS machine. It only has a subset of DOS functions which are safe to implement in Windows.
Now unlike in win9x, I read one cannot do certain low-level operations in user mode like using int 13h which is exactly what I have to use.
For raw block device access? Use win32 CreateFile with physical devices.
Various sources say to write a virtual device driver (VxD) which then runs in ring 0...
They lie. VXDs are only for the old win9x systems and do not work on WinNT.
To get ring0 in NT you need to write an NT device driver, which is definitely different from a VXD (it's a .sys file, for a start)
Can somebody explain how I get in ring 0 (kernel privileges). A code example of the most simple program with such privileges would be very helpful.
You can't, without writing a NT device driver.
Anyway, I only need to be able to use int 13h.
Surely performing the int13 functions in some other way would be acceptable?
Slarty
-
September 2nd, 2004, 08:07 PM
#6
Originally posted here by el-half
I am overwriting the Master Boot Record.
Only hard drives have a master boot record.
You can do raw disc access to floppies by using CreateFile with the NT raw device names. I don't know exactly what these are, something like \\.\PhysicalDevice\blah\wibble\0. There is some documentation which tell you what these are.
It opens them as block devices, I think you can use readfile and writefile on them. Certainly should work for floppies, not sure about HDs.
Slarty
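An added example (not code from the thread) of the raw block-device route Slarty describes: the NT raw device name is `\\.\PhysicalDrive0`, opened read-only with CreateFile and read with ReadFile, and the parser checks the sector's 0x55AA signature and partition entries so a defender can verify a disk's boot sector rather than write it. The Win32 part assumes 512-byte sectors and an elevated (administrator) token; the constructed sample sector lets the parser run anywhere.

```c
/* Added example, not code from the thread: read sector 0 of the first disk
 * read-only via CreateFile on \\.\PhysicalDrive0 and validate it as an MBR.
 * Win32 part compiles only on Windows; the parser runs on a constructed sector. */
#include <stdint.h>
#include <string.h>

#define MBR_SIZE 512
#define PART_TABLE_OFF 0x1BE          /* four 16-byte partition entries */

struct mbr_info {
    int valid;                        /* 0x55AA boot signature present */
    int active_count;                 /* entries whose boot flag is 0x80 */
    uint8_t type[4]; uint32_t start_lba[4];   /* type byte and start sector per entry */
};

/* Parse a 512-byte sector as a classic MBR; returns 1 when the signature is valid. */
int parse_mbr(const uint8_t *sec, struct mbr_info *out)
{
    memset(out, 0, sizeof *out);
    out->valid = (sec[510] == 0x55 && sec[511] == 0xAA);
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = sec + PART_TABLE_OFF + 16 * i;
        if (e[0] == 0x80) out->active_count++;
        out->type[i] = e[4];
        out->start_lba[i] = (uint32_t)e[8] | (uint32_t)e[9] << 8 |
                            (uint32_t)e[10] << 16 | (uint32_t)e[11] << 24;   /* little-endian */
    }
    return out->valid;
}

/* Constructed sample sector: one active partition, type 0x07, starting at LBA 63. */
void sample_mbr(uint8_t *sec)
{
    memset(sec, 0, MBR_SIZE);
    sec[PART_TABLE_OFF] = 0x80; sec[PART_TABLE_OFF + 4] = 0x07; sec[PART_TABLE_OFF + 8] = 63;
    sec[510] = 0x55; sec[511] = 0xAA;
}

#ifdef _WIN32
#include <windows.h>
/* Open the physical disk as a block device (read-only) and read its first sector.
 * Assumes 512-byte sectors; without an elevated token CreateFile fails with access denied. */
int read_mbr_physical_drive0(uint8_t *sec)
{
    HANDLE h = CreateFileA("\\\\.\\PhysicalDrive0", GENERIC_READ,
                           FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
    if (h == INVALID_HANDLE_VALUE) return 0;
    DWORD got = 0;
    BOOL ok = ReadFile(h, sec, MBR_SIZE, &got, NULL);
    CloseHandle(h);
    return ok && got == MBR_SIZE;
}
#endif
```

Comparing the parsed result (or a hash of the 446-byte boot code) against a known-good baseline is the usual way to detect an unexpected MBR change.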
-
September 3rd, 2004, 03:40 PM
#7
Yah, it was about the first I visited....
Only hard drives have a master boot record.
Lol, I know that obviously. I want to write on a hard disk.
The above sentences are produced by the propaganda and indoctrination of people manipulating my mind since 1987, hence, I cannot be held responsible for this post's content - me
www.elhalf.com
-
September 3rd, 2004, 03:51 PM
#8
and it didn't help you?
some facts I collected:
- to get access to a physical device you should be in ring 0.
- there is no standard service for ring 3 programs to go to ring 0 (if there was, it would be kinda dumb, wouldn't it?)
- the only way is a program in ring 0 calling that service for you or directly changing your ring bit.
- only the kernel and device drivers run in ring 0
- so to get there, you should write a device driver, since you can't write a kernel (you already have one)
- as far as I read, on the site you've already visited, there is a sample .sys driver and a sample program that uses it. I've browsed some files and it doesn't look (too) hard.
what is your concern about that?
Meu sítio
FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
If I die before I sleep, I pray the Lord my soul to encrypt. If I die before I wake, I pray the Lord my soul to brake.
-
September 4th, 2004, 08:43 AM
#9
Yes, but I wonder if you can use int 13 without having to write a device driver.
The sample driver deals with writing a device driver that modifies the I/O permission bitmap. Is this only applicable for having permission to access physical I/O ports?
Or would I also be able to overwrite the Master Boot Record?
Thanks for the help.
The above sentences are produced by the propaganda and indoctrination of people manipulating my mind since 1987, hence, I cannot be held responsible for this post's content - me
www.elhalf.com
-
September 6th, 2004, 01:59 AM
#10
This is a real challenge, since the OS seems to be designed to deliberately prevent it (big security hole). Int 13 only works normally in real mode, before the Windows kernel takes over. Once Windows is up and running, it traps int 13 calls and handles them its own way, not really passing them down to the BIOS as you would hope.
http://computing.net/programming/www...rum/10875.html
It obviously must be possible to write to the MBR from protected mode because viruses do it.
http://www.avp.ch/avpve/bootmult/hare.stm
So it's a matter of getting permission. There's probably an existing driver in the system that can do it. Your prog just needs to know what function to call, and convince the OS that the call is from a "trusted" program.
> Since most users run as admin or an admin equiv user, a virus thus has complete control to the system. Writing to the MBR is as simple as issuing a CreateFile request
http://lists.virus.org/dshield-0109/msg00276.html
I came in to the world with nothing. I still have most of it.