obtain sysenter msr 176 address

#10339 by madaboo
Tue Dec 13, 2011 3:11 pm

Hi,

Any ideas how to obtain SYSENTER_EIP_MSR (unexported nt!kiFastCallEntry) in kernel module?
Only way I see is to attach to user process, call any zw api then get call stack and tkae address of kitrap - however I'm not sure if it can work?
Any ideas guys?

Thanks!

Username

madaboo

Posts

Joined

Sun Aug 21, 2011 8:32 am

Re: obtain sysenter msr 176 address

#10343 by rkhunter
Tue Dec 13, 2011 4:19 pm

Code: Select all

mov ecx, 176h
rdmsr

EAX -> address (KiFastCallEntry on clean system). Look Intel Manuals - rdmsr instruction, vol 2B as i remember at
http://www.kernelmode.info/forum/viewto ... f=13&t=994

Username

rkhunter

Posts

1156

Joined

Mon Mar 15, 2010 12:51 pm

Location

Russian Federation

Contact

Re: obtain sysenter msr 176 address

#10345 by madaboo
Tue Dec 13, 2011 4:24 pm

rkhuner.. Yeah I know I can do it like this .. but I'm looking for C/C++ solution without asm..
but maybe there is no such solution?

Thanks a lot anyway!

Username

madaboo

Posts

Joined

Sun Aug 21, 2011 8:32 am