A forum for reverse engineering, OS internals and malware analysis 

 #4187  by R00tKit
 Wed Dec 29, 2010 7:14 pm
Hi,
how can I use sysenter to call a kernel-mode function from user mode (like the native API in NTDLL.DLL)? For example:
Code:
mov eax, 0x47    
sysenter

Or pass another SSDT index in eax!! How do I pass the arguments??
 #4188  by r2nwcnydc
 Wed Dec 29, 2010 8:01 pm
Yes you can. Parameters are passed using edx.

Take a look at ntdll in IDA and you can see how it is done:

Here is NtCreateFile:
Code:
.text:7DE90044                 mov     eax, 52h        ; NtCreateFile
.text:7DE90049                 xor     ecx, ecx
.text:7DE9004B                 lea     edx, [esp+arg_0]
.text:7DE9004F                 call    large dword ptr fs:0C0h
.text:7DE90056                 add     esp, 4
.text:7DE90059                 retn    2Ch
 #4193  by Cr4sh
 Thu Dec 30, 2010 11:51 am
Here is an example of calling NtProtectVirtualMemory from a kernel driver (it can be used in user mode as well):
Code:
// Assumes a global ULONG SDT_NtProtectVirtualMemory holding the SSDT index of
// NtProtectVirtualMemory for the running OS (0 = not resolved).
__declspec(naked) NTSTATUS NTAPI _MyProtectVirtualMemory(
    HANDLE ProcessHandle,
    PVOID *BaseAddress,
    PSIZE_T NumberOfBytesToProtect,
    ULONG NewAccessProtection,
    PULONG OldAccessProtection)
{
    __asm
    {
        cmp     SDT_NtProtectVirtualMemory, 0
        jz      _failed
        mov     eax, SDT_NtProtectVirtualMemory  ; service index
        lea     edx, [esp+4]        ; edx -> first argument (naked: [esp] is the return address)
        int     0x2E                ; legacy system call interface
        retn    0x14                ; stdcall cleanup: 5 arguments * 4 bytes

_failed:
        mov     eax, 0xC0000001     ; STATUS_UNSUCCESSFUL
        retn    0x14
    }
}
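As an added example (not code from the thread), a small Python parser that recovers from the raw bytes of an x86 ntdll-style stub exactly what the two answers describe: the service index loaded into eax, the argument count implied by the retn imm16, and which user-to-kernel transition the stub uses (int 2Eh as in Cr4sh's stub, the SharedUserData system-call pointer, or the WOW64 call through fs:[0C0h] as in the NtCreateFile listing). The first sample is a byte-for-byte encoding of the NtCreateFile listing from r2nwcnydc's post; the other two stubs are constructed.

```python
import struct
from typing import Dict, Optional

# Constructed sample stubs (raw x86 bytes), not dumped from a real ntdll.
# The first is a byte-for-byte encoding of the NtCreateFile listing in the thread.
SAMPLES = {
    "NtCreateFile (listing from the thread)": bytes.fromhex(
        "B852000000"      # mov  eax, 52h            ; service index
        "33C9"            # xor  ecx, ecx
        "8D542404"        # lea  edx, [esp+4]        ; edx -> first argument
        "64FF15C0000000"  # call dword ptr fs:[0C0h] ; WOW64 transition
        "83C404"          # add  esp, 4
        "C22C00"          # retn 2Ch                 ; 11 arguments * 4 bytes
    ),
    "constructed XP-style stub": bytes.fromhex(
        "B847000000"      # mov  eax, 47h
        "BA0003FE7F"      # mov  edx, 7FFE0300h      ; SharedUserData SystemCall pointer
        "FF12"            # call dword ptr [edx]     ; KiFastSystemCall (sysenter) or KiIntSystemCall
        "C21400"          # retn 14h                 ; 5 arguments
    ),
    "constructed legacy int 2Eh stub": bytes.fromhex(
        "B847000000"      # mov  eax, 47h
        "8D542404"        # lea  edx, [esp+4]
        "CD2E"            # int  2Eh
        "C21400"          # retn 14h
    ),
}

# Byte signatures of the user->kernel transition, checked in order.
TRANSITIONS = [
    (bytes.fromhex("64FF15C0000000"), "wow64 call fs:[0C0h]"),
    (bytes.fromhex("BA0003FE7FFF12"), "call [7FFE0300h] (SharedUserData SystemCall)"),
    (bytes.fromhex("0F34"), "sysenter"),
    (bytes.fromhex("CD2E"), "int 2Eh"),
]

def parse_stub(stub: bytes) -> Optional[Dict[str, object]]:
    """Decode 'mov eax, imm32' ... 'retn imm16' into service index, argument
    count (stack bytes / 4) and transition mechanism; None if not a stub."""
    if len(stub) < 8 or stub[0] != 0xB8 or stub[-3] != 0xC2:
        return None
    index = struct.unpack_from("<I", stub, 1)[0]                      # imm32 of mov eax
    stack_bytes = struct.unpack_from("<H", stub, len(stub) - 2)[0]   # imm16 of retn
    mechanism = next((name for sig, name in TRANSITIONS if sig in stub), "unknown")
    return {"index": index, "argc": stack_bytes // 4, "mechanism": mechanism}

if __name__ == "__main__":
    for name, stub in SAMPLES.items():
        print(f"{name}: {parse_stub(stub)}")
```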