Hi,

Inspired by this thread in another forum, I created
a Windows 2000/XP/2k3 device driver that will allow
user-mode programs to execute the CLI and STI instructions.

The device driver will create an entry in the IDT for the interrupt 0EDh.
If a user-mode program executes:
int 0edh

the interrupt handler will change the IOPL flag of the
user-mode program to be equal to 3, allowing the program to
execute IO-sensitive instructions like CLI and STI.

Now you can profile your code without being interrupted!

Guidelines:
01. Always load the driver by executing the load.bat in the bin folder.
02. Never execute the int 0edh instruction after you have unloaded the driver
with unload.bat (you will need to run load.bat again).
If you run it after the driver was loaded and unloaded, you will get
a beautiful BSOD :grin:
03. Don't forget to execute STI if you don't want your code to freeze.
04. Take care with the IN/OUT instructions; I'm not responsible
for any damage.

To compile the source, use MASM v8 and
the Four-F KMD Kit.

Just for fun, if you want to freeze your system:


int 0edh
cli
jmp $


Report any bugs in to this thread, please.

Regards,
Opcode
Posted on 2004-07-13 07:22:14 by Opcode
Sorry,

For load.bat to execute, it will need the w2k_load.exe of Sven Schreiber.
But the package is incomplete.
It needs the correct DLLs (w2k_lib.dll).
The whole package is attached.
Extract it in %WINDIR%\System32.

Regards,
Opcode
Posted on 2004-07-13 10:31:42 by Opcode
Opcode, thank you. I liked four-f's example in his tutorial (#2?) where he used the IN/OUT privileged instructions, but this is much more "interesting" to say the least, and a lot easier to comprehend as well. Thanks for your work.
Posted on 2004-07-13 16:54:43 by archphase

Opcode, thank you. I liked four-f's example in his tutorial (#2?) where he used the IN/OUT privileged instructions, but this is much more "interesting" to say the least, and a lot easier to comprehend as well. Thanks for your work.


yes thank you Opcode.
Posted on 2004-07-13 20:09:15 by mark_larson
I'm glad to see that the device driver is useful to someone. :grin:

Regards,
Opcode
Posted on 2004-07-14 06:45:45 by Opcode
Great stuff!! But disabling interrupts in WinNT/2k for a longer time is dangerous, isn't it?
Posted on 2004-08-17 22:52:26 by optimus
I hope not :grin:

But I avoid calling the interrupt when my box is connected to some network
or while it is executing some important hard disk operation.

If you find any bug or problem, send me a PM.

Regards,
Opcode
Posted on 2004-08-18 06:28:47 by Opcode
Sorry,

For load.bat to execute, it will need the w2k_load.exe of Sven Schreiber.
But the package is incomplete.
It needs the correct DLLs (w2k_lib.dll).
The whole package is attached.
Extract it in %WINDIR%\System32.

Regards,
Opcode


Howdy Opcode, your download zip is corrupt :(

MATRIX
Posted on 2004-09-29 19:08:27 by >Matrix<
Hi >Matrix< ,

This iopl_module.zip was fixed. Make sure the MD5sum of your zip is
75d6a89eb25bd13ed31e5c6d272a81d0.

The original w2k_internals.zip you can get at http://www.orgon.com/w2k_internals/w2k_internals.zip

Please notify me of any questions.

Regards,
Opcode
Posted on 2004-09-30 22:14:15 by Opcode
Thanks,
but there are weird differences between the two files; you might wanna take a look.

The first one is an inserted dash.

MATRIX
Posted on 2004-10-01 05:44:46 by >Matrix<
The w2k_internals.zip attachment was updated.

Regards,
Opcode
Posted on 2004-10-01 23:55:16 by Opcode
It's not loading on my Windows XP.
Any way to fix this?
Posted on 2004-11-14 15:40:05 by pwn
What is the error message after running the load.bat file ?
Posted on 2004-11-14 15:48:49 by Opcode
Loading "C:\masm32\code\w2k_internals" ... ERROR
I used the w2k_load.exe from the complete package.

But now I downloaded the iopl module too, and ran load.bat from there, and it worked. So my bad; I just thought it would be inside the w2k_internals package.
Posted on 2004-11-14 19:16:59 by pwn
No problem :alright:

Regards,
Opcode
Posted on 2004-11-14 19:28:19 by Opcode
OK, I'm using the driver and getting a BSOD when I try to access memory.
This is very peculiar, because when I push and pop it has no problems.
Other than that it works well, just for usual opcodes that don't access memory.
I'm using Windows XP Pro + hotfixes (with no service packs).
I successfully load the driver with load.bat and get it working.
The crashes are quite nasty, usually resulting in file corruption and sometimes total file loss.
The following program crashes on my box:



.586
.model flat, stdcall
.data
temp dd 0              ; lives in .data, which is demand-paged in on first touch

.code
_start:

int 0edh               ; driver raises IOPL to 3
mov edx, offset temp
cli                    ; interrupts off
mov [edx], eax         ; first touch of the .data page: page fault with interrupts disabled
sti
ret                    ; returning from the entry point ends the process

end _start
Posted on 2004-11-15 03:43:50 by pwn
This version, without the cli and sti, will work fine.
I'm not a memory wiz, but I'm assuming it needs interrupts to map the offset address to the actual memory address where the data is, because I know different processes run under the 401000 memory address, but the memory mapper maps data to the actual process memory by the process context.
Anyway, that pretty much defeats the point of benchmarking with interrupts disabled (cli) if you can't access memory at all. It's going to be a pretty hard task to do anything.



; same program as above, with the cli/sti pair removed
int 0edh               ; driver raises IOPL to 3
mov edx, offset temp
mov [edx], eax         ; page fault is now serviced normally, so no crash
ret
Posted on 2004-11-15 03:51:45 by pwn
Hi pwn,

You are correct!
The data section is initially not present in memory.
When your code tries to access it, it will trigger a page fault exception
that is handled by the KiTrap0E function.

The solution is simple: access your variables before the beginning
of the profiled code.

This code will FAIL:




.586
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
include \masm32\macros\macros.asm      ; provides $CTA0
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib

;==========
; DATA
;==========
.data
resultstr db 64 dup(0)   ; buffer for the wsprintf output (a single dd is too small)
test1 dd 0aabbccddh
test2 dd 0deadbeefh

;==========
; CODE
;==========
.code
start:

int 0edh          ; ask the driver to raise IOPL to 3

nop
cli               ; interrupts off: a page fault from here on ends in a crash
rdtsc
mov ebx, eax      ; low 32 bits of the start timestamp
rdtsc             ; note: rdtsc also clobbers edx

mov edx, test1 ; <-- Page fault here: the .data page is not present yet
mov edx, test2
sub eax, ebx      ; elapsed cycles (low 32 bits)
sti
nop

invoke wsprintf, addr resultstr, $CTA0("%08Xh clock cycles"), eax
invoke MessageBox, NULL, addr resultstr, $CTA0("Opcode IOPL hack"), MB_OK

invoke ExitProcess, 0
end start


And this code will work without problems:


.586
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
include \masm32\macros\macros.asm      ; provides $CTA0
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib

;==========
; DATA
;==========
.data
resultstr db 64 dup(0)   ; buffer for the wsprintf output (a single dd is too small)
test1 dd 0aabbccddh
test2 dd 0deadbeefh

;===========
; CODE
;===========
.code
start:

mov edx, test1 ; Accessing the data section before trying to use it
mov edx, test2 ; This will make the memory present

int 0edh          ; ask the driver to raise IOPL to 3

nop
cli
rdtsc
mov ebx, eax      ; low 32 bits of the start timestamp
rdtsc             ; note: rdtsc also clobbers edx
mov edx, test1    ; page already present, no fault
mov edx, test2
sub eax, ebx      ; elapsed cycles (low 32 bits)
sti
nop

invoke wsprintf, addr resultstr, $CTA0("%08Xh clock cycles"), eax
invoke MessageBox, NULL, addr resultstr, $CTA0("Opcode IOPL hack"), MB_OK

invoke ExitProcess, 0
end start


Thanks for pointing out this problem.

Regards,
Opcode
Posted on 2004-11-15 09:44:44 by Opcode
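Added example (not code from this thread or from Opcode's driver) that turns two points of the thread into checks a program can run before a CLI/STI timing region: guideline 02's warning that CLI is only safe once the driver has actually set IOPL to 3, and Opcode's fix above of touching the .data pages before interrupts are disabled. It assumes a GCC/Clang build on x86; the rdtsc timing itself is left out so it builds anywhere.

```c
/* Added example, not code from the thread. (1) read the IOPL field of
 * EFLAGS (bits 12-13) so a program only executes CLI/STI when IOPL really
 * is 3; (2) touch every page of a buffer before the timed CLI region,
 * which is Opcode's fix for the page fault pwn reported. */
#include <stddef.h>
#include <stdint.h>

#define EFLAGS_IOPL_SHIFT 12u
#define EFLAGS_IOPL_MASK  (3u << EFLAGS_IOPL_SHIFT)

/* Extract the I/O privilege level (0..3) from an EFLAGS image. */
unsigned iopl_from_eflags(uint32_t eflags)
{
    return (eflags & EFLAGS_IOPL_MASK) >> EFLAGS_IOPL_SHIFT;
}

/* Read the current thread's EFLAGS with PUSHF/POP; 0xFFFFFFFF when not on x86. */
uint32_t read_eflags(void)
{
#if defined(__i386__) || defined(__x86_64__)
    uintptr_t flags;
    __asm__ volatile("pushf\n\tpop %0" : "=r"(flags) : : "memory");
    return (uint32_t)flags;
#else
    return 0xFFFFFFFFu;
#endif
}

/* 1 only if CLI/STI would be legal here: ring 3 code needs IOPL == 3.
 * A normal process sees IOPL 0, which is why a bare CLI faults. */
int can_use_cli(void)
{
    uint32_t f = read_eflags();
    return f != 0xFFFFFFFFu && iopl_from_eflags(f) == 3;
}

/* Touch one byte per page (read + write back) so the pages are present
 * before interrupts are disabled; returns the number of pages touched.
 * This is the C counterpart of the "mov edx, test1" warm-up reads above. */
size_t prefault(void *buf, size_t len, size_t page_size)
{
    volatile uint8_t *p = (volatile uint8_t *)buf;
    size_t touched = 0;
    for (size_t off = 0; off < len; off += page_size) {
        p[off] = p[off];
        touched++;
    }
    return touched;
}
```

Call can_use_cli() right after int 0edh and skip the timing run when it returns 0; call prefault() on every buffer the timed code will read or write.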
The source and binary can be downloaded here:
http://www.bitrake.com/phpBB2/viewtopic.php?p=447#447

Regards,
Opcode
Posted on 2004-12-07 07:17:22 by Opcode
Is there a reason that you wrote a driver to do this rather than using the ProcessUserModeIOPL(16) PROCESSINFOCLASS with NtSetInformationProcess? The primary difference would seem to be that the approach you are using does not require SeTcbPrivilege, though I may be missing something.
Posted on 2004-12-08 08:32:34 by nohaven