While reading the VxD tutorials, I noticed it says it only works on Win 9x. This raises the question: how can I execute code in Ring 0 on Windows 2000 (or any other NT)?

More specifically, I am looking to execute cli and sti on an 8086-based CPU. While I could do this from DOS or without an OS at all, the true challenge is in making it work on NT. This will earn me some major credit in the "operating systems" class I am currently enrolled in.

Thanks,
- Fahr
Posted on 2005-02-18 02:41:37 by Fahr
http://www.assembly-journal.com/viewissue.php
"Kernel Mode Driver Tutorial for MASM32 Programmers", Part 1: The Basics (abstract)
by Four-F
Posted on 2005-02-18 03:10:31 by dcskm4200
Cool! thanks :)

I'll take a look and let you know the outcome :)
Posted on 2005-02-18 03:39:15 by Fahr
KMDKIT v 1.8
http://www.freewebs.com/four-f/
Posted on 2005-02-18 11:18:30 by Opcode
In particular, it was the same Opcode who posted in this forum that nice driver which allows CLI and STI instructions from an application!
Look at http://www.win32asmcommunity.net/board/viewtopic.php?t=18859

Regards, bilbo
Posted on 2005-02-22 04:44:21 by bilbo
Oops :-D
This is true.
Sorry for the incomplete answer.

Thanks, bilbo
Posted on 2005-02-22 16:02:02 by Opcode
Sorry for the late reply, I suddenly stopped receiving notifications and thought the thread was dead...

Anyway, thanks for that code, Opcode :) It's really convenient, especially since it allows for execution of ALL privileged instructions. In my mind I already built a framework of a driver that would execute cli, then run a higher layer callback in driver space and then issue sti. This is much more convenient.

One question though; the driver is loaded with that separate load program that also requires some DLLs. Is it not possible to load the driver from the app that needs it and unload when terminating? That would require only 2 files (the app and the driver), whereas the current solution requires at least 4 (app, driver, loader, loader dll).

Just wondering.

Thanks,
- Fahr
Posted on 2005-04-07 03:06:31 by Fahr
Hi Fahr,

At the time I wrote the code, I was using the Schreiber w2k_load tool from
http://www.orgon.com/w2k_internals/cd.html.
This tool requires a DLL.
BTW, this book is very good for those who are interested in kernel programming.

But you can use the excellent KmdManager tool created by Four-F.
Get it from kmdkit10.zip at:
http://www.website.masmforum.com/tutorials/kmdtute/
KmdManager doesn't need a DLL to run.

Regards,
Opcode
Posted on 2005-04-07 06:46:56 by Opcode
Hi Opcode,

Thanks for the quick reply. I already figured I needed the tool and DLL (in fact, I already got the entire thing working). I guess what I'm really asking is; would it be possible to load the driver from my own code WITHOUT an external tool?

Thanks,
- Fahr
Posted on 2005-04-07 07:58:22 by Fahr

would it be possible to load the driver from my own code WITHOUT an external tool?

Yes, and it's not very hard - it just requires that you call the SCM. I'm attaching a zip with my Ring3MSR driver, it has code that interfaces with the SCM. It's in C, but it should be easy to translate to assembly. You might also be interested in studying the driver, it handles IOCTL and such.
Attachments:
Posted on 2005-04-07 09:29:51 by f0dder
Hi,

Fahr:
The attachment has an example 100% coded in assembly.

f0dder:
Very nice, your article about the CPUID instruction on AMD boxes.

Regards,
Opcode
Attachments:
Posted on 2005-04-07 11:35:38 by Opcode
Thank you both for the sources. I think I'm going to go with the C one, it seems slightly more convenient to code the upper level app in C.

Also, Opcode, your source is limited to execution on WinXP. I run Win2K, I haven't tested if it also works on 2K, but I'm thinking not.
It seems that, to be able to run it on all NT OSs, you have to invoke the SCM (correct me if I'm wrong).

I guess I'm going to play around a bit. Considering the nature of Opcode's driver, do I still need to create that file to interface with the driver? I'm thinking no, since it reacts on an interrupt...

Thanks,
- Fahr
Posted on 2005-04-07 12:02:24 by Fahr
Hi,

The attachment that I sent you is made to run only on XP boxes because
it is a program very specific to Windows XP.

But the way the program installs the driver is the same for Windows 2K.

Take a look at the Four-F tutorials to learn more about the SCM:
http://www.website.masmforum.com/tutorials/kmdtute/

Regards,
Opcode
Posted on 2005-04-07 12:17:28 by Opcode
The same for Win2K? But I scanned your sources and couldn't find anything about the SCM?

Maybe I'm blind? :P Does your source use SCM to install the driver or not?

- Fahr
Posted on 2005-04-07 13:00:34 by Fahr
Yes, it uses SCM to install the driver.

In EXE\getvar.asm:

BeginProcessing proc hDlg:HWND
    LOCAL stPathBuffer[MAX_PATH]:CHAR   ; full path of getvar.sys (a bare CHAR would make sizeof = 1)
    LOCAL lpFilePart:DWORD
    LOCAL hService:HANDLE
    LOCAL hSCManager:HANDLE
    LOCAL _ss:SERVICE_STATUS

    ; connect to the Service Control Manager (needs administrator rights)
    invoke OpenSCManager, NULL, NULL, SC_MANAGER_ALL_ACCESS
    .if eax != NULL
        mov hSCManager, eax
        ; the SCM wants an absolute path to the .sys file
        invoke GetFullPathName, $CTA0("getvar.sys"), sizeof stPathBuffer, \
               addr stPathBuffer, addr lpFilePart
        ; register the driver as a demand-start kernel service
        invoke CreateService, hSCManager, $CTA0("getvar"), $CTA0("Getvar module"), \
               SERVICE_START + SERVICE_STOP + DELETE, SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, \
               SERVICE_ERROR_IGNORE, addr stPathBuffer, NULL, NULL, NULL, NULL, NULL
        .if eax != NULL
            mov hService, eax
            ; StartService loads the .sys and runs its DriverEntry
            invoke StartService, hService, 0, NULL
            .if eax != NULL
                invoke IOCTLcenter, hDlg        ; talk to the driver while it is loaded
                ; stop it (runs DriverUnload) before deleting the service entry
                invoke ControlService, hService, SERVICE_CONTROL_STOP, addr _ss
            .else
                invoke MessageBox, NULL, $CTA0("StartService failed"), \
                       $CTA0("Process Hunter"), MB_OK + MB_ICONSTOP
            .endif
            invoke DeleteService, hService
            invoke CloseServiceHandle, hService
        .else
            invoke MessageBox, NULL, $CTA0("Can't register driver. CreateService failed"), \
                   $CTA0("GetVar"), MB_OK + MB_ICONSTOP
        .endif
        invoke CloseServiceHandle, hSCManager
    .else
        invoke MessageBox, NULL, $CTA0("Can't connect to Service Control Manager."), \
               $CTA0("GetVar"), MB_OK + MB_ICONSTOP
    .endif

    ret
BeginProcessing endp



Cheers,
Opcode
Posted on 2005-04-07 13:40:02 by Opcode
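The SCM sequence that f0dder describes and Opcode's getvar.asm shows (create service, start, use, stop, delete), written out as an added C example. This is not code from the thread or from either author's attachment; the driver file name getvar.sys and service name getvar are taken from Opcode's snippet, while the callback ring0_work, the function with_driver and the in-memory stand-in for the advapi32 calls used on non-Windows hosts are assumptions made here for illustration and offline testing. It goes beyond the posted snippet in handling a service entry left behind by an earlier crash and a driver that is already running.

```c
/* Added example, not code from the thread or from any attachment: load a
 * kernel driver from the client program itself through the Service Control
 * Manager, run a callback while it is resident, then stop and delete it.
 * Same call sequence as Opcode's getvar.asm, plus two cases that code does
 * not handle: a stale service entry (ERROR_SERVICE_EXISTS) and a driver that
 * is already running.  On Windows build with MSVC or MinGW and run elevated.
 * On other hosts a small in-memory stand-in for the advapi32 calls
 * (constructed here only so the control flow can be tested) is compiled. */
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
#else /* ---- constructed test double, not the real Windows API ---- */
typedef unsigned long DWORD; typedef int BOOL; typedef void *SC_HANDLE;
typedef struct { DWORD dwCurrentState; } SERVICE_STATUS;
enum { ERROR_SERVICE_EXISTS = 1073, ERROR_SERVICE_ALREADY_RUNNING = 1056,
       SERVICE_CONTROL_STOP = 1, SC_MANAGER_CREATE_SERVICE = 2,
       SERVICE_ALL_ACCESS = 0xF01FF, SERVICE_KERNEL_DRIVER = 1,
       SERVICE_DEMAND_START = 3, SERVICE_ERROR_NORMAL = 1 };
static DWORD g_err; static int g_exists, g_running;   /* fake SCM state */
static DWORD GetLastError(void) { return g_err; }
static SC_HANDLE OpenSCManagerA(const char *m, const char *db, DWORD acc)
{ (void)m; (void)db; (void)acc; return (SC_HANDLE)1; }
static SC_HANDLE CreateServiceA(SC_HANDLE h, const char *n, const char *d,
    DWORD acc, DWORD type, DWORD start, DWORD ec, const char *bin,
    const char *grp, DWORD *tag, const char *dep, const char *u, const char *p)
{ (void)h; (void)n; (void)d; (void)acc; (void)type; (void)start; (void)ec;
  (void)bin; (void)grp; (void)tag; (void)dep; (void)u; (void)p;
  if (g_exists) { g_err = ERROR_SERVICE_EXISTS; return NULL; }
  g_exists = 1; return (SC_HANDLE)2; }
static SC_HANDLE OpenServiceA(SC_HANDLE h, const char *n, DWORD acc)
{ (void)h; (void)n; (void)acc; return g_exists ? (SC_HANDLE)2 : NULL; }
static BOOL StartServiceA(SC_HANDLE h, DWORD argc, const char **argv)
{ (void)h; (void)argc; (void)argv;
  if (g_running) { g_err = ERROR_SERVICE_ALREADY_RUNNING; return 0; }
  g_running = 1; return 1; }
static BOOL ControlService(SC_HANDLE h, DWORD ctl, SERVICE_STATUS *st)
{ (void)h; (void)ctl; st->dwCurrentState = 1; g_running = 0; return 1; }
static BOOL DeleteService(SC_HANDLE h) { (void)h; g_exists = 0; return 1; }
static BOOL CloseServiceHandle(SC_HANDLE h) { (void)h; return 1; }
#endif

/* Register the driver, or reopen the entry if a previous run left one behind. */
static SC_HANDLE create_or_open(SC_HANDLE scm, const char *name, const char *sys_path)
{
    SC_HANDLE svc = CreateServiceA(scm, name, name, SERVICE_ALL_ACCESS,
                                   SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START,
                                   SERVICE_ERROR_NORMAL, sys_path,
                                   NULL, NULL, NULL, NULL, NULL);
    if (svc == NULL && GetLastError() == ERROR_SERVICE_EXISTS)
        svc = OpenServiceA(scm, name, SERVICE_ALL_ACCESS);
    return svc;
}

/* Load the driver at sys_path (an absolute path), call body() while it is
 * resident, then unload and delete the service.  Returns 0 on success or
 * the number of the SCM step that failed. */
int with_driver(const char *name, const char *sys_path, void (*body)(void))
{
    SERVICE_STATUS st;
    SC_HANDLE svc;
    int rc = 0;
    SC_HANDLE scm = OpenSCManagerA(NULL, NULL, SC_MANAGER_CREATE_SERVICE);
    if (scm == NULL) return 1;                 /* usually: not running elevated */

    svc = create_or_open(scm, name, sys_path);
    if (svc == NULL) { rc = 2; goto out_scm; }

    /* A driver that is already loaded (say from an earlier run) is fine. */
    if (!StartServiceA(svc, 0, NULL) &&
        GetLastError() != ERROR_SERVICE_ALREADY_RUNNING) { rc = 3; goto out_svc; }

    if (body) body();

    /* Stop first so DriverUnload runs; DeleteService alone only marks the
     * entry for deletion and leaves the .sys resident until reboot. */
    if (!ControlService(svc, SERVICE_CONTROL_STOP, &st)) rc = 4;
    if (!DeleteService(svc)) rc = 5;
out_svc:
    CloseServiceHandle(svc);
out_scm:
    CloseServiceHandle(scm);
    return rc;
}

#ifdef _WIN32
static void ring0_work(void)             /* assumed: DeviceIoControl calls go here */
{ puts("driver loaded; talk to it via DeviceIoControl here"); }

int main(void)
{
    char full[MAX_PATH];
    int rc;
    GetFullPathNameA("getvar.sys", sizeof full, full, NULL);   /* driver beside the exe */
    rc = with_driver("getvar", full, ring0_work);
    printf("with_driver -> %d\n", rc);
    return rc;
}
#endif
```

Two files are enough with this approach (the exe and getvar.sys), which is what the question asked for. The reason for the ERROR_SERVICE_EXISTS branch is practical: if the app dies between StartService and DeleteService, the service entry stays in the registry, and a plain CreateService on the next run fails forever until someone removes it by hand. Note that OpenSCManager with SC_MANAGER_CREATE_SERVICE only succeeds for an administrator, so the client itself must run elevated; this is the same requirement the external loader tools have, just moved into your own code.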
Ah, I must be blind indeed :P

Anyway, I already rewrote f0dder's wrapper to load your driver from C. I don't open the file, I just call the interrupt from an __asm block.

Thanks a bunch guys, you've really been a great help! :) If anyone's interested, in my attempts I've created some other amazingly useful programs which I would like to call "BSOD-on-command" and "freeze-on-command". If anyone's interested, let me know :P

Thanks again,
- Fahr
Posted on 2005-04-07 14:09:19 by Fahr