Hello,

I'd like to change some program code bytes dynamical from my VxD. How do I do this ? I could supply my VxD with an address via the input buffer, but isn't this dangerous, because when the context changes, the address might become invalid. So, my question is, how do I change bytes from Ring 0 in a specific Ring 3 program segment ?
Posted on 2002-01-23 11:44:01 by _dante_
hi,

here a text-tutor (and include some example) about ring0-3. but i dont sure,
Posted on 2002-01-23 17:07:20 by CYDONIA
i found other text (html) about your answers . this text from old Ichelion w32asm forum [ http://hiroshimator.dyndns.org/ ]

have nice day,

CYDONIA
Posted on 2002-01-23 17:34:54 by CYDONIA
How about getting current process handle and compare?
and if need be simply switch context :=)

/me waves to f0dder btw
Posted on 2002-01-24 07:57:54 by NoodleSpa
NOODLEs! :D :D :D.
Posted on 2002-01-24 08:07:44 by f0dder
Thanks for the help, guys, but it's still not quite working.
I tried to alter the program code from form within my KMD in the following way: I supplied an input and output buffer, method_buffered, in the deviceiocontrol parameters. This buffer would be the address at which I would like to change some bytes. In my KMD I then read the system buffer and write back the bytes to it.

After the IO operation completed, the bytes in my program were indeed succesfully changed. BUT the problem here is that it only works if I specify a buffer that contains data ! If I supply a buffer address that contains program code, my KMD refuses to work and give me error message 998.

I then tried to do it another way. I hand over the code address I want to change via the input buffer to my KMD. Then in my KMD I read out the system buffer and DIRECTLY alter this address from within my KMD. So, in my KMD I do:

ASSUME EDI : PTR _IRP
MOV ebx, .SystemBuffer ;sys buffer contains my code address
MOV byte PTR , 90 ; write a NOP to the program code

This works ok. Problem here is that I'm afraid that window might swap my program code out of memory, just before my KMD tries to alter the program code, which might result in a serious error. Is this possible and if so, what do I do to prevend this from happening ?

Thanks in advance,
dante
Posted on 2002-01-25 07:57:18 by _dante_
What about setting up an exception handler to catch possible faults?
Also, I believe there are a set of functions to verify whether you
can read/write to an address or not. Darn, never messed much with
KMDs, as I have a strong dislike of 2k BSODs, and booting takes
so long time ;-P.
Posted on 2002-01-25 08:17:23 by f0dder
I just tested my previous method again and found out that this didnt' work either ! I tested it with a data address and this worked ok, but again, if I try to alter PROGRAM code, win NT crashes !! How is this possible ? I thought that in Ring 0 EVERYTHING was allowed and now NT crashes if I try to change program code ???
Posted on 2002-01-25 08:20:53 by _dante_
This does sound pretty weird. I'm afraid I can't help you here, it's
beyond my experience. Time for some heavy NTDDK reading? :).
Posted on 2002-01-25 08:31:02 by f0dder
Your problem is called memory protection.
code sections are not writable, you have to alter the protection of the memory page you wish to write to.
Windows supplies you with a nice way of doing this, you can choose to either Open the process for writing, or you can simply modify the protection flags with VirtualProtect(Ex) (api)
Not everything is allowed is ring 0, basically all you have access to is driver code and high memory areas and the full instruction set.
Memory protection on page level is still enforced regardless of protection ring.
You can however disable page level protection by clearing the write protect bit in cr0 but thats not really recommended since it will also override copy-on-write and blah blah blah.
Im not going to go on about this since im no longer a programmer

/me waves to f0dder again

P.S computers are boring and stupid
Posted on 2002-01-25 11:42:31 by Noodles
Hey, thanx Noodles, didn't know that ! You just made my day :-) I thought that EVERYTHING was allowed in ring0, I know, that sounded to good to be true :-)
Posted on 2002-01-25 13:16:34 by _dante_
Youre welcome, happy to be of service.
Actually you could say that everything is allowed from ring 0
but not blindly, code running at highest privilge can do basically anything but it has to be done properly.
I hope its working for you now and if you have any questions i will happily try to answer them to the best of my ability.

http://www.cellsalive.com/phage.htm :=))))
Posted on 2002-01-26 04:59:18 by Noodles