Have anyone got to ring0 in XP maybe even gave it his own name... I need to get to the lowest level POSSIBLE in XP and 2000 and do some work from there. I don't know much about KMD and Drivers. I want to hook some api's at a low level in those OS so that my stuff will work for it and 9x too.

Could someone point me in the right direction so that i can start my studys from that point and not waist my time barking up the wrong tree thinking i was there when i really was not. KMD or Drivers or are they all the same. Is there some other deep ring that can be had.

Also what is the big deal about MS not allowing Ring0 in all OS... I thought OS was suppose to be build with programmer in mind. Don't seem fair to me from a programmer point of view.

Thanks
Posted on 2002-09-07 22:31:22 by cmax
The reason is one of protection. No program should be able to crash your program and your program shouldn't be able to crash other programs. The system should keep running no matter what an application does. I advise against trying to access ring0 from an application - that level of access is forbiden by design.
Posted on 2002-09-07 22:38:26 by bitRAKE
But don't they think that some of the programmers out here can be resposible enoght to see to it that that don't happen. There are some super programmers ( expecially from the dos days ) better that the OS itself out here if they are not all dead yet... But i do totally understand your point. there more A** Holes than PRO's
Posted on 2002-09-07 23:01:09 by cmax
cmax, the rule is simple: if you program for a certain OS, you'll need to obey the rules of that OS. If you don't want this, you'll have to write your own OS :)
Windows says you shouldn't use ring0 in normal applications, so you don't. This has good reasons. Programs running in ring0 can crash the whole system and have much more rights than normal programs. You might say that good programmer's can handle it safely but it would still break the OS rules then.
Ring0 access was possible in win9x due to a bug, in NT no such bug has been found AFAIK. But even if it is found, it's still a bug and will be patched in the next service pack so you can't rely on it.

btw, what do you need ring0 for?

Thomas
Posted on 2002-09-08 03:55:39 by Thomas


Ring0 access was possible in win9x due to a bug, in NT no such bug has been found AFAIK. But even if it is found, it's still a bug and will be patched in the next service pack so you can't rely on it.


Lol, that should read:

in XP no such bug has been found.

Was a couple in NT along the way, but as you said, all patched. None in XP yet, or people are holding on to their findings ;)

Fake
Posted on 2002-09-08 04:33:34 by Fake51
; Here is a driver and loader that works in 2000.
; But I have been told that my fourth function does not
; work in XP because Microsoft did away with ZwGetTickCount
; in ntdll.lib and........
; also, after you call the fourth call twice you get the BSOD in XP
; take out the * to download
; h*ttp://freehafer.tripod.com/zip/zaspekerd.zip
Posted on 2002-09-08 09:33:30 by roaknog
Thanks Mr. Thomas

I forgot about that... So Ring0 was only a crack on 95 .... It do make since that an OS should be design like that or anyone could just go in and mess things up. But it would have been nice if we could have some say so about what our app can run with,but most impotantly, what we don't want our app to run with ....

I just stick to seeking infomation about Drivers. But That exactly why i want to go to ring0 to turn of another app namly anything that try dump me for starters. Also please excuse my bad lang, i been piss of for the pass few days trying to study difference things that can be done all in a day. But it is fun trying and learning new things. It's another world.

roaknog zaspekerd is going to be very interesting to get into. Thanks a lot
Posted on 2002-09-08 10:42:30 by cmax
I recently read about a massive security hole in all versions of windows. It should be fairly simple to exploit to get at least "system" level access on NT/XP. It involves how messages are passed between programs. For instance if you send a bogus wm_timer message to an app that is running as system with your own fake timer proc address code execution will just jump to that address, and run with whatever priveleges that app had. The good/bad news is that the hole is theoretically unpatchable without requiring a mass rewrite of all win32 api code, and is cross platform. There are a ton of other api's that are exploitable with fake messages in this way. Microsoft says they are working on a fix but it is most people there's opinion that it cannot be fixed with anything less than palladium.So I think you can count on it not being fixed soon. Here is a link ...
http://security.tombom.co.uk/shatter.html
Use it wisely :cool: Although I doubt anyone else will. Its the end of windows security as we know it :)
Posted on 2002-09-08 12:50:02 by emonk
"foon" is "fool" misspelt. Fame-seeking linux retard. Problem is very easy
to avoid in your own apps (not that it will matter unless you're stupid enough
to not split up services and their interfaces), and the WM_TIMER can even be
patched rather easily, most likely without breaking any existing app. As alway,
http://f0dder.has.it ;) It's under articles and "Evil WM_TIMER... and workarounds".

If you want ring0 (which you most likely have no business with, cmax), you'll
need to do it from a vxd (9x) or KMD (NT). Anything else is a stupid hack.
KMDs (thank whatever_deity) requires administrator (or better) privileges,
with very good reasons.

There's been various hacks to achieve admin status from a nonprivileged
user (like the upnp stuff in XP), but don't depend on any of them... or better
yet, do, so your ring0 app will fail. Applications using ring0 without very good
reasons should be left to whither and die. No, "protection" is not a valid reason,
as it will be 0wned anyway, and only leave inconveniences for the end-user.
Posted on 2002-09-08 13:01:51 by f0dder
You have a Great Site f0dder,

There are only two things i want to stop and that is getting dump and getting debug and thats it. I don't care about other stuff, just theses two things. I am not out to interfer with the End_Users Programs in any way unless they attempt to mess with me. If so, I chosse to simply turn them off. And thats it... That can't be asking for much, and there got to be a simple way to do it on a simple computer.... How about victors. .. can i hole the SWITCH just in case.... Only The Safe ones so the i don't reboot the machine or cause any other problems with no one other than the inturdeing app.

Well going to read about the timer thing but i think i rather find a sure decent way to do it...but this might be it .. i don't know.

Thanks f0dder
Thanks emonk
Posted on 2002-09-08 22:11:17 by cmax
If you want to stop ppl from dumping and debugging your app, using ring0 tricks is a bad way. As f0dder noted, it'll probably end up a problem for the end user (one of the typical instances being that normal people running soft-ice can't run some software, because some programmers equal the presence of soft-ice with the intention to crack their program .... which is silly).

It's a much better idea to wrap your app, making it impossible to debug it without dumping it. Then, secondly, make sure that all of the app is never present unpacked in mem at any given time: encrypt and decrypt not just once, but several times. If you do a routine that's nice enough, and don't encrypt 10 megs at a time, the end user won't feel the difference.

Done the right way, this accomplishes the same that you want to do ring0, but without relying on windows tricks that aren't sure to be forward compatible.

Fake
Posted on 2002-09-09 02:10:57 by Fake51
cmax,
a KMD is very similar to a service, but with a slightly different setup, and it runs in Ring 0 instead of Ring 3. A driver is different yet again, and XP takes a new approach to dealing with them, this is to avoid one driver bringing down the system (IMO this will just lead to shitty coding, if your driver crashes the system then you *have* to get it right, letting the OS kill it is just a cheap way out).

Some of the guys have pointed out that you shouldn't try to run Ring 0 from Ring 3, this is true, but you should remember that there is no reason why you cannot *communicate* with an app already running in Ring 0 (obviously you have to write the ring 0 app and set up the communication mechanism).

For primo information on doing drivers, visit www.osr.com.
Posted on 2002-09-09 06:07:07 by sluggy
fodder,
Thanks for the enlightening read. Your site is very good, and you actually update it :) You are a smart guy, and sometimes a smart ass :)

Everyone,
I know you guys like to discourage promiscuos ring0 access for a reason, but sometimes you need to cheat a little to learn a lot. I agree that for an end-user application however there is no room for such things as a ring 0 hack. I was under the apparently mistaken impression that cmax just needed something for himself to use experimentally.

cmax,
If this is an end-user app you had better stick with writing a KMD or something. Dirty tricks are no way to code professional software :)
Posted on 2002-09-09 07:59:54 by emonk
I might be a smartass sometimes, but I don't deny it.
And that foon guy really is a fool.

ring0 hacks == NO_GO. While one might play with these for fun, code doing
ring0 hacks should never leave your own box... especially not in commercial
software.

Cmax, don't rely on ring0 code (drivers, hacks, whatever) for protection. This
will NOT give you security ("we" and "they" know very well how to deal with
ring0 code), but will give trouble for the end-user. Either an administrator will
have to install the software (and set up your ring0 service to load at boottime),
or the users using the application will have to have administrative rights (to
dynamically load the ring0 service). And, frankly, I wouldn't want to run anything
written by most people in here in ring0. There aren't too many people that are
capable of writing ring0 code... stable and nondirty ring0 code, that is.

And again... you might be able to get protection against procdump by using
ring0 stuff, but procdump (and other ring3 tools) aren't the main tools anymore,
and it will take a LOT to prevent even widespread tools from succeeding... and
know that there are far far far more powerful private/internal-use-only tools.

Stopping the app (or crashing the box / whatever) on presence of a debugger
is very lame. I often have softice running, because it's about the only thing
that can debug some of the stuff I do (I don't have a second box I can use
for windbg serial/firewire link). It's not very often I dip inside other people's
programs anymore (sure, I do it every now and then, but my primary use for
softice is for my *own* code), and a lot of people have similar usage patterns.

Whatever you do, stick with ring3. Don't play dirty in any way. Your best bet
is probably to get a license for asprotect - and use it *correctly*. While asprotect
is dumped+fixed every day, that's mainly because the shareware authors using
asprotect are clueless piles of goo who don't know how to use it correctly.
Not a big loss anyway, considering how lame most shareware is these days.
Posted on 2002-09-09 11:43:33 by f0dder
I don't think there is a coder in the world that test a piece of code like i do... I don't mean with special tools because i don't know how to use them anyway. But i mean putting it inside a super large app and using it for months at a time than surround it with my new finding just to see the affect.... Checking everything such as mem used while other apps are running and soooooooo on....THAT'S WHY I AM SO FAR BEHIND YOU GUYS...

I am taking 6 - 10 - 18 months of stripping and re-setting so even if i do learn some ring0 stuff, If i deside to use it you can bet your life it will never fail or interfer. I DON'T PLAY. I deal with ONE thing and ONE thing only, and i know it like a book ... Can't NOTHING get pass me here ... Trust Me on this one ...

As far as the name Dirty Tricks, what do you think half of the OS is all about... If you don't know just wait until i am finish and you will see for yourself. Anyway these are some great points made here and i will respect and repeat to myself ever word in my quest to get this last job done.

"but sometimes you need to cheat a little to learn a lot"

How true ... How true ... But i would not call it cheating... I learned a heck of a lot while trying to do it althought much never worked anyway, but some did work flawlessly so I be dame if i just stop looking into it just because someone deam it to be a bad thing. Virse is a bad thing, it even look SICK... Yes i went to the Valley of the Dead, The Zombees Site.....Not much for me there.

But as far as going to the lowest point possible in a system, Is any Assebler dream. What real programmer have not tried yet... you all did... Now its my turn to see what i can see. Who to say i can make it work, just because someone else did not. Maybe others were looking for too much out of it.... This is not my case... Now what's your BEEF...

Thanks Everybody

Ring0 in XP... I would if i could, can't wait to see someone do it... If the hole is there than what.... Is that my fault.... Every body here would jump at the chance if it was here before us right now...

f0dder be the first to go :) :) :) Posted on 2002-09-09 19:04:01 by cmax
There's holes, there's been holes, new holes will be found. And holes will be
closed as people discover them. Using holes for ring0 is lame. Sure, can be
fun to *tinker* with, but *using* them is lame. One such hole on NT was the
debug "elevate to admin privilege" bug. Get admin from unprivileged account,
interface with the service manager and have it load your KMD. Presto, ring0.

And I repeat... don't do ring0 unless you have to - and if you have to, do it
with the accepted and published methods.
Posted on 2002-09-10 10:53:17 by f0dder
OK, OK, OK


T


Posted on 2002-09-10 20:44:54 by cmax
After reading more into Ring0 past posts and other web sites and code i now understand what you guy are really saying now....The Key word finally kicked in....

PRACTICE

Good Coding Practice.

Seems very serious even to many who know how to do it everday just on GP (general everyday s**t). ALL of them said "it's all about Good Coding Practice" and it seems that they really mean it just like you do, so accept my apoligy because i thought that all of you were nuts or holding out for a minute or two (but that was my problem though).

Anyway, Driver will be very interesting to get into so wish me luck and i think it would have sent myself on a 50 years mission to get to Ring0 in ALL platforms anyway because it would be bug FREE by than. So it do seems to make you a bit to greedy once you see just a tincy wincy parts of it. But when someone ask please don't say write your own OS, because he will only say to himself "WHY SHOULD I when got WINDOWS . Not much will ever replace M$ for a good 200 years" .

Not saying i give up before even getting started but if i can't make it 101.99 % and can't do it for ALL Win ... it don't go.

Just like a Doctor ... Maybe I will accept the PRACTICE too..... But this is atill really still hard for me to say ...

i must be nuts...

See ya
Posted on 2002-09-16 23:25:56 by cmax