Platform Win 98:
I'm trying to get into doing some coding at ring 0. I'm waiting for Microsofts new WDM CD to be delivered. But in the meantime I thought I'd try my hand at doing something very simple in ring 0 (opening a file, reading or writing some data, closing it). Because I've not got the WDM stuff I'm not using VxDs, just a forced entry into Ring 0. (I'm writing the above to just tell you why I'm not using a VxD - so please don't shout at me!)

Trouble is I'm getting a crash 'in IFSMgr at 0028:C0034366'. I've spent quite a bit of time going over everything, and changing things, but no joy. Probably making a simple error. Please help.


.Model Flat ,StdCall

Extrn MessageBoxA:PROC
Extrn ExitProcess:PROC

int3 EQU 3
IFSMgr EQU 0040h ;
Ring0_FileIO EQU 0032h
R0_OPENCREATFILE EQU 0D500h ; Open/Create a file

IDT dq 0
int3_position dd 0
filename db "C:\TESTOPEN.TXT",0
int3_old0 dd 0
int3_old1 dd 0


push 0
push offset filename
push offset filename
push 0
call MessageBoxA
;************************Find IDT & values***************************

;SIDT returns 48 bits, word=size IDT & then ptr to IDT
;Struc of IDT is

sidt IDT
mov esi,dword ptr
add esi, 8*int3

;***********************Save some stuff*****************************

mov int3_position,esi
mov eax,
mov int3_old0,eax
mov eax,
mov int3_old1,eax

;***********************Place our own*******************************
mov eax,offset ring0
mov word ptr,ax
shr eax,10h
mov word ptr,ax


int int3 ;call our interrupt & goto ring0
;returns here

;*******************Restore int3************************************
mov esi,int3_position
mov eax,int3_old0
mov ,eax
mov eax,int3_old1
mov ,eax

push 0
call ExitProcess


;Test Create & close file

mov esi, offset filename
mov ebx, 02h
mov edx, 01h

int 20h
dw Ring0_FileIO
dw IFSMgr

jmp exit_ring3 ;bypass rest for now to isolate error

mov ebx,eax
mov eax,R0_CLOSEFILE
int 20h
dw Ring0_FileIO
dw IFSMgr



end main

I've tried various different register values to pass to the OPENCREATFILE - no joy. If I take out the OPENCREATFILE procedure it works fine, so I seem to be going in and out of ring 0 fine.
Posted on 2003-01-18 00:48:07 by Manxcat
Sorry but that's a crappy hack, you should not wonder WHY your proggy doens't work...:rolleyes:
Posted on 2003-01-18 03:21:22 by Axial
"Sorry but that's a crappy hack"

I agree

"you should not wonder WHY..."

I disagree. Apparently far more complex progs have been written using this bug/hole. It should therefore work. That I can't see why it doesn't - means I'm missing something. If I'm missing something then I don't understand something.

Understanding is important to me. :) Hence I should wonder why.

Also it probably means something like this would crop up again, and I'd still be in the dark.

Someone please enlighten me!

P.S. I also notice that the code jumps to 0028:004xxxxx Would that be causing problems when I use mov esi, offset filename? (Segment change?)

<Also I've altered the above to int 5h, so I can use Softice to debug on Int 3h>
Posted on 2003-01-18 05:05:13 by Manxcat
"Apparently far more complex progs have been written using this bug/hole."

This hole is crappy, not only because it's a hack, but also because it doens't work on SOME Win9x stations, including mine.
Believe me, I tested many ring0 approach and the only decent way I found was writing a driver... (except NT callgates witch still works)
Posted on 2003-01-18 05:42:32 by Axial