Translation of my “Patchguard alternative theory” presentation!

I translated my previous presentation into English; it explains how to build a protector for the IDT, the SSDT and the syscall address on Windows 32-bit and 64-bit.

The translation can be found at the following link: Windows Vista Kernel Security – [EN].ppt

I’m writing an article about it, which will be released very soon.

Merry Xmas!

First commit @ TinyKrnl !

Hi there!

I’m proud to announce that I did my first commit for TinyKrnl!

http://svn.reactos.ru/svn/tinykrnl?view=rev&revision=729

Cheers,

OSSIR – Windows Vista Kernel Security

Hi there,

Today I gave a presentation at the French engineering school École Normale Supérieure. The French slides can be found at the following link: OSSIR – Windows Vista Kernel Security.

In this presentation I show an alternative theory to Patchguard on Windows Vista 32/64-bit.

An article will be available soon.

IDTGuard v0.1 December, 2005 Build

This is a very interesting tool I wrote one year ago as a proof of concept of my IDT authenticity theory.

The tool can be found at: IDTGuard v0.1

Note: This tool doesn’t work on Windows 2003 SP1 because I used \\PhysicalMemory (see http://technet2.microsoft.com/WindowsServer/en/library/e0f862a3-cf16-4a48-bea5-f2004d12ce351033.mspx?mfr=true).

The following paste is a sample run, restoring the 0x2D interrupt on Windows 2000.

Interrupt Descriptor Table(IDT) Guard
matt@msuiche.net www.msuiche.net
Version 0.1 – (c) December, 2005 -

INT 0x01 has been hooked at 0x816C001D (Org INT = 0x80466786) by Unknow
INT 0x02 has been hooked at 0x0000145E (Org INT = 0x80466826) by Unknow
INT 0x03 has been hooked at 0x816C003C (Org INT = 0x80466A5E) by Unknow
INT 0x08 has been hooked at 0x000014B8 (Org INT = 0x80467670) by Unknow
INT 0x0E has been hooked at 0x816C007A (Org INT = 0x804688F4) by Unknow
INT 0x13 has been hooked at 0x8046900B (Org INT = 0x80468C8F) by ntoskrnl.exe
INT 0x1F has been hooked at 0x80064908 (Org INT = 0x80468C8F) by hal.dll
INT 0x2D has been hooked at 0xBE8C2B5C (Org INT = 0x8046694E) by DbgMsg.SYS
INT 0x37 has been hooked at 0x800640B8 (Org INT = 0x80464C56) by hal.dll
INT 0x3D has been hooked at 0x80065254 (Org INT = 0x80464C92) by hal.dll
INT 0x41 has been hooked at 0x800650C8 (Org INT = 0x80464CBA) by hal.dll
INT 0x50 has been hooked at 0x80064190 (Org INT = 0x80464D50) by hal.dll
INT 0x51 has been hooked at 0x816878A4 (Org INT = 0x80464D5A) by Unknow
INT 0x52 has been hooked at 0x81688DC4 (Org INT = 0x80464D64) by Unknow
INT 0x83 has been hooked at 0x81674424 (Org INT = 0x80464F4E) by Unknow
INT 0x92 has been hooked at 0x816B4584 (Org INT = 0x80464FE4) by Unknow
INT 0x93 has been hooked at 0x81686DC4 (Org INT = 0x80464FEE) by Unknow
INT 0xA2 has been hooked at 0x81687D64 (Org INT = 0x80465084) by Unknow
INT 0xA3 has been hooked at 0x816B6504 (Org INT = 0x8046508E) by Unknow
INT 0xB1 has been hooked at 0x816F8044 (Org INT = 0x8046511A) by Unknow
INT 0xB3 has been hooked at 0x816891C4 (Org INT = 0x8046512E) by Unknow
INT 0xC1 has been hooked at 0x800642FC (Org INT = 0x804651BA) by hal.dll
INT 0xD1 has been hooked at 0x80063964 (Org INT = 0x8046525A) by hal.dll
INT 0xE1 has been hooked at 0x80064858 (Org INT = 0x804652FA) by hal.dll
INT 0xE3 has been hooked at 0x800645D4 (Org INT = 0x8046530E) by hal.dll
INT 0xFD has been hooked at 0x80064D64 (Org INT = 0x804653E2) by hal.dll
INT 0xFE has been hooked at 0x80064EEC (Org INT = 0x804653E9) by hal.dll

27 Interruptions have been modified.

Help:
q :quit
s :reshow list of modified interrupt
r X :restore interruption X in IDT(sample: r 0xA1)
h :show this help

cmd>r 0x2D
Are you sure that you want to restore the Interruption 0x2D(45)? (y/n)y

Let’s restore it !
I will do that :
Offset : 0xBE8C2B5C => 0x8046694E
Dpl : 0x01 => 0x01
Type : IntG32 => IntG32

Are you sure?(y/n)y

Reconstrution of the INT 0x2D
Offset value…Done
Dpl(Descriptor Privilege Level) value…Done
Type value…Done

OKiE

cmd>s
INT 0x01 has been hooked at 0x816C001D (Org INT = 0x80466786) by Unknow
INT 0x02 has been hooked at 0x0000145E (Org INT = 0x80466826) by Unknow
INT 0x03 has been hooked at 0x816C003C (Org INT = 0x80466A5E) by Unknow
INT 0x08 has been hooked at 0x000014B8 (Org INT = 0x80467670) by Unknow
INT 0x0E has been hooked at 0x816C007A (Org INT = 0x804688F4) by Unknow
INT 0x13 has been hooked at 0x8046900B (Org INT = 0x80468C8F) by ntoskrnl.exe
INT 0x1F has been hooked at 0x80064908 (Org INT = 0x80468C8F) by hal.dll
INT 0x37 has been hooked at 0x800640B8 (Org INT = 0x80464C56) by hal.dll
INT 0x3D has been hooked at 0x80065254 (Org INT = 0x80464C92) by hal.dll
INT 0x41 has been hooked at 0x800650C8 (Org INT = 0x80464CBA) by hal.dll
INT 0x50 has been hooked at 0x80064190 (Org INT = 0x80464D50) by hal.dll
INT 0x51 has been hooked at 0x816878A4 (Org INT = 0x80464D5A) by Unknow
INT 0x52 has been hooked at 0x81688DC4 (Org INT = 0x80464D64) by Unknow
INT 0x83 has been hooked at 0x81674424 (Org INT = 0x80464F4E) by Unknow
INT 0x92 has been hooked at 0x816B4584 (Org INT = 0x80464FE4) by Unknow
INT 0x93 has been hooked at 0x81686DC4 (Org INT = 0x80464FEE) by Unknow
INT 0xA2 has been hooked at 0x81687D64 (Org INT = 0x80465084) by Unknow
INT 0xA3 has been hooked at 0x816B6504 (Org INT = 0x8046508E) by Unknow
INT 0xB1 has been hooked at 0x816F8044 (Org INT = 0x8046511A) by Unknow
INT 0xB3 has been hooked at 0x816891C4 (Org INT = 0x8046512E) by Unknow
INT 0xC1 has been hooked at 0x800642FC (Org INT = 0x804651BA) by hal.dll
INT 0xD1 has been hooked at 0x80063964 (Org INT = 0x8046525A) by hal.dll
INT 0xE1 has been hooked at 0x80064858 (Org INT = 0x804652FA) by hal.dll
INT 0xE3 has been hooked at 0x800645D4 (Org INT = 0x8046530E) by hal.dll
INT 0xFD has been hooked at 0x80064D64 (Org INT = 0x804653E2) by hal.dll
INT 0xFE has been hooked at 0x80064EEC (Org INT = 0x804653E9) by hal.dll

cmd>q
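To make the three steps the sample run above performs concrete (compare each gate against a baseline, attribute the current handler to a loaded module, and put the baseline descriptor back), here is an added example that is not IDTGuard's code and does not touch a real IDT: it works on two in-memory arrays of 32-bit gate descriptors, a "baseline" and a "live" copy, so it runs as an ordinary user-mode program. The gate layout is the documented x86 32-bit interrupt-gate format. The INT 0x2D addresses are the ones from the run above; the module load ranges, the INT 0x01 values and the kernel selector 0x08 are constructed for the demo. As in the tool's output, a handler that falls outside every known module is reported as unknown, which is the case worth investigating first.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* x86 32-bit IDT gate descriptor (8 bytes) as laid out in memory.
 * The 64-bit gate is 16 bytes and adds a third offset field; not modelled here. */
typedef struct {
    uint16_t offset_low;
    uint16_t selector;
    uint8_t  reserved;
    uint8_t  type_attr;   /* P | DPL (2 bits) | S=0 | gate type (4 bits) */
    uint16_t offset_high;
} idt_gate_t;
_Static_assert(sizeof(idt_gate_t) == 8, "gate must be 8 bytes");

#define GATE_INT32  0xE   /* 32-bit interrupt gate ("IntG32" in the tool's output) */
#define GATE_TRAP32 0xF

static uint32_t gate_offset(const idt_gate_t *g) { return ((uint32_t)g->offset_high << 16) | g->offset_low; }
static unsigned gate_dpl(const idt_gate_t *g)    { return (g->type_attr >> 5) & 3; }
static unsigned gate_type(const idt_gate_t *g)   { return g->type_attr & 0xF; }

static void gate_set(idt_gate_t *g, uint32_t offset, uint16_t sel, unsigned dpl, unsigned type)
{
    g->offset_low  = (uint16_t)(offset & 0xFFFF);
    g->offset_high = (uint16_t)(offset >> 16);
    g->selector    = sel;
    g->reserved    = 0;
    g->type_attr   = (uint8_t)(0x80 | ((dpl & 3) << 5) | (type & 0xF));   /* present bit set */
}

/* Loaded-module ranges used to attribute a handler address to a driver (constructed values). */
typedef struct { const char *name; uint32_t base; uint32_t size; } module_t;

static const char *owner_of(uint32_t addr, const module_t *mods, size_t nmods)
{
    for (size_t i = 0; i < nmods; i++)
        if (addr >= mods[i].base && addr - mods[i].base < mods[i].size) return mods[i].name;
    return "Unknown";   /* pool or other non-image memory: the case to look at first */
}

typedef struct { unsigned vector; uint32_t cur, orig; const char *owner; } hook_t;

/* Compare a live IDT snapshot against a trusted baseline. Any differing field
 * (offset, selector, DPL or gate type) counts as a modification. Returns the count. */
static size_t idt_check(const idt_gate_t *live, const idt_gate_t *base, size_t n,
                        const module_t *mods, size_t nmods, hook_t *out, size_t max)
{
    size_t found = 0;
    for (size_t v = 0; v < n; v++) {
        if (memcmp(&live[v], &base[v], sizeof(idt_gate_t)) == 0) continue;
        if (found < max) {
            out[found].vector = (unsigned)v;
            out[found].cur    = gate_offset(&live[v]);
            out[found].orig   = gate_offset(&base[v]);
            out[found].owner  = owner_of(out[found].cur, mods, nmods);
        }
        found++;
    }
    return found;
}

/* Put the baseline descriptor back (offset, DPL and type), like the tool's "r X" command. */
static int idt_restore(idt_gate_t *live, const idt_gate_t *base, size_t n, unsigned vector)
{
    if (vector >= n) return -1;
    live[vector] = base[vector];
    return 0;
}

/* Constructed scenario: a 256-entry baseline, then two live entries tampered with. */
#define NVEC 256
static idt_gate_t g_base[NVEC], g_live[NVEC];
static hook_t g_hooks[NVEC];
static const module_t g_mods[] = {
    { "ntoskrnl.exe", 0x80400000, 0x00200000 },   /* made-up ranges */
    { "hal.dll",      0x80060000, 0x00010000 },
    { "DbgMsg.SYS",   0xBE8C0000, 0x00010000 },
};
#define NMODS (sizeof(g_mods) / sizeof(g_mods[0]))

static size_t demo(void)
{
    for (unsigned v = 0; v < NVEC; v++)
        gate_set(&g_base[v], 0x80460000u + v * 8, 0x08, 0, GATE_INT32);
    gate_set(&g_base[0x2D], 0x8046694E, 0x08, 3, GATE_INT32);        /* Org INT from the run above */
    memcpy(g_live, g_base, sizeof(g_base));
    gate_set(&g_live[0x2D], 0xBE8C2B5C, 0x08, 3, GATE_INT32);        /* hooked into DbgMsg.SYS */
    gate_set(&g_live[0x01], 0x816C001D, 0x08, 0, GATE_INT32);        /* hooked into unknown memory */
    return idt_check(g_live, g_base, NVEC, g_mods, NMODS, g_hooks, NVEC);
}

int main(void)
{
    size_t n = demo();
    for (size_t i = 0; i < n; i++)
        printf("INT 0x%02X has been hooked at 0x%08X (Org INT = 0x%08X) by %s (Dpl 0x%02X, type 0x%X)\n",
               g_hooks[i].vector, g_hooks[i].cur, g_hooks[i].orig, g_hooks[i].owner,
               gate_dpl(&g_live[g_hooks[i].vector]), gate_type(&g_live[g_hooks[i].vector]));
    printf("%zu interrupts have been modified.\n", n);
    idt_restore(g_live, g_base, NVEC, 0x2D);
    printf("after restoring INT 0x2D: %zu modified\n",
           idt_check(g_live, g_base, NVEC, g_mods, NMODS, g_hooks, NVEC));
    return 0;
}
```

The comparison is byte-for-byte on the whole descriptor rather than on the offset alone, so a change to the DPL or gate type (for example lowering a gate's privilege level) is reported even when the handler address is untouched; the tool's restore output shows all three fields for the same reason. Note that a plain baseline diff also flags legitimate re-registration by the HAL and kernel, as the hal.dll and ntoskrnl.exe lines in the run above show, which is why the owner attribution matters for triage.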