Recent Posts

1
The Campus / Re: Need Sysenter tips
« Last post by aw27 on Today at 06:37:58 PM »
Quote
Only question I got now is, how is the return for the kernel function handled, i.e. passing a return from the kernel func back to user mode? Or am I having a late-night brain fart and this isn't even necessary?

I am not fresh on the subject, so I am not willing to give you information that may not be correct.
The idea I have now, and I may be wrong, is that you need to push the return address on the stack because sysenter will not do that.
BTW, when you have something working please post here.  :t
2
One trick that's worked for me is to go into the AV's settings BEFORE your first scan, and place your development folders into a whitelist (not scanned by AV). Be careful to add them to the in-memory scans as well as the file system scans and you should be good. The thing is, you just can't forget to do this if you create a new directory outside of the one you already specified or else it's back to the drawing board again. I use Symantec and they have a setting hidden way deep in the AV settings for disabling memory and file system scans on a per-directory basis. Not sure about the others but that should do it for Symantec at least.

Oh also: BitDefender is the only AV that licenses their engine out... So basically if BitDefender has a false positive, it will also show on like 8 other AV platforms because they all use the BD engine. It is extremely anal and flags a lot of false positives, so yes, BD is not the best :)
3
The Colosseum / Re: Great news...
« Last post by caballero on Today at 05:50:04 PM »
Quote
Anyone like to see the trip photos ?
It would be nice, maybe as links to external sites to avoid occupying space here.
4
The Campus / Re: Need Sysenter tips
« Last post by Mondragon on Today at 05:32:37 PM »
aw27,

Thanks a lot, just got done reading and it cleared up a few things! :eusa_clap:

Some of the comments were scarier than the article... But that's probably because my idea of after-work fun is reading the Windows Internals book :P

So it seems basically 2 things are needed to pull this off:

1. The address of the beginning of the stack

2. The Dispatch ID of the func.

Using these 2 things, the kernel will call up the function and pass it the arguments. Only question I got now is, how is the return for the kernel function handled, i.e. passing a return from the kernel func back to user mode? Or am I having a late-night brain fart and this isn't even necessary?

Thanks again! I feel like this info is pretty scarce, especially when compared to all the javascript stuff out now haha.
5
The Campus / Re: Need Sysenter tips
« Last post by aw27 on Today at 04:40:08 PM »
Quote
Hello,

I've been doing a lot of research and study of the Windows kernel and for fun, I wanted to try and write some assembly which calls sysenter directly rather than using the Ntdll.dll stuff in order to learn about the system service dispatch table and how it interacts with usermode.

However, I can't really find a concrete example on implementing the sysenter or int 0x2e in code and the other implications behind it such as how to pass arguments to the SSDT call. Could anyone point me in the right direction or give any tips? Thanks.
Hello Mondragon,
I published a Code Project article which may give you a good introduction on these matters.
Note the following sparse points:
1) SSDT service numbers may vary between Windows releases.
2) the edx register points to the list of arguments.
3) In x64, the instruction is syscall and the 1st 4 arguments are passed in registers, remaining on the stack.

I have no test sample right now, but it is uncomplicated.
6
The Campus / Need Sysenter tips
« Last post by Mondragon on Today at 03:40:44 PM »
Hello,

I've been doing a lot of research and study of the Windows kernel and for fun, I wanted to try and write some assembly which calls sysenter directly rather than using the Ntdll.dll stuff in order to learn about the system service dispatch table and how it interacts with usermode.

However, I can't really find a concrete example on implementing the sysenter or int 0x2e in code and the other implications behind it such as how to pass arguments to the SSDT call. Could anyone point me in the right direction or give any tips? Thanks.
7
The Colosseum / Re: Great news...
« Last post by mineiro on Today at 08:35:47 AM »
Congratulations, sir K_F;
You're being a good father; mine was like you but left me early.
Well, prices are so expensive in your place, but each cent has its value.  :t
Keep us informed, I'm following the topic.
8
The Campus / Re: Printing floating point not working.
« Last post by RuiLoureiro on Today at 08:24:43 AM »
Hi
    Here is how to convert to string to print,
    or string to real10:

    http://masm32.com/board/index.php?topic=1852.0
    http://masm32.com/board/index.php?topic=1914.msg19899#msg19899
9
The Colosseum / Re: Great news...
« Last post by K_F on Today at 07:35:00 AM »
Two weeks to go... All bookings and goodies.. all done... all set to go.  :eusa_boohoo:

If there's any type of problem.. it's dealing with a Uni's bureaucracy... the left hand doesn't know what the right hand is doing and vice versa.
Countless emails (and a few phone calls) confirming the obvious and making sure each department knows what's going on... what a headache  :icon_exclaim:
And in between the mess, one or two shining individuals that pull the whole Uni admin together - they need a raise  :t

Anyone like to see the trip photos ?
 :icon_mrgreen:
10
The Campus / Re: Printing floating point not working.
« Last post by raymond on Today at 05:10:24 AM »
Chris,
To answer your very first question, the answer is YES. Floating point numbers CAN be printed directly from an fpu register. However, if you don't know how to do it, you can use some other external procedures until you have learned how to use assembly, including fpu mnemonics, to do it yourself. One such procedure is included in the Fpulib available on the same site where you read (but did not understand) the description of the 'fist' instruction. If you are really interested, that library also comes with the code for each of the procedures.

Quote
I thought the "fist" instruction allows you to store fpu numbers into memory or variables.
It does allow you to store it into a memory variable but as its ROUNDED INTEGER, rounded according to the content of the fpu's Control Word (http://www.ray.masmcode.com/tutorial/fpuchap1.htm#cword). Once rounded, that integer CANNOT be converted back to the original float; and trying to print that as a float would only yield garbage.

As for your recent question
Quote
What if i want two different variables in one string?
whether you have two, three, or 100+, the only way in assembly is to build the string one variable at a time yourself in a buffer before printing it.