Wednesday, 23 October 2013

Kernel Driver: SYSENTER detour


Today we will be covering Kernel Mode detouring. Kernel Mode detouring is extremely powerful, most AV solutions operate on Kernel Mode.
The reason they operate on Kernel Mode, is solely due to the power and control they will posses, for example we can create a patch which will make sure that if a "backdoor" password is used on login or UAC, it accepts it. 

Back to topic...Using Kernel Mode driver is powerful as stated previously but can leave devastating effects if the Driver failed to work properly, therefore test it on VM before even attempting to run code on original machine as our machines could be different. 

Now we will dive into the realm of the code and theory

SYSENTER is the target we will be detouring, SYSENTER is a intel provided opcode to transform\jump into kernel mode, in addition detouring the opcode is detouring in the lowest level of Windows Kernel. As any decent reverse engineer would have discovered that SYSENTER opcode is only available in x86 bit Windows OS. 
If one wishes to detour deeper, s\he can detour interrupts, although this is\should be covered in upcoming tutorials. 

As Kernel mode by design allows us to detour these in fairly short amount of code - 

it only takes few lines of Assembly x86 :

- Grab current System Call handler from the 0x176 SYSENTER_MSR
- Read the value of IA32_SYSENTER_EIP 
- Save real SYSENTER address  
- Replace SYSENTER address with our detour callback
- Write the new\callback address to IA32_SYSENTER_EIP 

Lets get coding...

We will start defining the Driver Entry ( ***NOTE*** This also contains detour code):

The actual unload routine is not really anything special and a usual routine you normally see. 
As for the remaining code I am not really going to explain it as it more or less straightforward with the comments. It makes no sense for me to explain it all over again.

Now I will show the SysenterCallback "function":

To be honest, I do not really need to show example of how to filter content out using assembly instructions such as cmp and other similar instructions. Note - Here I was too lazy to add a void after _declspec(naked) as it was a test\code which worked and was just to show you guys. It is always a good programming practices to specify the data type. 

The Entire Code  (Comments Removed) : 

This is all there to, detouring the deepest level of Windows Kernel. You can use this code for variety of purposes from Malware Research, to Anti-Virus Programming or Kernel Diagnostic tools. 

This code works on pretty all Windows NT Operating Systems, with minor adjustment to the code. 
After you have compiled this properly and has been successful, to run the code follow this tutorial on CodeProject :

Until Next Time,

1 comment: