SYSENTER hook

Posted by ivanko 
March 12, 2010 02:58PM
Hello to everybody! Recently I have been trying to intercept the sysenter execution (trying to understand how rootkits work) and I've got nothing more than complete system freezes and system panic. Of course, the hook that is now in the code should do nothing except giving control to the original ia32_sysenter_target. So this is the code:
#include <linux/module.h>
#include <linux/kernel.h>

void hook(void);

void (*old_handl)(void);
void (*new_handl)(void);
void (**old_handl_pp)(void);



void hook(void)
{
  // Pointer to a pointer to a function
  __asm__ __volatile__("ljmp *%0" : : "m"(old_handl_pp));
  return;
}

int init_module(void)
{
  new_handl = hook;
  old_handl_pp = &old_handl;

  __asm__ __volatile__("mov $0x176, %%ecx\n\t"
                       "rdmsr\n\t"
                       "mov %0, %%eax\n\t"
                       "wrmsr" : : "r"(old_handl) : "%ecx", "%eax", "%edx" ) ;

  return 0;
}
It compiles without any errors or warnings. Yes, and the Makefile is this:
EXTRA_CFLAGS = -g -Wall
obj-m += msr.o

all:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules

clean:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean
I tried it both in VMs and my real machine, the results are the same (failure). I will appreciate any help, and thanks in advance!
Re: SYSENTER hook
March 21, 2010 03:53AM
Well, it appears that I solved it =)! Here is the working code:

#include <linux/module.h>
#include <linux/kernel.h>

void (*old_handl_p)(void) = 0;
void (*new_handl_p)(void) = 0;

void hook(void)
{
  /* Pointer to the original handler: hand control straight to it */
  asm("jmp *%0" : : "m"(old_handl_p));
  return;
}

int init_module(void)
{
  new_handl_p = &hook;

  /* Save the current SYSENTER entry point. rdmsr/wrmsr act only on the CPU this runs on. */
  asm("rdmsr\n\t"
      : "=a"(old_handl_p) /* EAX now holds the address of the original handler */
      : "c"(0x176) /* Number of MSR register (IA32_SYSENTER_EIP) */
      : "%edx" ) ; /* RDMSR also changes the EDX register */

  asm("wrmsr\n\t"
      : /* No output */
      : "c"(0x176), "d"(0x0), "a"(new_handl_p));

  return 0;
}

void cleanup_module(void)
{
  /* Restore the original entry point; otherwise SYSENTER keeps jumping into the unloaded module's memory */
  asm("wrmsr\n\t"
      : /* No output */
      : "c"(0x176), "d"(0x0), "a"(old_handl_p));
}
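A check from the other side of this thread, added here as an example and not code from the original post: a user-space program that reads IA32_SYSENTER_EIP (MSR 0x176) on every CPU through the msr driver and compares it with the address of ia32_sysenter_target and the kernel text bounds taken from /proc/kallsyms, so an entry point redirected into module memory stands out. Assumed: the msr module is loaded, the program runs as root, and the entry symbol is still named ia32_sysenter_target as on this page (newer kernels use a different name, substitute yours).

```c
#define _XOPEN_SOURCE 700   /* for pread() */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#define IA32_SYSENTER_EIP 0x176   /* the MSR the module above rewrites (SYSENTER entry point) */
enum verdict { SYSENTER_CLEAN, SYSENTER_REDIRECTED_IN_TEXT, SYSENTER_REDIRECTED_OUTSIDE_TEXT };

/* Parse one /proc/kallsyms line ("addr type name ..."); returns 1 on success, 0 otherwise. */
int kallsyms_parse_line(const char *line, uint64_t *addr, char sym[128])
{
    unsigned long long a; char type;
    if (sscanf(line, "%llx %c %127s", &a, &type, sym) != 3) return 0;
    *addr = a;
    return 1;
}

/* A hook like the one above lives in module memory, i.e. outside the kernel text [_stext, _etext). */
enum verdict classify_sysenter_eip(uint64_t msr, uint64_t expected, uint64_t stext, uint64_t etext)
{
    if (msr == expected) return SYSENTER_CLEAN;
    if (msr >= stext && msr < etext) return SYSENTER_REDIRECTED_IN_TEXT;
    return SYSENTER_REDIRECTED_OUTSIDE_TEXT;
}

/* Read an MSR via /dev/cpu/N/msr (root + msr module; file offset = MSR number). MSRs are per CPU. */
int read_msr(int cpu, uint32_t reg, uint64_t *out)
{
    char path[64]; int fd; ssize_t r;
    snprintf(path, sizeof path, "/dev/cpu/%d/msr", cpu);
    if ((fd = open(path, O_RDONLY)) < 0) return -1;
    r = pread(fd, out, sizeof *out, reg);
    close(fd);
    return r == (ssize_t)sizeof *out ? 0 : -1;
}
int main(void)
{
    char line[256], sym[128]; uint64_t expected = 0, stext = 0, etext = 0, msr, a;
    FILE *f = fopen("/proc/kallsyms", "r"); if (!f) return 1;   /* addresses read as 0 without CAP_SYSLOG */
    while (fgets(line, sizeof line, f)) {
        if (!kallsyms_parse_line(line, &a, sym)) continue;
        if (!strcmp(sym, "ia32_sysenter_target")) expected = a;   /* assumed symbol name, see lead-in */
        else if (!strcmp(sym, "_stext")) stext = a;
        else if (!strcmp(sym, "_etext")) etext = a;
    }
    fclose(f);
    for (int cpu = 0; read_msr(cpu, IA32_SYSENTER_EIP, &msr) == 0; cpu++)   /* stops at the first missing CPU */
        printf("cpu%d SYSENTER_EIP=%#llx verdict=%d\n", cpu, (unsigned long long)msr, classify_sysenter_eip(msr, expected, stext, etext));
    return 0;
}
```

A verdict of 2 on any CPU means SYSENTER no longer enters the kernel's own text; since the MSR is per CPU, a module whose init ran on one CPU shows up on that CPU only.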