
KiFastSystemCall Hook
May 18, 2007
A little trick I invented some time ago to hook the syscalls made by gamemon.des. It only works on Windows XP and above, because of the design of the syscall mechanism itself. So how does it work? Let's first do some research on the syscall mechanism.
As you know, NT-based Windows (Windows NT/2k/XP/2k3/Vista) has a ring 0 and a ring 3 layer, holding the kernel-mode and the user-mode code respectively. User mode is isolated from kernel mode: you cannot read, write or call kernel-mode memory directly from user mode. So to get the kernel to do something for you, you make a syscall: the processor transfers control to kernel mode, the kernel processes your request, and control is transferred back to user mode.
Each version of Windows has its own syscall mechanism. On Windows 2000 and older, a syscall stub looks like this:
MOV EAX, SyscallNumber ; requested syscall number
LEA EDX, [ESP+4] ; EDX = params...
INT 2Eh ; throw the execution to the KM handler
RET 4*NUMBER_OF_PARAMS ; return
The syscall number is moved into EAX and the kernel is entered through INT 2Eh. In Windows XP and later, the mechanism changed:
MOV EAX, 101h ; syscall number: NtTerminateProcess
MOV EDX, 7FFE0300h ; EDX = 7FFE0300h
CALL EDX ; call 7FFE0300h
RETN 8
Notice the difference. Instead of INT 2Eh there is now a CALL EDX, with EDX pointing at 7FFE0300h, the SystemCall field of KUSER_SHARED_DATA (the page the kernel shares with every process). That leads us to ntdll.KiFastSystemCall, a tiny stub containing the SYSENTER instruction (on later builds the field holds a pointer to the stub and the call becomes CALL DWORD PTR [EDX], as a comment below notes, but it ends in the same stub):
MOV EDX, ESP
SYSENTER
RETN
This is where the KiFastSystemCall hook comes in. Every stub in the process, whether it lives in ntdll, user32 or gdi32, funnels through those five bytes, so a hook on the stub catches all syscalls made by the process, including the undocumented NtUser* and NtGdi* ones. Two limits worth knowing: the hook runs before SYSENTER, so it sees the syscall number in EAX and the arguments but not the result (the kernel returns through KiFastSystemCallRet, not through the patched stub), and it only sees calls that reach the stub; code that issues INT 2Eh or SYSENTER itself never touches it.
——————————————————————————————-
KiFastSystemCall Hook
http://w14.easy-share.com/3759571.html
Actually the mechanism has changed again in Win2003; now it's like:
MOV EAX,0ED
MOV EDX,7FFE0300
CALL DWORD PTR DS:[EDX]
RETN 10
Didn't know that.
It still leads to KiFastSystemCall though.
Can you please re-upload the file elsewhere? It is not found at that link and I'd be interested in reading it.
Sorry for the double post, but I forgot to add a thanks for the tip. I'm trying it out right now.
The file hosting is currently performing an upgrade, the files should be up soon.
Just a note: GameMon.des now performs a direct syscall via INT 2E, so the KiFastSystemCall hook doesn't work anymore.
Vista Home Premium:
KiFastSystemCall:
mov edx, esp
db 0Fh
db 34h ; '4'
Not sure if anyone is still interested, but XP x64 SP2 and Vista x64 SP1 may use something like:
7D61CFAC ZwCreateFile
MOV EAX,52
XOR ECX,ECX
LEA EDX,DWORD PTR SS:[ESP+4]
CALL NEAR DWORD PTR FS:[C0]
RET 2C
At FS:[C0] lies a far jmp, e.g.:
JMP FAR 0033:78B83C2C
It’s quite convenient that all functions seem to call a common point to dispatch syscalls.
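As an added example (not from the post or from any of the commenters), here is a C decoder for the x86 stub shapes shown on this page: the INT 2Eh form, the two CALL forms through 7FFE0300h, the FS:[C0h] form from the comment above, and an inlined SYSENTER. It reports the syscall number, the dispatch type, the argument count taken from the RET imm16, and whether the stub goes through the shared dispatcher at all, which is the check to run on a target's stubs before hooking: a stub that issues INT 2Eh or SYSENTER itself, like the GameMon.des behaviour reported in the comments, never reaches KiFastSystemCall. The sample byte strings are hand-assembled from the listings on this page, not dumped from a real ntdll, and the type and function names are my own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* How an x86 stub hands control to the kernel. Only the CALL forms go through the
 * shared dispatcher (7FFE0300h -> ntdll!KiFastSystemCall, or FS:[C0h] under x64),
 * so only those are seen by a hook placed there. */
typedef enum {
    DISPATCH_NONE = 0,
    DISPATCH_INT2E,        /* LEA EDX,[ESP+4] / INT 2E: Windows 2000, or a direct syscall */
    DISPATCH_CALL_EDX,     /* MOV EDX,7FFE0300h / CALL EDX */
    DISPATCH_CALL_MEM_EDX, /* MOV EDX,7FFE0300h / CALL DWORD PTR [EDX] (the Win2003 form) */
    DISPATCH_FS_C0,        /* XOR ECX,ECX / LEA EDX,[ESP+4] / CALL DWORD PTR FS:[C0h] (x64) */
    DISPATCH_SYSENTER      /* MOV EDX,ESP / SYSENTER inlined: direct, no dispatcher */
} dispatch_t;

typedef struct {
    uint32_t   number;   /* immediate moved into EAX */
    dispatch_t dispatch;
    int        nargs;    /* RET imm16 / 4, 0 for a plain RET, -1 if no RET follows */
    int        hookable; /* 1 if the stub reaches the kernel through the shared dispatcher */
} stub_info_t;

static int starts_with(const uint8_t *p, size_t len, const uint8_t *pat, size_t n)
{
    return len >= n && memcmp(p, pat, n) == 0;
}

/* Decode one stub whose first byte is the MOV EAX,imm32. Returns the number of bytes
 * consumed, or 0 if the bytes do not form a recognised stub. */
size_t decode_stub(const uint8_t *code, size_t len, stub_info_t *out)
{
    static const uint8_t xor_ecx[]   = { 0x33, 0xC9 };
    static const uint8_t lea_edx[]   = { 0x8D, 0x54, 0x24, 0x04 };
    static const uint8_t mov_edx[]   = { 0xBA, 0x00, 0x03, 0xFE, 0x7F };
    static const uint8_t call_edx[]  = { 0xFF, 0xD2 };
    static const uint8_t call_pedx[] = { 0xFF, 0x12 };
    static const uint8_t int2e[]     = { 0xCD, 0x2E };
    static const uint8_t call_fs[]   = { 0x64, 0xFF, 0x15, 0xC0, 0x00, 0x00, 0x00 };
    static const uint8_t sysenter[]  = { 0x8B, 0xD4, 0x0F, 0x34 };
    size_t i = 5;

    memset(out, 0, sizeof *out);
    out->nargs = -1;
    if (len < 5 || code[0] != 0xB8) return 0;
    out->number = code[1] | code[2] << 8 | code[3] << 16 | (uint32_t)code[4] << 24;

    if (starts_with(code + i, len - i, xor_ecx, 2)) i += 2;   /* optional prefixes */
    if (starts_with(code + i, len - i, lea_edx, 4)) i += 4;

    if (starts_with(code + i, len - i, mov_edx, 5)) {
        i += 5;
        if (starts_with(code + i, len - i, call_edx, 2)) out->dispatch = DISPATCH_CALL_EDX;
        else if (starts_with(code + i, len - i, call_pedx, 2)) out->dispatch = DISPATCH_CALL_MEM_EDX;
        else return 0;
        i += 2;
        out->hookable = 1;
    } else if (starts_with(code + i, len - i, int2e, 2)) {
        out->dispatch = DISPATCH_INT2E; i += 2;
    } else if (starts_with(code + i, len - i, call_fs, 7)) {
        out->dispatch = DISPATCH_FS_C0; out->hookable = 1; i += 7;
    } else if (starts_with(code + i, len - i, sysenter, 4)) {
        out->dispatch = DISPATCH_SYSENTER; i += 4;
    } else {
        return 0;
    }

    if (i + 3 <= len && code[i] == 0xC2) {        /* RET imm16 */
        out->nargs = (code[i + 1] | code[i + 2] << 8) / 4;
        i += 3;
    } else if (i < len && code[i] == 0xC3) {      /* RET */
        out->nargs = 0;
        i += 1;
    }
    return i;
}

/* Walk a code region and count stubs that bypass the shared dispatcher, i.e. the direct
 * INT 2E / SYSENTER calls a KiFastSystemCall hook never sees. */
size_t count_direct_stubs(const uint8_t *code, size_t len)
{
    size_t i = 0, direct = 0;
    stub_info_t si;
    while (i < len) {
        size_t n = code[i] == 0xB8 ? decode_stub(code + i, len - i, &si) : 0;
        if (n == 0) { i++; continue; }
        if (!si.hookable) direct++;
        i += n;
    }
    return direct;
}

/* Constructed samples (hand-assembled from the listings on this page, not dumped from a
 * real ntdll). */
const uint8_t STUB_XP_NTTERMINATEPROCESS[] = /* MOV EAX,101h; MOV EDX,7FFE0300h; CALL EDX; RET 8 */
    { 0xB8,0x01,0x01,0x00,0x00, 0xBA,0x00,0x03,0xFE,0x7F, 0xFF,0xD2, 0xC2,0x08,0x00 };
const uint8_t STUB_2003[] =                  /* MOV EAX,0EDh; MOV EDX,7FFE0300h; CALL [EDX]; RET 10h */
    { 0xB8,0xED,0x00,0x00,0x00, 0xBA,0x00,0x03,0xFE,0x7F, 0xFF,0x12, 0xC2,0x10,0x00 };
const uint8_t STUB_X64_ZWCREATEFILE[] =      /* MOV EAX,52h; XOR ECX,ECX; LEA EDX,[ESP+4]; CALL FS:[C0h]; RET 2Ch */
    { 0xB8,0x52,0x00,0x00,0x00, 0x33,0xC9, 0x8D,0x54,0x24,0x04, 0x64,0xFF,0x15,0xC0,0x00,0x00,0x00, 0xC2,0x2C,0x00 };
const uint8_t STUB_DIRECT_INT2E[] =          /* MOV EAX,101h; LEA EDX,[ESP+4]; INT 2E; RET 8 */
    { 0xB8,0x01,0x01,0x00,0x00, 0x8D,0x54,0x24,0x04, 0xCD,0x2E, 0xC2,0x08,0x00 };
```

To use it on a real process, read the first few dozen bytes at each exported Nt*/Zw* address and pass them to decode_stub, or run count_direct_stubs over a module's code section; bytes that do not start a stub simply yield 0 and are skipped. A non-zero count from a module other than ntdll is the situation the comment about GameMon.des describes, and the hook on KiFastSystemCall will not see those calls.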
Are you sure GameMon.des only uses INT 2E for syscalls?
Under 32-bit processes in Windows XP x64 Pro, it just seems to raise an unhandled exception.
@Longpoke: Replacing KiFastSystemCall (the function starts at the JMP) with this:
7C90E506 8D5424 08 LEA EDX,[ESP+8]
7C90E50A CD 2E INT 2E
7C90E50C C3 RETN
7C90E50D . 8D49 00 LEA ECX,[ECX]
7C90E510 > ^ EB F4 JMP SHORT 7C90E506
Does not break any programs.