KiFastSystemCall Hook

May 18, 2007

A little trick I invented some time ago to hook the syscalls made by gamemon.des. It only works on Windows XP and above, due to the design of the syscall mechanism itself. So how does it work? Let's look at how the syscall mechanism is built.

As you know, NT-based Windows (Windows NT/2k/XP/2k3/Vista) has a ring0 and a ring3 layer, holding the kernelmode and the usermode code respectively. Usermode is isolated from kernelmode, meaning you cannot access kernelmode directly from usermode in any way. So in order to communicate with kernelmode, you make a syscall: the processor transfers control to kernelmode, the kernel processes your syscall, and control is transferred back to usermode again.

Each version of Windows has a different syscall mechanism. For Windows 2000 and older, the syscall stub looks like this:

MOV EAX, SyscallNumber ; requested syscall number
LEA EDX, [ESP+4] ; EDX = params...
INT 2Eh ; throw the execution to the KM handler
RET 4*NUMBER_OF_PARAMS ; return

The syscall number is moved into EAX and the call is dispatched through INT 2Eh. In Windows XP and later, the syscall mechanism changed:

MOV EAX, 101h ; syscall number: NtTerminateProcess
MOV EDX, 7FFE0300h ; EDX = 7FFE0300h
CALL EDX ; call 7FFE0300h
RETN 8

Notice the difference: instead of INT 2Eh there is now a CALL EDX, which leads us to ntdll.KiFastSystemCall, a tiny stub containing the SYSENTER instruction:

MOV EDX, ESP
SYSENTER
RETN

This is where the KiFastSystemCall hook comes in. Since every syscall of the process passes through this one stub, a hook installed on it catches all of them, including the undocumented NtUser* and NtGdi* syscalls.
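The defender's counterpart to the hook above: an added example, not code from the original post, that checks whether the bytes found at KiFastSystemCall still match the clean MOV EDX,ESP / SYSENTER / RETN stub, flags a JMP or INT 2Eh replacement, and decodes the syscall number from an Nt* prologue such as the NtTerminateProcess listing above. All byte samples are constructed inline from the listings on this page; a real check would read them from the loaded ntdll.dll instead.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* What the leading bytes found at ntdll!KiFastSystemCall look like. */
enum stub_kind { STUB_SYSENTER, STUB_INT2E, STUB_JMP, STUB_UNKNOWN };

/* The clean stub from the post: MOV EDX,ESP ; SYSENTER ; RETN */
static const uint8_t CLEAN_STUB[] = { 0x8B, 0xD4, 0x0F, 0x34, 0xC3 };

/* Constructed samples, not captured from a real system:
 * a stub overwritten by JMP rel32 (placeholder displacement), the INT 2Eh
 * replacement quoted in comment 9 (LEA EDX,[ESP+8]; INT 2E; RETN), and the
 * NtTerminateProcess prologue from the post (MOV EAX,101h; MOV EDX,7FFE0300h;
 * CALL EDX; RETN 8). */
static const uint8_t SAMPLE_HOOKED[] = { 0xE9, 0x00, 0x00, 0x00, 0x00 };
static const uint8_t SAMPLE_INT2E[]  = { 0x8D, 0x54, 0x24, 0x08, 0xCD, 0x2E, 0xC3 };
static const uint8_t SAMPLE_NTTERM[] = { 0xB8, 0x01, 0x01, 0x00, 0x00, 0xBA, 0x00, 0x03,
                                         0xFE, 0x7F, 0xFF, 0xD2, 0xC2, 0x08, 0x00 };

/* Only an exact match of the clean stub passes; a leading JMP is the usual
 * inline-hook signature, INT 2Eh anywhere marks the legacy-dispatch rewrite. */
enum stub_kind classify_stub(const uint8_t *b, size_t n)
{
    if (n >= sizeof CLEAN_STUB && memcmp(b, CLEAN_STUB, sizeof CLEAN_STUB) == 0)
        return STUB_SYSENTER;
    if (n >= 1 && (b[0] == 0xE9 || b[0] == 0xEB))      /* JMP rel32 / rel8 */
        return STUB_JMP;
    for (size_t i = 0; i + 1 < n; i++)
        if (b[i] == 0xCD && b[i + 1] == 0x2E)          /* INT 2Eh */
            return STUB_INT2E;
    return STUB_UNKNOWN;
}

/* Nt/Zw exports open with MOV EAX, imm32 (opcode B8): return that immediate,
 * the syscall number, or -1 when the prologue is not of that shape. */
long decode_syscall_number(const uint8_t *b, size_t n)
{
    if (n < 5 || b[0] != 0xB8)
        return -1;
    uint32_t imm = (uint32_t)b[1] | (uint32_t)b[2] << 8
                 | (uint32_t)b[3] << 16 | (uint32_t)b[4] << 24;
    return (long)imm;
}
```

On a live system the same comparison can be run periodically against the bytes at the address stored at 7FFE0300h to notice when the stub has been redirected.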

——————————————————————————————-

KiFastSystemCall Hook
http://w14.easy-share.com/3759571.html

10 Comments
  1. upb permalink

    Actually, the mechanism changed again in Win2003;
    now it's like
    MOV EAX,0ED
    MOV EDX,7FFE0300
    CALL DWORD PTR DS:[EDX]
    RETN 10

  2. Didn't know that. 😀 It still leads to KiFastSystemCall though.

  3. stimmedcow permalink

    Can you please re-upload the file elsewhere, it is not found with that link and I'd be interested in reading it 🙂

  4. stimmedcow permalink

    Sorry for double post, but I forgot to add a thanks for the tip, I’m trying it out right now.

  5. The file hosting is currently performing an upgrade, the files should be up soon. 😉

    Just a note, now GameMon.des is performing a direct syscall via INT 2E, so the KiFastSystemCall hook doesn't work anymore.

  6. Vista home premium:

    KiFastSystemCall:
    mov edx,esp
    db 0Fh;
    db 34h; ‘4’

  7. Not sure if anyone is still interested, XP x64 SP2 and Vista x64 SP1 may use something like:

    7D61CFAC ZwCreateFile
    MOV EAX,52
    XOR ECX,ECX
    LEA EDX,DWORD PTR SS:[ESP+4]
    CALL NEAR DWORD PTR FS:[C0]
    RET 2C

    at FS:[C0] lies a far jmp, eg:
    JMP FAR 0033:78B83C2C

    It’s quite convenient that all functions seem to call a common point to dispatch syscalls.

  8. Are you sure GameMon.des only uses INT 2E for syscalls?

    Under 32-bit processes in Windows XP x64 Pro, it just seems to raise an unhandled exception.

  9. Score permalink

    @Longpoke: Replacing KiFastSystemCall (the function starts at the JMP) with this:

    7C90E506 8D5424 08 LEA EDX,[ESP+8]
    7C90E50A CD 2E INT 2E
    7C90E50C C3 RETN
    7C90E50D . 8D49 00 LEA ECX,[ECX]
    7C90E510 > ^ EB F4 JMP SHORT 7C90E506

    Does not break any programs.

  10. Awk permalink

    Hi,

    Can you re-upload the file elsewhere please.
