Rootkit Arsenal, Installing a Call Gate
This is a part of the translation of my Spanish post published in blog.48bits.com:

Hi, I was reading the book "The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System" and I'd like to qualify a few things about the chapter "Hooking the GDT - Installing a Call Gate". A PoC driver is included at the end of the article that supports WalkGDT for multiple cores.

A Call Gate is a mechanism in the Intel x86 architecture to change the privilege level of the CPU when running a predefined function that is invoked with a CALL FAR / JMP FAR instruction. A call through a Call Gate allows you to obtain higher privileges than the current one; for example, we can execute a routine in ring0 using a CALL FAR from ring3. A Call Gate is an entry in the GDT (Global Descriptor Table) or the LDT (Local Descriptor Table).

Windows doesn't use Call Gates for anything in particular, but there is malware, such as the worm Gurong.A, that installs a Call Gate via \Device\PhysicalMemory to execute code in ring0. An article that talks about it is "Playing with Windows /dev/(k)mem" by crazylord, published in Phrack 59. Nowadays we can't easily access \Device\PhysicalMemory; I recommend reading the presentation by Alex Ionescu at RECON 2006, "Subverting Windows 2003 SP1 Kernel Integrity Protection". There are also examples on the net that use the API ZwSystemDebugControl to install a Call Gate, but Ionescu's article says that it doesn't work nowadays (although there are techniques to reactivate it).

...

Now it is time for a more detailed view. The PoC code of the book doesn't allow for multiple cores: it is only able to install the Call Gate on the core the driver is running on when it is loaded, and the GDT of the other cores remains intact. The problem is that if the user-space application executes the FAR CALL while scheduled on another core, whose GDT has no Call Gate, the call doesn't work.

...
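The point above, that a Call Gate is just an 8-byte system descriptor in a GDT and that every core has its own GDT, is the basis of how a defender looks for one. The following is an added example written for this page, not code from the book or from the PoC driver: it decodes the 32-bit protected-mode descriptor layout (offset 15:0, selector, parameter count, access byte with P/DPL/S/TYPE, offset 31:16) and walks a GDT image counting call gates that are present with DPL 3, i.e. reachable by a ring3 CALL FAR, which is exactly what a rootkit scanner would flag. The GDT image, the selector 0x0008 and the target offset 0x80401000 are constructed sample values, not a dump from a real machine.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Decoded view of one 8-byte descriptor, 32-bit protected-mode layout. */
typedef struct {
    int      is_call_gate;  /* 1 if S=0 and TYPE is a 16- or 32-bit call gate */
    int      present;       /* P bit */
    int      dpl;           /* descriptor privilege level, 0..3 */
    int      is_32bit;      /* 1 for TYPE 0xC (32-bit gate), 0 for TYPE 0x4 */
    uint16_t selector;      /* target code segment selector */
    uint32_t offset;        /* target entry point inside that segment */
    uint8_t  param_count;   /* dwords copied from the caller's stack */
} gate_info_t;

/* Decode a raw descriptor. Returns 1 if the entry is a call gate, else 0
 * (present/dpl are filled in either way; the rest only makes sense for gates). */
int decode_call_gate(const uint8_t d[8], gate_info_t *out)
{
    uint8_t access = d[5];                 /* P | DPL(2) | S | TYPE(4) */
    int s_bit = (access >> 4) & 1;         /* S=1 code/data, S=0 system descriptor */
    int type  = access & 0x0F;

    out->present      = (access >> 7) & 1;
    out->dpl          = (access >> 5) & 3;
    out->is_32bit     = (type == 0x0C);
    out->is_call_gate = (s_bit == 0) && (type == 0x0C || type == 0x04);
    out->selector     = (uint16_t)(d[2] | (d[3] << 8));
    out->offset       = (uint32_t)d[0] | ((uint32_t)d[1] << 8)
                      | ((uint32_t)d[6] << 16) | ((uint32_t)d[7] << 24);
    out->param_count  = d[4] & 0x1F;
    return out->is_call_gate;
}

/* Walk a GDT image (n_entries * 8 bytes) and count call gates a ring3 caller
 * could reach: present and DPL == 3. The index of the first such entry goes
 * to *first_index (-1 if none). Because each core loads its own GDT, a real
 * scanner has to repeat this walk once per core. */
int count_user_callable_gates(const uint8_t *gdt, size_t n_entries, int *first_index)
{
    int hits = 0;
    *first_index = -1;
    for (size_t i = 0; i < n_entries; i++) {
        gate_info_t g;
        if (decode_call_gate(gdt + i * 8, &g) && g.present && g.dpl == 3) {
            if (*first_index < 0) *first_index = (int)i;
            hits++;
        }
    }
    return hits;
}

/* Constructed sample GDT image (not a dump from a real machine):
 *   0: null descriptor
 *   1: flat ring0 code segment, 0x00CF9A000000FFFF
 *   2: flat ring0 data segment, 0x00CF92000000FFFF
 *   3: 32-bit call gate, P=1, DPL=3, selector 0x0008, offset 0x80401000
 *      (access byte 0xEC) - the entry a scanner should flag
 *   4: same gate with DPL=0 (access byte 0x8C) - not reachable from ring3 */
static const uint8_t sample_gdt[5 * 8] = {
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0xFF,0xFF,0x00,0x00,0x00,0x9A,0xCF,0x00,
    0xFF,0xFF,0x00,0x00,0x00,0x92,0xCF,0x00,
    0x00,0x10,0x08,0x00,0x00,0xEC,0x40,0x80,
    0x00,0x10,0x08,0x00,0x00,0x8C,0x40,0x80,
};

int main(void)
{
    int first;
    int n = count_user_callable_gates(sample_gdt, sizeof sample_gdt / 8, &first);
    printf("user-callable call gates: %d (first at GDT index %d)\n", n, first);
    if (first >= 0) {
        gate_info_t g;
        decode_call_gate(sample_gdt + first * 8, &g);
        printf("  selector %04x offset %08x dpl %d params %u\n",
               g.selector, g.offset, g.dpl, g.param_count);
    }
    return 0;
}
```

In a kernel driver the image would come from reading GDTR (SGDT) on each processor in turn; on Windows that means pinning the current thread to each core with KeSetSystemAffinityThread before reading, which is the same per-core walk the corrected WalkGDT has to do. Any present gate with DPL 3 whose selector points at a ring0 code segment is worth investigating, since Windows itself installs none.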
You can view the original and official Spanish post at: http://blog.48bits.com/2010/01/08/rootkit-arsenal-installing-a-call-gate/ And the English post on my rootkit.com blog: http://www.rootkit.com/blog.php?newsid=992 Translated by Laura Garcia from http://www.securitybydefault.com/ Sincerely, Dreg.