Run any Ring 0 code from a WIN32 application on Windows NT ----------------------------------------------------------- Copyright (C) 1997 Prasad Dabak & Sandeep Phadke & Milind Borate Background ---------- Callgate is a mechanism of controlled ring transfers (privilege level transfers) on INTEL processors. There are ways to implement callgate mechanism under Windows 3.1 and Windows 95. Refer to MSDN articles 'Run Privileged Code from Your Windows-based Programs Using Call Gates' by Matt Pietrek (MSJ May 1993) for Win3.1 implementation. Refer to PHYS program in Matt Pietrek's excellent "Windows 95 System Programming Secrets". We are providing here an equivalent mechanism under Windows NT 3.51 and 4.0. We provide the reader with an API, driver and a DLL to directly try out this mechanism. This is the best known mechanism to execute privileged instructions WITHOUT having to write a NT kernel mode device driver. You can directly link with our general purpose DLL and execute Ring 0 code. Implementation -------------- There are a lot of undocumented functions in the core NT component NTOSKRNL.EXE. Using some of these functions we have provided a mechanism for creating callgates under Windows NT. The implementation consists of a kernel mode device driver CALLGATE.SYS and a wrapper DLL CALLGATE.DLL. Using the functions from CALLGATE.DLL, one can create a callgate and execute any Ring 0 code from a WIN32 application. The prototypes for the functions exported by CALLGATE.DLL are given in GATE.H header file. We have provided a sample application which uses this DLL to create callgate and get the contents of the CPU control registers like CR0, CR2, CR3 from a WIN32 application. It also demonstrates how direct port I/O can be done using this trick. The sample program provided, beeps by outputting data on the sound port. The function which is called through a callgate is written in assembly language, since the standard 32-bit compiler does not generate the stack frame required for such a function. The function called through a callgate is called by a far call. Therefore the parameters to the functions starts from ESP+8. The standard 32-bit compiler generates the code which expects the parameters to start from ESP+4. Also in this case, you have to make a far return, whereas standard 32-bit compiler generates a near return instruction. You can find the details about this in Matt Pietrek's excellent book, "Windows 95 System Programming Secrets", Chapter 5, page numbers 301, 302 (Cool stuff in the PHYS program). Note that CALLGATE.SYS and CALLGATE.DLL have to be present in the same directory as that of the application using CALLGATE.DLL, since CALLGATE.DLL forms the complete path of the driver by getting the current directory of the application. The source code for CALLGATE.DLL and CALLGATE.SYS will be presented in our forthcoming book "Undocumented Windows NT" by O'Reilly Associates. *****NOTE: You have to extremely cautious when writing the function which is to be called through a callgate. A small mistake can easily crash your NT machine. We are NOT responsible for any data loss caused due to the use of this trick.********* How to Contact us ----------------- Prasad : pdabak@cyberspace.org Sandeep : sandeep@giaspn01.vsnl.net.in Milind : milind@cyberspace.org