Run any Ring 0 code from a WIN32 application on Windows NT  
-----------------------------------------------------------

Copyright (C) 1997 Prasad Dabak & Sandeep Phadke & Milind Borate

Background
----------

Callgate is a mechanism of controlled ring transfers (privilege 
level transfers) on INTEL processors. There are ways to implement
callgate mechanism under Windows 3.1 and Windows 95. Refer to 
MSDN articles 'Run Privileged Code from Your Windows-based Programs 
Using Call Gates' by Matt Pietrek (MSJ May 1993) for Win3.1 implementation.
Refer to PHYS program in Matt Pietrek's excellent "Windows 95 System 
Programming Secrets". We are providing here an equivalent mechanism
under Windows NT 3.51 and 4.0. We provide the reader with an API, 
driver and a DLL to directly try out this mechanism.

This is the best known mechanism to execute privileged instructions
WITHOUT having to write a NT kernel mode device driver. You can directly
link with our general purpose DLL and execute Ring 0 code.

Implementation
--------------

There are a lot of undocumented functions in the core NT component
NTOSKRNL.EXE. Using some of these functions we have provided a 
mechanism for creating callgates under Windows NT. The implementation
consists of a kernel mode device driver CALLGATE.SYS and a wrapper
DLL CALLGATE.DLL. Using the functions from CALLGATE.DLL, one can 
create a callgate and execute any Ring 0 code from a WIN32 application. 

The prototypes for the functions exported by CALLGATE.DLL are
given in GATE.H header file. We have provided a sample application
which uses this DLL to create callgate and get the contents of the 
CPU control registers like CR0, CR2, CR3 from a WIN32 application. 
It also demonstrates how direct port I/O can be done using this trick. 
The sample program provided, beeps by outputting data on the sound port.

The function which is called through a callgate is written in 
assembly language, since the standard 32-bit compiler does not generate
the stack frame required for such a function. The function called
through a callgate is called by a far call. Therefore the parameters
to the functions starts from ESP+8. The standard 32-bit compiler
generates the code which expects the parameters to start from 
ESP+4. Also in this case, you have to make a far return, whereas
standard 32-bit compiler generates a near return instruction.
You can find the details about this in Matt Pietrek's
excellent book, "Windows 95 System Programming Secrets", Chapter 5,
page numbers 301, 302 (Cool stuff in the PHYS program).

Note that CALLGATE.SYS and CALLGATE.DLL have to be present in the
same directory as that of the application using CALLGATE.DLL, since 
CALLGATE.DLL forms the complete path of the driver by getting the 
current directory of the application.

The source code for CALLGATE.DLL and CALLGATE.SYS will be presented 
in our forthcoming book  "Undocumented Windows NT" by O'Reilly 
Associates.

*****NOTE: You have to extremely cautious when writing the function
which is to be called through a callgate. A small mistake can 
easily crash your NT machine. We are NOT responsible for any
data loss caused due to the use of this trick.*********

How to Contact us
-----------------

Prasad  : pdabak@cyberspace.org
Sandeep : sandeep@giaspn01.vsnl.net.in
Milind  : milind@cyberspace.org
