Tags: c, windows, assembly, intel, processor

Error trying to read the IVT in Windows 7 64 bits


I want to read the IVT in Windows 7, 64 bits. I am not sure if it is possible. I have some code from the Rootkit Arsenal book, which is the following:

#include <stdio.h>

/* The book's constants: the real-mode IVT is 256 entries of 4 bytes
   (IP low word, CS high word) starting at linear address 0. */
#define IDT_001_ADDR  0x000
#define IDT_255_ADDR  0x3FC
#define IDT_VECTOR_SZ 4

/* GCC-style inline asm written in Intel syntax: needs gcc -m32 -masm=intel.
   PUSH ES / POP ES are not encodable in 64-bit code, so this cannot even
   be assembled for a 64-bit target. */
int main(int argc, char** argv) {

     unsigned short csAddr;
     unsigned short ipAddr;
     short address;
     unsigned short vector;

     vector = 0x0;

     printf ("\n---Dumping IVT from bottom up---\n");
     printf ("Vector\tAddress\t\n");

     for (
             address = IDT_001_ADDR; 
             address <= IDT_255_ADDR;
             address = address+IDT_VECTOR_SZ, vector++
         ) 
         {
     printf ("%03d\t%04X\t",vector,(unsigned)address);
     /* Point ES:BX at the vector and read its IP word, then its CS word.
        Each asm statement is separate and declares no clobbers, so the
        compiler is free to reuse AX/BX between them. */
     asm ("PUSH ES;");
     asm ("MOV AX,0;");
     asm ("MOV ES,AX;");             /* ES = selector 0 */
     asm ("MOV EBX,0;");
     asm ("MOV BX,%0"::"r"(address):);
     asm ("MOV AX,ES:[BX]");         /* read IP (offset) word */
     asm ("MOV %0,AX":"=r"(ipAddr)::);  
     asm ("INC BX;");
     asm ("INC BX;");
     asm ("MOV AX,ES:[BX]");         /* read CS (segment) word */
     asm ("MOV %0,AX":"=r"(csAddr):);
     asm ("POP ES");

     printf ("[CS:IP]=[%04X,%04X]\n",csAddr,ipAddr);
     }
     return 0;
}

I am using Windows 7 64 bits. I want to understand why this code doesn't work. I'm getting the "Access violation reading location 0x00000000" error, which makes sense to me because Windows uses paging to access memory, so I don't know why the book tells you that you can run that code on Windows 7, if Windows runs in protected mode and that code needs real mode. So my question is: can I access the IVT in Windows 7, 64 bits? Or is the book definitely wrong, because it should specify that that code won't run on Windows 7, 32 or 64 bits? Any help is welcome. Thanks a lot for your time. Cheers!! :D


Solution

  • No, you cannot do that on Windows without writing a kernel-mode driver, because you're running in long mode (the 64-bit extension of protected mode). What you are asking to do is impossible in user mode.

    From the linked blog post from Raymond Chen:

    Windows NT didn't have a lot of stuff at low addresses. The only thing that was already there was a PAGE_NOACCESS page mapped at zero in order to catch null pointer accesses.

    Basically, the OS puts a PAGE_NOACCESS page down at the addresses where the IVT would be, to catch dumb programming mistakes. That said, it's impossible because you're in a virtual address space and have no physical access to that section of physical memory.
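As an added example (not code from the question, the answer, or the Rootkit Arsenal book): once a copy of physical page 0 has been obtained by a privileged route such as the kernel-mode driver the answer mentions, decoding the table is ordinary C and needs no inline assembly. The decoder below assumes only a byte buffer as input; the sample image, its CS:IP values and the names ivt_decode / ivt_sample_image / sample_linear are constructed for this illustration and do not come from any real machine.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Real-mode IVT layout: 256 vectors x 4 bytes at physical address 0.
   Each vector is a little-endian IP (offset) word followed by a CS
   (segment) word; the handler's linear address is CS * 16 + IP. */
#define IVT_BASE      0x0000u
#define IVT_ENTRIES   256u
#define IVT_VECTOR_SZ 4u
#define IVT_SIZE      (IVT_ENTRIES * IVT_VECTOR_SZ)   /* 1024 bytes */

struct ivt_entry {
    uint16_t ip;
    uint16_t cs;
    uint32_t linear;   /* 20-bit real-mode address of the handler */
};

/* Decode one vector from a buffer holding a copy of physical memory that
   starts at address 0 (obtained by whatever privileged means the platform
   requires; on Windows that is a kernel-mode driver, as the answer says).
   Returns 0 on success, -1 for a bad vector or a buffer too short for it. */
int ivt_decode(const uint8_t *mem, size_t len, unsigned vector,
               struct ivt_entry *out)
{
    size_t off;
    if (mem == NULL || out == NULL || vector >= IVT_ENTRIES)
        return -1;
    off = IVT_BASE + (size_t)vector * IVT_VECTOR_SZ;
    if (len < off + IVT_VECTOR_SZ)
        return -1;
    out->ip = (uint16_t)(mem[off] | (mem[off + 1] << 8));
    out->cs = (uint16_t)(mem[off + 2] | (mem[off + 3] << 8));
    out->linear = ((uint32_t)out->cs << 4) + out->ip;
    return 0;
}

/* Inverse of ivt_decode: write one vector into an IVT image. */
static void ivt_put(uint8_t *mem, unsigned vector, uint16_t cs, uint16_t ip)
{
    size_t off = IVT_BASE + (size_t)vector * IVT_VECTOR_SZ;
    mem[off]     = (uint8_t)(ip & 0xFF);
    mem[off + 1] = (uint8_t)(ip >> 8);
    mem[off + 2] = (uint8_t)(cs & 0xFF);
    mem[off + 3] = (uint8_t)(cs >> 8);
}

/* Constructed sample image of the first 1 KiB of physical memory. The
   CS:IP values are made up for this example. Unused vectors stay 0000:0000. */
void ivt_sample_image(uint8_t *mem, size_t len)
{
    memset(mem, 0, len);
    if (len < IVT_SIZE)
        return;
    ivt_put(mem, 0x08, 0xF000, 0xFEA5);  /* timer tick */
    ivt_put(mem, 0x10, 0xF000, 0xF065);  /* video services */
    ivt_put(mem, 0x13, 0xF000, 0xE3FE);  /* disk services */
    ivt_put(mem, 0x21, 0x0070, 0x1234);  /* a hooked software interrupt */
}

/* Linear address of a vector in the sample image, or 0xFFFFFFFF if it
   cannot be decoded (out-of-range vector). */
uint32_t sample_linear(unsigned vector)
{
    uint8_t mem[IVT_SIZE];
    struct ivt_entry e;
    ivt_sample_image(mem, sizeof mem);
    if (ivt_decode(mem, sizeof mem, vector, &e) != 0)
        return 0xFFFFFFFFu;
    return e.linear;
}

/* Bounds check: with only 8 bytes of memory, vector 1 still decodes but
   vector 2 must be refused. Returns 1 if the decoder behaves that way. */
int sample_truncated_ok(void)
{
    uint8_t mem[IVT_SIZE];
    struct ivt_entry e;
    ivt_sample_image(mem, sizeof mem);
    return ivt_decode(mem, 8, 1, &e) == 0 && ivt_decode(mem, 8, 2, &e) != 0;
}

/* Same report as the book's loop, driven from the image rather than a
   direct ES:[BX] read, which is what faults under Windows. */
int main(void)
{
    uint8_t mem[IVT_SIZE];
    struct ivt_entry e;
    unsigned v;

    ivt_sample_image(mem, sizeof mem);
    printf("Vector\tCS:IP\t\tLinear\n");
    for (v = 0; v < IVT_ENTRIES; v++) {
        if (ivt_decode(mem, sizeof mem, v, &e) == 0 && e.linear != 0)
            printf("%03u\t%04X:%04X\t%05X\n", v, e.cs, e.ip, e.linear);
    }
    return 0;
}
```

The decoder is deliberately separate from the code that obtains the memory: the hard part on Windows 7 is getting a copy of physical page 0 at all, and that has to happen in a driver; the table format itself is trivial once the bytes are in hand.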