
xp下sysenter hook-RDMSR-WRMSR

2008-04-16 15:46 330 查看
1. 关于sysenter sysexit wrmsr rdmsr请看cpu手册
P4_IA32 Intel Architecture Software Developer's Manual
24547110.pdf
page 3-763

2.xp初始化流程
KeInitSystem->KiInitMachineDependent->KiRestoreFastSyscallReturnState->KiLoadFastSyscallMachineSpecificRegisters->WRMSR

.text:00439A80
.text:00439A80 ; ═══════════════ S U B R O U T I N E ═══════════════════════════════════════
.text:00439A80
.text:00439A80
.text:00439A80 ; __stdcall KiLoadFastSyscallMachineSpecificRegisters(x)
.text:00439A80 ; Programs the three SYSENTER MSRs of the processor this runs on. Each
.text:00439A80 ; WRMSR(index, low, high) call below pushes its arguments right to left:
.text:00439A80 ;   174h (IA32_SYSENTER_CS)  <- 8                 kernel code selector
.text:00439A80 ;   176h (IA32_SYSENTER_EIP) <- _KiFastCallEntry  kernel entry for SYSENTER
.text:00439A80 ;   175h (IA32_SYSENTER_ESP) <- [esi+868h]        kernel stack for SYSENTER
.text:00439A80 ; Skipped entirely when _KiFastSystemCallIsIA32 is 0. MSRs are
.text:00439A80 ; per-logical-processor, so a check that 176h still points at
.text:00439A80 ; _KiFastCallEntry has to read the MSR on every processor.
.text:00439A80 _KiLoadFastSyscallMachineSpecificRegisters@4 proc near
.text:00439A80 ; DATA XREF: KiRestoreFastSyscallReturnState()+31o
.text:00439A80 8B FF mov edi, edi ; 2-byte hot-patch nop
.text:00439A82 56 push esi ; esi is callee-saved
.text:00439A83 db 3Eh ; DS segment-override prefix of the next instruction
.text:00439A83 3E A1 20 F0 DF FF mov eax, ds:0FFDFF020h ; presumably KPCR.Prcb (KPCR lives at FFDFF000h on 32-bit XP) - confirm
.text:00439A89 80 3D FC 20 48 00 00 cmp ds:_KiFastSystemCallIsIA32, 0
.text:00439A90 8B F0 mov esi, eax ; esi = pointer loaded above; survives the calls below
.text:00439A92 74 31 jz short loc_439AC5 ; fast system call not in use: nothing to program
.text:00439A94 6A 00 push 0 ; high dword
.text:00439A96 6A 08 push 8 ; low dword: selector 8
.text:00439A98 68 74 01 00 00 push 174h ; IA32_SYSENTER_CS
.text:00439A9D E8 2B 00 00 00 call _WRMSR@12 ; WRMSR(x,x,x)
.text:00439AA2 6A 00 push 0 ; high dword
.text:00439AA4 68 F0 76 40 00 push offset _KiFastCallEntry ; low dword: kernel SYSENTER entry point
.text:00439AA9 68 76 01 00 00 push 176h ; IA32_SYSENTER_EIP
.text:00439AAE E8 1A 00 00 00 call _WRMSR@12 ; WRMSR(x,x,x)
.text:00439AB3 6A 00 push 0 ; high dword
.text:00439AB5 FF B6 68 08 00 00 push dword ptr [esi+868h] ; low dword: presumably a per-processor kernel stack pointer kept in the PRCB - confirm
.text:00439ABB 68 75 01 00 00 push 175h ; IA32_SYSENTER_ESP
.text:00439AC0 E8 08 00 00 00 call _WRMSR@12 ; WRMSR(x,x,x)
.text:00439AC5
.text:00439AC5 loc_439AC5: ; CODE XREF: KiLoadFastSyscallMachineSpecificRegisters(x)+12j
.text:00439AC5 5E pop esi
.text:00439AC6 C2 04 00 retn 4 ; __stdcall: pops the single dword argument (never read in this body)
.text:00439AC6 _KiLoadFastSyscallMachineSpecificRegisters@4 endp
.text:00439AC6

.text:00439AC9
.text:00439AC9 ; ═══════════════ S U B R O U T I N E ═══════════════════════════════════════
.text:00439AC9
.text:00439AC9
.text:00439AC9 ; __fastcall RDMSR(x)
.text:00439AC9 ; Thin wrapper around the privileged RDMSR instruction (CPL 0 only).
.text:00439AC9 ; In:  ecx = MSR index (the __fastcall first argument already sits in ecx)
.text:00439AC9 ; Out: edx:eax = 64-bit MSR value (eax = low dword, edx = high dword)
.text:00439AC9 @RDMSR@4 proc near ; CODE XREF: KiLoadMTRR(x)+53p
.text:00439AC9 ; KdpSysReadMsr(x,x)+14p ...
.text:00439AC9 0F 32 rdmsr
.text:00439ACB C3 retn ; no stack cleanup: the only argument travelled in ecx
.text:00439ACB @RDMSR@4 endp
.text:00439ACB
.text:00439ACB ; ───────────────────────────────────────────────────────────────────────────

.text:00439ACD
.text:00439ACD ; ═══════════════ S U B R O U T I N E ═══════════════════════════════════════
.text:00439ACD
.text:00439ACD
.text:00439ACD ; __stdcall WRMSR(x,x,x)
.text:00439ACD ; WRMSR(index, low, high): writes the 64-bit value high:low to MSR 'index'.
.text:00439ACD ; Privileged (CPL 0). Only the processor executing it is affected.
.text:00439ACD _WRMSR@12 proc near ; CODE XREF: KiLoadFastSyscallMachineSpecificRegisters(x)+1Dp
.text:00439ACD ; KiLoadFastSyscallMachineSpecificRegisters(x)+2Ep ...
.text:00439ACD
.text:00439ACD arg_0 = dword ptr 4 ; MSR index
.text:00439ACD arg_4 = dword ptr 8 ; low dword of the value
.text:00439ACD arg_8 = dword ptr 0Ch ; high dword of the value
.text:00439ACD
.text:00439ACD 8B 4C 24 04 mov ecx, [esp+arg_0] ; ecx = MSR index
.text:00439AD1 8B 44 24 08 mov eax, [esp+arg_4] ; eax = low 32 bits
.text:00439AD5 8B 54 24 0C mov edx, [esp+arg_8] ; edx = high 32 bits
.text:00439AD9 0F 30 wrmsr
.text:00439ADB C2 0C 00 retn 0Ch ; __stdcall: pop the three dword arguments
.text:00439ADB _WRMSR@12 endp
.text:00439ADB

INIT:005EBD9D ; ═══════════════ S U B R O U T I N E ═══════════════════════════════════════
INIT:005EBD9D
INIT:005EBD9D
INIT:005EBD9D ; __stdcall KiAmdK6InitializeMTRR()
INIT:005EBD9D ; Shown here as a second caller of RDMSR: it demonstrates the ecx = index,
INIT:005EBD9D ; edx:eax = value contract. Resets the AMD K6 MTRR bookkeeping, then reads
INIT:005EBD9D ; MSR 0C0000085h (cached in _KiAmdK6Mtrr / dword_48176C) while holding
INIT:005EBD9D ; _KiRangeLock and hands each half to KiAmdK6MTRRAddRegionFromHW.
INIT:005EBD9D ; Lives in INIT, i.e. boot-time only.
INIT:005EBD9D _KiAmdK6InitializeMTRR@0 proc near ; CODE XREF: KiInitMachineDependent():loc_5E3783p
INIT:005EBD9D 83 25 68 17 48 00 FC and ds:_KiAmdK6Mtrr, 0FFFFFFFCh ; clear the low 2 bits of both cached halves
INIT:005EBDA4 83 25 6C 17 48 00 FC and ds:dword_48176C, 0FFFFFFFCh
INIT:005EBDAB 83 25 70 17 48 00 00 and ds:_AmdMtrrHwUsageCount, 0 ; = 0
INIT:005EBDB2 C7 05 74 17 48 00 02 00+ mov ds:_AmdK6RegionCount, 2
INIT:005EBDBC 33 C0 xor eax, eax ; eax = byte offset into the region table
INIT:005EBDBE
INIT:005EBDBE loc_5EBDBE: ; CODE XREF: KiAmdK6InitializeMTRR()+35j
INIT:005EBDBE ; two 16-byte region entries (eax = 0, 10h): dword at +0 <- -1, dword at +0Ch <- 0
INIT:005EBDBE 83 88 80 17 48 00 FF or ds:_AmdK6Regions[eax], 0FFFFFFFFh
INIT:005EBDC5 83 A0 8C 17 48 00 00 and ds:dword_48178C[eax], 0
INIT:005EBDCC 83 C0 10 add eax, 10h
INIT:005EBDCF 83 F8 20 cmp eax, 20h
INIT:005EBDD2 72 EA jb short loc_5EBDBE ; unsigned compare on an offset
INIT:005EBDD4 53 push ebx ; callee-saved; holds the old IRQL below
INIT:005EBDD5 56 push esi ; callee-saved; holds the lock address below
INIT:005EBDD6 BE BC 17 48 00 mov esi, offset _KiRangeLock
INIT:005EBDDB 56 push esi ; SpinLock
INIT:005EBDDC E8 E3 77 E1 FF call _KeInitializeSpinLock@4 ; KeInitializeSpinLock(x)
INIT:005EBDE1 8B CE mov ecx, esi ; SpinLock
INIT:005EBDE3 FF 15 C8 05 40 00 call ds:__imp_@KfAcquireSpinLock@4 ; __declspec(dllimport) KfAcquireSpinLock(x)
INIT:005EBDE9 B9 85 00 00 C0 mov ecx, 0C0000085h ; ecx = MSR index for the RDMSR call below
INIT:005EBDEE 8A D8 mov bl, al ; bl = previous IRQL returned by KfAcquireSpinLock
INIT:005EBDF0 E8 D4 DC E4 FF call @RDMSR@4 ; RDMSR(x)
INIT:005EBDF5 50 push eax ; low half -> argument of the first call below
INIT:005EBDF6 A3 68 17 48 00 mov ds:_KiAmdK6Mtrr, eax ; cache low half
INIT:005EBDFB 89 15 6C 17 48 00 mov ds:dword_48176C, edx ; cache high half
INIT:005EBE01 E8 49 CD F9 FF call _KiAmdK6MTRRAddRegionFromHW@4 ; KiAmdK6MTRRAddRegionFromHW(x)
INIT:005EBE06 FF 35 6C 17 48 00 push ds:dword_48176C ; high half -> second call
INIT:005EBE0C E8 3E CD F9 FF call _KiAmdK6MTRRAddRegionFromHW@4 ; KiAmdK6MTRRAddRegionFromHW(x)
INIT:005EBE11 8B CE mov ecx, esi ; fastcall arg 1: SpinLock
INIT:005EBE13 5E pop esi
INIT:005EBE14 8A D3 mov dl, bl ; fastcall arg 2: IRQL to restore
INIT:005EBE16 5B pop ebx
INIT:005EBE17 FF 25 C4 05 40 00 jmp ds:__imp_@KfReleaseSpinLock@8 ; __declspec(dllimport) KfReleaseSpinLock(x,x)
INIT:005EBE17 ; tail call: KfReleaseSpinLock returns directly to this routine's caller
INIT:005EBE17 _KiAmdK6InitializeMTRR@0 endp
INIT:005EBE17
INIT:005EBE17 ; ───────────────────────────────────────────────────────────────────────────

3. 部分代码,感谢vxk
Hook FastCall
这个太困难了,通过替换MSR_SYSENTER_EIP寄存器的内容,使得系统发出SYSENTER指令后,进入我们自己预设好的处理代码中,
而不是系统原有的KiFastCallEntry例程。
抄了一些wowocock的代码
看代码吧,具体的说明:
; Storage for the original IA32_SYSENTER_EIP (MSR 176h) value: written by
; GetMSR_EIP, read by mySYSENTER_Proc to chain back to the kernel's own entry.
RawMSR_SYSENTER_EIP DD 0
; The run of instructions below is an excerpt from a larger routine. It assumes
; ebp holds the module's load delta (everything is addressed as [ebp+offset X])
; and that _MmLockPagableDataSection / _MmLockPagableCodeSection are import
; addresses stored in a delta-relative table. Neither is set up in this excerpt.
lea ebx,[ebp+offset RawMSR_SYSENTER_EIP]
push ebx
Call [ebp+_MmLockPagableDataSection] ; lock the section holding RawMSR_SYSENTER_EIP in memory
lea ebx,[ebp+offset mySYSENTER_Proc]
push ebx
Call [ebp+_MmLockPagableCodeSection] ; lock the section holding the handler in memory
Call GetMSR_EIP ; save the current MSR 176h value
Call SetMSR_EIP ; install mySYSENTER_Proc as the SYSENTER entry point

; Called by mySYSENTER_Proc on every SYSENTER, on the ring-0 stack it set up.
; Interrupts are still disabled at this point: SYSENTER clears IF and nothing
; re-enables it before this call. Empty placeholder in the post.
TestProc proc
; the caller's own handling goes here
TestProc endp

; Entry point installed in IA32_SYSENTER_EIP (MSR 176h). Reached directly by
; the SYSENTER instruction with CS/EIP taken from MSRs 174h/176h. eax/edx are
; left as user mode loaded them (pushad/popad) - presumably the values
; KiFastCallEntry expects when this routine chains to it at the end.
; The Local below may make MASM emit a frame prologue; see the ebp note at the end.
mySYSENTER_Proc Proc ; entered on every SYSENTER once MSR 176h has been rewritten
Local tr:word ; receives the task-register selector

; Rebuild the ring-0 stack pointer from the current TSS. The esp that SYSENTER
; loaded from MSR 175h is not used.
sgdt gdt ; gdt: 6-byte GDTR image (limit:16, base:32); declared outside this excerpt
str word ptrmovzx ecx,tr ; NOTE(review): two instructions are run together on the page (a 'str' into tr, then 'movzx ecx,tr')
add ecx,gdt.GdtBase ; ecx -> TSS descriptor in the GDT (assumes the selector's TI/RPL bits are zero)
mov esp,dword ptr[ecx+2] ; descriptor bytes 2..4 = base bits 0..23
and esp,0ffffffh
mov ecx,dword ptr[ecx+4] ; descriptor byte 7 = base bits 24..31
and ecx,0ff000000h
or esp,ecx ; esp -> TSS
mov esp,dword ptr[esp+4] ; TSS.ESP0 = ring-0 stack pointer

pushad ; saves eax..edi as of entry; popad below does not restore esp
pushfd
push fs
mov bx,30h ; XP's kernel-mode FS selector (the KPCR), as KiFastCallEntry also loads it
mov fs,bx
push ds ; DS/ES are saved but not reloaded: TestProc runs with whatever data selectors user mode left
push es

call TestProc;

pop es
pop ds
pop fs
popfd
popad
; NOTE(review): ebp here is whatever popad restored - its value at entry, or the
; frame pointer if MASM generated a prologue for Local - and is not obviously the
; module delta that GetMSR_EIP used to address RawMSR_SYSENTER_EIP. Verify before
; relying on this chain-back.
jmp [ebp+offset RawMSR_SYSENTER_EIP]; ; continue at the saved original entry (KiFastCallEntry)

mySYSENTER_Proc Endp

;*********************************************************
; Read MSR[ECX]; here MSR 176h (IA32_SYSENTER_EIP). Only the low
; dword (eax) is stored into RawMSR_SYSENTER_EIP; the high half in
; edx is discarded. Reads the MSR of the current processor only.
; All registers are preserved (pushad/popad). Requires CPL 0.
;*********************************************************
GetMSR_EIP proc
pushad
mov ecx,176h ; SYSENTER_EIP_MSR 176h
RDMSR ; edx:eax = MSR[ecx]
mov [ebp+offset RawMSR_SYSENTER_EIP],eax ; ebp = module delta, set up by the caller
popad
ret
GetMSR_EIP Endp
;*****************************************************
; Write MSR[ECX]; here MSR 176h (IA32_SYSENTER_EIP) <- address of
; mySYSENTER_Proc (edx:eax = 0:address). Done with interrupts off; STI
; then re-enables them unconditionally (the previous IF state is not saved).
; WRMSR only changes the processor it executes on, so any check for this
; kind of redirection has to read MSR 176h on every processor, not just the
; one the check happens to run on.
;*****************************************************

SetMSR_EIP Proc
pushad
CLI ; no interrupt between forming the new value and the WRMSR
xor edx,edx ; high dword = 0
lea eax,[ebp+offset mySYSENTER_Proc] ; low dword = handler address (ebp = module delta)
mov ecx,176h ; IA32_SYSENTER_EIP
WRMSR
STI
popad
ret
SetMSR_EIP Endp