Int 2Ah - KiGetTickCount
ReWolf^HTB
http://www.rewolf.prv.pl
Date: 16.III.2007
I. BACKGROUND
Everybody knows that GetTickCount is often used as an anti-debug trick,
and everybody has patched that function at some point. There is a ring0
equivalent called KiGetTickCount... and it can be called from user mode.
II. DESCRIPTION
KiGetTickCount is not exported by ntoskrnl.exe; it is part of the
_BBT_Exclude_Trap_Code_Begin region. However, it is the handler for
interrupt 2Ah, which we can invoke from user mode:
kd> !idt 2a
Dumping IDT:
2a: 804deb92 nt!KiGetTickCount
nt!KiGetTickCount:
804deb92 cmp dword ptr [esp+4],1Bh
804deb97 jne nt!KiGetTickCount+0x19 (804debab)
804deb99 mov eax,dword ptr cs:[nt!KeTickCount (80551280)]
804deb9f mul eax,dword ptr cs:[nt!ExpTickCountMultiplier (805617bc)]
804deba6 shrd eax,edx,18h
804debaa iretd
The body of KiGetTickCount is almost identical to GetTickCount, so if you
want to measure code execution time you can use int 2Ah instead of
GetTickCount. Int 2Ah returns "the number of milliseconds that have elapsed
since the system was started" in the eax register; it also modifies the edx
register (mul leaves the high half of the product there).
Tested on Windows XP Pro SP2.
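The disassembly above is short enough to reason about exactly. The first instruction compares the saved CS on the interrupt frame with 1Bh, the ring-3 flat code selector, so the fast path is taken for user-mode callers; the remaining three instructions compute (KeTickCount * ExpTickCountMultiplier) >> 24 as a 64-bit product and keep the low 32 bits. The following C program is an added example, not code from the original text: it emulates that arithmetic on the host so you can see why the result matches GetTickCount (same tick counter, same 32-bit wrap), and it adds a defender-side byte scan for the `int 2Ah` encoding (opcode CD 2A), which is how a debugger or unpacker author can spot a timing check that bypasses their user-mode GetTickCount patch. The construction of ExpTickCountMultiplier from KeMaximumIncrement (tick interval in 100 ns units, scaled by 2^24) is an assumption of this example and is not stated on the page; the sample values are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* ASSUMPTION (not from the text): ExpTickCountMultiplier holds the clock
   interrupt interval in milliseconds as 8.24 fixed point, derived from
   KeMaximumIncrement (100 ns units). 156250 * 100 ns = 15.625 ms, and
   15.625 * 2^24 = 262144000. */
static uint32_t tick_count_multiplier(uint32_t ke_maximum_increment_100ns)
{
    /* ms * 2^24 = (increment / 10000) * 2^24 = (increment << 24) / 10000 */
    uint64_t scaled = (uint64_t)ke_maximum_increment_100ns << 24;
    return (uint32_t)(scaled / 10000u);
}

/* Emulates the fast path from the IDT dump:
     mov  eax, [KeTickCount]
     mul  eax, [ExpTickCountMultiplier]   ; edx:eax = 64-bit product
     shrd eax, edx, 18h                   ; eax = bits 24..55 of the product
   The result is elapsed milliseconds truncated to 32 bits, so it wraps
   after about 49.7 days exactly like kernel32!GetTickCount. edx keeps the
   high half of the product, which is why int 2Ah "modifies edx". */
static uint32_t ki_get_tick_count(uint32_t ke_tick_count, uint32_t multiplier)
{
    uint64_t product = (uint64_t)ke_tick_count * multiplier; /* edx:eax */
    return (uint32_t)(product >> 24);                        /* shrd, 18h */
}

/* Detection helper: count `int 2Ah` encodings (CD 2A) in a code buffer.
   A flat byte scan can hit immediates or instruction boundaries by accident,
   so treat a hit as a place to disassemble, not as proof of a timing check. */
static size_t count_int_2a(const uint8_t *code, size_t len)
{
    size_t hits = 0;
    for (size_t i = 0; i + 1 < len; i++)
        if (code[i] == 0xCD && code[i + 1] == 0x2A)
            hits++;
    return hits;
}

/* Constructed sample: nop / int 2Ah / mov ebx,eax / int 2Ah / ret.
   Two int 2Ah sites bracket the code being timed. */
static const uint8_t kSampleCode[] = {
    0x90,             /* nop          */
    0xCD, 0x2A,       /* int 2Ah      */
    0x89, 0xC3,       /* mov ebx, eax */
    0xCD, 0x2A,       /* int 2Ah      */
    0xC3              /* ret          */
};

int main(void)
{
    uint32_t mult = tick_count_multiplier(156250u);        /* 15.625 ms tick */
    printf("ExpTickCountMultiplier = %u\n", mult);
    printf("64 ticks     -> %u ms\n", ki_get_tick_count(64u, mult));
    printf("1 tick       -> %u ms (15.625 truncated)\n", ki_get_tick_count(1u, mult));
    printf("0xFFFFFFFF   -> %u ms (wrapped to 32 bits)\n",
           ki_get_tick_count(0xFFFFFFFFu, mult));
    printf("int 2Ah sites in sample: %zu\n",
           count_int_2a(kSampleCode, sizeof kSampleCode));
    return 0;
}
```

With the assumed 15.625 ms interval, 64 ticks give exactly 1000 ms, a single tick truncates to 15 ms, and the maximum tick count wraps the same way GetTickCount does; the byte scan reports the two call sites in the constructed buffer.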
III. END
comments, suggestions, job opportunities: rewolf@poczta.onet.pl