A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #10868  by Kiuhnm
 Fri Jan 06, 2012 12:44 pm
I was reading about IDT hooking (I like to read interesting books from cover to cover) when I came across this snippet of code:
cli                              ; mask interrupts while the gate descriptor is half-written
lea  eax, KiSystemServiceHook    ; eax = linear address of the replacement INT 2Eh handler
mov  ebx, int2eDescriptor        ; ebx -> the 8-byte gate descriptor for INT 2Eh inside the IDT

mov  [ebx], ax                   ; bytes 0-1 of the gate: low 16 bits of the handler offset
shr  eax, 16
mov  [ebx+6], ax                 ; bytes 6-7 of the gate: high 16 bits of the handler offset

lidt idtr                        ; reload IDTR from the 6-byte base/limit saved earlier with SIDT
sti
It basically patches an IDT descriptor and then reloads IDTR with the *same* value (previously read with SIDT). I'm not sure that "LIDT IDTR" is needed. There is no TLB-like structure for IDT tables, AFAIK. I wasn't able to find anything in the Intel manuals.
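Added illustration (this is not code from the original post or from the book being quoted): the snippet above stores the two halves of the handler address into bytes 0-1 and 6-7 of a 32-bit gate descriptor. The CPU fetches that 8-byte descriptor from memory each time the vector is delivered; IDTR itself only holds the table's base and limit, which is what LIDT reloads. The C program below decodes a gate descriptor the way an integrity checker or forensic tool reading an IDT dump would, and flags a present gate whose handler address lies outside an expected kernel image range. The descriptor bytes and the kernel range are constructed sample values, and the helper names are my own.

```c
#include <stdint.h>
#include <stdio.h>

/* Decoded view of a 32-bit IDT gate descriptor (8 bytes, Intel SDM vol. 3 layout). */
typedef struct {
    uint32_t offset;    /* handler linear address: bytes 0-1 (low half), 6-7 (high half) */
    uint16_t selector;  /* code segment selector: bytes 2-3 */
    uint8_t  type;      /* gate type, bits 0-3 of byte 5 (0xE = 32-bit interrupt gate) */
    uint8_t  dpl;       /* descriptor privilege level, bits 5-6 of byte 5 */
    uint8_t  present;   /* present bit, bit 7 of byte 5 */
} idt_gate;

/* Parse the raw 8-byte descriptor exactly as the CPU lays it out in memory. */
idt_gate parse_idt_gate(const uint8_t d[8]) {
    idt_gate g;
    uint16_t lo = (uint16_t)(d[0] | (d[1] << 8));
    uint16_t hi = (uint16_t)(d[6] | (d[7] << 8));
    g.offset   = ((uint32_t)hi << 16) | lo;
    g.selector = (uint16_t)(d[2] | (d[3] << 8));
    g.type     = d[5] & 0x0F;
    g.dpl      = (d[5] >> 5) & 0x03;
    g.present  = (d[5] >> 7) & 0x01;
    return g;
}

/* Integrity check: a present gate whose handler is outside the kernel image
 * range [img_lo, img_hi) is reported as modified. Returns 1 if suspicious, 0 otherwise. */
int gate_is_suspicious(const idt_gate *g, uint32_t img_lo, uint32_t img_hi) {
    if (!g->present) return 0;
    return (g->offset < img_lo || g->offset >= img_hi) ? 1 : 0;
}

/* Convenience wrapper: decode raw bytes and run the range check in one call. */
int check_gate_bytes(const uint8_t d[8], uint32_t img_lo, uint32_t img_hi) {
    idt_gate g = parse_idt_gate(d);
    return gate_is_suspicious(&g, img_lo, img_hi);
}

/* Constructed sample: a gate with handler 0x8053C4A0, selector 0x08,
 * 32-bit interrupt gate (type 0xE), DPL 3, present. Byte 5 = 0xEE = P|DPL3|type E. */
static const uint8_t SAMPLE_GATE_OK[8]         = {0xA0, 0xC4, 0x08, 0x00, 0x00, 0xEE, 0x53, 0x80};
/* Constructed sample: the same gate with its offset rewritten to 0xF8A01230,
 * which falls outside the constructed kernel range below. */
static const uint8_t SAMPLE_GATE_REDIRECTED[8] = {0x30, 0x12, 0x08, 0x00, 0x00, 0xEE, 0xA0, 0xF8};

/* Constructed kernel image range used by the check (not a real load address). */
#define KERNEL_LO 0x80400000u
#define KERNEL_HI 0x80800000u

int main(void) {
    idt_gate a = parse_idt_gate(SAMPLE_GATE_OK);
    idt_gate b = parse_idt_gate(SAMPLE_GATE_REDIRECTED);
    printf("gate A: offset=%08x sel=%04x type=%x dpl=%u p=%u suspicious=%d\n",
           a.offset, a.selector, a.type, a.dpl, a.present,
           gate_is_suspicious(&a, KERNEL_LO, KERNEL_HI));
    printf("gate B: offset=%08x sel=%04x type=%x dpl=%u p=%u suspicious=%d\n",
           b.offset, b.selector, b.type, b.dpl, b.present,
           gate_is_suspicious(&b, KERNEL_LO, KERNEL_HI));
    return 0;
}
```

The split offset is the reason the snippet writes at [ebx] and [ebx+6] rather than a single dword: bytes 2-5 carry the selector, a zero byte and the type/DPL/present byte, so a checker that reassembles the offset from both halves and compares it against the kernel image range sees the change regardless of whether LIDT was executed afterwards.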
 #10879  by xdeadcode
 Fri Jan 06, 2012 6:51 pm
Hi Kiuhnm,

Depends on what you want to hook.
If you want to hook the entire IDT table, then you need lidt; if you're hooking a single service, then using the VS intrinsic or asm with the sidt instruction should be enough.