Trapping CPU IRQ

Discussion in 'Windows Vista Drivers' started by Raymond, Jul 8, 2003.

  1. Raymond

    Raymond Guest

    Hi

    I was wondering whether you can use a driver to trap IRQs
    coming from the CPU itself (i.e. treating the CPU as the
    device).

    And if you can, how to check whether, or ensure that, your
    driver is the top level, and is the first to handle the
    interrupt?

    In particular, I want to trap Int 1 generated from a single
    step exception.

    This is for a copy protection routine I am working on. I
    am trying to figure out a good way to write polymorphic
    code that decrypts line by line. I have done this in DOS,
    and seen it done in Win9x, but I am wondering whether it
    is possible with NT/2k/XP. I know you can start a debugger
    process to do it, but that still doesn't escape S-ICE.
     
    Raymond, Jul 8, 2003
    #1

  2. Raymond

    Ramboii Guest

    Raymond,
    A kernel debugger is loaded ahead of your driver, that means it's at the top
    level.

    You cannot intercept the debugger INT 1, which is a single-step interrupt
    generated indirectly by the hacker. You can prevent the hacker from snooping
    around by using the timer and a few routines to measure the difference in
    milliseconds between each pass. If the delay has been greater than your
    normal operation, then make your SW confuse the hacker by going through a
    different path or rebooting the system; that will stop the hacker. In my
    opinion, this is less risky than playing with the IDT table.

    Good luck

    Ramboii
     
    Ramboii, Jul 9, 2003
    #2

  3. Please, keep doing this and thinking it really accomplishes something. If
    the hacker sees a time delay routine test, all they have to do is change the
    registers to be more acceptable. It will cause the hacker to work a little
    harder, but with Windbg and a good disassembler, why bother? One solution
    is the Microsoft solution: make the app so big that no one can spend the
    time to reverse engineer it.
     
    David J. Craig, Jul 9, 2003
    #3
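
The timing check suggested in post #2, sketched as an added example that is not code from any poster in this thread. All names are hypothetical, the traces are constructed, and the caller is assumed to supply readings from a monotonic clock; requiring consecutive slow passes keeps one preempted pass from triggering the reaction.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* All names here are hypothetical; nothing below comes from the thread. */
typedef struct {
    uint64_t last_ns;     /* timestamp of the previous checkpoint */
    uint64_t budget_ns;   /* longest gap between passes treated as normal */
    unsigned strikes;     /* consecutive over-budget gaps seen so far */
    unsigned max_strikes; /* over-budget gaps in a row needed to flag */
    int armed;            /* 0 until the first checkpoint sets last_ns */
} pass_timer;

/* Constructed traces in ns: passes normally ~1 ms apart. */
static const uint64_t NORMAL[]  = { 0, 1000000, 2000000, 9000000, 10000000 };
static const uint64_t STEPPED[] = { 0, 1000000, 900000000, 1900000000 };

/* Feed one timestamp from a monotonic clock. Returns 1 once max_strikes
 * consecutive gaps exceed the budget; a single slow pass (preemption,
 * page fault) is cleared by the next normal pass and is not flagged. */
static int pass_timer_checkpoint(pass_timer *t, uint64_t ts_ns)
{
    if (!t->armed) {
        t->armed = 1;
        t->last_ns = ts_ns;
        return 0;
    }
    /* A clock that steps backwards yields gap 0 rather than a huge value. */
    uint64_t gap = ts_ns >= t->last_ns ? ts_ns - t->last_ns : 0;
    t->last_ns = ts_ns;
    t->strikes = gap > t->budget_ns ? t->strikes + 1 : 0;
    return t->strikes >= t->max_strikes;
}

/* Replay a trace; return index of the first flagged checkpoint, or -1. */
static long first_flag(const uint64_t *ts, size_t n,
                       uint64_t budget_ns, unsigned max_strikes)
{
    pass_timer t = { 0, budget_ns, 0, max_strikes, 0 };
    for (size_t i = 0; i < n; i++)
        if (pass_timer_checkpoint(&t, ts[i]))
            return (long)i;
    return -1;
}

int main(void)
{
    printf("normal:  %ld\n", first_flag(NORMAL, 5, 5000000, 2));  /* 5 ms budget */
    printf("stepped: %ld\n", first_flag(STEPPED, 4, 5000000, 2));
    return 0;
}
```

The result is a single comparison, so the objection in post #3 still applies to it.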
  4. Raymond

    Skywing Guest

    Just because a program is large doesn't mean it'd be more difficult for a
    hacker to reverse engineer the *parts needed to accomplish his task* -- Joe
    Hacker won't have to reverse engineer your entire program to do what he
    wants, typically, just a small portion of it.
     
    Skywing, Jul 10, 2003
    #4