i have a driver code havin an assembly code that is using _asm (inline assembly) its working fine when i am compiling in 32 bit WDK but it throw following error:
"error C4235: nonstandard extension used : '_asm' keyword not supported on this architecture"
please convert following _asm code for 64 bit compilation.
_asm
{
mov ebx, cr0
push ebx
and ebx, ~010000h
mov cr0, ebx
sti
}
I was use __writecr0() to set cr0 value but how can i set interrupt flag (sti) in x64 windows driver? I have This Function
VOID RunHook(ULONG Service_Index,PVOID NewAddress,ULONG *OldAddress){
ULONG Address;
DbgPrint("RunHook - NewAddress:0x%00X - Service_Index:0x%0X",NewAddress,Service_Index);
Address = (ULONG)KeServiceDescriptorTable->ServiceTableBase + Service_Index * 4;
*OldAddress = *(ULONG*)Address;
/*__asm
{
cli
mov eax, cr0
and eax, not 10000h
mov cr0, eax
}*/
__writecr0(__readcr0() & ~0x10000);
// ÐÞ¸ÄSSDTÖÐNtOpenProcess·þÎñµÄµØÖ·
*((ULONG*)Address) = (ULONG)NewAddress;
__asm
{
mov eax, cr0
or eax, 10000h
mov cr0, eax
sti
}}
From MASM for x64 in the Visual Studio 2013 documentation:
I don't believe that there is any supported way to manipulate the interrupt flag, because by design kernel-mode drivers are Always Preemptible and Always Interruptible, so to do that you'll need to put the code in a separate module and use MASM.
However, there's little point; in 64-bit Windows, Kernel Patch Protection prevents you from modifying the service tables. You can only hook API calls at the application level, as described in the comments by Havenard.