Int 2Ah - KiGetTickCount
ReWolf^HTB
http://www.rewolf.prv.pl
Date: 16.III.2007

I. BACKGROUND

Everybody knows that GetTickCount is often used as an anti-debug trick, and everybody has patched that function at some point. There is a ring0 equivalent called KiGetTickCount... and it can be called from user mode.

II. DESCRIPTION

KiGetTickCount is not exported by ntoskrnl.exe; it lies inside the _BBT_Exclude_Trap_Code_Begin region. However, it is the handler for interrupt 2Ah, which can be invoked from user mode.

kd> !idt 2a
Dumping IDT:
2a: 804deb92 nt!KiGetTickCount

nt!KiGetTickCount:
804deb92 cmp dword ptr [esp+4],1Bh
804deb97 jne nt!KiGetTickCount+0x19 (804debab)
804deb99 mov eax,dword ptr cs:[nt!KeTickCount (80551280)]
804deb9f mul eax,dword ptr cs:[nt!ExpTickCountMultiplier (805617bc)]
804deba6 shrd eax,edx,18h
804debaa iretd

The body of KiGetTickCount is almost identical to GetTickCount: it multiplies KeTickCount by ExpTickCountMultiplier and shifts the 64-bit product right by 24 bits. Note that the handler first checks that the CS selector on the interrupt frame is 1Bh (the user-mode code selector) and takes the jne branch otherwise. So if you want to measure code execution time, use int 2Ah instead of GetTickCount. Int 2Ah returns "the number of milliseconds that have elapsed since the system was started" in the eax register; it also clobbers edx (the high half of the mul result).

tested on Windows XP Pro sp2

III. END

comments, suggestions, job opportunities: rewolf@poczta.onet.pl
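Added example (not part of the original text): a C model of the handler's arithmetic and CS guard shown in the disassembly above, so an analyst can check what value a given KeTickCount and multiplier produce. The multiplier value is a constructed sample (the tick interval in milliseconds as 8.24 fixed point, here for a 15.625 ms tick); the "not handled" result for a non-user CS is this model's own convention, since the dump does not show the body at +0x19.

```c
#include <stdint.h>
#include <stdio.h>

/* Ring-3 code segment selector on 32-bit Windows XP; the handler compares the
 * CS pushed on the interrupt frame against this value (cmp [esp+4],1Bh). */
#define USER_CS 0x1B

/* Constructed sample multiplier: tick interval in ms as 8.24 fixed point,
 * i.e. 15.625 * 2^24 for a 15.625 ms clock tick. */
#define TICK_MULT_15_625MS 262144000u

/* Reproduces the handler's arithmetic: mul gives a 64-bit product in edx:eax,
 * shrd eax,edx,18h keeps the low 32 bits of (product >> 24). */
uint32_t ticks_to_ms(uint32_t ke_tick_count, uint32_t multiplier)
{
    uint64_t product = (uint64_t)ke_tick_count * multiplier;
    return (uint32_t)(product >> 24);   /* truncation = the 49.7-day wrap */
}

/* Models the guard: only a frame whose CS is the user-mode selector reaches
 * the tick-count path. Returns the ms value, or -1 when the jne branch at
 * +0x19 would be taken (its body is not shown in the dump, so it is not
 * modelled beyond "not handled here"). */
int64_t ki_get_tick_count_model(uint32_t frame_cs, uint32_t ke_tick_count,
                                uint32_t multiplier)
{
    if (frame_cs != USER_CS)
        return -1;
    return (int64_t)ticks_to_ms(ke_tick_count, multiplier);
}

int main(void)
{
    /* 64 ticks of 15.625 ms = exactly 1000 ms */
    printf("user CS:   eax = %lld ms\n",
           (long long)ki_get_tick_count_model(USER_CS, 64, TICK_MULT_15_625MS));
    /* a kernel-mode CS (0x08) does not take the fast path */
    printf("kernel CS: %lld (jne branch taken)\n",
           (long long)ki_get_tick_count_model(0x08, 64, TICK_MULT_15_625MS));
    return 0;
}
```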