-
-
[求助]求教XP SP3,WIN7无驱动进入RING0的方法
-
发表于: 2011-4-4 11:49
-
如题,给个相关资料也可以,我试了那个是用调用门得方法,但一运行就出错,下面是我下的一个老外对XP SP2弄的一个使用调用门得方法, __asm call fword ptr [farcall]跑到那就出错,应该就是执行自己写的RING0函数时出错了,有大大知道怎么改成SP3,和WIN7的吗?
#include <windows.h>
#include <stdio.h>
#pragma pack(1)
struct CALL_GATE { WORD addrlo; WORD seg; BYTE arg:5; BYTE u:3; BYTE typ:5; BYTE dpl:2; BYTE pres:1; WORD addrhi; } ;
#define Virtual(a,b,c,d) { struct VIRTUAL{void* A;void* B;DWORD C;}; VIRTUAL v={(void*)(a),b,c}; hr=NtSystemDebugControl(d,&v,sizeof(v),0,0,0); }
void Ring0( DWORD cs, char*& text ) {
text = "Hello World from Ring 0 \n";
__asm mov eax,cr0
__asm leave
__asm retf 4
}
int main() {
LONG (NTAPI *NtSystemDebugControl) (int,void*,DWORD,void*,DWORD,DWORD*);
*(DWORD*) &NtSystemDebugControl =(DWORD)GetProcAddress(LoadLibrary("ntdll"),"NtSystemDebugControl");
TOKEN_PRIVILEGES pv={1},po; pv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED ; HANDLE t; int hr; DWORD no;
// This will enable NtSystemDebugControl usage
hr = LookupPrivilegeValue( 0, SE_DEBUG_NAME, &pv.Privileges[0].Luid );
hr = OpenProcessToken( GetCurrentProcess(), TOKEN_ALL_ACCESS,&t);
hr = AdjustTokenPrivileges( t,0,&pv,sizeof(po),&po, &no);
// This ensures that on multi cpu/core systems we patch the right GDT for right cpu
hr = SetThreadAffinityMask (GetCurrentThread(),1); Sleep(100);
// We read GDT table
LDT_ENTRY gdt[1000]={0}; struct {WORD limit;DWORD base;} gdtr; __asm sgdt gdtr
// Find free spot
Virtual(gdtr.base, &gdt,gdtr.limit,8); for(int gate=1;gate<100;gate++) { if(!gdt[gate].HighWord.Bits.Pres) break; }
// Construct Call Gate pointing to Ring0 proc and write it there
DWORD addr=(DWORD)Ring0; CALL_GATE g={addr&0xffff,8,1,0,12,3,1,addr>>16}; Virtual(gdtr.base+gate*8, &g,8,9);
// Quite ugly way to do far call
WORD farcall[3]={0,0,(gate<<3)}; char* param=0,**p=¶m; long result=0;
// Switch from Ring 3 to Ring 0 is just normal call ;)
__asm push p
__asm call fword ptr [farcall] //0x004ebd55 处未处理的异常: 0xC0000005: 读取位置 0xffffffff 时发生访问冲突
__asm mov result, eax
// Cleanup Call Gate from GDT
__int64 c=0; Virtual(gdtr.base+gate*8, &c,8,9);
printf("\n %s\n CR0 = %X ",param,result); getchar();
return 0;
}
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
|
|
|---|---|
|
|
一直不明白,你们说的R3进R0是指像int 3 一样进入R0呢 还是说在R3进R0执行代码
|
|
|
 是在R3进R0执行代码呢,进去不执行代码做神马啊
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
