Ring0Fun proc
pushad
pushfd
cli
invoke DbgPrint, $CTA0("mycallgate function executed\n")
;add your code here, you can do anything if you like.
sti
popfd
popad
retf
Ring0Fun endp
2. Since fs is 0x30 in ring 0, I changed it accordingly:
Ring0Fun proc
pushad
pushfd
cli
push fs
mov bx, 30h
mov fs, bx
invoke DbgPrint, $CTA0("mycallgate function executed\n")
;add your code here, you can do anything if you like.
pop fs
sti
popfd
popad
retf
Ring0Fun endp
Unfortunately, when ring 0 returns to ring 3 via retf, fs becomes 0 and the application terminates abnormally.
3. Looking through the Intel manual, I found the following passage:
Checks the contents of the DS, ES, FS, and GS segment registers. If any of these registers refer to segments whose DPL is less than the new CPL (excluding conforming code segments), the segment register is loaded with a null segment selector.
Ring0Fun proc
pushad
pushfd
cli
mov bx, 30h
mov fs, bx
invoke DbgPrint, $CTA0("mycallgate function executed\n")
;add your code here, you can do anything if you like.
mov bx, 3bh
mov fs, bx
sti
popfd
popad
retf
Ring0Fun endp
While debugging I found that fs was not set to 0x3b; the application still terminated abnormally.
4. There is another very strange thing. According to the Intel manual, when a call causes a privilege change, the segment registers ds, es, fs and gs are not changed; only ring 0's cs and ss are loaded. Yet fs has already become 0x30 by the time Ring0Fun is entered, and after that fs cannot be changed. I don't understand this. Could an expert explain?
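As an added illustration (not code from the original post), the following Python models the two processor rules the post runs into: the protection check for loading a data-segment selector with `mov fs, bx`, and the rule quoted from the Intel manual in item 3 that nulls DS/ES/FS/GS on a far return to a less-privileged level. The descriptor table is constructed: the DPLs for 0x30 and 0x3b are assumed from the post's own observation that fs is 0x30 in ring 0 and 0x3b in ring 3, and the function names are my own. Replayed over the three Ring0Fun variants, the model reproduces the nulling seen in items 1 and 2 (0x30 has DPL 0, which is below the new CPL of 3) and predicts that 0x3b would survive the retf, so the behaviour reported in item 3 is not explained by this rule alone.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed descriptor table: selector index -> (DPL, is_conforming_code).
# Assumption taken from the post: 0x30 is the ring-0 fs segment (DPL 0) and
# 0x3b is the ring-3 fs segment (DPL 3). This is not a dump of a real GDT.
GDT = {
    6: (0, False),  # selector 0x30 -> index 6, TI 0, RPL 0
    7: (3, False),  # selector 0x3b -> index 7, TI 0, RPL 3
}


@dataclass(frozen=True)
class Selector:
    """A 16-bit segment selector: index in bits 15..3, TI in bit 2, RPL in bits 1..0."""
    value: int

    @property
    def index(self) -> int:
        return self.value >> 3

    @property
    def rpl(self) -> int:
        return self.value & 3

    @property
    def is_null(self) -> bool:
        return (self.value & ~3) == 0


def can_load_data_segment(sel: Selector, cpl: int) -> bool:
    """Protection check for 'mov fs, bx' with a data-segment selector.
    The load succeeds only if DPL >= CPL and DPL >= RPL; otherwise it faults (#GP)."""
    if sel.is_null:
        return True  # a null selector may always be loaded into DS/ES/FS/GS
    dpl, _ = GDT[sel.index]
    return dpl >= cpl and dpl >= sel.rpl


def after_far_return(regs: dict, new_cpl: int) -> dict:
    """The DS/ES/FS/GS rule quoted in item 3: on a far return that changes CPL,
    each of these registers whose segment DPL is below the new CPL (and is not
    a conforming code segment) is replaced by a null selector."""
    out = {}
    for name, value in regs.items():
        sel = Selector(value)
        if sel.is_null:
            out[name] = 0
            continue
        dpl, conforming = GDT[sel.index]
        out[name] = 0 if (dpl < new_cpl and not conforming) else value
    return out


def trace_variant(fs_on_entry: int, fs_written_before_retf: Optional[int]) -> dict:
    """Replay one Ring0Fun variant: fs as observed on entry to ring 0, an
    optional 'mov fs, bx' executed in ring 0, then retf back to ring 3."""
    fs = fs_on_entry
    loaded_ok = True
    if fs_written_before_retf is not None:
        loaded_ok = can_load_data_segment(Selector(fs_written_before_retf), cpl=0)
        if loaded_ok:
            fs = fs_written_before_retf
    fs_after = after_far_return({"fs": fs}, new_cpl=3)["fs"]
    return {"load_ok": loaded_ok, "fs_before_retf": fs, "fs_after_retf": fs_after}


if __name__ == "__main__":
    # Variant 1 leaves fs alone; variant 2's push/pop restores the same 0x30,
    # so both reach retf with fs = 0x30 and the rule nulls it.
    print("variants 1 and 2 (fs = 0x30 at retf):", trace_variant(0x30, None))
    # Variant 3 writes 0x3b (DPL 3) before retf; the rule leaves it intact.
    print("variant 3 (mov fs, 3bh before retf):  ", trace_variant(0x30, 0x3B))
    # For comparison: ring 3 may not load the DPL-0 selector at all.
    print("ring 3 may load 0x30?", can_load_data_segment(Selector(0x30), cpl=3))
```

Variant 2's `push fs` / `pop fs` only restores the 0x30 that was already there, so the model treats it the same as variant 1; the difference the post is chasing lies in why fs reads 0x30 on entry and why the write of 0x3b in variant 3 did not take effect, neither of which the quoted rule addresses.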