环境:
win7 x86 sp1 专业版
vs 2008
101012分页
windbg修改:
中断门: eq 80b99400 + (0x20 * 8) 0040EE00`00081000
注意:
//0xFFFFE000 只能改到这里 后面据说硬件地址 反正我的代码非死及蓝
PS:
代码很多地方可以有优化, 但是比较懒就没弄, 嘿嘿!
pde = 0xc0300000 + pdi * 4
pte = 0xc0000000 + pdi * 4096 + pti * 4
#include#includeint startAddress = 0;
int endAddress = 0;
void __declspec(naked)Func()
{
__asm{
//int 3;
pushad;
pushfd;
push fs;
mov ax,0x30;
mov fs,ax;
jmp funcStart;
//p位 = 0 找下一页
whileStart:
mov eax,startAddress;
mov edx,endAddress;
cmp eax,edx;
jz funcEnd; // 开始 结束相等结束程序 修改完毕
mov ecx,0x1000;
add ecx,startAddress;
mov startAddress,ecx;
//程序开始
funcStart:
mov ebx,startAddress;
shr ebx,14h;
and ebx,0ffch;
sub ebx,3FD00000h;
mov eax,[ebx];//取pde 得值
test al,1;
jnz PisTrue;
jmp whileStart;
//p位 ok
PisTrue:
test al,al;
jns PSIsTrue;
jmp whileStart;//跳到开始位置
//ps位 = 1
PSIsTrue:
or [ebx],7h;
mov ebx,startAddress;
shr ebx,0Ah;
and ebx,3FFFFCh;
sub ebx,40000000h;
mov eax,[ebx]; //取出pte
test al,1;
jz whileStart;
//修改pte属性
or [ebx],7h;
jmp whileStart;
funcEnd:
pop fs;
popfd;
popad;
mov eax,cr3;
mov cr3,eax;
iretd;
}
};
int main(void)
{
printf("%x\n",Func);
startAddress = 0x80000000;
endAddress = 0xFFFFE000;
int* address = (int*)0xC0300000;
system("pause");
__asm{
push fs;
int 0x20;
pop fs;
}
printf("%x\n",*address);
system("pause");
return 0;
}29912 代码
pde = pdpte * 512 * 8 + pdi * 8 + C0600000
pte = pdpte * (512 * 8) + pdi * (512*8) + C0000000
#include#includeint startAddress = 0;
int endAddress = 0;
void __declspec(naked)Func()
{
__asm{
//int 3;
pushad;
pushfd;
push fs;
mov ax,0x30;
mov fs,ax;
jmp funcStart;
//p位 = 0 找下一页
whileStart:
mov eax,startAddress;
mov edx,endAddress;
cmp eax,edx;
jz funcEnd; // 开始 结束相等结束程序 修改完毕
mov ecx,0x1000;
add ecx,startAddress;
mov startAddress,ecx;
//程序开始
funcStart:
mov ebx,startAddress;
shr ebx,12h;
and ebx,3FF8h; 2 * 512 * pde * 4
sub ebx,3FA00000h;
mov eax,[ebx];//取pde 低8位
mov edx,[ebx + 4]; //pde 高8位
test al,1;
jnz PisTrue;
jmp whileStart;
//p位 ok
PisTrue:
test al,al;
jns PSIsTrue;
or [ebx],7h; //大页我也修改
jmp whileStart;//跳到开始位置
//ps位 = 0
PSIsTrue:
or [ebx],7h;
mov ebx,startAddress;
shr ebx,9;
and ebx,7FFFF8h;
mov edx,[ebx - 3FFFFFFCh]; //pte 高四位
sub ebx,40000000h;
mov eax,[ebx]; //取出pte 低四位
test al,1;
jz whileStart;
//修改pte属性
or [ebx],7h;
jmp whileStart;
funcEnd:
pop fs;
popfd;
popad;
mov eax,cr3;
mov cr3,eax;
iretd;
}
};
int main(void)
{
printf("%x\n",Func);
startAddress = 0x80000000;
endAddress = 0xFFFFE000;
int* address = (int*)0xC0600000;
system("pause");
__asm{
push fs;
int 0x20;
pop fs;
}
printf("%x\n",*address);
system("pause");
return 0;
}
[课程]Linux pwn 探索篇!
最后于 2020-11-4 23:31
被清风qfccc编辑
,原因: 更新29912分页
