[原创]TTS
发表于: 2021-11-18 16:28 6194
环境:Win7 32位
#include<windows.h>
#include<iostream>

/*
 * Proof-of-concept from a forum post (environment given as Win7 32-bit).
 * The program builds a 32-bit TSS in user memory, prints its address, and
 * then performs a far call through selector 0x60. The printed prompt makes
 * clear that the matching GDT descriptor (index 0xC, type 0xe9, limit 0x68)
 * is expected to be installed out of band before the call; nothing in this
 * file creates it. MSVC-specific: _declspec(naked) and _asm blocks, so this
 * does not build with a standard C/C++ compiler.
 */

/* 32-bit hardware task state segment layout. Offsets below follow from the
 * field sizes (USHORT = 2, ULONG = 4); the original comments had several
 * wrong offsets in the Esp1/Esp2 region. Total size is 0x68 bytes, which
 * matches the limit "0068" in the descriptor pattern printed by main(). */
typedef struct _KTSS {
    USHORT Backlink;      // 0x00  previous task link (selector), read by test1()
    USHORT Reserved0;     // 0x02
    ULONG Esp0;           // 0x04  ring-0 stack pointer
    USHORT Ss0;           // 0x08  ring-0 stack selector
    USHORT Reserved1;     // 0x0a
    ULONG Esp1;           // 0x0c
    USHORT Ss1;           // 0x10
    USHORT Reserved111;   // 0x12
    ULONG Esp2;           // 0x14
    USHORT Ss2;           // 0x18
    USHORT Reserved1111;  // 0x1a
    ULONG CR3;            // 0x1c  page directory base; test1() writes this offset in the previous TSS
    ULONG Eip;            // 0x20
    ULONG EFlags;         // 0x24
    ULONG Eax;            // 0x28
    ULONG Ecx;            // 0x2c
    ULONG Edx;            // 0x30
    ULONG Ebx;            // 0x34
    ULONG Esp;            // 0x38
    ULONG Ebp;            // 0x3c
    ULONG Esi;            // 0x40
    ULONG Edi;            // 0x44
    USHORT Es;            // 0x48
    USHORT Reserved2;     // 0x4a
    USHORT Cs;            // 0x4c
    USHORT Reserved3;     // 0x4e
    USHORT Ss;            // 0x50
    USHORT Reserved4;     // 0x52
    USHORT Ds;            // 0x54
    USHORT Reserved5;     // 0x56
    USHORT Fs;            // 0x58
    USHORT Reserved6;     // 0x5a
    USHORT Gs;            // 0x5c
    USHORT Reserved7;     // 0x5e
    USHORT LDT;           // 0x60
    USHORT Reserved8;     // 0x62
    USHORT Flags;         // 0x64  T (debug trap) bit lives here
    USHORT IoMapBase;     // 0x66  end of struct: 0x68
}KTSS, * PKTSS;

// The TSS that the far call in main() switches into. Zero-initialised; only
// the fields listed in main() are filled before the call.
KTSS ktss = { 0 };
// Two 1 KiB heap regions used as the ring-0 and ring-3 stacks of the new task.
// NOTE(review): calloc results are not checked; a NULL return would make
// Esp0/Esp point at offset 1000 in the null page.
ULONG a1 = (ULONG)calloc(1024, 1);
ULONG a2 = (ULONG)calloc(1024, 1);
// Address of ktss, read by test1() from inline asm to locate the Backlink field.
DWORD ktssAddr = (DWORD)&ktss;
// Page directory base supplied by the user via scanf() in main().
DWORD Cr3 = 0;

/*
 * Body of the new task. Naked: no prologue/epilogue, everything is inline asm.
 * It locates the previous task's TSS through ktss.Backlink and the GDT, stores
 * the user-supplied Cr3 into that TSS's CR3 field (offset 0x1c), then sets the
 * EFLAGS NT bit and executes iretd so that the iret performs a task switch
 * back to the previous task.
 * NOTE(review): the sgdt store and the 6-byte read of the GDTR operate on the
 * current stack top without reserving space; they overwrite whatever is below
 * esp, which is tolerable only because this frame is never returned from.
 */
void _declspec(naked)test1() {
    _asm {
        int 3
        // Set EFLAGS.NT back to 1: the int 3 clears the NT bit (author's note),
        // and iretd only performs a task switch when NT is set.
        pushfd
        pop edi
        // Set the CR3 field of the previous TSS.
        sgdt fword ptr ss : [esp]
        mov edx, dword ptr ss : [esp+2]          // edx = GDT base address
        xor ecx, ecx
        mov eax, ktssAddr
        mov cx, word ptr ds : [eax]              // cx = ktss.Backlink (selector of previous task)
        shr ecx, 3                               // selector -> GDT index
        lea ebx, dword ptr ds : [edx + ecx*8]    // ebx = address of the previous task's segment descriptor
        xor ecx, ecx
        xor edx, edx
        mov cl, byte ptr ds : [ebx+7]            // high byte of the base (descriptor byte 7) in ecx
        shl ecx,24
        mov edx, dword ptr ds : [ebx+1]          // low bytes of the base (descriptor bytes 2..4) in edx
        shr edx,8
        or ecx,edx                               // ecx = base address of the previous TSS
        mov eax, Cr3
        mov dword ptr [ecx+0x1c], eax            // previous TSS.CR3 = user-supplied value (offset 0x1c, see struct)
        or edi, 0x4000                           // EFLAGS.NT
        push edi
        popfd
        iretd                                    // NT set: iret switches back to the Backlink task
    }
}

/*
 * Fills the TSS, prints the addresses the user needs to build the descriptor
 * out of band, reads the Cr3 value, then performs the far call that triggers
 * the task switch. Returns 0 early if no Cr3 value could be read.
 */
int main() {
    // Fields filled: Esp0 Ss0 CR3 Eip Esp Cs Ss Fs (plus Ds/Es).
    ktss.Eip = (ULONG)test1;
    ktss.Esp0 = a1+1000;   // ring-0 stack top inside the first 1 KiB region (24 bytes of headroom above)
    ktss.Ss0 = 0x10;       // selector values as used by the author; presumably the
    ktss.Esp = a2+1000;    // standard 32-bit Windows GDT selectors — TODO confirm
    ktss.Ss = 0x10;
    ktss.Cs = 0x8;
    ktss.Ds = 0x23;
    ktss.Es = 0x23;
    ktss.Fs = 0x30;
    // NOTE(review): %p with a DWORD argument (ktssAddr) is a format/argument
    // type mismatch; a cast to void* or %08x would be the matching form.
    printf("方法地址:%p\n", test1);
    printf("KTSS结构体地址:%p\n",ktssAddr);
    // Prompt (Chinese): "GDTR index 0xC, please fill in the segment descriptor
    // xx00e9xx`xxxx0068 / please enter Cr3:". The descriptor is expected to be
    // created by other means before continuing.
    printf("GDTR索引 0xC 请填充段描述符 xx00e9xx`xxxx0068\n请输入Cr3:");
    // NOTE(review): scanf returns EOF (-1) on end of input, which this == 0
    // check does not catch; only a non-matching token returns 0.
    if (scanf("%x", &Cr3) == 0) {
        return 0;
    }
    ktss.CR3 = Cr3;
    // Far pointer operand for the call: offset 0, selector 0x0060 (GDT index 0xC).
    BYTE code[] = { 0,0,0,0,0x60,0 };
    _asm {
        push fs
        call far fword ptr code   // far call to a TSS selector -> hardware task switch into ktss
        pop fs
    }
    printf("Root success\n");
    system("pause");
}