[原创]TSS
发表于: 2021-11-18 16:28 6194


环境:Win7 32位

#include<windows.h>
#include <cstdio>
#include <cstdlib>
#include<iostream>

// 32-bit task state segment (TSS) as this program lays it out: 0x68 bytes in
// total, which is the limit in the descriptor the user is asked to enter by
// hand (xx00e9xx`xxxx0068).  test1's asm depends on two offsets: Backlink at
// 0x0 (read as the selector of the task we were switched from) and CR3 at
// 0x1c (written with the user-supplied value).  The offsets below are
// recomputed from declaration order and field sizes.
typedef struct _KTSS
{
    USHORT Backlink;                                                        //0x0  read by test1, shifted >>3 to index the GDT
    USHORT Reserved0;                                                       //0x2
    ULONG Esp0;                                                             //0x4  set by main to a1+1000
    USHORT Ss0;                                                             //0x8
    USHORT Reserved1;                                                       //0xa
    ULONG Esp1;                                                             //0xc
    USHORT Ss1;                                                             //0x10
    USHORT Reserved111;                                                     //0x12
    ULONG Esp2;                                                             //0x14
    USHORT Ss2;                                                             //0x18
    USHORT Reserved1111;                                                    //0x1a
    ULONG CR3;                                                              //0x1c written into the previous task's TSS by test1
    ULONG Eip;                                                              //0x20 set by main to test1
    ULONG EFlags;                                                           //0x24 left 0 by the {0} initializer
    ULONG Eax;                                                              //0x28
    ULONG Ecx;                                                              //0x2c
    ULONG Edx;                                                              //0x30
    ULONG Ebx;                                                              //0x34
    ULONG Esp;                                                              //0x38 set by main to a2+1000
    ULONG Ebp;                                                              //0x3c
    ULONG Esi;                                                              //0x40
    ULONG Edi;                                                              //0x44
    USHORT Es;                                                              //0x48
    USHORT Reserved2;                                                       //0x4a
    USHORT Cs;                                                              //0x4c
    USHORT Reserved3;                                                       //0x4e
    USHORT Ss;                                                              //0x50
    USHORT Reserved4;                                                       //0x52
    USHORT Ds;                                                              //0x54
    USHORT Reserved5;                                                       //0x56
    USHORT Fs;                                                              //0x58
    USHORT Reserved6;                                                       //0x5a
    USHORT Gs;                                                              //0x5c
    USHORT Reserved7;                                                       //0x5e
    USHORT LDT;                                                             //0x60
    USHORT Reserved8;                                                       //0x62
    USHORT Flags;                                                           //0x64
    USHORT IoMapBase;                                                       //0x66 (sizeof == 0x68)
}KTSS, * PKTSS;

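// Size of each stack handed to the new task through ktss (Esp0 and Esp).
enum { TASK_STACK_BYTES = 1024 };

// Allocates one zeroed task stack and returns its base as a ULONG, because
// the KTSS fields are plain 32-bit values (this program is 32-bit only).
// Terminates the process if calloc fails: an unchecked NULL base would
// otherwise turn into a stack pointer of ~1000 inside the new task, since
// main() adds 1000 to these values without looking at them.
static ULONG alloc_task_stack(void)
{
    void *base = calloc(TASK_STACK_BYTES, 1);
    if (base == NULL) {
        fputs("calloc failed\n", stderr);
        exit(EXIT_FAILURE);
    }
    return (ULONG)base;
}

KTSS ktss = { 0 };                    // context of the new task; its descriptor is entered by hand at GDT index 0xC (see main)
ULONG a1 = alloc_task_stack();        // backs ktss.Esp0 (set in main)
ULONG a2 = alloc_task_stack();        // backs ktss.Esp (set in main)
DWORD ktssAddr = (DWORD)&ktss;        // read by test1's asm to reach ktss.Backlink
DWORD Cr3 = 0;                        // read from stdin in main, consumed by test1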
/*
 * Entry point of the new task (ktss.Eip).  Runs after the far call in main()
 * switches to the TSS at GDT index 0xC, with the register context taken from
 * ktss (CS=0x8, SS:ESP=0x10:a2+1000).  It writes the user-supplied Cr3 into
 * the CR3 slot (offset 0x1c) of the *previous* task's TSS, located through
 * ktss.Backlink and the GDT, then returns to that task with NT set + iretd.
 * Naked: no prologue/epilogue, nothing is pushed or returned the C way.
 * Not callable from C code.
 */
void _declspec(naked)test1() {

	_asm {
		int 3                                  // presumably to stop in an attached kernel debugger at task entry -- confirm
        // int 3 clears NT in EFLAGS; keep a copy in edi and re-set NT (bit 14) just before iretd
        pushfd
        pop edi

        // Locate the previous task's TSS so its CR3 field can be set
        sgdt fword ptr ss : [esp]               // store GDTR (6 bytes) at [esp] as scratch
        mov edx, dword ptr ss : [esp+2]    // edx = linear base of the GDT (bytes 2..5 of the stored GDTR)
        
        xor ecx, ecx
        mov eax, ktssAddr
        mov cx,  word ptr ds : [eax]            // cx = ktss.Backlink (offset 0), the selector of the task we came from
        shr ecx, 3                              // selector -> GDT index (drops TI and RPL)
     
        

        lea ebx, dword ptr ds : [edx + ecx*8] // ebx = address of the previous task's TSS descriptor (8 bytes each)
        xor ecx, ecx
        xor edx, edx
        mov cl, byte ptr ds : [ebx+7]   // descriptor byte 7 = base[31:24]
        shl ecx,24
        mov edx, dword ptr ds : [ebx+1]   // descriptor bytes 1..4 = limit[15:8] followed by base[23:0]
        shr edx,8                               // drop the limit byte, leaving base[23:0]
        or ecx,edx                          // ecx = linear base of the previous task's TSS

        mov eax, Cr3
        mov dword ptr [ecx+0x1c], eax           // previous TSS .CR3 (offset 0x1c); presumably reloaded by the task return -- confirm

        or edi, 0x4000                          // NT flag (bit 14)
        push edi
        popfd
		iretd                                  // with NT set this is a task return via the previous task's TSS
	}

}

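/*
 * Fills in the register context of the new task in ktss, reads the Cr3 value
 * that test1 will write back into the previous task's TSS, and performs a far
 * call through a TSS descriptor at GDT index 0xC (selector 0x60) so that
 * test1 runs as that task.  The descriptor itself is not written by this
 * program; the user is prompted to put it in place.
 *
 * Returns 0 on success, 1 if no hexadecimal Cr3 could be read from stdin.
 */
int main() {

    // Esp0 Ss0 CR3 Eip Esp Cs Ss fs -- the fields the switch needs.  The selector
    // values are the ones used on this post's Win7 32-bit target; confirm them
    // against the target's GDT before reusing them anywhere else.
    ktss.Eip = (ULONG)test1;
    ktss.Esp0 = a1+1000;    // 1000 bytes into a 1024-byte buffer; the 24 bytes above are scratch for test1's sgdt
    ktss.Ss0 = 0x10;
    ktss.Esp = a2+1000;
    ktss.Ss = 0x10;
    ktss.Cs = 0x8;
    ktss.Ds = 0x23;
    ktss.Es = 0x23;
    ktss.Fs = 0x30;
    // EFlags stays 0 from the {0} initializer, so the new task starts with IF clear.

    // %p expects a void*; pass real pointers rather than a function or a DWORD.
    printf("方法地址:%p\n", (void *)test1);
    printf("KTSS结构体地址:%p\n", (void *)&ktss);

    printf("GDTR索引 0xC 请填充段描述符 xx00e9xx`xxxx0068\n请输入Cr3:");

    // Cr3 is a DWORD (unsigned long), so read it with %lx.  scanf returns EOF (-1)
    // on end of input, which the previous "== 0" test let through with Cr3 == 0.
    if (scanf("%lx", &Cr3) != 1) {
        fputs("no Cr3 read\n", stderr);
        return 1;
    }
    ktss.CR3 = Cr3;

    // 48-bit far pointer for "call far": offset 0 (not used when the target is a
    // TSS) and selector 0x0060 = GDT index 0xC, TI=0, RPL=0.
    BYTE code[] = { 0,0,0,0,0x60,0 };
    // FS is saved around the switch, presumably because ktss.Fs (0x30) differs
    // from the user-mode value -- confirm whether the task return already restores it.
    _asm {
        push fs
        call far fword ptr code
        pop fs
    }
    printf("Root success\n");
    system("pause");        // fixed literal, nothing from input reaches the shell
    return 0;
}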


