#define _x86_
#include
#include
#include
#include
#include
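/* Native-API status code. The sign bit is the severity: any negative value is an
 * error, zero and positive values are success/informational/warning. */
typedef long NTSTATUS;
typedef unsigned short USHORT;

/* True for every non-failing status, not just STATUS_SUCCESS. Written as a
 * function-like macro (no space before the parameter list) with the argument and
 * the whole expansion parenthesised so it is safe in any expression. */
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)

/* OBJECT_ATTRIBUTES.Attributes flag bits (values from ntdef.h). */
#define OBJ_INHERIT             0x00000002L
#define OBJ_PERMANENT           0x00000010L
#define OBJ_EXCLUSIVE           0x00000020L
#define OBJ_CASE_INSENSITIVE    0x00000040L
#define OBJ_OPENIF              0x00000080L
#define OBJ_OPENLINK            0x00000100L
#define OBJ_KERNEL_HANDLE       0x00000200L
/* Union of all the bits above; anything else in Attributes is rejected by the kernel. */
#define OBJ_VALID_ATTRIBUTES    0x000003F2L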
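/* Counted UTF-16 string as used by the native API (ntdef.h layout).
 * Length and MaximumLength are in BYTES, not characters; Buffer need not be
 * NUL-terminated, so never pass it to a C string function directly. */
typedef struct _UNICODE_STRING {
    USHORT Length;          /* bytes currently in use, excluding any terminator */
    USHORT MaximumLength;   /* bytes available in Buffer */
#ifdef MIDL_PASS
    [size_is(MaximumLength / 2), length_is((Length) / 2)] USHORT *Buffer;
#else  /* MIDL_PASS */
    PWSTR Buffer;
#endif /* MIDL_PASS */
} UNICODE_STRING;
typedef UNICODE_STRING *PUNICODE_STRING;
typedef const UNICODE_STRING *PCUNICODE_STRING;

#define UNICODE_NULL ((WCHAR)0)   /* winnt */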
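/* Describes the object a Zw*/Nt* open or create call refers to (ntdef.h layout).
 * Fill it with InitializeObjectAttributes; Length must equal sizeof(OBJECT_ATTRIBUTES)
 * or the kernel rejects the call. */
typedef struct _OBJECT_ATTRIBUTES {
    ULONG Length;                       /* sizeof(OBJECT_ATTRIBUTES) */
    HANDLE RootDirectory;               /* directory ObjectName is relative to, or NULL */
    PUNICODE_STRING ObjectName;         /* object path, e.g. \Device\PhysicalMemory */
    ULONG Attributes;                   /* OBJ_* flags */
    PVOID SecurityDescriptor;           /* points to type SECURITY_DESCRIPTOR, or NULL */
    PVOID SecurityQualityOfService;     /* points to type SECURITY_QUALITY_OF_SERVICE, or NULL */
} OBJECT_ATTRIBUTES;
typedef OBJECT_ATTRIBUTES *POBJECT_ATTRIBUTES;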
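/* Populate an OBJECT_ATTRIBUTES (same shape as the ntdef.h macro):
 *   p - POBJECT_ATTRIBUTES to fill
 *   n - PUNICODE_STRING object name
 *   a - OBJ_* attribute flags
 *   r - root directory handle or NULL
 *   s - security descriptor or NULL
 * SecurityQualityOfService is always cleared. The parameter list must follow the
 * macro name with no space, and every line needs a continuation, or the
 * preprocessor defines an object-like macro instead. Expands to a brace block,
 * so a trailing ';' at the use site is harmless but not required. */
#define InitializeObjectAttributes(p, n, a, r, s) { \
    (p)->Length = sizeof(OBJECT_ATTRIBUTES);         \
    (p)->RootDirectory = r;                          \
    (p)->Attributes = a;                             \
    (p)->ObjectName = n;                             \
    (p)->SecurityDescriptor = s;                     \
    (p)->SecurityQualityOfService = NULL;            \
}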
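/* ntdll export: point DestinationString at the NUL-terminated SourceString and set
 * Length/MaximumLength from its byte length. No copy is made, so SourceString must
 * outlive every use of the UNICODE_STRING. */
extern "C"
NTSYSAPI
VOID
NTAPI
RtlInitUnicodeString(
    PUNICODE_STRING DestinationString,
    PCWSTR SourceString
    );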
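/* ntdll export: open an existing section object by name. DesiredAccess is checked
 * against the object's DACL; the returned handle carries only the rights granted,
 * so later MapViewOfFile(FILE_MAP_WRITE) needs SECTION_MAP_WRITE here. */
extern "C"
NTSYSAPI
NTSTATUS
NTAPI
ZwOpenSection(
    OUT PHANDLE SectionHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes
    );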
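/* ntdll export: close a handle obtained from the native API (equivalent to
 * CloseHandle for handles opened with Zw*). */
extern "C"
NTSYSAPI
NTSTATUS
NTAPI
ZwClose(
    IN HANDLE Handle
    );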
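/* The two NTSTATUS values this program branches on. */
#define STATUS_SUCCESS          ((NTSTATUS)0x00000000L)   /* ntsubauth */
#define STATUS_ACCESS_DENIED    ((NTSTATUS)0xC0000022L)

/* Links ntdll's import library. NOTE(review): this is an absolute path into one
 * machine's DDK install; link ntdll.lib from the project/build configuration instead
 * so the build does not depend on that layout. */
#pragma comment(lib, "C:/NTDDK/LIBFRE/i386/NTDLL.LIB")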
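/* Prologue/epilogue for the ring-0 procedures that are entered through the call gate
 * ExecRing0Proc installs. They must be used as a matched pair as the first and last
 * statement of a __declspec(naked) function:
 *   ENTERRING0 saves all general registers and EFLAGS, then masks interrupts (CLI),
 *   LEAVERING0 restores them in reverse order and returns across the gate with RETF.
 * Nothing between them may leave the stack unbalanced, because POPAD/POPF and the
 * far return all read the stack laid down by the prologue. While interrupts are
 * masked any fault (including a page fault on unlocked memory) brings the machine
 * down, so everything the code touches must be VirtualLocked. */
#define ENTERRING0  _asm pushad _asm pushf _asm cli
#define LEAVERING0  _asm popf _asm popad _asm retf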
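/* Memory image written by SGDT: a 16-bit limit followed by the 32-bit linear base,
 * stored here as two 16-bit halves. The three shorts are contiguous without padding,
 * so sizeof(GDTR_T) == 6 matches what SGDT writes. Reassemble the base as
 * ((ULONG)baseHigh << 16) | baseLow. */
typedef struct gdtr {
    unsigned short limit;       /* size of the GDT in bytes minus one */
    unsigned short baseLow;     /* bits 0..15 of the GDT linear base */
    unsigned short baseHigh;    /* bits 16..31 of the GDT linear base */
} GDTR_T, *PGDTR_T;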
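/* 8-byte 386 call-gate descriptor as it sits in the GDT.
 * Byte layout: [0..1] target offset 15:0, [2..3] target code selector,
 * [4] parameter count (low nibble) + reserved, [5] type (low nibble), S bit,
 * DPL (2 bits), P bit, [6..7] target offset 31:16.
 * NOTE(review): relies on the compiler packing bit-fields LSB-first within each
 * unsigned char, which MSVC and GCC do on x86; sizeof must come out as 8. */
typedef struct {
    unsigned short offset_0_15;     /* entry point, low half */
    unsigned short selector;        /* code segment the gate switches to */
    unsigned char  param_count : 4; /* dwords copied from caller stack (0 here) */
    unsigned char  some_bits   : 4; /* reserved, keep 0 */
    unsigned char  type        : 4; /* 0xC = 32-bit call gate; 0 = unused slot */
    unsigned char  app_system  : 1; /* S bit: 0 = system descriptor (gates are system) */
    unsigned char  DPL         : 2; /* highest privilege level allowed to call through */
    unsigned char  present     : 1; /* P bit */
    unsigned short offset_16_31;    /* entry point, high half */
} CALLGATE_DESCRIPTOR;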
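/* Print the system message text for a Win32 error code (typically GetLastError()).
 * The ANSI variant is called explicitly so the "%s" below is correct regardless of
 * whether UNICODE is defined. FORMAT_MESSAGE_IGNORE_INSERTS is required: with
 * FROM_SYSTEM and no Arguments, a message containing %1-style inserts would make
 * FormatMessage read a missing argument list. If no text is available the numeric
 * code is printed instead, so an error is never reported as an empty line. */
void PrintWin32Error(DWORD errorCode)
{
    LPSTR msgBuf = NULL;
    DWORD len = FormatMessageA(FORMAT_MESSAGE_ALLOCATE_BUFFER |
                               FORMAT_MESSAGE_FROM_SYSTEM |
                               FORMAT_MESSAGE_IGNORE_INSERTS,
                               NULL, errorCode,
                               MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
                               (LPSTR)&msgBuf, 0, NULL);
    if (len == 0 || msgBuf == NULL) {
        printf("error %lu (no message text)\n", (unsigned long)errorCode);
        return;
    }
    printf("%s\n", msgBuf);
    LocalFree(msgBuf);     /* buffer was allocated by FormatMessage on our behalf */
}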
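/* Translate a kernel virtual address inside the 512 MB window [0x80000000, 0xA0000000)
 * to the physical address of the page that holds it. Only this window is handled:
 * the function relies on the 32-bit NT kernel mapping it 1:1 onto the first 512 MB
 * of RAM (NOTE(review): true for non-PAE NT4/2000/XP kernels without /3GB — confirm
 * for the target build). The result is (va - 0x80000000) with the 4 KB page offset
 * cleared, which is the single mask 0x1FFFF000 (the earlier 7-digit mask dropped a
 * nibble and would have wrapped anything above 32 MB).
 *
 * Returns 0 for an address outside the window. A caller must treat 0 as failure;
 * note that 0x80000000..0x80000FFF (physical page 0) also yields 0 and is therefore
 * indistinguishable from the error value.
 * ULONG is unsigned long on Win32, so this signature is identical for existing callers. */
unsigned long MiniMmGetPhysicalAddress(unsigned long virtualAddress)
{
    if (virtualAddress < 0x80000000UL || virtualAddress >= 0xA0000000UL)
        return 0;
    /* Offset into the window, page aligned: (va & 0x1FFFFFFF) & ~0xFFF. */
    return virtualAddress & 0x1FFFF000UL;
}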
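/* Grant the calling user SECTION_MAP_WRITE on an open section by appending an
 * allow-ACE to its DACL. hSection must have been opened with READ_CONTROL | WRITE_DAC;
 * only a caller whose existing rights on the object allow DACL modification
 * (in practice the object's owner or an administrator) gets past SetSecurityInfo.
 * Every failure is printed and leaves the object's DACL untouched.
 *
 * "CURRENT_USER" is the SetEntriesInAcl special trustee name that resolves to the
 * caller's own SID; it is not a literal account name.
 *
 * Ownership: GetSecurityInfo hands back one LocalAlloc'd security descriptor (pSD)
 * into which pDacl points, so only pSD is freed; SetEntriesInAcl returns a separate
 * LocalAlloc'd ACL (pNewDacl) that must be freed on its own. The previous version
 * freed pSD twice and leaked pNewDacl. */
void SetPhyscialMemorySectionCanBeWrited(HANDLE hSection)
{
    PACL pDacl = NULL;
    PACL pNewDacl = NULL;
    PSECURITY_DESCRIPTOR pSD = NULL;
    DWORD dwRes;
    EXPLICIT_ACCESS ea;

    dwRes = GetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION,
                            NULL, NULL, &pDacl, NULL, &pSD);
    if (dwRes != ERROR_SUCCESS) {
        printf("GetSecurityInfo error %u\n", dwRes);
        goto cleanup;
    }

    ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
    ea.grfAccessPermissions = SECTION_MAP_WRITE;   /* the one right we are missing */
    ea.grfAccessMode = GRANT_ACCESS;
    ea.grfInheritance = NO_INHERITANCE;
    ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
    ea.Trustee.TrusteeType = TRUSTEE_IS_USER;
    ea.Trustee.ptstrName = "CURRENT_USER";

    /* Merge the new ACE with the existing DACL rather than replacing it. */
    dwRes = SetEntriesInAcl(1, &ea, pDacl, &pNewDacl);
    if (dwRes != ERROR_SUCCESS) {
        printf("SetEntriesInAcl %u\n", dwRes);
        goto cleanup;
    }

    dwRes = SetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION,
                            NULL, NULL, pNewDacl, NULL);
    if (dwRes != ERROR_SUCCESS) {
        printf("SetSecurityInfo %u\n", dwRes);
        goto cleanup;
    }

cleanup:
    if (pSD)
        LocalFree(pSD);         /* also releases pDacl, which lives inside pSD */
    if (pNewDacl)
        LocalFree(pNewDacl);
}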
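/* Run `entry` at ring 0 by planting a temporary DPL-3 call gate in the live GDT and
 * far-calling through it. `entry` must be a __declspec(naked) procedure that starts
 * with ENTERRING0 and ends with LEAVERING0 (it returns with RETF); `seglen` is its
 * size in bytes, and that range is VirtualLocked so it cannot be paged out while
 * running with interrupts disabled.
 *
 * Steps: SGDT yields the GDT's linear base; MiniMmGetPhysicalAddress converts it to
 * the physical page, which is mapped read/write through \Device\PhysicalMemory. The
 * GDT is scanned from its last descriptor downwards for an unused slot (type == 0,
 * the null descriptor at offset 0 is never taken), which is rewritten as a 386 call
 * gate (type 0xC, present, DPL 3) to `entry` with selector 8. After the call the
 * gate is zeroed again so no other ring-3 code can reuse it.
 *
 * Returns TRUE when `entry` ran; FALSE on any failure, in which case it did not run.
 * Every resource (lock, gate, view, handle) is released on every path — the earlier
 * version never unmapped the view and kept going after a failed WRITE_DAC open.
 *
 * Prerequisites and caveats:
 *  - The caller needs SECTION_MAP_WRITE on \Device\PhysicalMemory, or enough rights
 *    to rewrite its DACL (WRITE_DAC). On STATUS_ACCESS_DENIED the DACL is amended
 *    once via SetPhyscialMemorySectionCanBeWrited and the open retried; that only
 *    works for a principal the object's security descriptor already trusts with
 *    WRITE_DAC, typically an administrator.
 *  - Targets 32-bit NT-family kernels that expose this section to user mode and map
 *    the 0x80000000 window 1:1. Later Windows releases refuse user-mode opens of
 *    \Device\PhysicalMemory, so the first ZwOpenSection simply fails.
 *  - NOTE(review): the view starts at the page containing the GDT base, and the
 *    descriptor offsets (hence the gate selector) are computed from the view start.
 *    That is only correct if the GDT base is page-aligned; otherwise (gdtBase & 0xFFF)
 *    must be added to baseAddress before the scan — confirm on the target kernel.
 *  - NOTE(review): OBJ_KERNEL_HANDLE is requested from user mode; the kernel is
 *    expected to ignore it for a user-mode caller, so it is harmless but does nothing.
 *  - A fault inside `entry` is a kernel crash, not a catchable exception. */
BOOL ExecRing0Proc(ULONG entry, ULONG seglen)
{
    GDTR_T gdt;
    __asm sgdt gdt;

    ULONG mapAddr = MiniMmGetPhysicalAddress(((ULONG)gdt.baseHigh << 16U) | gdt.baseLow);
    if (!mapAddr)
        return FALSE;

    HANDLE hSection = NULL;
    PVOID baseAddress = NULL;
    CALLGATE_DESCRIPTOR *cg = NULL;
    BOOL locked = FALSE;
    BOOL ok = FALSE;
    short farcall[3];
    NTSTATUS status;
    OBJECT_ATTRIBUTES objectAttributes;
    UNICODE_STRING objName;

    RtlInitUnicodeString(&objName, L"\\Device\\PhysicalMemory");
    InitializeObjectAttributes(&objectAttributes, &objName,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
                               NULL, (PSECURITY_DESCRIPTOR)NULL);

    status = ZwOpenSection(&hSection, SECTION_MAP_READ | SECTION_MAP_WRITE, &objectAttributes);
    if (status == STATUS_ACCESS_DENIED) {
        /* Not writable for us yet: reopen for DACL editing, grant ourselves
         * SECTION_MAP_WRITE, then retry the real open. A failed WRITE_DAC open is
         * fatal here — there is no handle to edit. */
        status = ZwOpenSection(&hSection, READ_CONTROL | WRITE_DAC, &objectAttributes);
        if (status != STATUS_SUCCESS) {
            printf("Error open PhysicalMemory section for WRITE_DAC, status: %08x\n", status);
            return FALSE;
        }
        SetPhyscialMemorySectionCanBeWrited(hSection);
        ZwClose(hSection);
        hSection = NULL;
        /* Both rights are needed: MapViewOfFile below asks for read and write. */
        status = ZwOpenSection(&hSection, SECTION_MAP_READ | SECTION_MAP_WRITE, &objectAttributes);
    }
    if (status != STATUS_SUCCESS) {
        printf("Error open PhysicalMemory section object, status: %08x\n", status);
        return FALSE;
    }

    baseAddress = MapViewOfFile(hSection,
                                FILE_MAP_READ | FILE_MAP_WRITE,
                                0,                  /* physical offset, high part */
                                mapAddr,            /* physical offset, low part */
                                (gdt.limit + 1));   /* whole GDT, in bytes */
    if (!baseAddress) {
        printf("Error MapViewOfFile: ");
        PrintWin32Error(GetLastError());
        goto cleanup;
    }

    /* Highest descriptor first; stop before offset 0 (the mandatory null descriptor). */
    for (cg = (CALLGATE_DESCRIPTOR *)((ULONG)baseAddress + (gdt.limit & 0xFFF8));
         (ULONG)cg > (ULONG)baseAddress;
         cg--) {
        if (cg->type == 0)
            break;
    }
    if ((ULONG)cg <= (ULONG)baseAddress) {
        printf("No free GDT descriptor for a call gate\n");
        cg = NULL;
        goto cleanup;
    }

    cg->offset_0_15 = LOWORD(entry);
    cg->selector = 8;           /* ring-0 flat code segment of the 32-bit NT kernel */
    cg->param_count = 0;
    cg->some_bits = 0;
    cg->type = 0xC;             /* 386 32-bit call gate */
    cg->app_system = 0;         /* system descriptor */
    cg->DPL = 3;                /* ring 3 may call through it */
    cg->present = 1;
    cg->offset_16_31 = HIWORD(entry);

    /* Operand for CALL FWORD PTR: 32-bit offset (ignored for a call gate, zeroed so
     * no stack garbage is read) followed by the gate's selector with RPL 3. */
    farcall[0] = 0;
    farcall[1] = 0;
    farcall[2] = (short)(((ULONG)cg - (ULONG)baseAddress) | 3);

    if (!VirtualLock((PVOID)entry, seglen)) {
        printf("Error VirtualLock: ");
        PrintWin32Error(GetLastError());
        goto cleanup;
    }
    locked = TRUE;

    /* Reduce the window in which another thread could find and use the live gate. */
    SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_TIME_CRITICAL);
    Sleep(0);
    _asm call fword ptr [farcall]
    SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_NORMAL);
    ok = TRUE;

cleanup:
    if (locked)
        VirtualUnlock((PVOID)entry, seglen);
    if (cg) {
        /* Clear the gate (both dwords) before the view disappears. */
        *(ULONG *)cg = 0;
        *((ULONG *)cg + 1) = 0;
    }
    if (baseAddress)
        UnmapViewOfFile(baseAddress);
    if (hSection)
        ZwClose(hSection);
    return ok;
}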
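/* Results handed back from the ring-0 procedures. It is written with interrupts
 * masked, so main() VirtualLocks it for the duration of the calls; a page fault on
 * it inside ring 0 would be fatal. Field names are used verbatim in the inline
 * assembly of Ring0Proc1/Ring0Proc2 — keep them in sync. */
struct _ring0data {
    DWORD mCR0, mCR2, mCR3;         /* control registers, from Ring0Proc1 */
    unsigned short baseMemory;      /* CMOS 0x15/0x16, KB, from Ring0Proc2 */
    unsigned short extendMemory;    /* CMOS 0x17/0x18, KB, from Ring0Proc2 */
} r0data;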
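/* Ring-0 payload #1: copy CR0, CR2 and CR3 into r0data. MOV from a control register
 * is privileged and faults (#GP) at ring 3, which is why this needs the call gate.
 * Naked: no prologue/epilogue is generated; ENTERRING0/LEAVERING0 save and restore
 * EAX with the rest of the registers and return with RETF. Must only be reached via
 * ExecRing0Proc and must not be called directly. */
void __declspec(naked) Ring0Proc1()
{
    ENTERRING0;
    _asm {
        mov eax, cr0
        mov r0data.mCR0, eax
        mov eax, cr2
        mov r0data.mCR2, eax
        mov eax, cr3
        mov r0data.mCR3, eax
    }
    LEAVERING0;
}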
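/* Ring-0 payload #2: read the CMOS memory-size words into r0data.
 * CMOS registers are selected by writing the index to port 0x70 and read from 0x71:
 * 0x15/0x16 = base memory (KB, low/high byte), 0x17/0x18 = extended memory (KB,
 * low/high byte). Port I/O is what needs ring 0 here; user mode runs at IOPL 0
 * under NT, so IN/OUT would fault from ring 3.
 * The high bytes are OR'd in: the previous version assigned them, discarding the
 * low byte read just before. Same contract as Ring0Proc1 (naked, gate-only entry).
 * NOTE(review): _inp/_outp are compiler intrinsics that expand to IN/OUT inline;
 * keep this function free of locals so no stack frame is needed. */
void __declspec(naked) Ring0Proc2()
{
    ENTERRING0;
    _outp(0x70, 0x15);
    _asm {
        mov ax, 0
        in al, 71h
        mov r0data.baseMemory, ax
    }
    _outp(0x70, 0x16);
    r0data.baseMemory |= _inp(0x71) << 8;       /* high byte; keep the low byte */
    _outp(0x70, 0x17);
    r0data.extendMemory = _inp(0x71);
    _outp(0x70, 0x18);
    r0data.extendMemory |= _inp(0x71) << 8;
    LEAVERING0;
}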
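/* Entry point: run both ring-0 payloads and print what they collected.
 * r0data is locked for the whole run because the payloads write it with interrupts
 * masked. Each payload is reported only if ExecRing0Proc says it actually ran; the
 * process exit code is non-zero if either failed or the lock could not be taken.
 * 0x100 is the byte length passed for VirtualLock of each naked procedure —
 * NOTE(review): an upper bound assumed from their size, confirm against the
 * compiled code if either payload grows. */
int main(void)
{
    int rc = 0;

    ZeroMemory(&r0data, sizeof(struct _ring0data));
    if (!VirtualLock((PVOID)&r0data, sizeof(struct _ring0data))) {
        printf("Error VirtualLock: ");
        PrintWin32Error(GetLastError());
        return 1;
    }

    BOOL ranProc1 = ExecRing0Proc((ULONG)Ring0Proc1, 0x100);
    BOOL ranProc2 = ExecRing0Proc((ULONG)Ring0Proc2, 0x100);

    VirtualUnlock((PVOID)&r0data, sizeof(struct _ring0data));

    if (ranProc1) {
        printf("CR0 = %x\n", r0data.mCR0);
        printf("CR2 = %x\n", r0data.mCR2);
        printf("CR3 = %x\n", r0data.mCR3);
    } else {
        printf("Ring0Proc1 did not run\n");
        rc = 1;
    }
    if (ranProc2) {
        printf("Base memory = %dK\n", r0data.baseMemory);
        printf("Extended memory = %dK\n", r0data.extendMemory);
    } else {
        printf("Ring0Proc2 did not run\n");
        rc = 1;
    }
    return rc;
}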