Learning experience ---- SEH (4)

zhaozj2021-02-12  134

Interpretation of CIH into RING0 secret

I saw everyone commented on the previous comments, I felt a bit weird. It seems that everyone is not so strong about the pursuit of technology, declares that these things that I wrote may never have help you, this is just hacker. Our research, if your wishes are just general programming, this article is not suitable for you.

I started to edit a game in these days, I haven't come into contact with game programming, I feel very interesting, there is DirectX programming, really cool, I estimate that a few days of enthusiasm, huh, huh.

Also, I know that my wife will come to see my article every day, here asked a good: Dear Tina, hello!

Question.

The code we study today is mainly to enter the implementation of RING0. First we have to have a few questions, I don't know if you have such a problem, anyway, I am studying Cih.

1, what is ring0?

2, why do you want to enter Ring0?

3, how can I enter Ring0?

Answer now.

What is RING0? Windows is divided into 4-layer protection structure, the core RING0, the outermost is RING3, RING0 layer applications can be dealt with hardware, and other layers must call the corresponding API to deal with hardware through HAL.DLL, so if I want to break through the limitations, and I have to enter Ring0.

How can I enter Ring0? When CS = 28, DS = 30 can be considered to enter RING0.

There are still many ways to enter, such as what interrupt doors, traps, call doors, specifically check the corresponding knowledge of the microcomputer principle.

How to enter through SEH? Remember the last chapter of the LPCONTEXT we said? Just relying on it!

Let's talk about the process now:

1, set the SEH linked list

2, trigger breakpoint abnormal INT3

3, clear the exception triggered

4, modify CS = 28, DS = 30 via lpContext

This is the main thing, is it very simple as it. In fact, I still wanted to change through SEH. I finally became a lot of things today. It is actually that I have seen the third article I wrote about about LPContext, huh, huh.

Below is the code I learned Cih, I also joined some comments, let's take a look:

;;;;;;;;;;;;;;;;;;;;;;;;; I estimate this code makes TASM compiled, and MASM is somewhat different

INCLUDE "./inc/win32n.inc"

Extern _exitprocess @ 4

Extern_GettickCount @ 0

Extern_GetStdHandle @ 4

Extern _MessageBeep @ 4

Extern _writeconsolea @ 20

Global _MainCrtStartup

Segment .text us32 class = code

_MAINCRTSTARTUP

Push DWORD STD_OUTPUT_HANDLE;

Call _GetStdHandle @ 4; get the handle of the output control screen

MOV [stdout], eax; save handle; ************************************************* **

* The following section forms a chain table according to SEH

*************************************************

XOR EBX, EBX; first clear 0

Push DWORD EH; Press your ExceptHandle pointer, that is, the EH

Push DWORD [FS: EBX]; pressing the current [fs: 0], think about why not directly fs: 0?

MOV [FS: EBX], ESP; forming a chain form

Pushfd; into the stack to save the content of the current EFLAGS flag register

MOV EAX, ESP; save the current stack pointer to EAX

*************************************************

; * Here will generate breakpoint interrupts to enter an exception handler

*************************************************

Int3

*************************************************

; * Here is the address that returned from the exception handler

*************************************************

MOV EBX, CR3; will display the contents of EBX, that is, the content of CR3 is displayed

*********************************************************** **********************************************

; * The following is a special jump. Because of the use of PUSH / IRETD, be careful not to PUSH / RETN.

, * So, in the stack, the contents of each register are set, because when the interrupt occurs, the system will automatically

* The contents of these registers are incorporated, and the stack is automatically out when IRETD returns. This is the difference between IRETD and RETN.

* In addition, the following modifications are performed in the abnormal handler. So just returned: ECX = CS, CS = 28, EDX = SS, SS = 30,

, * So, at this time we see the content of each register is the same. This is mainly a demonstration, or is a simple application.

I don't understand this paragraph. I don't understand why I can achieve my purpose. I am discussing with Figozhu, there is no answer, this I am not owe everyone's ****************** *********************************************************** ******************

Push DWord EDX; GS

Push dword edx; fs

Push DWord Edx; ES

Push DWORD EDX; DS

Push DWORD EDX; SS

Push Eax; ESP

Push DWORD [EAX]; EFLAGS

Push DWORD ECX; CS

Push DWord .wow; EIP

IRETD

.wow

*************************************************

; * Display EBX content

*************************************************

POPFD

Call PrintAddress

*************************************************

; * This paragraph will clear your abnormality in the SEH chain list.

*************************************************

Pop DWORD [FS: 0]; modify [FS: 0] by filling

Add ESP, 4

Push DWORD MB_ICONASTERISK

Call _MessageBeep @ 4;

Push dword 0

Call _exitprocess @ 4; exit program

RETN

*************************************************

; * Here is its own exception handler start

*************************************************

EH

Push EBP; save EBP, current pointer

MOV EBP, ESP

Push EBX;

PUSH ECX;

*************************************************

; * This section is to determine whether the exception flag is the exceptionFlags.

; * Is unwind_stack.

*************************************************

MOV EAX, [EBP 8]; [EBP 8] = exception_record_ptr, EAX is the pointer for Exception_Record.

Test DWORD [EAX 4], 6; [EAX 4] = Exception_Record_ptr-> ExceptionFlags,

It is said that if the ExceptionFlags is unwind_stack, this is defined in Seh.inc

Jz .cont; yes, jump

*************************************************

; * Display OI

*************************************************

Push DWORD 0; Save the on-site call function display

Push DWord Written

Push dword 2

Push dword oi

Push DWORD [stdout]

Call_WriteConsolea @ 20

MOV Eax, 1

JMP .e

.cont

*********************************************************** *********

; * Determine whether the exceptioncode is exception_breakpoint, that is, INT3

*********************************************************** ******** MOV EBX, [EBP 8]; [EBP 8] = Exception_Record_ptr, pointers for EXCEPTION_RECORD

MOV Eax, 1

CMP DWORD [EBX], 0x80000003; [EBX] = Exception_Record_ptr-> Exceptioncode, int3 exception signature 0x80000003

即 Judge whether the exceptioncode is exception_breakpoint (breakpoint sign)

JNE .E; not, jump, return value EAX is 1

*********************************************************** **********

; * Modify xframe_record_ptr-> cx_ecx = xframe_record_ptr-> cxsegcs

Mainly using context to modify ************************************************************** *************

MOV EAX, [EBP 0x10]; [EBP 10] = XFrame_Record_ptr, pointers for EAX XFrame_Record

Movzx ECX, Word [EAX Context.cx_segcs]

MOV [EAX Context.cx_ecx], ECX; XFrame_Record_PTR-> CX_ECX = XFrame_Record_ptr-> cxsegcs

*********************************************************** **********

; * Modify XFrame_Record_PTR-> CX_SEGCS = 0x28

*********************************************************** **********

MOV DWORD [Eax Context.cx_segcs], 0x28; Modify CS = 28

*********************************************************** **********

; * Modify xframe_record_ptr-> cx_edx = xframe_record_ptr-> cxsegss

*********************************************************** **********

Movzx ECX, Word [Eax Context.cx_Segss]

MOV [EAX Context.cx_edx], ECX

*********************************************************** **********

; * Modify XFrame_Record_PTR-> CX_SEGSS = 0x30

*********************************************************** **********

Mov DWORD [EAX Context.cx_Segss], 0x30

; ss = 30

*********************************************************** **********

; * Modify XFrame_Record_PTR-> CX_EFLAGS = 0x0200; ************************************************************* ******************

OR DWORD [EAX Context.cx_eflags], 0x0200; Set the IF flag in EFLAGS (interrupt allowed sign) is 1, ie CLI

*********************************************************** *********

; * Display EBX content on the control screen

*********************************************************** *********

Mov ebx, 0x12345678

Call PrintAddress

*********************************************************** *********

; * EAX = 0, that is, the notification kernel will continue to execute

*********************************************************** *********

MOV EAX, 0

.e

POP ECX; recovery site; out of the stack

POP EBX; out of the stack recovery

MOV ESP, EBP

POP EBP

Retn; return

*************************************************

Here is the end of your own exception handler, and it's ending.

*************************************************

*************************************************

; * Convert EBX content as character form, display on the screen

; * EBX is an entry parameter, represents an address

*************************************************

PrintAddress

Push Ecx; Just a Lame Routine to Print Out

Push edx; a hex address, no explanations ;-)

XOR ECX, ECX

.n

ROL EBX, 4

MOV DL, BL

And DL, 0x0f

CMP DL, 0x9

Ja .abcdef

Add DL, '0'

JMP .a

.ABCDEF

Add DL, 'A'-0xa

.a

MOV [ECX Address], DL

INC CL

CMP CL, 8

JNE.N

Push dword 0

Push DWord Written

Push dword 9

Push DWord Address

Push DWORD [stdout]

Call_WriteConsolea @ 20

POP EDX

POP ECX

Retn

Segment .data USE32 Class = DATA

STDOUT DD 0

OneDOT DB '.'

Oi DB '!', 0x0a

Written DD 0

Address DB 0, 1, 2, 3, 4, 5, 6, 7, 0x0a

*********************** * ******* ******** is good, should be Said, the code is also posted, is it feeling a bit of feeling? I have this kind of feeling. I used to listen to how it is difficult, in fact, this is not so difficult, so people who have no qualifications are eligible to comment.

It is always ready to learn new technologies. This is my experience. Next, I am ready to write some articles of APIHOOK, I have learned to share with my friends. If I have time I want to write an article every day, better than playing games.

转载请注明原文地址:https://www.9cbs.com/read-6293.html

New Post(0)