Interpretation of CIH into RING0 secret
I saw everyone commented on the previous comments, I felt a bit weird. It seems that everyone is not so strong about the pursuit of technology, declares that these things that I wrote may never have help you, this is just hacker. Our research, if your wishes are just general programming, this article is not suitable for you.
I started to edit a game in these days, I haven't come into contact with game programming, I feel very interesting, there is DirectX programming, really cool, I estimate that a few days of enthusiasm, huh, huh.
Also, I know that my wife will come to see my article every day, here asked a good: Dear Tina, hello!
Question.
The code we study today is mainly to enter the implementation of RING0. First we have to have a few questions, I don't know if you have such a problem, anyway, I am studying Cih.
1, what is ring0?
2, why do you want to enter Ring0?
3, how can I enter Ring0?
Answer now.
What is RING0? Windows is divided into 4-layer protection structure, the core RING0, the outermost is RING3, RING0 layer applications can be dealt with hardware, and other layers must call the corresponding API to deal with hardware through HAL.DLL, so if I want to break through the limitations, and I have to enter Ring0.
How can I enter Ring0? When CS = 28, DS = 30 can be considered to enter RING0.
There are still many ways to enter, such as what interrupt doors, traps, call doors, specifically check the corresponding knowledge of the microcomputer principle.
How to enter through SEH? Remember the last chapter of the LPCONTEXT we said? Just relying on it!
Let's talk about the process now:
1, set the SEH linked list
2, trigger breakpoint abnormal INT3
3, clear the exception triggered
4, modify CS = 28, DS = 30 via lpContext
This is the main thing, is it very simple as it. In fact, I still wanted to change through SEH. I finally became a lot of things today. It is actually that I have seen the third article I wrote about about LPContext, huh, huh.
Below is the code I learned Cih, I also joined some comments, let's take a look:
;;;;;;;;;;;;;;;;;;;;;;;;; I estimate this code makes TASM compiled, and MASM is somewhat different
INCLUDE "./inc/win32n.inc"
Extern _exitprocess @ 4
Extern_GettickCount @ 0
Extern_GetStdHandle @ 4
Extern _MessageBeep @ 4
Extern _writeconsolea @ 20
Global _MainCrtStartup
Segment .text us32 class = code
_MAINCRTSTARTUP
Push DWORD STD_OUTPUT_HANDLE;
Call _GetStdHandle @ 4; get the handle of the output control screen
MOV [stdout], eax; save handle; ************************************************* **
* The following section forms a chain table according to SEH
*************************************************
XOR EBX, EBX; first clear 0
Push DWORD EH; Press your ExceptHandle pointer, that is, the EH
Push DWORD [FS: EBX]; pressing the current [fs: 0], think about why not directly fs: 0?
MOV [FS: EBX], ESP; forming a chain form
Pushfd; into the stack to save the content of the current EFLAGS flag register
MOV EAX, ESP; save the current stack pointer to EAX
*************************************************
; * Here will generate breakpoint interrupts to enter an exception handler
*************************************************
Int3
*************************************************
; * Here is the address that returned from the exception handler
*************************************************
MOV EBX, CR3; will display the contents of EBX, that is, the content of CR3 is displayed
*********************************************************** **********************************************
; * The following is a special jump. Because of the use of PUSH / IRETD, be careful not to PUSH / RETN.
, * So, in the stack, the contents of each register are set, because when the interrupt occurs, the system will automatically
* The contents of these registers are incorporated, and the stack is automatically out when IRETD returns. This is the difference between IRETD and RETN.
* In addition, the following modifications are performed in the abnormal handler. So just returned: ECX = CS, CS = 28, EDX = SS, SS = 30,
, * So, at this time we see the content of each register is the same. This is mainly a demonstration, or is a simple application.
I don't understand this paragraph. I don't understand why I can achieve my purpose. I am discussing with Figozhu, there is no answer, this I am not owe everyone's ****************** *********************************************************** ******************
Push DWord EDX; GS
Push dword edx; fs
Push DWord Edx; ES
Push DWORD EDX; DS
Push DWORD EDX; SS
Push Eax; ESP
Push DWORD [EAX]; EFLAGS
Push DWORD ECX; CS
Push DWord .wow; EIP
IRETD
.wow
*************************************************
; * Display EBX content
*************************************************
POPFD
Call PrintAddress
*************************************************
; * This paragraph will clear your abnormality in the SEH chain list.
*************************************************
Pop DWORD [FS: 0]; modify [FS: 0] by filling
Add ESP, 4
Push DWORD MB_ICONASTERISK
Call _MessageBeep @ 4;
Push dword 0
Call _exitprocess @ 4; exit program
RETN
*************************************************
; * Here is its own exception handler start
*************************************************
EH
Push EBP; save EBP, current pointer
MOV EBP, ESP
Push EBX;
PUSH ECX;
*************************************************
; * This section is to determine whether the exception flag is the exceptionFlags.
; * Is unwind_stack.
*************************************************
MOV EAX, [EBP 8]; [EBP 8] = exception_record_ptr, EAX is the pointer for Exception_Record.
Test DWORD [EAX 4], 6; [EAX 4] = Exception_Record_ptr-> ExceptionFlags,
It is said that if the ExceptionFlags is unwind_stack, this is defined in Seh.inc
Jz .cont; yes, jump
*************************************************
; * Display OI
*************************************************
Push DWORD 0; Save the on-site call function display
Push DWord Written
Push dword 2
Push dword oi
Push DWORD [stdout]
Call_WriteConsolea @ 20
MOV Eax, 1
JMP .e
.cont
*********************************************************** *********
; * Determine whether the exceptioncode is exception_breakpoint, that is, INT3
*********************************************************** ******** MOV EBX, [EBP 8]; [EBP 8] = Exception_Record_ptr, pointers for EXCEPTION_RECORD
MOV Eax, 1
CMP DWORD [EBX], 0x80000003; [EBX] = Exception_Record_ptr-> Exceptioncode, int3 exception signature 0x80000003
即 Judge whether the exceptioncode is exception_breakpoint (breakpoint sign)
JNE .E; not, jump, return value EAX is 1
*********************************************************** **********
; * Modify xframe_record_ptr-> cx_ecx = xframe_record_ptr-> cxsegcs
Mainly using context to modify ************************************************************** *************
MOV EAX, [EBP 0x10]; [EBP 10] = XFrame_Record_ptr, pointers for EAX XFrame_Record
Movzx ECX, Word [EAX Context.cx_segcs]
MOV [EAX Context.cx_ecx], ECX; XFrame_Record_PTR-> CX_ECX = XFrame_Record_ptr-> cxsegcs
*********************************************************** **********
; * Modify XFrame_Record_PTR-> CX_SEGCS = 0x28
*********************************************************** **********
MOV DWORD [Eax Context.cx_segcs], 0x28; Modify CS = 28
*********************************************************** **********
; * Modify xframe_record_ptr-> cx_edx = xframe_record_ptr-> cxsegss
*********************************************************** **********
Movzx ECX, Word [Eax Context.cx_Segss]
MOV [EAX Context.cx_edx], ECX
*********************************************************** **********
; * Modify XFrame_Record_PTR-> CX_SEGSS = 0x30
*********************************************************** **********
Mov DWORD [EAX Context.cx_Segss], 0x30
; ss = 30
*********************************************************** **********
; * Modify XFrame_Record_PTR-> CX_EFLAGS = 0x0200; ************************************************************* ******************
OR DWORD [EAX Context.cx_eflags], 0x0200; Set the IF flag in EFLAGS (interrupt allowed sign) is 1, ie CLI
*********************************************************** *********
; * Display EBX content on the control screen
*********************************************************** *********
Mov ebx, 0x12345678
Call PrintAddress
*********************************************************** *********
; * EAX = 0, that is, the notification kernel will continue to execute
*********************************************************** *********
MOV EAX, 0
.e
POP ECX; recovery site; out of the stack
POP EBX; out of the stack recovery
MOV ESP, EBP
POP EBP
Retn; return
*************************************************
Here is the end of your own exception handler, and it's ending.
*************************************************
*************************************************
; * Convert EBX content as character form, display on the screen
; * EBX is an entry parameter, represents an address
*************************************************
PrintAddress
Push Ecx; Just a Lame Routine to Print Out
Push edx; a hex address, no explanations ;-)
XOR ECX, ECX
.n
ROL EBX, 4
MOV DL, BL
And DL, 0x0f
CMP DL, 0x9
Ja .abcdef
Add DL, '0'
JMP .a
.ABCDEF
Add DL, 'A'-0xa
.a
MOV [ECX Address], DL
INC CL
CMP CL, 8
JNE.N
Push dword 0
Push DWord Written
Push dword 9
Push DWord Address
Push DWORD [stdout]
Call_WriteConsolea @ 20
POP EDX
POP ECX
Retn
Segment .data USE32 Class = DATA
STDOUT DD 0
OneDOT DB '.'
Oi DB '!', 0x0a
Written DD 0
Address DB 0, 1, 2, 3, 4, 5, 6, 7, 0x0a
*********************** * ******* ******** is good, should be Said, the code is also posted, is it feeling a bit of feeling? I have this kind of feeling. I used to listen to how it is difficult, in fact, this is not so difficult, so people who have no qualifications are eligible to comment.
It is always ready to learn new technologies. This is my experience. Next, I am ready to write some articles of APIHOOK, I have learned to share with my friends. If I have time I want to write an article every day, better than playing games.
