A summary of ways to enter ring 0

xiaoxiao, 2021-03-06

Everyone has probably heard a great deal about ways to enter ring 0. While reviewing protected-mode programming I collected several of them in one program and summarize them here: call gates, task gates, interrupt gates, trap gates and fault gates. All of these use the IA-32 architecture directly, so they have little to do with the operating system. Of course, because the NT kernel protects the GDT and IDT, they cannot be used there as they stand; once that protection is broken, every one of them becomes usable. Other methods, such as those based on SEH, were introduced in my previous article.

----------------- Code ---

; =========================================================================
.586p
.model flat, stdcall
option casemap:none                     ; case sensitive
include /masm32/include/windows.inc
include /masm32/include/kernel32.inc
include /masm32/include/user32.inc
includelib /masm32/lib/kernel32.lib
includelib /masm32/lib/user32.lib
;;------------------------------------------
TSS STRUC
  trLink    DW 0          ; back link field
            DW 0          ; not used, set to 0
  trESP0    DD 0          ; level-0 stack pointer
  trSS0     DW 0          ; level-0 stack segment register
            DW 0          ; not used, set to 0
  trESP1    DD 0          ; level-1 stack pointer
  trSS1     DW 0          ; level-1 stack segment register
            DW 0          ; not used, set to 0
  trESP2    DD 0          ; level-2 stack pointer
  trSS2     DW 0          ; level-2 stack segment register
            DW 0          ; not used, set to 0
  trCR3     DD 0          ; CR3
  trEIP     DD 0          ; EIP
  trEFLAG   DD 0          ; EFLAGS
  trEAX     DD 0          ; EAX
  trECX     DD 0          ; ECX
  trEDX     DD 0          ; EDX
  trEBX     DD 0          ; EBX
  trESP     DD 0          ; ESP
  trEBP     DD 0          ; EBP
  trESI     DD 0          ; ESI
  trEDI     DD 0          ; EDI
  trES      DW 0          ; ES
            DW 0          ; not used, set to 0
  trCS      DW 0          ; CS
            DW 0          ; not used, set to 0
  trSS      DW 0          ; SS
            DW 0          ; not used, set to 0
  trDS      DW 0          ; DS
            DW 0          ; not used, set to 0
  trFS      DW 0          ; FS
            DW 0          ; not used, set to 0
  trGS      DW 0          ; GS
            DW 0          ; not used, set to 0
  trLDTR    DW 0          ; LDTR
            DW 0          ; not used, set to 0
  trTrap    DW 0          ; debug trap flag (bit 0 only)
  trIOMap   DW $+2        ; offset of the I/O permission bitmap (here: right after the TSS)
TSS ENDS

.data
szTit       DB "Gate Test",0
ctextCall   DB "Call Gate to Ring0! Continue?",0
ctextInt    DB "Int Gate to Ring0 by INT 5! Continue?",0
ctextIntX   DB "Int Gate to Ring0 by INT X! Continue?",0
ctextTrap   DB "Trap Gate to Ring0 by INT 1! Continue?",0
ctextFault  DB "Fault Gate to Ring0 by DIV! Continue?",0  ; text lost in extraction, reconstructed
ctextTask   DB "Task Gate to Ring0! Continue?",0
temp1       DB "CR3 = %08lX",0          ; wsprintf format string; lost in extraction, reconstructed
temp2       DB 64 dup(0)                ; wsprintf output buffer; lost in extraction, reconstructed
freq        DB 0                        ; speaker divisor byte used by Beeps; initial value reconstructed
; the contents of GDTR, IDTR, LDTR, TR
gdtr        DW 0                        ; GDT limit
            DD 0                        ; GDT base
idtr        DW 0                        ; IDT limit
            DD 0                        ; IDT base
ldtr        DW 0
trr         DW 0
ldtDes      DW 0
            DW 0                        ; LDT limit
            DD 0                        ; LDT base
callgt      DQ 0                        ; call gate's sel:off
trDes       DW 0
            DW 0                        ; TR limit
            DD 0                        ; TR base
tss1Sel     DW ?                        ; TSS selector
Call32      DD 0                        ; offset part of the far pointer used for the task gate...
tss1Gate    DW ?                        ; ...and its selector part: the task gate
tss1        TSS <>
TSS1LIMIT   EQU $-tss1
tss2        TSS <>
TestCR3     DD 4

MyCall MACRO selector, offsetv          ; far call to selector:offset (not used below)
  DB 09Ah
  DD offsetv
  DW selector
ENDM
;;------------------------------------------
.code
__start:
  sgdt fword ptr gdtr
  sidt fword ptr idtr
  sldt word ptr ldtr
  str  word ptr trr                     ; save them for later use
;--------------------------------------
; get the LDT descriptor
;--------------------------------------
  movzx esi, ldtr
  add esi, dword ptr [gdtr+2]           ; esi -> LDT descriptor
  mov ax, word ptr [esi]
  mov word ptr [ldtDes], ax
  mov ax, word ptr [esi+6]
  and ax, 0Fh
  mov word ptr [ldtDes+2], ax           ; get LDT limit
  mov eax, [esi+2]
  and eax, 0FFFFFFh
  mov ebx, [esi+4]
  and ebx, 0FF000000h
  or eax, ebx
  mov dword ptr [ldtDes+4], eax         ; get LDT base
;--------------------------------------
; get the TR descriptor
;--------------------------------------
  movzx esi, trr
  add esi, dword ptr [gdtr+2]
  mov ax, word ptr [esi]
  mov word ptr [trDes], ax
  mov ax, word ptr [esi+6]
  and ax, 0Fh
  mov word ptr [trDes+2], ax            ; get TR limit
  mov eax, [esi+2]
  and eax, 0FFFFFFh
  mov ebx, [esi+4]
  and ebx, 0FF000000h
  or eax, ebx
  mov dword ptr [trDes+4], eax          ; get TR base
;--------------------------------------
; find a free entry in the GDT and build a call gate there
;--------------------------------------
  mov esi, dword ptr [gdtr+2]           ; esi -> GDT base
  movzx eax, word ptr [gdtr]            ; eax = GDT limit
  call Search_xdt                       ; esi == GDT base, eax = offset of a free entry
  mov esi, dword ptr [gdtr+2]
  push offset MyRing0_prc_callgt        ; set call gate in GDT
  pop word ptr [esi+eax+0]
  pop word ptr [esi+eax+6]              ; offset
  mov word ptr [esi+eax+2], 28h
  mov word ptr [esi+eax+4], 0EC00h      ; sel = 28h, DPL = 3, attribute -> 386 call gate!
  and dword ptr callgt, 0
  or al, 3h                             ; RPL = 3
  mov word ptr [callgt+4], ax
  call fword ptr [callgt]               ; use the call gate to reach ring 0!
;--------------------------------------
; the same call gate, built in the LDT instead
;--------------------------------------
  invoke MessageBoxA, 0, addr ctextCall, addr szTit, MB_YESNO
  cmp eax, IDNO
  jz @xit000                            ; continue demo?
  mov esi, dword ptr [ldtDes+4]         ; esi -> LDT base
  mov eax, dword ptr [ldtDes]           ; eax = LDT limit
  call Search_xdt                       ; eax returns the free entry found
  mov esi, dword ptr [ldtDes+4]
  push offset MyRing0_prc_callgt        ; set call gate in LDT
  pop word ptr [esi+eax+0]
  pop word ptr [esi+eax+6]              ; offset
  mov word ptr [esi+eax+2], 28h
  mov word ptr [esi+eax+4], 0EC00h      ; sel = 28h, DPL = 3, attribute -> 386 call gate!
  and dword ptr callgt, 0
  or al, 7h                             ; TI = 1, RPL = 3: the selector must point into the LDT
  mov word ptr [callgt+4], ax
  call fword ptr [callgt]               ; use the call gate to reach ring 0!
;* Entering ring 0 through an interrupt gate works as under DOS: we only replace the
;* interrupt vector so that it points to our program. The vector table has become the
;* IDT (interrupt descriptor table), though: bytes 0-1 of an entry hold the low 16 bits
;* of the handler offset and bytes 6-7 the high 16 bits. To transfer from ring 3 into
;* the handler we must use a descriptor with DPL = 3; INT 03h, 04h, 05h, 10h, 13h, 30h
;* and so on are DPL = 3 in the original IDT, so we can use them easily. Note that the
;* interrupt handler returns with IRETD.
;--------------------------------------
; use INT 5 to enter ring 0
;--------------------------------------
  invoke MessageBoxA, 0, addr ctextInt, addr szTit, MB_YESNO
  cmp eax, IDNO
  jz @xit000                            ; continue demo?
  mov esi, dword ptr [idtr+2]           ; esi -> IDT base
  push dword ptr [esi+8*5+0]
  push dword ptr [esi+8*5+4]            ; save the INT 5 interrupt descriptor
  push offset MyRing0_prc_intgt         ; replace the original INT 5 entry address
  pop word ptr [esi+8*5]
  pop word ptr [esi+8*5+6]
  int 5                                 ; enter ring 0!
  ; int 3                               ; to use INT 3 instead, change the 8*5 above and below to 8*3
  ; db 0CCh                             ; and emit it as DB 0CCh for a better anti-tracing effect;
  ;                                     ; INT 1 also works, but conflicts on some processors
  pop dword ptr [esi+8*5+4]             ; restore the INT 5 interrupt descriptor
  pop dword ptr [esi+8*5+0]
;* Of course, all of the above use vectors that are already DPL = 3, such as 1, 3 and 5.
;* What if we want to use an arbitrary INT? Then we have to change the interrupt
;* descriptor's attribute ourselves: make DPL = 3 and sel = 28h. Below we take the last
;* entry of the IDT (INT 255 in the description; the code executes INT 5Fh).
;*______________________________________
  invoke MessageBoxA, 0, addr ctextIntX, addr szTit, MB_YESNO
  cmp eax, IDNO
  jz @xit000                            ; continue demo?
  movzx ebx, word ptr [idtr]            ; ebx = IDT limit
  sub ebx, 7                            ; ebx = offset of the last IDT entry
  push dword ptr [esi+ebx+0]            ; save IDT entry
  push dword ptr [esi+ebx+4]
  push offset MyRing0_prc_intgt
  pop word ptr [esi+ebx+0]
  mov word ptr [esi+ebx+2], 28h         ; ring 0 sel
  mov word ptr [esi+ebx+4], 0EE00h      ; P = 1, 386 interrupt gate, DPL = 3
  pop word ptr [esi+ebx+6]
  ; mov eax, ebx                        ; alternative: build the instruction bytes
  ; shl eax, 5                          ;   INT xx / RET / NOP on the stack
  ; add eax, 90C300CDh                  ;   (ebx = vector * 8, so ebx << 5 = vector << 8)
  ; push eax
  ; call esp                            ;   and transfer to them directly!
  int 5Fh                               ; INT call, cool!
  ; pop eax
  pop dword ptr [esi+ebx+4]             ; restore
  pop dword ptr [esi+ebx+0]
;*
;* There are other ways into ring 0, such as trap gates. They are basically the same as
;* the interrupt gate, except that the hardware generates the interrupt: we trigger it
;* with TF = 1. Note that TF must be cleared inside the handler, otherwise it single-steps
;* forever in an endless loop. Likewise, after a fault gate fires, watch the stack: if you
;* do not change the faulting instruction you have to modify the saved EIP to a safe
;* address. The advantage of the fault gate is that there is no need to set sel = 28h or
;* worry about DPL = 0: the operating system has prepared the gate for us, and we only
;* have to change the handler address. A simple example follows.
;*______________________________________
  invoke MessageBoxA, 0, addr ctextTrap, addr szTit, MB_YESNO
  cmp eax, IDNO
  jz @xit001                            ; continue demo?
;--------------------------------------
; INT 1 single-step trap or INT 4 overflow trap; INT 1 is shown here, INT 4 is similar.
; The difference from above: the INT 1 is generated by the CPU, not by an explicit
; INT 1 instruction.
;--------------------------------------
  push dword ptr [esi+(8*1)+0]          ; preserve the former INT 1
  push dword ptr [esi+(8*1)+4]
  push offset MyRing0_prc_trapgt
  pop word ptr [esi+(8*1)+0]
  pop word ptr [esi+(8*1)+6]
  pushfd
  pop eax
  or ah, 1
  push eax
  popfd                                 ; set TF = 1
  nop                                   ; ring 0!
  pop dword ptr [esi+(8*1)+4]           ; restore IDT entry
  pop dword ptr [esi+(8*1)+0]
;--------------------------------------
; demonstrate the fault gate here: divide error
;--------------------------------------
@xit001:
  invoke MessageBoxA, 0, addr ctextFault, addr szTit, MB_YESNO
  cmp eax, IDNO
  jz @xit000                            ; continue demo?
  push dword ptr [esi+(8*0)+0]          ; preserve the former INT 0
  push dword ptr [esi+(8*0)+4]
  push offset Ring0Code_div
  pop word ptr [esi+(8*0)+0]
  pop word ptr [esi+(8*0)+6]
  xor eax, eax
  div eax                               ; divide error: enter ring 0 through the fault gate!
  pop dword ptr [esi+(8*0)+4]           ; restore INT 0
  pop dword ptr [esi+(8*0)+0]
;--------------------------------------
; task gate
;--------------------------------------
  invoke MessageBoxA, 0, addr ctextTask, addr szTit, MB_YESNO
  cmp eax, IDNO
  jz @xit000                            ; continue demo?
;--------------------------------------
; find a free entry in the GDT and build the TSS descriptor there
;--------------------------------------
  mov esi, dword ptr [gdtr+2]
  movzx eax, word ptr [gdtr]
  call Search_xdt
  and ax, 0FFF8h
  mov tss1Sel, ax                       ; save the tss1 selector; esi == GDT base
  mov esi, dword ptr [gdtr+2]
  mov ebx, offset tss1
  mov word ptr [esi+eax+0], TSS1LIMIT
  mov dword ptr [esi+eax+2], ebx        ; base, low 24 bits (byte 5 is rewritten next)
  mov word ptr [esi+eax+5], 89h         ; P = 1, DPL = 0, available 386 TSS; limit high = 0
  shr ebx, 24
  mov byte ptr [esi+eax+7], bl          ; base, high byte: set my TSS
;--------------------------------------
; build the task gate in the LDT
;--------------------------------------
  mov esi, dword ptr [ldtDes+4]
  mov eax, dword ptr [ldtDes]
  call Search_xdt                       ; eax returns the free entry found
  push eax
  or ax, 7h                             ; TI = 1, RPL = 3
  mov tss1Gate, ax
  pop eax
  mov esi, dword ptr [ldtDes+4]
  mov word ptr [esi+eax+0], 0
  mov word ptr [esi+eax+6], 0           ; offset (ignored by a task gate)
  push word ptr tss1Sel
  pop word ptr [esi+eax+2]              ; TSS selector
  mov word ptr [esi+eax+4], 0E500h      ; P = 1, DPL = 3, task gate
  mov esi, dword ptr [trDes+4]          ; esi -> current TSS
  assume esi:ptr TSS
  push word ptr ldtr
  pop word ptr [esi].trLDTR             ; set LDT selector (the Windows 98 TSS has 0 here???)
  lea edi, tss1
  assume edi:ptr TSS
  push word ptr trr
  pop word ptr [edi].trLink             ; back link: return to the current TSS
  push dword ptr [esi].trESP0           ; set SP0
  pop dword ptr [edi].trESP0
  push word ptr [esi].trSS0             ; set SS0
  pop word ptr [edi].trSS0
  push dword ptr [esi].trCR3            ; set CR3: it drives all segment and page translation
  pop dword ptr [edi].trCR3
  push offset Ring0
  pop dword ptr [edi].trEIP
  mov word ptr [edi].trCS, 28h          ; CS = 28h
  mov word ptr [edi].trSS, 30h          ; SS = 30h
  push word ptr ldtr                    ; set LDTR
  pop word ptr [edi].trLDTR
  push ds
  pop dword ptr [edi].trDS
  mov word ptr [edi+54h+2], 0           ; clear the padding word above DS (push ds wrote a dword)
  call fword ptr Call32                 ; far call through tss1Gate: task switch into ring 0!
  mov ebx, dword ptr [TestCR3]
@xit000:
  invoke wsprintf, addr temp2, addr temp1, TestCR3
  invoke MessageBoxA, 0, addr temp2, addr szTit, 0
  ; clean up: clear the entries we used in the LDT and GDT
  mov eax, dword ptr [ldtDes+4]
  movzx esi, tss1Gate
  and esi, 0FFFFFFF8h
  add eax, esi
  mov dword ptr [eax], 0
  mov dword ptr [eax+4], 0
  mov eax, dword ptr [gdtr+2]
  movzx esi, tss1Sel
  add eax, esi
  mov dword ptr [eax], 0
  mov dword ptr [eax+4], 0
  invoke ExitProcess, 0
;--------------------------------------
Ring0Code_div PROC FAR
  pushad                                ; stack: ... EIP, CS, EFLAGS
  mov ecx, 10
Ambalance002:
  push ecx
  call Beeps
  pop ecx
  loop Ambalance002
  popad
  add dword ptr [esp], 2                ; modify the saved EIP: skip the faulting DIV EAX (2 bytes) and continue
  iretd
Ring0Code_div ENDP

MyRing0_prc_trapgt PROC FAR
  pushad                                ; mind the stack layout: ESP -> EIP, CS, EFLAGS
  mov ecx, 10
Ambalance003:
  push ecx
  call Beeps
  pop ecx
  loop Ambalance003
  popad
  and byte ptr [esp+9], 0FEh            ; must clear TF in the saved EFLAGS to stop single-stepping
  iretd                                 ; note IRETD, not IRET(W)
MyRing0_prc_trapgt ENDP

MyRing0_prc_intgt PROC FAR
  pushad
  mov ecx, 10
Ambalance001:
  push ecx
  call Beeps
  pop ecx
  loop Ambalance001
  popad
  iretd
MyRing0_prc_intgt ENDP

MyRing0_prc_callgt PROC FAR
  pushad
  pushfd
  pop eax
  or eax, 3000h                         ; IOPL = 3
  push eax
  popfd
  mov ecx, 10
Ambalance:
  push ecx
  call Beeps
  pop ecx
  loop Ambalance
  popad
  retf
MyRing0_prc_callgt ENDP
;--------------------------------------
Search_xdt PROC NEAR
; entry: esi == base of the LDT or GDT, eax == its limit
; exit:  eax == offset of a free entry
  pushad
  mov ebx, eax                          ; ebx = limit
  mov eax, 8                            ; skip the null selector
@@1:
  cmp dword ptr [esi+eax+0], 0
  jnz @@2
  cmp dword ptr [esi+eax+4], 0
  jz @@3
@@2:
  add eax, 8
  cmp eax, ebx
  jb @@1
  mov eax, ebx                          ; no free entry found: use the last one
  sub eax, 7
@@3:
  mov [esp+4*7], eax                    ; return the offset in EAX (the EAX slot saved by pushad)
  popad                                 ; eax = offset of the free entry
  ret
Search_xdt ENDP
;--------------------------------------
Beeps PROC NEAR
; the classic PC speaker beep from the DOS learning days; don't use it anywhere that matters...
  pushad
  mov al, 0B6h
  out 43h, al                           ; timer 2, mode 3 (square wave)
  mov al, freq                          ; divisor, low and high byte (interface requirement, don't ask)
  out 42h, al
  out 42h, al
  xor byte ptr freq, 0Ch                ; change the frequency so successive beeps differ
  in al, 61h
  or al, 3
  out 61h, al                           ; speaker on
  mov ecx, 1000000h                     ; delay
  loop $
  and al, 0FCh
  out 61h, al                           ; speaker off
  popad
  ret
Beeps ENDP

Ring0:
  mov ebx, cr3
  mov TestCR3, ebx
  iretd                                 ; NT = 1: task return to the back link
END __start
; ___________________________________________
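To make the descriptor attributes used above (0EC00h call gate, 0EE00h interrupt gate, 0E500h task gate, target selector 28h) concrete from the defender's side, here is an added Python example that is not part of the original program: it decodes 8-byte gate descriptors and scans a GDT/LDT/IDT image for exactly the pattern the demo plants, a present DPL = 3 gate that leads to a ring-0 code selector while its handler lies in user address space, which is what a GDT/IDT integrity check would look for. The table images are constructed, and the ring-0 code selector 28h and the 80000000h user/kernel split are assumptions.

```python
"""Added example (not from the original program): decode IA-32 gate descriptors and
scan a GDT/LDT/IDT image for user-reachable gates into ring 0, as the demo plants them."""
import struct
from dataclasses import dataclass

# 32-bit system-descriptor types (bits 0-3 of the access byte when the S bit is clear)
GATE_TYPES = {0x5: "task gate", 0xC: "call gate", 0xE: "interrupt gate", 0xF: "trap gate"}

@dataclass
class Gate:
    index: int       # entry number: selector >> 3 for GDT/LDT, vector for IDT
    kind: str
    present: bool
    dpl: int
    selector: int    # target code selector, or the TSS selector of a task gate
    offset: int      # handler offset (a task gate ignores it)

def pack_gate(offset: int, selector: int, attr: int) -> bytes:
    """Lay out a gate exactly as the demo writes it: offset low, selector, attribute, offset high."""
    return struct.pack("<4H", offset & 0xFFFF, selector, attr, offset >> 16)

def decode_gate(index: int, raw: bytes):
    """Return a Gate for an 8-byte system descriptor; None for a free entry or a code/data segment."""
    off_lo, sel, attr, off_hi = struct.unpack("<4H", raw)
    access = attr >> 8                         # byte 5: P, DPL, S, type
    if raw == bytes(8) or access & 0x10:       # all zero = free entry; S = 1 = not a system descriptor
        return None
    kind = GATE_TYPES.get(access & 0x0F, "other system descriptor")
    return Gate(index, kind, bool(access & 0x80), (access >> 5) & 3, sel, off_lo | off_hi << 16)

def scan_table(table: bytes, ring0_code_sels=(0x28,), kernel_base=0x80000000):
    """List gates a ring-3 caller can pass through (P = 1, DPL = 3) that end in ring 0 with a
    handler below kernel_base, plus any DPL = 3 task gate. Selector 28h as the ring-0 code
    segment and the 80000000h user/kernel split are assumptions for 32-bit Windows."""
    hits = []
    for i in range(len(table) // 8):
        g = decode_gate(i, table[i * 8:i * 8 + 8])
        if g is None or not g.present or g.dpl != 3:
            continue
        if g.kind == "task gate" or ((g.selector & ~7) in ring0_code_sels and g.offset < kernel_base):
            hits.append(g)
    return hits

def sample_tables():
    """Constructed images, not dumps from a real system."""
    code_seg = struct.pack("<HHBBBB", 0xFFFF, 0, 0, 0x9A, 0xCF, 0)      # flat ring-0 code at 28h
    gdt = bytes(8 * 5) + code_seg + pack_gate(0x00401000, 0x28, 0xEC00)  # + the demo's call gate
    idt_clean = bytes(8 * 5) + pack_gate(0xC0001230, 0x28, 0xEE00)       # INT 5 as the OS left it
    idt_hooked = bytes(8 * 5) + pack_gate(0x00401100, 0x28, 0xEE00)      # INT 5 pointed at user code
    return gdt, idt_clean, idt_hooked
```

The clean IDT entry passes because its handler lives above kernel_base; the same gate repointed into the process image, or a DPL = 3 call gate appearing in a table that should hold none, is what the scan reports.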

Please cite the original URL when reposting: https://www.9cbs.com/read-65257.html
