学习自大佬 https://bbs.pediy.com/thread-62263.htm
10年前的帖子,现在拿来学习还看了一下午。。。。菜鸡努力学习中
原理帖子中讲得很清楚了,只是自己实现了一遍代码。
/*
 * Call-gate installation (x86, Windows kernel driver code).
 *
 * A call gate is a GDT descriptor that lets code running at a less-privileged
 * ring transfer to a fixed ring-0 entry point. AddGate() below writes one with
 * DPL 3, i.e. reachable from user mode; that is the privilege-transition
 * mechanism the referenced thread explains, and it is also why an unexpected
 * DPL-3 call gate in the GDT is a high-value GDT-integrity / detection signal
 * for defenders.
 */

/* Without byte packing, ULONG alignment would pad TableLimit to 4 bytes and
 * the 6-byte value stored by SGDT would no longer line up with the fields.
 * NOTE(review): no matching "#pragma pack()" is visible here, so byte packing
 * stays in effect for everything that follows in this translation unit. */
#pragma pack(1)

/* 48-bit GDTR image as stored by SGDT: 16-bit limit (in bytes) + 32-bit base. */
typedef struct {
    USHORT TableLimit;
    ULONG TableBase;
}GDT,*PGDT;

/* 32-bit call-gate descriptor, written out from the layout figure in the
 * referenced thread (8 bytes under pack(1)). */
typedef struct {
    unsigned short offset_0_15;      /* target EIP bits 0..15 */
    unsigned short selector;         /* target code-segment selector */
    unsigned char param_count : 5;   /* dwords copied from the caller's stack */
    unsigned char some_bits : 3;     /* reserved/unused bits */
    unsigned char type : 4;          /* descriptor type; 0xC = 32-bit call gate */
    unsigned char app_system : 1;    /* S bit; 0 = system descriptor */
    unsigned char dpl : 2;           /* least-privileged ring allowed to use the gate */
    unsigned char present : 1;       /* P bit; 0 means the slot is free */
    unsigned short offset_16_31;     /* target EIP bits 16..31 */
} CALLGATE_DESCRIPTOR;

/*
 * Install a call gate whose target is Fun, using the first free GDT slot.
 *
 * Fun: linear address of the ring-0 entry point (MyFun below).
 * Returns nothing. The selector of the new gate is computed into the local
 * CallGateSel only; nothing visible here returns or stores it for a caller.
 *
 * NOTE(review): SGDT reads the GDTR of the CPU this code happens to run on;
 * whether other processors' tables need the same treatment is not addressed
 * here — confirm against the intended scope.
 */
void AddGate(ULONG Fun)
{
    CALLGATE_DESCRIPTOR* CallGate;
    /* 6-byte scratch buffer for SGDT. NOTE(review): the allocation result is
     * dereferenced below without a NULL check, and the buffer is never freed
     * before return. */
    GDT* gdt = ExAllocatePool(NonPagedPool,sizeof(GDT));
    ULONG pos = 0,count = 0;
    USHORT Limit = 0;
    USHORT CallGateSel = 0;

    /* Store the current GDTR (limit + base) into *gdt. */
    _asm {
        mov eax,gdt
        sgdt [eax]
    }
    Limit = gdt->TableLimit;
    CallGate = gdt->TableBase;      /* implicit ULONG -> pointer conversion */
    CallGate++;                     /* observed in the debugger: entry 0 is empty (the null descriptor, reserved by the system) */
    count = (Limit + 1) / 8;        /* Limit is in bytes; 8 bytes per descriptor */

    /* Walk the table for the first descriptor with P == 0 and claim it.
     * NOTE(review): CallGate was advanced past entry 0 while pos still starts
     * at 0, so the index encoded in CallGateSel and the slot actually written
     * differ by one, and the final iteration inspects the descriptor just past
     * the table limit. Confirm against the intended table walk. */
    while (pos < count) {
        if (CallGate->present == 0) {
            /* free slot found */
            CallGate->offset_0_15 = Fun & 0xFFFF;   /* low 16 bits of the offset */
            CallGate->selector = 0x8;               /* presumably the ring-0 code segment selector; verify on the target */
            CallGate->param_count = 0;              /* no stack parameters copied; matches the plain retf in MyFun */
            CallGate->some_bits = 0;
            CallGate->type = 0xC;                   /* 32-bit call gate */
            CallGate->app_system = 0;               /* system descriptor */
            CallGate->dpl = 0x3;                    /* usable from ring 3 */
            CallGate->present = 0x1;
            CallGate->offset_16_31 = Fun >> 0x10;   /* shift right 16: high 16 bits of the offset */
            /* selector = index * 8 with RPL 3 in the low two bits */
            CallGateSel = (USHORT)((pos * sizeof(CALLGATE_DESCRIPTOR)) | 0x3);
            break;
        }
        pos ++;
        CallGate++;
    }
}
/*
 * Ring-0 landing point reached through the call gate installed by AddGate.
 *
 * Declared naked so the compiler emits no prologue/epilogue: on entry the
 * stack holds the far return frame pushed by the gate transition, which a
 * generated near-call epilogue would not account for. The body saves the
 * general registers and EFLAGS, calls the real payload, restores them, and
 * leaves with a far return (retf) so CS:EIP — and, for an inter-privilege
 * call, SS:ESP — are restored to the caller's values. retf carries no
 * immediate because the gate was installed with param_count = 0.
 */
__declspec(naked) void MyFun()
{
    __asm
    {
        pushad          /* save EAX..EDI */
        pushfd          /* save EFLAGS */
        call Ring0Run   /* the actual ring-0 work */
        popfd
        popad
        retf            /* far return through the gate back to the caller */
    }
}
/* The work done in ring 0 on each gate call: a single DbgPrint to show the
 * transition happened. Reached from MyFun's asm via a plain near call, so it
 * must remain a no-argument function with the default calling convention. */
void Ring0Run() { DbgPrint("My CallGate Run...."); }