Windows内核分析索引目录:https://www.cnblogs.com/onetrainee/p/11675224.html
使用驱动来编写调用门
测试代码:
#include "stdafx.h"
#include <stdlib.h>

/*
 * Target of the far call performed in main(). Declared naked so MSVC emits no
 * prologue/epilogue: the body is exactly an `int 3` (debugger break) followed
 * by a far return, which pops the CS:EIP pushed by `call fword ptr` (and, if
 * the gate changed privilege level, the saved SS:ESP as well).
 * 32-bit MSVC only: `__asm` blocks are not available on x64.
 */
__declspec(naked) void callgate() {
    __asm {
        int 3;
        retf;
    }
}

/*
 * User-mode side of the call-gate test.
 *
 * Builds a 48-bit far pointer in buf (4-byte offset followed by a 2-byte
 * selector) and far-calls through it. Selector 0x4b is index 9 (GDT byte
 * offset 0x48, the entry the driver listing writes), TI = 0, RPL = 3.
 * When the selector names a call gate the CPU takes the target offset from
 * the gate descriptor, so the 0x12345678 offset stored here is only a dummy.
 * The address of callgate is printed first so it can be copied into the
 * descriptor the driver installs; the driver listing hard-codes 0x00401005,
 * which must match what this program prints for the build being run.
 *
 * NOTE(review): the int/short stores into the char array are type punning
 * through incompatible pointer types (undefined behaviour per the C standard,
 * tolerated by MSVC on x86); memcpy into buf would express the same layout
 * without the aliasing hazard. printf is assumed to come in via stdafx.h.
 */
int main(int argc, char* argv[]) {
    char buf[6] = {0};                 /* far pointer image: offset[0..3], selector[4..5] */
    *(int*)&buf[0] = 0x12345678;       /* dummy offset; ignored for a call-gate selector */
    *(short*)&buf[4] = 0x4b;           /* selector: index 9 -> GDT offset 0x48, RPL 3 */
    printf("%x ", callgate);           /* address to place in the gate descriptor */
    getchar();                         /* pause until the driver has installed the gate */
    __asm {
        call fword ptr buf;            /* far call through the selector in buf */
    }
    system("pause");
    return 0;
}
驱动代码:
#include <ntddk.h>

/*
 * Unload routine: only logs the unload.
 * NOTE(review): the gate descriptor written by DriverEntry is not removed or
 * zeroed here, so the ring-3-callable GDT entry outlives the driver.
 */
VOID DriverUnload(_In_ struct _DRIVER_OBJECT* DriverObject) {
    DbgPrint("%s ", "驱动卸载成功");
}

/*
 * Entry point: reads the GDT base with SGDT and writes a 32-bit call-gate
 * descriptor into the GDT entry at byte offset 0x48 (selector index 9, i.e.
 * the selector 0x4b used by the user-mode test program).
 *
 * Descriptor image written (see the comment below): 0040ec00`001b1005
 *   0x1005 - target offset bits 0..15
 *   0x001b - target code-segment selector (index 3, RPL 3); the listing reuses
 *            the standard CS rather than building a new code segment
 *   0xec00 - P = 1, DPL = 3, type 0xC (32-bit call gate), 0 parameters
 *   0x0040 - target offset bits 16..31  -> target address 0x00401005, which is
 *            the user-mode callgate address printed by the test program and
 *            must be updated to match each build
 *
 * 32-bit x86 only: the 6-byte GDTR image and the `__asm` blocks do not apply
 * to x64. Modifying the live GDT is a system-wide change with no locking
 * or restore path in this listing; the hard-coded index 0x48 is simply
 * assumed to be an unused entry.
 *
 * Parameters: pDriver - driver object (DriverUnload is set on it);
 *             pRegPath - registry path, unused.
 * Returns STATUS_SUCCESS unconditionally.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING pRegPath) {
    pDriver->DriverUnload = DriverUnload;
    DbgPrint("驱动加载成功 ");
    KdBreakPoint();
    // Read the GDTR (16-bit limit followed by the 32-bit base) into Sgdtr.
    // NOTE(review): NULL is a pointer constant; `{ 0 }` is the intended
    // initializer for a CHAR array.
    CHAR Sgdtr[6] = { NULL };
    __asm {
        sgdt Sgdtr;
    }
    // GDT base address = bytes 2..5 of the GDTR image.
    // NOTE(review): stored in a signed int; an unsigned/ULONG_PTR type would
    // be the natural choice for an address.
    int gdtAddr = *(int*)(Sgdtr + 2);
    // Expected descriptor image: 0040ec00`001b1005
    // Build the call-gate descriptor. The code-segment selector used here is
    // the standard CS; no new code segment is constructed.
    gdtAddr += 0x48;    // selector index 9 * 8 bytes per descriptor
    // NOTE(review): four DWORD stores at a 2-byte stride cover 10 bytes, not 8.
    // The final `dword ptr[ecx + 6]` store also zeroes bytes 8..9, i.e. the
    // low limit word of the NEXT GDT entry at offset 0x50. WORD stores (or a
    // single 8-byte store of the descriptor image) would stay within the
    // 8-byte entry.
    _asm {
        mov ecx, gdtAddr;
        mov dword ptr[ecx], 0x1005;      // offset 0..15
        mov dword ptr[ecx + 2], 0x001b;  // target selector
        mov dword ptr[ecx + 4], 0xec00;  // P/DPL/type/param-count word
        mov dword ptr[ecx + 6], 0x0040;  // offset 16..31 (overruns into next entry, see note)
    }
    DbgPrint("%x ", gdtAddr);   // address of the descriptor that was written
    return STATUS_SUCCESS;
}