VC6下编译进Ring0代码的疑惑

2016-02-19 16:19 44 1 收藏



VC6下编译进Ring0代码的疑惑:操作系统 XP SP2,CPU:AMD 3000+。现象:VC6 总会优化代码,编译出来的代码不是想要的。

代码如下:

// tt.cpp : Defines the entry point for the application.
//

#include "stdafx.h"

#define _X86_

#include windows.h
#include stdio.h
#include aclapi.h
#include conio.h
#include windef.h
#include shellapi.h

typedef long NTSTATUS;
typedef unsigned short USHORT;
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) = 0)
#define OBJ_INHERIT 0x00000002L
#define OBJ_PERMANENT 0x00000010L
#define OBJ_EXCLUSIVE 0x00000020L
#define OBJ_CASE_INSENSITIVE 0x00000040L
#define OBJ_OPENIF 0x00000080L
#define OBJ_OPENLINK 0x00000100L
#define OBJ_KERNEL_HANDLE 0x00000200L
#define OBJ_VALID_ATTRIBUTES 0x000003F2L

// Counted wide string as used by the native (Nt/Zw) API.  Length and
// MaximumLength are byte counts, not character counts -- the MIDL annotation
// below sizes Buffer as MaximumLength / 2 USHORT elements -- and Buffer is
// not required to be NUL-terminated.  Filled in here by RtlInitUnicodeString.
typedef struct _UNICODE_STRING {
 USHORT Length;           // bytes in use
 USHORT MaximumLength;    // bytes available in Buffer
 
#ifdef MIDL_PASS
 [size_is(MaximumLength / 2), length_is((Length) / 2) ] USHORT * Buffer;
#else // MIDL_PASS
 PWSTR Buffer;
#endif // MIDL_PASS
} UNICODE_STRING;

typedef UNICODE_STRING *PUNICODE_STRING;
typedef const UNICODE_STRING *PCUNICODE_STRING;
#define UNICODE_NULL ((WCHAR)0) // winnt

// Object-manager open parameters passed to ZwOpenSection.  Length must hold
// sizeof(OBJECT_ATTRIBUTES) (the InitializeObjectAttributes macro below sets
// it); ObjectName is the NT object path and Attributes the OBJ_* flags.
typedef struct _OBJECT_ATTRIBUTES {
 ULONG Length;
 HANDLE RootDirectory;           // NULL here: ObjectName is an absolute path
 PUNICODE_STRING ObjectName;
 ULONG Attributes;               // OBJ_* flags
 PVOID SecurityDescriptor; // Points to type SECURITY_DESCRIPTOR
 PVOID SecurityQualityOfService; // Points to type SECURITY_QUALITY_OF_SERVICE
} OBJECT_ATTRIBUTES;

typedef OBJECT_ATTRIBUTES *POBJECT_ATTRIBUTES;


#define InitializeObjectAttributes( p, n, a, r, s ) {
 (p)-Length = sizeof( OBJECT_ATTRIBUTES );
 (p)-RootDirectory = r;
 (p)-Attributes = a;
 (p)-ObjectName = n;
 (p)-SecurityDescriptor = s;
 (p)-SecurityQualityOfService = NULL;
}

extern "C"
typedef VOID (*pRtlInitUnicodeString)( PUNICODE_STRING DestinationString,PCWSTR SourceString);

extern "C"
typedef NTSTATUS (*pZwOpenSection)(OUT PHANDLE SectionHandle,IN ACCESS_MASK DesiredAccess,IN POBJECT_ATTRIBUTES ObjectAttributes);

extern "C"
typedef NTSTATUS (*pZwClose)(IN HANDLE Handle);

// Hard-coded ntdll.dll load address from the author's XP SP2 machine, used as
// the module handle for the GetProcAddress calls in ExecRing0Proc.
// NOTE(review): this value is build- and system-specific; the author's own
// comment already points out that GetModuleHandle returns it at run time.
static const HINSTANCE NTDLLHANDLE=(HINSTANCE)0x7c920000; //address ntdll.dll is loaded at; GetModuleHandle can retrieve it

#define STATUS_SUCCESS ((NTSTATUS)0x00000000L) // ntsubauth
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)
//#pragma comment(lib,"C:NTDDKlibfrei386tdll.lib")

#define ENTERRING0 _asm pushad
 _asm pushf
_asm cli

#define LEAVERING0 _asm popf
 _asm popad
_asm retf

// Memory image of the GDTR as stored by `sgdt`: a 16-bit table limit followed
// by the 32-bit linear base, which this struct splits into two 16-bit halves
// (ExecRing0Proc recombines BaseHigh/BaseLow into the base address).
typedef struct gdtr {
 unsigned short Limit;     // size of the GDT in bytes minus one
 unsigned short BaseLow;   // base address bits 0-15
 unsigned short BaseHigh;  // base address bits 16-31
} Gdtr_t, *PGdtr_t;

// Bit-field view of one 8-byte GDT descriptor, interpreted as a 386 call gate:
// the 32-bit target offset is split across offset_0_15 / offset_16_31, selector
// names the code segment entered through the gate, and the access byte holds
// type (0xC = 386 call gate), app_system (0 = system descriptor), dpl and
// present.  The layout relies on the compiler packing adjacent unsigned char
// bit-fields into single bytes; ExecRing0Proc clears a slot by writing two
// ULONGs, which is what the 8-byte size is matched against.
typedef struct {
 unsigned short offset_0_15;
 unsigned short selector;
 
 unsigned char param_count : 4;   // dwords copied to the new stack (0 here)
 unsigned char some_bits : 4;     // reserved bits of the count byte
 
 unsigned char type : 4;
 unsigned char app_system : 1;
 unsigned char dpl : 2;
 unsigned char present : 1;
 
 unsigned short offset_16_31;
} CALLGATE_DESCRIPTOR;


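// Print the system message text for a Win32 error code (as returned by
// GetLastError()) to stdout.
//
// ErrorCode: the Win32 error code to describe.
//
// Falls back to printing the numeric code when FormatMessage produces no
// text.  The original read and freed lpMsgBuf unconditionally, which on a
// FormatMessage failure dereferences an uninitialized pointer.
void PrintWin32Error( DWORD ErrorCode )
{
 LPVOID lpMsgBuf = NULL;
 
 // FORMAT_MESSAGE_ALLOCATE_BUFFER makes the call LocalAlloc the buffer and
 // store its address through the LPTSTR* we pass; a zero return means no
 // message was produced and lpMsgBuf must not be used or freed.
 DWORD len = FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM, NULL, ErrorCode, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), (LPTSTR) &lpMsgBuf, 0, NULL);
 if (len == 0 || lpMsgBuf == NULL)
 {
  printf("Win32 error %lu", (unsigned long)ErrorCode);
  return;
 }
 // This is an ANSI build (narrow MessageBox strings elsewhere), so %s matches.
 printf("%s", (const char *)lpMsgBuf );
 LocalFree( lpMsgBuf );
}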

// Translate a kernel-space virtual address into the physical offset that
// ExecRing0Proc passes to MapViewOfFile on the \Device\PhysicalMemory section.
//
// virtualaddress: the virtual address to translate.
// Returns 0 when the address falls outside the accepted window, otherwise the
// address masked to a 4 KiB-aligned value below 0x20000000 (512 MiB).
//
// NOTE(review): the comparison operators on the `if` line appear to have been
// lost when the page was extracted (presumably `< 0x80000000` and
// `>= 0xA0000000`); as printed the line does not compile.  The mask also
// assumes that this kernel window maps physical memory 1:1 -- a property of
// the author's XP SP2 / non-PAE setup, not something to rely on in general.
ULONG MiniMmGetPhysicalAddress(ULONG virtualaddress)
{
 if(virtualaddress0x80000000||virtualaddress=0xA0000000)
  return 0;
 return virtualaddress&0x1FFFF000;
}

// Grant the CURRENT_USER trustee SECTION_MAP_WRITE on the section behind
// hSection by appending one explicit-access entry to its existing DACL.
// hSection must have been opened with READ_CONTROL|WRITE_DAC (ExecRing0Proc
// does this).  Failures are only printf'ed; there is no return value, so the
// caller cannot tell whether the DACL was actually changed.
//
// Defender's note: the DACL rewrite on \Device\PhysicalMemory from user mode is
// the pivotal step of this technique.  Later Windows releases no longer hand
// user mode a handle to that section at all, and where a SACL is configured on
// the object the WRITE_DAC use here shows up in object-access auditing.
VOID SetPhyscialMemorySectionCanBeWrited(HANDLE hSection)
{
 PACL pDacl=NULL;
 PACL pNewDacl=NULL;
 PSECURITY_DESCRIPTOR pSD=NULL;
 DWORD dwRes;
 EXPLICIT_ACCESS ea;

 // NOTE(review): `=` binds looser than `!=`, so dwRes receives the result of
 // the comparison (0 or 1), not the error code; the value printed below is
 // therefore always 1 on failure.  Parenthesize the assignment:
 // `if((dwRes=GetSecurityInfo(...)) != ERROR_SUCCESS)`.  The same applies to
 // the SetEntriesInAcl and SetSecurityInfo checks further down.
 if(dwRes=GetSecurityInfo(hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION, NULL,NULL,&pDacl,NULL,&pSD) != ERROR_SUCCESS)
 {
  printf( "GetSecurityInfo Error %u", dwRes );
  goto CleanUp;
 }
 
 // One GRANT_ACCESS entry for the special trustee name "CURRENT_USER", which
 // SetEntriesInAcl resolves to the calling account.  (A string literal is
 // stored in the non-const LPTSTR ptstrName; it is never written through,
 // but a cast would make that explicit.)
 ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
 ea.grfAccessPermissions = SECTION_MAP_WRITE;
 ea.grfAccessMode = GRANT_ACCESS;
 ea.grfInheritance= NO_INHERITANCE;
 ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
 ea.Trustee.TrusteeType = TRUSTEE_IS_USER;
 ea.Trustee.ptstrName = "CURRENT_USER";
 
 // Merge the new entry with the existing DACL (pDacl points into pSD and is
 // released together with it; pNewDacl is a separate LocalAlloc'd block).
 if(dwRes=SetEntriesInAcl(1,&ea,pDacl,&pNewDacl)!=ERROR_SUCCESS)
 {
  printf( "SetEntriesInAcl %u", dwRes );
  goto CleanUp;
 }
 
 if(dwRes=SetSecurityInfo(hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,NULL,NULL,pNewDacl,NULL)!=ERROR_SUCCESS)
 {
  printf("SetSecurityInfo %u",dwRes);
  goto CleanUp;
 }
 
CleanUp:
 
 if(pSD)
  LocalFree(pSD);
 // NOTE(review): copy-paste bug -- when pNewDacl is set, pSD is non-NULL too,
 // so this frees pSD a second time (double free) and leaks pNewDacl.  The
 // line should read `LocalFree(pNewDacl);`.
 if(pNewDacl)
  LocalFree(pSD);
}
#define RING0PROC void __declspec (naked)

// Run the naked routine at Entry (seglen bytes long) through a temporary 386
// call gate written into the GDT, so that the routine executes at ring 0.
//
// Entry:  address of a RING0PROC routine; it must save/restore state itself
//         and return with `retf` (see ENTERRING0 / LEAVERING0).
// seglen: number of bytes starting at Entry that are locked with VirtualLock
//         while the routine runs, so the code cannot be paged out at ring 0.
// Returns TRUE after the routine returned and the gate slot was cleared; 0 on
// any failure (diagnostics via printf / PrintWin32Error).
//
// Flow, as visible below: `sgdt` yields the GDT base, which is converted to a
// physical offset and mapped through the \Device\PhysicalMemory section (after
// rewriting its DACL, see SetPhyscialMemorySectionCanBeWrited); a free
// descriptor slot is turned into a DPL-3 call gate aimed at Entry and a far
// call through it enters ring 0.  This depends on user mode being able to map
// \Device\PhysicalMemory, which held on the author's XP SP2 setup; from a
// defensive view the observable events are the WRITE_DAC on that section and
// the write to the GDT page.
//
// NOTE(review): several `->`, `<<` and `>` operators in this function appear
// to have been dropped when the page was extracted (e.g. `gdt.BaseHigh16U`,
// `cg-type`, the for-loop condition), and the L"..." object path has lost its
// backslashes, so the listing does not compile as printed.
BOOL ExecRing0Proc(ULONG Entry,ULONG seglen)
{
 Gdtr_t gdt;
 __asm sgdt gdt;   // store the 6-byte GDTR (limit + linear base) into gdt
 
 // Recombine the two 16-bit halves into the GDT's linear base (`<<` presumed
 // lost in extraction) and translate it to a physical offset.
 ULONG mapAddr=MiniMmGetPhysicalAddress(gdt.BaseHigh16U|gdt.BaseLow);
 if(!mapAddr) return 0;
 
 HANDLE hSection=NULL;
 NTSTATUS status;
 OBJECT_ATTRIBUTES objectAttributes;
 UNICODE_STRING objName;
 CALLGATE_DESCRIPTOR *cg;
 
 status = STATUS_SUCCESS;
 
 pRtlInitUnicodeString RtlInitUnicodeString;
 pZwOpenSection ZwOpenSection;
 pZwClose ZwClose;
 
 // NOTE(review): none of the three GetProcAddress results is checked for
 // NULL; a missing export (or a wrong NTDLLHANDLE base) crashes on the first
 // call below.
 RtlInitUnicodeString=(pRtlInitUnicodeString)GetProcAddress(NTDLLHANDLE,"RtlInitUnicodeString");
 ZwOpenSection=(pZwOpenSection)GetProcAddress(NTDLLHANDLE,"ZwOpenSection");
 ZwClose=(pZwClose)GetProcAddress(NTDLLHANDLE,"ZwClose");

 RtlInitUnicodeString(&objName,L"DevicePhysicalMemory");
 InitializeObjectAttributes(&objectAttributes, &objName, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, (PSECURITY_DESCRIPTOR) NULL);
 status = ZwOpenSection(&hSection,SECTION_MAP_READ|SECTION_MAP_WRITE,&objectAttributes);
 
 // With the ACCESS_DENIED test commented out, the DACL rewrite below runs
 // unconditionally.  The status of the READ_CONTROL|WRITE_DAC open is never
 // examined before hSection is handed to SetPhyscialMemorySectionCanBeWrited.
 //if(status == STATUS_ACCESS_DENIED) //has to keep forcing the rewrite here, otherwise it does not work!
 {
  status = ZwOpenSection(&hSection,READ_CONTROL|WRITE_DAC,&objectAttributes);
  SetPhyscialMemorySectionCanBeWrited(hSection);
  ZwClose(hSection);
  status = ZwOpenSection(&hSection,SECTION_MAP_READ|SECTION_MAP_WRITE,&objectAttributes);
 }
 
 if(status != STATUS_SUCCESS)
 {
  printf("Error Open PhysicalMemory Section Object,Status:%08X",status);
  return 0;
 }
 
 // Map gdt.Limit+1 bytes of the section starting at physical offset mapAddr
 // (low 32 bits; the high part is 0).
 // NOTE(review): on the MapViewOfFile and VirtualLock failure paths hSection
 // is returned without ZwClose, and the view is never released with
 // UnmapViewOfFile on any path.
 PVOID BaseAddress;
 BaseAddress=MapViewOfFile(hSection,
  FILE_MAP_READ|FILE_MAP_WRITE,
  0,
  mapAddr, //low part
  (gdt.Limit+1));
 if(!BaseAddress)
 {
  printf("Error MapViewOfFile:");
  PrintWin32Error(GetLastError());
  return 0;
 }
 
 BOOL setcg=FALSE;
 
 // Walk the descriptors backwards from the last 8-byte slot (Limit rounded
 // down) looking for one whose type is 0 (unused), stopping at the table
 // base; the loop condition's `>` appears lost in extraction.  Selector 8 is
 // the flat ring-0 code segment on x86 Windows.
 for(cg=(CALLGATE_DESCRIPTOR *)((ULONG)BaseAddress+(gdt.Limit&0xFFF8));(ULONG)cg(ULONG)BaseAddress;cg--)
  if(cg-type == 0){
   cg-offset_0_15 = LOWORD(Entry);
   cg-selector = 8;
   cg-param_count = 0;
   cg-some_bits = 0;
   cg-type = 0xC; // 386 call gate
   cg-app_system = 0; // A system descriptor
   cg-dpl = 3; // Ring 3 code can call
   cg-present = 1;
   cg-offset_16_31 = HIWORD(Entry);
  
   setcg=TRUE;
   break;
  }
 
  if(!setcg){
   ZwClose(hSection);
   return 0;
  }
  // Debug pop-up.  1000 bytes is ample for this format, but sprintf is
  // unbounded (_snprintf would be the bounded form) and %x with pointer /
  // handle arguments is the kind of mismatch -Wformat reports.
  char *msg=new char[1000];
  sprintf(msg,"BaseAddress=%xhSection=%xmapAddr=%x",BaseAddress,hSection,mapAddr);
  MessageBox(NULL,msg,NULL,NULL);
  delete [] msg;
  // 48-bit far pointer {offset (two words), selector}.  Only the selector word
  // is set: the selector is the gate's byte offset in the GDT with RPL 3; the
  // CPU ignores the offset part when the selector names a call gate, but
  // farcall[0..1] are still read uninitialized by the `call` below.
  short farcall[3];
 
  farcall[2]=((short)((ULONG)cg-(ULONG)BaseAddress))|3; //Ring 3 callgate;
  if(!VirtualLock((PVOID)Entry,seglen))
  {
   printf("Error VirtualLock:");
   PrintWin32Error(GetLastError());
   return 0;
  }  SetThreadPriority(GetCurrentThread(),THREAD_PRIORITY_TIME_CRITICAL);
  Sleep(0);
 
  // Far call through the gate; the routine at Entry runs at ring 0 with
  // interrupts disabled (ENTERRING0's cli) until its retf.
  _asm call fword ptr [farcall];
 
  MessageBox(NULL,"com",NULL,NULL);
  SetThreadPriority(GetCurrentThread(),THREAD_PRIORITY_NORMAL);
 
  VirtualUnlock((PVOID)Entry,seglen);
 
  //Clear callgate -- zero all 8 descriptor bytes so the gate does not outlive the call
  *(ULONG *)cg=0;
  *((ULONG *)cg+1)=0;
  ZwClose(hSection);
  MessageBox(NULL,"com2",NULL,NULL);
  return TRUE;
}

// Results written by the ring-0 routines below; a global so the naked inline
// asm can address it by name without a stack frame.
struct _RING0DATA
{
 DWORD mcr0,mcr2,mcr3;            // CR0 / CR2 / CR3 captured by Ring0Proc1
 unsigned short BaseMemory;       // CMOS base-memory size read by Ring0Proc2
 unsigned short ExtendedMemory;   // CMOS extended-memory size read by Ring0Proc2
}r0Data;

// Ring-0 routine: copies CR0, CR2 and CR3 into r0Data.  Reading control
// registers is privileged (faults at CPL 3), which is why it runs through the
// call gate installed by ExecRing0Proc.  __declspec(naked) means the compiler
// emits no prologue/epilogue, so ENTERRING0/LEAVERING0 must provide the
// register save/restore and the closing `retf`.
//
// NOTE(review): ENTERRING0 and LEAVERING0 are printed without line-continuation
// backslashes, so as shown only their first `_asm` line belongs to the macro;
// the original presumably ended each line with `\`.
RING0PROC Ring0Proc1()
{
 ENTERRING0;
 _asm {
  mov eax, cr0
   mov r0Data.mcr0, eax;
  mov eax, cr2
   mov r0Data.mcr2, eax;
  mov eax, cr3
   mov r0Data.mcr3, eax;
 }
 LEAVERING0;
}

// Ring-0 routine: reads the BIOS memory-size fields out of CMOS into r0Data.
// Port 0x70 selects a CMOS register index and port 0x71 reads it; indexes
// 0x15/0x16 conventionally hold the low/high bytes of the base-memory size and
// 0x17/0x18 those of the extended-memory size (both in KiB).  Port I/O at
// CPL 3 faults unless IOPL allows it, hence the ring-0 entry.
//
// NOTE(review): the `<<` before `8` on the two `+=` lines appears lost in
// extraction (high byte shifted into place).  The macro-continuation caveat
// noted on Ring0Proc1 applies here as well.
RING0PROC Ring0Proc2()
{
 ENTERRING0;
 _outp( 0x70, 0x15 );
 
 // ax is zeroed first so the 16-bit store carries only the low byte.
 _asm
 {
  mov ax,0
   in al,71h
   mov r0Data.BaseMemory,ax
 }
 
 _outp( 0x70, 0x16 );
 r0Data.BaseMemory += _inp(0x71) 8;
 _outp( 0x70, 0x17 );
 r0Data.ExtendedMemory = _inp( 0x71 );
 _outp( 0x70, 0x18 );
 r0Data.ExtendedMemory += _inp(0x71) 8;
 LEAVERING0;
}

来源:https://www.tulaoshi.com/n/20160219/1611686.html
