Как получить привилегию Ring 0
Автор: The GSG®
Иногда это нужно для доступа к портам выше $FF, таким как IDE-контроллер и т.д.
--------------------------------------------------
; Assembler setup: MASM syntax, 32-bit flat model.
.386p                ; 386 instruction set incl. system instructions (sgdt/sldt are used below)
.model flat
.radix 16            ; every numeric literal in this file is hexadecimal unless suffixed otherwise
; Selector values (hex, see .radix) used by Shell: the code selector is placed in the
; call gate, the data selector is loaded into DS/ES. Their meaning is OS-specific and
; the file does not name the target system — confirm against the environment in use.
Ring_0_CS_32 = 28
Ring_0_DS_32 = 30
public CALLRING0PROC ; exported entry point; takes one dword stack argument (cleaned by ret 4)
_TEXT segment dword public use32 'CODE'
;-----------------------------------------------------------------------
; CALLRING0PROC(proc)
; Runs the routine whose address is the single dword stack argument
; ([ebp+8]) through a temporary 32-bit call gate that this function
; writes into the current LDT, then zeroes the gate again.
; In:   [ebp+8] = address of the routine to call (read by Shell)
;       esi     = argument block consumed by Shell (count dword followed
;                 by that many dwords) — NOT set here, caller's contract
; Out:  eax = 0fffffffe (-2) when no free LDT descriptor was found;
;       otherwise whatever the called routine left in eax (Shell does not
;       touch eax after the call).
; Preserves: ebp, edi.  Clobbers: eax, flags, plus ecx/esi via Shell.
; Locals: [ebp-8..ebp-3] first hold the 6-byte GDTR, then the LDT base
;       (dword at ebp-8) and finally the far pointer offset:selector used
;       for the gate call (selector word at ebp-4).
; Security note: this only succeeds where ring-3 code can write to the
;       LDT's memory, i.e. where kernel/user isolation is already absent.
;       From a defensive standpoint a DPL-3 call gate appearing in an
;       LDT is a strong indicator of this technique.
;-----------------------------------------------------------------------
CALLRING0PROC proc near
; Get the LDT's address first
push ebp
mov ebp,esp
sub esp,8                    ; 8 bytes of locals (GDTR needs 6)
push edi
sgdt [ebp-8]                 ; [ebp-8] = GDTR: limit word, then base dword at ebp-6
mov edi,[ebp-6]              ; edi = GDT linear base
sldt ax                      ; ax = LDT selector
and ax,0fff8                 ; strip RPL/TI bits -> byte offset of the LDT descriptor in the GDT
movzx eax,ax
add edi,eax                  ; edi -> LDT segment descriptor inside the GDT
mov eax,[edi+2]              ; descriptor bytes 2..5: base[15:0], base[23:16], access byte
mov [ebp-8],eax
mov al,[edi+7]               ; base[31:24]
mov [ebp-5],al ; EBP-8 now contains LDT's address (access byte at ebp-5 overwritten by base[31:24])
mov ax,[edi]                 ; limit[15:0] only; limit[19:16] and the G bit at byte 6 are not read
and al,0f8                   ; round down to an 8-byte descriptor boundary
movzx eax,ax
mov [ebp-4],eax ; EBP-4 contains LDT's Limit
; Then allocate a descriptor: scan from the last descriptor slot downward,
; treating a slot as free when both of its dwords are zero.
mov edi,[ebp-8]              ; edi = LDT base, eax = offset of the current slot
Search :cmp dword ptr [edi+eax],0
jne Search_Next_Desc
cmp dword ptr [edi+eax+4],0
je Found_Unused_Desc
Search_Next_Desc :
sub ax,8
jns Search                   ; 16-bit sign test: stops after slot 0 (relies on limit < 8000h)
mov eax,0fffffffe ; Return -2 if error (no free slot)
jmp Done
Found_Unused_Desc :
add edi,eax ; EDI contains the Descriptor's address
add al,7 ; AX contains the selector: slot offset | 4 (TI = LDT) | 3 (RPL = 3)
; Create the call gate (descriptor layout: offset[15:0], selector, param count,
; type/DPL/P byte, offset[31:16])
mov [ebp-4],ax               ; selector half of the far pointer at [ebp-8]
mov dword ptr [edi],offset DGROUP:Shell     ; bytes 0-1 = offset low; bytes 2-3 temporarily hold offset high
mov eax,Ring_0_CS_32+0ec000000 ; eax = 0EC000028h: selector 28h, 0 params, byte 5 = ECh (P=1, DPL=3, type=32-bit call gate)
xchg eax,[edi+2]             ; write selector+flags to bytes 2-5, recover offset high into ax
mov [edi+6],ax               ; bytes 6-7 = offset high
; Call the gate and transfer to Shell: for a gate target the offset part of the
; far pointer (still the LDT base at [ebp-8]) is ignored, only the selector matters.
call fword ptr [ebp-8]
; Free the selector
mov dword ptr [edi],0
mov dword ptr [edi+4],0
Done :pop edi
mov esp,ebp
pop ebp
ret 4 ; Clean up parameter
CALLRING0PROC endp
;-----------------------------------------------------------------------
; Shell — target of the call gate built by CALLRING0PROC; runs at the
; gate's privilege level. It builds no stack frame, so ebp still addresses
; CALLRING0PROC's frame and [ebp+8] is that function's dword argument
; (the routine to call).
; In:   esi -> argument block: dword count, then count dwords. They are
;       pushed in block order (first element pushed first, so it ends up
;       deepest on the stack) — order the block accordingly.
; The marker 0f12ff34f pushed below the arguments lets the pop loop
; discard the arguments regardless of how many the callee left in place.
; Preserves: ds, es, edi.  Clobbers: ecx, esi (exits holding the marker
;       value), eax as left by the callee.
; `proc far` makes the final ret a far return, which leaves through the
; gate back to the caller's privilege level.
; NOTE: LOOP decrements ecx before testing, so a count of 0 is not
;       handled — the block must hold at least one argument.
;-----------------------------------------------------------------------
Shell proc far
push ds
push es
push edi
MOV ECX,[ESI]                ; ecx = argument count
ADD ESI,4
push 0f12ff34f               ; stack marker used by POPARG below
PUSHARG:
PUSH DWORD PTR [ESI]
ADD ESI,4
LOOP PUSHARG
mov ax,Ring_0_DS_32          ; switch DS/ES to the data selector for the call
mov ds,ax
mov es,ax
call dword ptr [ebp+8]       ; near call of CALLRING0PROC's argument
POPARG:
POP ESI                      ; pop until the marker is reached (drops the arguments)
CMP ESI,0f12ff34f
JNE POPARG
pop edi
pop es
pop ds
ret                          ; far return (proc far)
Shell endp
_TEXT ends                   ; end of code segment
end                          ; end of module; no start label, so no program entry point is defined