帮我解释一下
http://www.internals.com 上的 WinIO 工具中，DLL 里的 port32.cpp 提供了一段从 Ring 3（3环）进入 Ring 0（0环）的代码，但其中有几句不明白。
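请问下面几句是什么意思?

    // Prepare the far call parameters
    WORD CallgateAddr[3];
    CallgateAddr[0] = 0x0;
    CallgateAddr[1] = 0x0;
    CallgateAddr[2] = (wGDTIndex << 3) | 3;

wGDTIndex << 3 好像形成了选择子，为什么还要或上 3？附整个源码（已加注释）：

// Answer to the question above.
//
// `(wGDTIndex << 3) | 3` builds an x86 segment selector. Bits 15..3 hold the
// descriptor index, bit 2 is the table indicator (0 = GDT, 1 = LDT) and bits
// 1..0 are the RPL, the Requested Privilege Level. OR-ing 3 therefore marks
// the selector as a ring-3 request. RPL can never raise the caller's
// privilege: for a far CALL through a call gate the CPU checks
// CPL <= gate DPL and RPL <= gate DPL, and because the gate built below has
// DPL = 3, any RPL (0..3) would pass. `| 3` is simply the conventional way for
// ring-3 code to form a selector; what actually lands the call in ring 0 is
// the gate's code-segment selector (0x28) and its DPL, not the RPL.
//
// Security note (reviewer): this function is a ring-3 -> ring-0 transition.
// It can only work if the GDT at gdtr.dwGDTBase is mapped writable from user
// mode (presumably arranged by the WinIO driver — verify); on a system where
// the GDT page is protected the descriptor write faults. Whoever can call
// this runs arbitrary code in ring 0, so pvRing0FuncAddr must never be taken
// from an untrusted source. The code is also 32-bit x86 only: the inline
// assembly and LOWORD/HIWORD of a PVOID assume 32-bit pointers.
//
// Parameters:
//   pvRing0FuncAddr  linear address of the routine to execute in ring 0. It
//                    is entered through a call gate, receives DX/EBX/CL as
//                    described below, and must return with a far return.
//   wPortAddr        I/O port number, handed to the routine in DX.
//   pdwPortVal       pointer to the value buffer, handed to the routine in EBX.
//   bSize            access width, handed to the routine in CL.
// Returns true after the ring-0 routine returned; false when a required
// pointer is NULL or no free GDT descriptor could be found.

// A slot is treated as free when Type, S, DPL and P are all zero. The base
// and limit fields are not inspected; a not-present descriptor with a
// non-zero type is still considered owned by the OS.
static bool IsFreeDescriptor(const GDT_DESCRIPTOR *pDesc)
{
    return pDesc->Type == 0 && pDesc->System == 0 &&
           pDesc->DPL == 0 && pDesc->Present == 0;
}

// Turn a GDT slot into a 32-bit call gate whose target is pvTarget.
static void InstallCallgate(CALLGATE_DESCRIPTOR *pCallgate, PVOID pvTarget)
{
    pCallgate->Offset_0_15  = LOWORD(pvTarget);
    pCallgate->Selector     = 0x28;  // presumably the flat ring-0 code selector of the target OS — verify per platform
    pCallgate->ParamCount   = 0;     // nothing is copied from the ring-3 stack
    pCallgate->Unused       = 0;
    pCallgate->Type         = 0xc;   // 32-bit call gate
    pCallgate->System       = 0;     // S = 0: system descriptor, not code/data
    pCallgate->DPL          = 3;     // the gate itself may be used from ring 3
    pCallgate->Present      = 1;
    pCallgate->Offset_16_31 = HIWORD(pvTarget);
}

bool CallRing0(PVOID pvRing0FuncAddr, WORD wPortAddr, PDWORD pdwPortVal, BYTE bSize)
{
    // A NULL here would fault inside ring 0 rather than in this process.
    if (pvRing0FuncAddr == NULL || pdwPortVal == NULL)
        return false;

    GDTR gdtr;
    _asm Sgdt [gdtr]

    // The GDTR limit is (table size - 1), so the descriptor count is
    // (limit + 1) / 8. The original `wGDTLimit / 8` bound skipped the last
    // descriptor of the table.
    const WORD wEntries = (WORD)((gdtr.wGDTLimit + 1) / 8);

    // Descriptor 0 is the null descriptor and can never hold a gate.
    GDT_DESCRIPTOR *pGDTDescriptor = (GDT_DESCRIPTOR *)(gdtr.dwGDTBase + 8);

    for (WORD wGDTIndex = 1; wGDTIndex < wEntries; wGDTIndex++, pGDTDescriptor++) {
        if (!IsFreeDescriptor(pGDTDescriptor))
            continue;

        // NOTE(review): there is no lock around find / write / use / clear.
        // Two threads or processes running this at the same time can choose
        // the same free slot and one of them will jump through the other's
        // gate. Callers must serialize this function system-wide.
        InstallCallgate((CALLGATE_DESCRIPTOR *)pGDTDescriptor, pvRing0FuncAddr);

        // Memory operand for CALL FWORD PTR (m16:32): a 32-bit offset followed
        // by the 16-bit selector. The offset is ignored for a call gate — the
        // gate supplies the target — so it is left at 0. The selector is
        // index << 3, TI = 0 (GDT), RPL = 3.
        WORD CallgateAddr[3];
        CallgateAddr[0] = 0x0;
        CallgateAddr[1] = 0x0;
        CallgateAddr[2] = (WORD)((wGDTIndex << 3) | 3);

        // Register interface of the ring-0 routine: DX = port,
        // EBX = value pointer, CL = width. From the CALL until the routine's
        // far return the CPU runs at CPL 0.
        _asm Mov DX, [wPortAddr]
        _asm Mov EBX, [pdwPortVal]
        _asm Mov CL, [bSize]
        _asm Call FWORD PTR [CallgateAddr]

        // Release the slot again. NOTE(review): if the ring-0 routine faults
        // this line is never reached and the gate stays in the GDT, where any
        // process can find and use it.
        memset(pGDTDescriptor, 0, 8);
        return true;
    }

    // No free GDT descriptor was found.
    return false;
}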