由驱动进入Ring0
晚辈参照别人的代码(就是前几天发的帖子),想在驱动里调用KeI386AllocateGdtSelectors,KeI386SetGdtSelector,可是在调试驱动时老是出现蓝屏,不知是什么原因,还望高手指点。
先谢了。
.586P
.model flat, stdcall
option casemap:none

include ntddk.inc
include native.inc
include ntoskrnl.inc
includelib ntoskrnl.lib

.const
; Kernel image name.  The scan loops below compare it 8 bytes at a time with
; two SCASD, so only "ntoskrnl" is actually checked; the ".exe" tail is never
; compared.  NOTE(review): a kernel reported under a different file name
; (presumably the PAE/MP builds) would not match and DriverEntry would leave
; through _DE_Exit without doing anything.
szModuleName db \'ntoskrnl.exe\', 0
; Export names resolved from the kernel image.  DriverEntry walks these three
; strings back to back, so they must stay contiguous and in this order.
szAllocSel db \'KeI386AllocateGdtSelectors\', 0
szSetSel db \'KeI386SetGdtSelector\', 0
szReleaseSel db \'KeI386ReleaseGdtSelectors\', 0

.data?
ReturnLength dd ?                  ; size reported by ZwQuerySystemInformation
lpMemory dd ?                      ; unused in this listing
; Resolved export addresses.  Filled by STOSD in DriverEntry, so the three
; dwords must stay contiguous and in the same order as the strings above.
lpKeI386AllocateGdtSelectors dd ?
lpKeI386SetGdtSelector dd ?
lpKeI386ReleaseGdtSelectors dd ?
; 8-byte gate descriptor image handed to KeI386SetGdtSelector (built in DriverEntry):
Offset_L dw ?                      ; target offset, bits 0-15
Selector dw ?                      ; target code selector
Count db ?                         ; call-gate parameter count (set to 0 below)
GateType db ?                      ; access byte (set to 8Ch below)
Offset_H dw ?                      ; target offset, bits 16-31
callgt df ?                        ; 48-bit far pointer (offset:selector) used by CALL FWORD

.code
; GetKrnlAddress: returns the base of the module named by szModuleName from the
; SystemModuleInformation (class 11) list, or 0 on failure.
; NOTE(review): not called anywhere in this listing; DriverEntry inlines its own
; copy of the same scan.  Two defects here that the inline copy does not have:
;   - the first query writes the required size into the LOCAL nReturnLength,
;     but the CMP and the ExAllocatePool that follow read the GLOBAL ReturnLength;
;   - EBX is advanced by 4 after the second query, so the pointer handed to
;     ExFreePool on the match path (and on the loop's _@Exit1 path) is not the
;     one ExAllocatePool returned.
GetKrnlAddress proc
local nReturnLength: dword
push ebx
push edx
push esi
push edi
; First call with a zero-length buffer, only to learn the required size.
lea eax, nReturnLength
push eax                           ; ReturnLength
push 0                             ; SystemInformationLength
lea eax, nReturnLength
push eax                           ; SystemInformation (dummy)
push 11                            ; SystemModuleInformation
call ZwQuerySystemInformation
cmp ReturnLength, 0                ; BUG: global, not the local written above
jz _@Exit
invoke ExAllocatePool, PagedPool, ReturnLength
or eax, eax
jz _@Exit
mov ebx, eax                       ; ebx = pool buffer
; Second call fills the buffer.
push 0
push nReturnLength
push ebx
push 11
call ZwQuerySystemInformation
or eax, eax                        ; nonzero NTSTATUS = failure
jnz _@Exit1
mov ecx, [ebx]                     ; module count is the first dword
add ebx, 4                         ; BUG: ebx no longer points at the allocation freed below
mov esi, ebx
sub esi, sizeof SYSTEM_MODULE_INFORMATION   ; pre-decrement: the loop adds before use
@@:
or ecx,ecx
jz _@Exit1                         ; list exhausted, nothing matched
dec ecx
add esi, sizeof SYSTEM_MODULE_INFORMATION
assume esi: ptr SYSTEM_MODULE_INFORMATION
lea edi, [esi].ImageName
movzx eax, word ptr [esi].ModuleNameOffset
add edi, eax                       ; edi = file-name part of the image path
; Compare the first 8 bytes of the name as two dwords.
mov eax, dword ptr [szModuleName]
scasd
jnz @b
mov eax, dword ptr [szModuleName + 4]
scasd
jnz @b
push dword ptr [esi].Base          ; keep the base across the free
assume esi:nothing
invoke ExFreePool, ebx
pop eax
pop edi
pop esi
pop edx
pop ebx
ret
_@Exit1:
invoke ExFreePool, ebx
_@Exit:
xor eax, eax                       ; 0 = not found / error
pop edi
pop esi
pop edx
pop ebx
ret
GetKrnlAddress endp

; CallFunc: target of the call gate installed by DriverEntry; does nothing.
; NOTE(review): it is entered through CALL FWORD (a far call), which pushes
; CS:EIP, but it returns with a near RET, so the caller's CS word is left on
; the stack.  DriverEntry's frame epilogue presumably hides the imbalance;
; RETF would be the matching return for a far-called routine.
CallFunc proc
push eax
pop eax
nop
nop
ret
CallFunc endp

; GetProcAddress_By_Name: minimal export-table walk.  hModule is the image
; base, lpProcName an ASCIIZ export name; returns the export's address.
; NOTE(review): the name loop has no upper bound (NumberOfNames is never
; read), so a name that is not exported walks off the end of the name table
; instead of returning 0; the "jz _DE_Exit" in DriverEntry therefore never
; fires for a missing export.  The match also only checks that lpProcName
; ended (CMP BYTE PTR [EDI], 0), not that the export name ended too, so a
; longer export sharing the prefix would be accepted.
GetProcAddress_By_Name proc hModule:dword, lpProcName:dword
local ProcNameLength               ; unused
push ebx
push edx
push esi
push edi
mov ebx, hModule
mov esi, [ebx + 3ch]               ; e_lfanew
add esi, ebx                       ; esi = IMAGE_NT_HEADERS
mov edi, [esi + 78h]               ; DataDirectory[0].VirtualAddress (export directory RVA)
add edi, ebx                       ; edi = IMAGE_EXPORT_DIRECTORY
push edi                           ; saved: edi is reused for the string compare
mov edx, dword ptr [edi + 20h]     ; AddressOfNames RVA
add edx, ebx
xor eax, eax
dec eax                            ; eax = -1, pre-increment name index
_FindApiName1:
inc eax
mov esi, [edx + 4*eax]             ; RVA of the eax-th export name
add esi, ebx
mov edi, lpProcName
cld
_FindApiName2:
cmpsb                              ; one byte of export name vs. wanted name
jnz _FindApiName1                  ; mismatch: try the next name
cmp byte ptr [edi], 0              ; wanted name exhausted => treated as a match
jz _Ordinal
jmp _FindApiName2
_Ordinal:
pop edi                            ; edi = export directory again
mov esi, [edi + 24h]               ; AddressOfNameOrdinals RVA
add esi, ebx
movzx eax, word ptr [esi + 2*eax]  ; ordinal for the matched name index
_AddressOfFunction:
mov esi, [edi + 1ch]               ; AddressOfFunctions RVA
add esi, ebx
mov eax, [esi + 4*eax]             ; function RVA
add eax, ebx                       ; -> VA
pop edi
pop esi
pop edx
pop ebx
ret
GetProcAddress_By_Name endp

; DriverEntry: locates the kernel image base, resolves the three KeI386*Gdt*
; exports, allocates one GDT selector, installs a call-gate descriptor that
; targets CallFunc, and calls through it once.  It always returns
; STATUS_DEVICE_CONFIGURATION_ERROR, i.e. the load is reported as failed.
; NOTE(review): EBX, ESI and EDI are clobbered without being saved; they are
; callee-saved under stdcall, so the kernel caller may misbehave after return.
; NOTE(review): on the success path the selector is never released, so the
; GDT keeps a gate that points at CallFunc after this image is gone.
DriverEntry proc pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING
local ntoskrnlBase: dword
local lpDescriptor: dword          ; receives the allocated selector (presumably only the low word is written)
;*******Interrupt used for DEBUGGING********
; NOTE(review): INT 3 with no kernel debugger attached is itself a bugcheck
; (unhandled kernel-mode breakpoint) - a likely cause of the blue screen asked about.
int 3
;Get ntoskrnlBase
; Same scan as GetKrnlAddress, but using the global ReturnLength throughout
; and keeping ebx on the allocation so ExFreePool gets the right pointer.
lea eax, ReturnLength
push eax                           ; ReturnLength
push 0                             ; SystemInformationLength
lea eax, ReturnLength
push eax                           ; SystemInformation (dummy)
push 11                            ; SystemModuleInformation
call ZwQuerySystemInformation
cmp ReturnLength, 0
jz _Exit
invoke ExAllocatePool, PagedPool, ReturnLength
or eax, eax
jz _Exit
mov ebx, eax                       ; ebx = pool buffer (freed below)
push 0
push ReturnLength
push ebx
push 11
call ZwQuerySystemInformation
or eax, eax                        ; nonzero NTSTATUS = failure
jnz _Exit1
mov ecx, [ebx]                     ; module count
mov esi, ebx
add esi, 4                         ; esi = first SYSTEM_MODULE_INFORMATION entry
sub esi, sizeof SYSTEM_MODULE_INFORMATION   ; pre-decrement: the loop adds before use
@@:
or ecx,ecx
jz _Exit1                          ; list exhausted, nothing matched
dec ecx
add esi, sizeof SYSTEM_MODULE_INFORMATION
assume esi: ptr SYSTEM_MODULE_INFORMATION
lea edi, [esi].ImageName
movzx eax, word ptr [esi].ModuleNameOffset
add edi, eax                       ; edi = file-name part of the image path
; Compare the first 8 bytes of the name as two dwords.
mov eax, dword ptr [szModuleName]
scasd
jnz @b
mov eax, dword ptr [szModuleName + 4]
scasd
jnz @b
push dword ptr [esi].Base          ; keep the base across the free
assume esi:nothing
invoke ExFreePool, ebx
pop eax
jmp @f
_Exit1:
invoke ExFreePool, ebx
_Exit:
xor eax, eax                       ; 0 = kernel base not found
@@:
or eax, eax
jz _DE_Exit
mov ntoskrnlBase, eax
;Get KeI386GdtXXXSelectors Base
; esi walks the three ASCIIZ names in .const, edi the three lp* dwords in
; .data?.  The loop ends when the byte after a terminator is 0, so it relies
; on the byte following szReleaseSel being zero.
mov esi, offset szAllocSel
mov edi, offset lpKeI386AllocateGdtSelectors
_GetApiBase:
push esi                           ; lpProcName
push dword ptr [ntoskrnlBase]      ; hModule
call GetProcAddress_By_Name
or eax, eax
jz _DE_Exit                        ; see GetProcAddress_By_Name: it has no not-found path
stosd                              ; store the address, edi -> next lp* slot
@@:
lodsb                              ; skip to the end of the current name
or al, al
jnz @b
cmp byte ptr [esi], 0              ; another name follows?
jnz _GetApiBase
mov lpDescriptor, 0
push 1                             ; NumberOfSelectors
lea edx, lpDescriptor
push edx                           ; SelectorArray
call dword ptr [lpKeI386AllocateGdtSelectors]
; NOTE(review): the returned NTSTATUS is not checked; if the allocation
; failed, lpDescriptor is still 0 and selector 0 is handed to SetGdtSelector.
;Init Callgt
; Build the 8-byte descriptor image: offset = CallFunc, selector = current CS,
; 0 parameters, access byte 8Ch (present, DPL 0, 32-bit call gate).
mov eax, offset CallFunc
mov Offset_L, ax
shr eax, 16
mov word ptr [Offset_H], ax
mov Selector, cs
mov Count, 0
mov GateType, 8ch
lea eax, offset Offset_L           ; eax = &descriptor image
push eax                           ; GdtValue
push lpDescriptor                  ; Selector
call dword ptr [lpKeI386SetGdtSelector]
or eax, eax
jz @f                              ; STATUS_SUCCESS: go call through the gate
; SetGdtSelector failed: give the selector back and bail out.
push 1
lea eax, lpDescriptor
push eax
call dword ptr [lpKeI386ReleaseGdtSelectors]
jmp _DE_Exit
@@:
; callgt = offset 0 (ignored for a call gate), selector = the new gate.
mov dword ptr[callgt], 0
mov eax, lpDescriptor
mov word ptr[callgt + 4], ax
call fword ptr [callgt]            ; far call through the gate -> CallFunc
_DE_Exit:
mov eax, STATUS_DEVICE_CONFIGURATION_ERROR   ; always report failure (see header note)
ret
DriverEntry endp
end DriverEntry
发布于:2005-06-16 14:01
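.386
.model small
.code
public _func
; _func: demo routine reached by a far call (it returns with RETF 0Ch, i.e.
; three dword arguments are popped on return).  It first sounds the PC speaker
; through direct port I/O, then copies CR0/CR2/CR3 into the caller-supplied
; DWORD pointers at [ebp+0Ch], [ebp+10h] and [ebp+14h]; a NULL pointer skips
; that register.
; Fix vs. the posted version: ESI and EBX were pushed ESI-then-EBX but popped
; in the same order, so each came back holding the other's value; the pops
; now mirror the pushes.
_func proc
push ebp
mov ebp, esp
;Issues a beep to show that you can do direct port I/O
;Not a good piece of 32-bit code, but still proves the fact
pushad                             ; the beep clobbers ax/bx/cx/dx/ecx
; Program PIT channel 2 (ports 43h/42h) with divisor 0x001234DC/1000, gate the
; speaker through port 61h for 200 x 4680 loop iterations, then put back the
; original port 61h value kept in AH.
mov ax, 1000
mov bx, 200
mov cx, ax
mov al, 0b6h
out 43h, al
mov dx, 0012h
mov ax, 34dch
div cx                             ; dx:ax / cx -> divisor in ax
out 42h, al
mov al, ah
out 42h, al
in al, 61h
mov ah, al                         ; original port 61h state
or al, 03h
out 61h, al
l1:
mov ecx, 4680
l2:
loop l2
dec bx
jnz l1
mov al, ah
out 61h, al
popad
;Save away the registers which we modify
push esi
push ebx
;Get the contents of CR0, CR2, CR3 registers. Check if PDWORDS for holding
;CR0, CR2, CR3 are not NULL
mov esi, [ebp+0Ch]                 ; PDWORD for CR0
test esi, esi
jz next
mov ebx, cr0
mov [esi], ebx
next:
mov esi, [ebp+10h]                 ; PDWORD for CR2
test esi, esi
jz next1
mov ebx, cr2
mov [esi], ebx
next1:
mov esi, [ebp+14h]                 ; PDWORD for CR3
test esi, esi
jz next2
mov ebx, cr3
mov [esi], ebx
next2:
pop ebx                            ; reverse order of the pushes above
pop esi
pop ebp
retf 0Ch
_func endp
END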
发布于:2005-08-06 03:16
请问这里能用 PagedPool 分配内存吗? 好像 ExFreePool 只能释放 NonPagedPool 吧?