-
-
[求助]关于hopy一篇代码
-
发表于: 2008-2-27 10:53
-
下面这段程序是从侯佩大师的论坛上找到的,就是
invoke ZwSetSystemInformation,SystemLoadAndCallImage,
addr stSysCallImage,
sizeof SYSTEM_LOAD_AND_CALL_IMAGE
这个函数用来干什么的,SystemLoadAndCallImage=38是什么什么意思
?是不是用来得到门描述符表的地址?怎么句许完善这段程序来加载自己的ring0代码?
.386
.model flat, stdcall
option casemap:none
include d:\masm32\include\windows.inc
include d:\masm32\include\user32.inc
include d:\masm32\include\kernel32.inc
include d:\masm32\include\advapi32.inc
includelib d:\masm32\lib\user32.lib
includelib d:\masm32\lib\kernel32.lib
includelib d:\masm32\lib\advapi32.lib
include d:\masm32\macros\Strings.mac
UNICODE_STRING1 STRUCT
_Length WORD ?
MaximumLength WORD ?
Buffer DWORD ?
UNICODE_STRING1 ENDS
SystemLoadAndCallImage equ 38
_ZwSetSystemInformation typedef proto :dword,:dword,:dword
lpZwSetSystemInformation typedef ptr _ZwSetSystemInformation
_RtlInitUnicodeString typedef proto :dword,:dword
lpRtlInitUnicodeString typedef ptr _RtlInitUnicodeString
SYSTEM_LOAD_AND_CALL_IMAGE struct
ModuleName UNICODE_STRING <?>
SYSTEM_LOAD_AND_CALL_IMAGE ends
.const
txt db 'Just Do It!',0
cp db 'hopy|侯佩',0
; drvnameW,"??c: mpDrv.sys"
drvnameW dw "?","?","c",":","m","p","D","r","v",".","s","y","s",0
drvname db '??c:tmpDrv.sys',0
dllname db 'ntdll.dll',0
szZwSetSystemInformation db 'ZwSetSystemInformation',0
szRtlInitUnicodeString db 'RtlInitUnicodeString',0
.data?
hInstance dd ?
hdll dd ?
stSysCallImage SYSTEM_LOAD_AND_CALL_IMAGE <>
ZwSetSystemInformation lpZwSetSystemInformation ?
RtlInitUnicodeString lpRtlInitUnicodeString ?
.code
start:
invoke GetModuleHandle, 0
mov hInstance,eax
invoke LoadLibrary,addr dllname
mov hdll,eax
invoke GetProcAddress,hdll,addr szZwSetSystemInformation
mov ZwSetSystemInformation,eax
.if eax
invoke MessageBox,NULL,addr szZwSetSystemInformation,addr szZwSetSystemInformation,MB_OK
.endif
invoke GetProcAddress,hdll,addr szRtlInitUnicodeString
mov RtlInitUnicodeString,eax
.if eax
invoke MessageBox,NULL,addr szRtlInitUnicodeString,addr szRtlInitUnicodeString,MB_OK
.endif
invoke RtlInitUnicodeString,addr stSysCallImage.ModuleName,
addr drvnameW
invoke ZwSetSystemInformation,SystemLoadAndCallImage,
addr stSysCallImage,
sizeof SYSTEM_LOAD_AND_CALL_IMAGE
.if eax
invoke MessageBox,NULL,addr txt,addr cp,MB_OK
.endif
invoke ExitProcess,NULL
end start
invoke ZwSetSystemInformation,SystemLoadAndCallImage,
addr stSysCallImage,
sizeof SYSTEM_LOAD_AND_CALL_IMAGE
这个函数用来干什么的,SystemLoadAndCallImage=38是什么什么意思
?是不是用来得到门描述符表的地址?怎么句许完善这段程序来加载自己的ring0代码?.386
.model flat, stdcall
option casemap:none
include d:\masm32\include\windows.inc
include d:\masm32\include\user32.inc
include d:\masm32\include\kernel32.inc
include d:\masm32\include\advapi32.inc
includelib d:\masm32\lib\user32.lib
includelib d:\masm32\lib\kernel32.lib
includelib d:\masm32\lib\advapi32.lib
include d:\masm32\macros\Strings.mac
UNICODE_STRING1 STRUCT
_Length WORD ?
MaximumLength WORD ?
Buffer DWORD ?
UNICODE_STRING1 ENDS
SystemLoadAndCallImage equ 38
_ZwSetSystemInformation typedef proto :dword,:dword,:dword
lpZwSetSystemInformation typedef ptr _ZwSetSystemInformation
_RtlInitUnicodeString typedef proto :dword,:dword
lpRtlInitUnicodeString typedef ptr _RtlInitUnicodeString
SYSTEM_LOAD_AND_CALL_IMAGE struct
ModuleName UNICODE_STRING <?>
SYSTEM_LOAD_AND_CALL_IMAGE ends
.const
txt db 'Just Do It!',0
cp db 'hopy|侯佩',0
; drvnameW,"??c: mpDrv.sys"
drvnameW dw "?","?","c",":","m","p","D","r","v",".","s","y","s",0
drvname db '??c:tmpDrv.sys',0
dllname db 'ntdll.dll',0
szZwSetSystemInformation db 'ZwSetSystemInformation',0
szRtlInitUnicodeString db 'RtlInitUnicodeString',0
.data?
hInstance dd ?
hdll dd ?
stSysCallImage SYSTEM_LOAD_AND_CALL_IMAGE <>
ZwSetSystemInformation lpZwSetSystemInformation ?
RtlInitUnicodeString lpRtlInitUnicodeString ?
.code
start:
invoke GetModuleHandle, 0
mov hInstance,eax
invoke LoadLibrary,addr dllname
mov hdll,eax
invoke GetProcAddress,hdll,addr szZwSetSystemInformation
mov ZwSetSystemInformation,eax
.if eax
invoke MessageBox,NULL,addr szZwSetSystemInformation,addr szZwSetSystemInformation,MB_OK
.endif
invoke GetProcAddress,hdll,addr szRtlInitUnicodeString
mov RtlInitUnicodeString,eax
.if eax
invoke MessageBox,NULL,addr szRtlInitUnicodeString,addr szRtlInitUnicodeString,MB_OK
.endif
invoke RtlInitUnicodeString,addr stSysCallImage.ModuleName,
addr drvnameW
invoke ZwSetSystemInformation,SystemLoadAndCallImage,
addr stSysCallImage,
sizeof SYSTEM_LOAD_AND_CALL_IMAGE
.if eax
invoke MessageBox,NULL,addr txt,addr cp,MB_OK
.endif
invoke ExitProcess,NULL
end start
|
|
|---|---|
|
|
|
|
|
|
|
|
|
