IDT
结构体
// IDTR image: the structure the IDTR contents are stored into.
typedef struct _IDT_INFO
{
    UINT16 uIdtLimit;    // IDT limit
    UINT16 uLowIdtBase;  // IDT base address, low 16 bits
    UINT16 uHighIdtBase; // IDT base address, high 16 bits
} IDT_INFO;
typedef IDT_INFO *PIDT_INFO;
// One descriptor in the IDT table.
// 0x8 bytes (sizeof)
typedef struct _IDTENTRY
{
    // USHORT == UINT16
    USHORT uOffsetLow;        // 0x0, offset, low 16 bits
    USHORT uSelector;         // 0x2, segment selector
    // 0x4: the fields below stand in for a single "USHORT uAccess" word
    UINT8 uReserved;          // reserved
    UINT8 GateType : 4;       // gate (interrupt) type
    UINT8 StorageSegment : 1; // 0 for an interrupt gate
    UINT8 DPL : 2;            // privilege level
    UINT8 Present : 1;        // may be set to 0 when the interrupt is unused
    USHORT uOffsetHigh;       // 0x6, offset, high 16 bits
} IDTENTRY;
typedef IDTENTRY *PIDTENTRY;
获取IDTR
// SIDT stores the IDTR contents (16-bit limit followed by the 32-bit base) into stcIDT.
// MSVC inline-assembly syntax, so this only builds for 32-bit x86.
// NOTE(review): stcIDT is presumably an IDT_INFO like the one declared above - confirm.
__asm sidt stcIDT;
遍历IDT
#include <ntifs.h>
#include <ntddk.h>
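/*
 * Combine two 16-bit halves into one 32-bit value: a is the low word, b the
 * high word. Both operands are parenthesized and widened to unsigned long
 * (the type behind the WDK's ULONG) before the shift, so an expression
 * argument keeps its meaning and a high word with bit 15 set (every
 * kernel-space address) is not shifted into the sign bit of an int.
 */
#define MAKE_LONG(a, b) (((unsigned long)(a)) + (((unsigned long)(b)) << 16))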
// Receives the IDTR contents written by the SIDT instruction in DriverEntry.
typedef struct _IDT_INFO
{
    UINT16 uIdtLimit;    // IDT limit
    UINT16 uLowIdtBase;  // IDT base address, low 16 bits
    UINT16 uHighIdtBase; // IDT base address, high 16 bits
} IDT_INFO;
typedef IDT_INFO *PIDT_INFO;
// One IDT descriptor as walked by DriverEntry.
// 0x8 bytes (sizeof)
typedef struct _IDTENTRY
{
    // USHORT == UINT16
    USHORT uOffsetLow;        // 0x0, offset, low 16 bits
    USHORT uSelector;         // 0x2, segment selector
    // 0x4: the fields below stand in for a single "USHORT uAccess" word
    UINT8 uReserved;          // reserved
    UINT8 GateType : 4;       // gate (interrupt) type
    UINT8 StorageSegment : 1; // 0 for an interrupt gate
    UINT8 DPL : 2;            // privilege level
    UINT8 Present : 1;        // may be set to 0 when the interrupt is unused
    USHORT uOffsetHigh;       // 0x6, offset, high 16 bits
} IDTENTRY;
typedef IDTENTRY *PIDTENTRY;
/* Unload routine registered by DriverEntry; this sample has nothing to release. */
void OnUnload(DRIVER_OBJECT* pDriver)
{
    (void)pDriver; /* parameter intentionally unused */
}
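/*
 * Driver entry point: registers the unload routine and dumps the IDT to the
 * kernel debugger through KdPrint.
 *
 * pDriver  - driver object; only its DriverUnload member is set.
 * pRegPath - registry path, unused.
 * Returns STATUS_SUCCESS.
 *
 * 32-bit x86 only: relies on MSVC inline assembly and the 8-byte gate layout
 * declared in IDTENTRY.
 */
NTSTATUS DriverEntry(DRIVER_OBJECT* pDriver, UNICODE_STRING* pRegPath)
{
    NTSTATUS status = STATUS_SUCCESS;
    IDT_INFO stcIDT = { 0 };
    PIDTENTRY pIdtEntry = NULL;
    ULONG uEntryCount = 0;
    ULONG uAddr = 0;

    (void)pRegPath; /* unused */
    pDriver->DriverUnload = OnUnload;
    //KdBreakPoint();

    /*
     * Read the IDTR. The register is per processor, so this is the table of
     * whichever CPU happens to run DriverEntry; other CPUs are not covered.
     */
    __asm sidt stcIDT;

    /* Operands are widened first so a high word with bit 15 set stays unsigned. */
    pIdtEntry = (PIDTENTRY)(ULONG_PTR)MAKE_LONG((ULONG)stcIDT.uLowIdtBase,
                                                (ULONG)stcIDT.uHighIdtBase);

    /*
     * The limit is the offset of the last valid byte, so the table holds
     * (limit + 1) / sizeof(IDTENTRY) gates. Never walk past that, and never
     * past the 256 vectors the architecture defines.
     */
    uEntryCount = ((ULONG)stcIDT.uIdtLimit + 1) / (ULONG)sizeof(IDTENTRY);
    if (uEntryCount > 0x100)
    {
        uEntryCount = 0x100;
    }

    KdPrint(("-------------IDT---------------\n"));
    KdPrint(("IDT Addr: 0x%p\n", pIdtEntry));
    for (ULONG i = 0; i < uEntryCount; ++i)
    {
        /* Gates with Present == 0 are still listed; their offset is not meaningful. */
        KdPrint(("Interrupted number: %u\n", i));
        uAddr = MAKE_LONG((ULONG)pIdtEntry[i].uOffsetLow, (ULONG)pIdtEntry[i].uOffsetHigh);
        /* %p expects a pointer argument, so convert the 32-bit offset explicitly. */
        KdPrint(("Interrupted Addr: 0x%p\n", (PVOID)(ULONG_PTR)uAddr));
        KdPrint(("selector: %d\n", pIdtEntry[i].uSelector));
        KdPrint(("GataType: %d\n", pIdtEntry[i].GateType));
        KdPrint(("DPL: %d\n\n", pIdtEntry[i].DPL));
    }
    return status;
}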
GDT
#include <ntddk.h>
/*
 * Pack two 16-bit words into a LONG: a supplies bits 0..15 and b bits 16..31.
 * Anything above the low 16 bits of either operand is masked off.
 */
#define MAKE_LONG(a, b) \
    ((LONG)((UINT32)(((DWORD_PTR)(a)) & 0xffff) | ((UINT32)(((DWORD_PTR)(b)) & 0xffff) << 16)))
// Receives the GDTR contents written by the SGDT instruction in DriverEntry.
typedef struct _GDT_INFO
{
    UINT16 uGdtLimit;    // GDT limit
    UINT16 uLowGdtBase;  // GDT base address, low 16 bits
    UINT16 uHighGdtBase; // GDT base address, high 16 bits
} GDT_INFO;
typedef GDT_INFO *PGDT_INFO;
// One GDT descriptor as walked by DriverEntry.
// 0x8 bytes (sizeof)
typedef struct _GDTENTRY
{
    USHORT LimitLow; // 0x0, segment limit, low 16 bits
    USHORT BaseLow;  // 0x2, base address, low 16 bits
    union
    {
        // Byte-wise view of the upper four bytes.
        struct
        {
            UCHAR BaseMid; // 0x4
            UCHAR Flags1;  // 0x5
            UCHAR Flags2;  // 0x6
            UCHAR BaseHi;  // 0x7
        } Bytes;           // 0x4
        // Bit-field view of the same four bytes.
        struct
        {
            ULONG BaseMid : 8;     // base address, bits 16..23
            ULONG Type : 4;        // segment or gate type
            ULONG S : 1;           // 0 = system segment, 1 = code/data segment
            ULONG Dpl : 2;         // privilege level
            ULONG Pres : 1;        // present
            ULONG LimitHi : 4;     // segment limit, bits 16..19
            ULONG Avl : 1;
            ULONG Reserved_0 : 1;
            ULONG D_B : 1;
            ULONG Granularity : 1; // set: limit counted in pages; clear: in bytes
            ULONG BaseHi : 8;      // base address, bits 24..31
        } Bits;
    } HighWord;
} GDTENTRY;
typedef GDTENTRY *PGDTENTRY;
/* Unload routine registered by DriverEntry; this sample has nothing to release. */
void OnUnload(DRIVER_OBJECT* pDriver)
{
    (void)pDriver; /* parameter intentionally unused */
}
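/*
 * Driver entry point: registers the unload routine and dumps every present
 * GDT descriptor to the kernel debugger through KdPrint.
 *
 * pDriver  - driver object; only its DriverUnload member is set.
 * pRegPath - registry path, unused.
 * Returns STATUS_SUCCESS.
 *
 * 32-bit x86 only: relies on MSVC inline assembly and the 8-byte descriptor
 * layout declared in GDTENTRY.
 */
NTSTATUS DriverEntry(DRIVER_OBJECT* pDriver, UNICODE_STRING* pRegPath)
{
    NTSTATUS status = STATUS_SUCCESS;
    GDT_INFO stcGDT = { 0 };
    PGDTENTRY pGdtEntry = NULL;
    unsigned int nGdtEntry = 0;
    ULONG uData = 0;

    (void)pRegPath; /* unused */
    pDriver->DriverUnload = OnUnload;
    //KdBreakPoint();

    /*
     * Read the GDTR. The register is per processor, so this is the table of
     * whichever CPU happens to run DriverEntry; other CPUs are not covered.
     */
    __asm sgdt stcGDT;

    /* GDT descriptor array */
    pGdtEntry = (PGDTENTRY)(ULONG_PTR)(ULONG)MAKE_LONG(stcGDT.uLowGdtBase, stcGDT.uHighGdtBase);
    KdPrint(("-------------GDT---------------\n"));
    KdPrint(("GDT Addr: 0x%p\n", pGdtEntry));

    /*
     * The limit is the offset of the last valid byte, so the table holds
     * (limit + 1) / sizeof(GDTENTRY) descriptors; dividing the raw limit
     * drops the final one.
     */
    nGdtEntry = ((unsigned int)stcGDT.uGdtLimit + 1) / (unsigned int)sizeof(GDTENTRY);

    for (ULONG i = 0; i < nGdtEntry; ++i)
    {
        const GDTENTRY *pEntry = &pGdtEntry[i];

        /* Skip descriptors that are not present (includes the null descriptor). */
        if (!pEntry->HighWord.Bits.Pres)
        {
            continue;
        }

        /* Base address = BaseLow | BaseMid << 16 | BaseHi << 24. */
        uData = (ULONG)pEntry->BaseLow
            + ((ULONG)(pEntry->HighWord.Bits.BaseMid) << 16)
            + ((ULONG)(pEntry->HighWord.Bits.BaseHi) << 24);
        /* %p expects a pointer argument, so convert the 32-bit base explicitly. */
        KdPrint(("BaseAddr: 0x%p\n", (PVOID)(ULONG_PTR)uData));

        /* 20-bit limit = LimitLow | LimitHi << 16; the unit depends on Granularity. */
        uData = pEntry->LimitLow
            + ((ULONG)(pEntry->HighWord.Bits.LimitHi) << 16);
        KdPrint(("Segment Limit: 0x%08X ", uData));
        /*
         * One KdPrint with a selected string: KdPrint expands to nothing in
         * free builds, which would leave "cond ? : ;" and break compilation
         * if the macro itself were used as the operands of ?:.
         */
        KdPrint(("%s\n", pEntry->HighWord.Bits.Granularity ? "pages" : "bytes"));

        KdPrint(("DPL: %d\n", pEntry->HighWord.Bits.Dpl));

        if (pEntry->HighWord.Bits.S == 0)
        {
            KdPrint(("Type: System segment\t"));
            switch (pEntry->HighWord.Bits.Type)
            {
            case 2:
                KdPrint(("LDT "));
                break;
            case 5:
                KdPrint(("Task Gate "));
                break;
            case 9:
                KdPrint(("TSS (available) "));
                break;
            case 11:
                KdPrint(("TSS (busy) "));
                break;
            case 12:
                KdPrint(("Call Gate "));
                break;
            case 14:
                KdPrint(("Interruptting Gate "));
                break;
            case 15:
                KdPrint(("Trap Gate "));
                break;
            default:
                KdPrint(("Unknown "));
                break;
            }
            KdPrint(("\n"));
        }
        else if (pEntry->HighWord.Bits.Type & 0x8)
        {
            /* Code segment: bit 2 = conforming, bit 1 = readable, bit 0 = accessed. */
            KdPrint(("Type: Code Segment\n"));
            KdPrint(("Attr: %s%s%s\n",
                pEntry->HighWord.Bits.Type & 0x4 ? "C" : "-",
                pEntry->HighWord.Bits.Type & 0x2 ? "R" : "-",
                pEntry->HighWord.Bits.Type & 0x1 ? "A" : "-"));
        }
        else
        {
            /* Data segment: bit 2 = expand-down, bit 1 = writable, bit 0 = accessed. */
            KdPrint(("Type: Data Segment\n"));
            KdPrint(("Attr: %s%s%s\n",
                pEntry->HighWord.Bits.Type & 0x4 ? "E" : "-",
                pEntry->HighWord.Bits.Type & 0x2 ? "W" : "-",
                pEntry->HighWord.Bits.Type & 0x1 ? "A" : "-"));
        }
        KdPrint(("\n"));
    }
    return status;
}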