;====================================================================
; Ring0驱动服务代码
; 作者:天杀 QQ:797801 Email:Willok@163.com
;--------------------------------------------------------------------
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.586P ; 保护模式
.model flat,stdcall
option casemap:none
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
include w2k/NTDDK.INC
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;=================================================================
; 中断相关数据结构
IDT_REG STRUCT
limit WORD ?
base DWORD ?
IDT_REG ENDS
; 中断描述符
INT_DESCRIPTOR STRUCT
offs0_15 WORD ?
sel WORD ?
paramcnt BYTE ?
attrs BYTE ?
offs16_31 WORD ?
INT_DESCRIPTOR ENDS
;=================================================================
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 代码段
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.code
szBuffer db 16 dup(0)
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
MyIntFunc proc
push edx
call eax
iretd
MyIntFunc endp
;====================================================================
AddMyInt proc uses edi
local @IDT
sidt szBuffer
mov edi,(IDT_REG ptr [szBuffer]).base
add edi,21h*8
; 使用Int21中断,该中断在Win2k下没有使用
; cli
mov eax,offset MyIntFunc
mov [edi],ax
shr eax,16
mov [edi+6],ax ; 设置入口地址
mov [edi+2],cs ; 设置段地址
; 设置Ring3可以访问
mov WORD ptr [edi+4],0EE00h
; sti
ret
AddMyInt endp
;====================================================================
WdmUnload proc DriverObject:DWORD
local @IDT
sidt szBuffer
mov edi,(IDT_REG ptr [szBuffer]).base
add edi,21h*8
xor eax,eax
mov [edi],ax
mov [edi+6],ax ; 设置入口地址
mov [edi+2],ax ; 设置段地址
mov WORD ptr [edi+4],ax
ret
WdmUnload endp
;====================================================================
DriverEntry proc DriverObj:DWORD,RegistryPath:DWORD
mov eax,DriverObj
assume eax:ptr DRIVER_OBJECT
mov [eax].DriverUnload,offset WdmUnload
assume eax:nothing
invoke AddMyInt
xor eax,eax
ret
DriverEntry endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
end DriverEntr
;=======================================================================
.386p
.Model Flat,StdCall
Option CaseMap :None
Include /Masm32/Include/Windows.inc
Include /Masm32/Include/User32.inc
Include /Masm32/Include/Kernel32.inc
Include /Masm32/Include/Advapi32.inc
IncludeLib /Masm32/Lib/User32.lib
IncludeLib /Masm32/Lib/Kernel32.lib
IncludeLib /Masm32/Lib/Advapi32.lib
.Data
szDriverPath2 db "%SystemRoot%/system32/drivers/Ring0.sys",0
szDriverName db "Ring0 Driver",0
.Data?
szDriverPath db 260 dup(?)
hSCM dd ?
hService dd ?
lpParam dd ?
.Code
Ring0Fun Proc _Param:DWORD
mov eax,cr0
ret
Ring0Fun EndP
Start:
invoke ExpandEnvironmentStrings,addr szDriverPath2,addr szDriverPath,260
invoke OpenSCManager,0,0,SC_MANAGER_ALL_ACCESS
.if eax
mov hSCM,eax
invoke CreateService,hSCM,addr szDriverName,addr szDriverName,/
SERVICE_ALL_ACCESS,SERVICE_KERNEL_DRIVER,SERVICE_DEMAND_START,/
SERVICE_ERROR_NORMAL,addr szDriverPath,0,0,0,0,0
.if eax
mov hService,eax
.else
invoke OpenService,hSCM,addr szDriverName,SERVICE_ALL_ACCESS
.if eax
mov hService,eax
.else
invoke CloseServiceHandle,hSCM
invoke MessageBox,0,CTEXT("运行驱动服务时发生错误。"),0,16
invoke ExitProcess,0
.endif
.endif
invoke StartService,hService,0,0
invoke CloseServiceHandle,hService
invoke CloseServiceHandle,hSCM
.endif
lea eax,Ring0Fun
lea edx,lpParam
int 21h
invoke MessageBox,0,CTEXT("运行成功"),0,0
invoke ExitProcess,0
End Start
2041
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
