在XP系统中,利用ZwSystemDebugControl函数在不需要驱动的情况下可以访问一些内核对象,如,I/O、物理内存、一些寄存器。但需要具有SeDebugPrivilege权限。XP中的User组是没有这个权限的,也没有权自己提升到这个级别。
.386
.model flat, stdcall
option casemap :none
include windows.inc
include user32.inc
include kernel32.inc
include advapi32.inc
includelib user32.lib
includelib kernel32.lib
includelib advapi32.lib
PrintMsr PROTO :DWORD
ReadMsr PROTO :DWORD,:DWORD
WriteMsr PROTO :DWORD,:DWORD,:DWORD
AdjustPrivilege PROTO :DWORD,:DWORD
; Buffer handed to ZwSystemDebugControl by ReadMsr/WriteMsr (16 bytes).
; MsrNum is the MSR index; the 64-bit value lives in MsrLo/MsrHi at
; offset 8. NotUsed is never written by this file - presumably padding
; that keeps the value on an 8-byte boundary; confirm against the
; SYSDBG_MSR layout of the target kernel before changing it.
MSR_STRUCT struct
MsrNum dd ?                             ; MSR index (copied from MsrAddr)
NotUsed dd ?                            ; padding; left zero by RtlZeroMemory
MsrLo dd ?                              ; low dword of the MSR value
MsrHi dd ?                              ; high dword of the MSR value
MSR_STRUCT ends
; DebugSysReadPhysicalMemory = 10,
; DebugSysReadIoSpace = 14,
; DebugSysWriteIoSpace = 15,
; DebugSysReadMsr = 16,
; DebugSysWriteMsr = 17
.const
szNtDllName db "ntdll.dll", 0                          ; module exporting ZwSystemDebugControl
szSeDebugPrivilege db "SeDebugPrivilege", 0            ; privilege enabled by AdjustPrivilege
szZwSystemDebugControl db "ZwSystemDebugControl", 0    ; export resolved with GetProcAddress
szPrintFormat db "MSR 0x%04X: 0x%016I64X", 13, 10, 0   ; wsprintf format used by PrintMsr, CRLF-terminated
.data?
pFunSysDbgCtrl dd ?                     ; address of ZwSystemDebugControl, set once in MyAppStart
hStdOut dd ?                            ; STD_OUTPUT_HANDLE, set once in MyAppStart
dwSize dd ?                             ; not referenced: PrintMsr keeps its byte count in a LOCAL
MsrBuffer dq ?                          ; not referenced: PrintMsr keeps its MSR value in a LOCAL
.data
szPrintBuffer db 128 dup(0)             ; scratch line shared by wsprintf/lstrlen/WriteFile
MsrCount dd 148                         ; entry count of MsrTabs; must stay in sync with the table below
; MSR indices dumped by MyAppStart, one WORD each, walked sequentially.
MsrTabs dw 0000h, 0001h, 0010h, 0017h, 001Bh, 0021h, 002Ah, 002Bh
dw 002Ch, 0079h, 008Bh, 00CEh, 00EEh, 00FEh, 0174h, 0175h
dw 0176h, 0179h, 017Ah, 017Bh, 0180h, 0181h, 0182h, 0183h
dw 0184h, 0185h, 0186h, 0187h, 0188h, 0189h, 018Ah, 0198h
dw 0199h, 019Ah, 019Bh, 019Ch, 01A0h, 01ADh, 01D7h, 01D8h
dw 01D9h, 01DAh, 01DBh, 01DCh, 01DDh, 01DEh, 0277h, 02FFh
dw 0300h, 0301h, 0302h, 0303h, 0304h, 0305h, 0306h, 0307h
dw 0308h, 0309h, 030Ah, 030Bh, 030Ch, 030Dh, 030Eh, 030Fh
dw 0310h, 0311h, 0360h, 0361h, 0362h, 0363h, 0364h, 0365h
dw 0366h, 0367h, 0368h, 0369h, 036Ah, 036Bh, 036Ch, 036Dh
dw 036Eh, 036Fh, 0370h, 0371h, 03A0h, 03A1h, 03A2h, 03A3h
dw 03A4h, 03A5h, 03A6h, 03A7h, 03A8h, 03A9h, 03AAh, 03ABh
dw 03ACh, 03ADh, 03AEh, 03AFh, 03B0h, 03B1h, 03B2h, 03B3h
dw 03B4h, 03B5h, 03B6h, 03B7h, 03B8h, 03B9h, 03BAh, 03BBh
dw 03BCh, 03BDh, 03BEh, 03C0h, 03C1h, 03C2h, 03C3h, 03C4h
dw 03C5h, 03C8h, 03C9h, 03CAh, 03CBh, 03CCh, 03CDh, 03E0h
dw 03E1h, 03F0h, 03F2h, 0400h, 0401h, 0402h, 0403h, 0404h
dw 0405h, 0406h, 0407h, 0408h, 0409h, 040Ah, 040Bh, 040Ch
dw 040Dh, 040Eh, 040Fh, 0600h
.code
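MyAppStart:
        ; Entry point. Grab stdout, enable SeDebugPrivilege, resolve
        ; ZwSystemDebugControl from ntdll, then print every MSR in MsrTabs.
        ; Any failure before the loop exits silently with code 0.
        ; Fix: the WORD index is zero-extended (movzx) instead of
        ; sign-extended (lodsw/cwde), so a table entry >= 8000h is no
        ; longer passed to PrintMsr as a negative 32-bit value.
        INVOKE  GetStdHandle, STD_OUTPUT_HANDLE
        mov     hStdOut, eax
        INVOKE  AdjustPrivilege, addr szSeDebugPrivilege, 1
        test    eax, eax
        jz      Exit                            ; privilege not granted (e.g. non-admin token)
        INVOKE  GetModuleHandle, addr szNtDllName
        test    eax, eax
        jz      Exit
        INVOKE  GetProcAddress, eax, addr szZwSystemDebugControl
        test    eax, eax
        jz      Exit
        mov     pFunSysDbgCtrl, eax
        ; esi/edi are callee-saved in the Win32 ABI and nothing else in this
        ; file touches them, so they survive the PrintMsr call below.
        lea     esi, MsrTabs                    ; esi -> next WORD MSR index
        mov     edi, MsrCount                   ; edi = entries left (MsrCount must be > 0)
@@:
        movzx   eax, word ptr [esi]             ; eax = MSR index, zero-extended
        add     esi, 2
        INVOKE  PrintMsr, eax
        dec     edi
        jnz     @B
Exit:
        INVOKE  ExitProcess, 0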
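;-----------------------------------------------------------------------
; BOOL AdjustPrivilege(LPCSTR szPrivilege, BOOL bEnable)
; Enables (bEnable != 0) or removes (bEnable == 0) one named privilege
; in the current process token.
; ABI:   stdcall (Win32); ebx is preserved via USES
; In:    szPrivilege -> privilege name (e.g. szSeDebugPrivilege)
;        bEnable     = 1 to enable, 0 to remove
; Out:   eax = 1 on success, 0 on failure
; Clobb: ecx, edx, flags
; Fix:   AdjustTokenPrivileges returns TRUE even when the token does not
;        hold the privilege (last error is then ERROR_NOT_ALL_ASSIGNED);
;        the result is now confirmed with GetLastError so a caller that
;        lacks SeDebugPrivilege gets 0 instead of a false success.
;-----------------------------------------------------------------------
AdjustPrivilege proc uses ebx szPrivilege:DWORD, bEnable:DWORD
        LOCAL @retval :DWORD
        LOCAL @ht     :DWORD
        LOCAL @tp     :TOKEN_PRIVILEGES

        mov     @ht, NULL
        mov     @retval, 0
        INVOKE  RtlZeroMemory, addr @tp, sizeof TOKEN_PRIVILEGES

        INVOKE  GetCurrentProcess
        mov     ebx, eax                        ; ebx = process pseudo-handle; INVOKE below uses eax for addr @ht
        INVOKE  OpenProcessToken, ebx, TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, addr @ht
        test    eax, eax
        jz      Exit_Failed

        INVOKE  LookupPrivilegeValue, NULL, szPrivilege, addr @tp.Privileges.Luid
        test    eax, eax
        jz      Exit_Failed

        mov     @tp.PrivilegeCount, 1
        mov     @tp.Privileges.Attributes, SE_PRIVILEGE_ENABLED
        cmp     bEnable, 0
        jne     @F
        ; NOTE(review): SE_PRIVILEGE_REMOVED strips the privilege from the
        ; token for good; merely disabling it would be Attributes = 0.
        mov     @tp.Privileges.Attributes, SE_PRIVILEGE_REMOVED
@@:
        INVOKE  AdjustTokenPrivileges, @ht, 0, addr @tp, 0, 0, 0
        test    eax, eax
        jz      Exit_Failed
        ; A TRUE return only means the call was processed; the privilege
        ; was actually adjusted only if the last error is ERROR_SUCCESS.
        INVOKE  GetLastError
        cmp     eax, ERROR_SUCCESS
        jne     Exit_Failed

        mov     @retval, 1                      ; success
Exit_Failed:
        ; common exit: release the token handle if one was opened
        cmp     @ht, NULL
        je      @F
        INVOKE  CloseHandle, @ht
        mov     @ht, NULL
@@:
        mov     eax, @retval
        ret
AdjustPrivilege endp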
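;-----------------------------------------------------------------------
; void PrintMsr(DWORD MsrAddr)
; Reads one MSR through ReadMsr and writes one formatted line
; ("MSR 0x%04X: 0x%016I64X" + CRLF) to hStdOut.
; ABI:   stdcall (Win32)
; In:    MsrAddr = MSR index; hStdOut and pFunSysDbgCtrl must be set
; Out:   eax = WriteFile result (not meaningful to callers)
; Clobb: ecx, edx, flags; szPrintBuffer (global scratch)
; Fix:   WriteFile stores a DWORD through lpNumberOfBytesWritten; the
;        original WORD local let it overwrite two bytes past the variable.
;-----------------------------------------------------------------------
PrintMsr proc MsrAddr:DWORD
        LOCAL @MsrBuffer :QWORD
        LOCAL @dwWritten :DWORD

        ; ReadMsr's NTSTATUS (eax) is not checked; on failure the buffer
        ; holds the zeroed MSR_STRUCT contents and zeros are printed.
        INVOKE  ReadMsr, MsrAddr, addr @MsrBuffer
        ; NOTE(review): relies on wsprintf honouring the I64 size prefix;
        ; confirm on the target OS, otherwise the high dword prints wrongly.
        INVOKE  wsprintf, addr szPrintBuffer, addr szPrintFormat, MsrAddr, @MsrBuffer
        INVOKE  lstrlen, addr szPrintBuffer
        mov     edx, eax                        ; edx = bytes to write (edx survives INVOKE's lea eax)
        INVOKE  WriteFile, hStdOut, addr szPrintBuffer, edx, addr @dwWritten, NULL
        ret
PrintMsr endp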
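SYSDBG_READ_MSR equ 16                          ; DebugSysReadMsr command code

;-----------------------------------------------------------------------
; NTSTATUS ReadMsr(DWORD MsrAddr, ULONGLONG *DataPtr)
; Reads MSR MsrAddr via ZwSystemDebugControl(DebugSysReadMsr) and stores
; the 64-bit value at DataPtr, low dword first.
; ABI:   stdcall (Win32); pFunSysDbgCtrl must already be resolved and
;        SeDebugPrivilege enabled, otherwise the call fails
; In:    MsrAddr = MSR index; DataPtr -> 8-byte destination (non-null)
; Out:   eax = NTSTATUS from ZwSystemDebugControl (0 = success); on
;        failure *DataPtr receives the zeroed buffer (all zeros)
; Clobb: ecx, edx, flags
; Fix:   ebx (callee-saved in the Win32 ABI) is no longer clobbered;
;        the argument pushes use immediates instead of mov/push pairs.
;-----------------------------------------------------------------------
ReadMsr proc MsrAddr:DWORD, DataPtr:DWORD
        LOCAL @Msr :MSR_STRUCT

        INVOKE  RtlZeroMemory, addr @Msr, sizeof MSR_STRUCT
        mov     eax, MsrAddr
        mov     @Msr.MsrNum, eax
        ; ZwSystemDebugControl(Command, InBuf, InLen, OutBuf, OutLen, RetLen),
        ; pushed right to left. No output buffer is given: the value is
        ; read back from @Msr, i.e. the call is expected to fill InBuf.
        push    NULL                            ; ReturnLength
        push    0                               ; OutputBufferLength
        push    NULL                            ; OutputBuffer
        push    sizeof MSR_STRUCT               ; InputBufferLength
        lea     eax, @Msr
        push    eax                             ; InputBuffer
        push    SYSDBG_READ_MSR                 ; Command
        call    pFunSysDbgCtrl                  ; eax = NTSTATUS; stdcall callee pops the args
        mov     edx, DataPtr
        mov     ecx, @Msr.MsrLo
        mov     [edx], ecx                      ; *DataPtr low dword
        mov     ecx, @Msr.MsrHi
        mov     [edx + 4], ecx                  ; *DataPtr high dword
        ret
ReadMsr endp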
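SYSDBG_WRITE_MSR equ 17                         ; DebugSysWriteMsr command code

;-----------------------------------------------------------------------
; NTSTATUS WriteMsr(DWORD MsrAddr, DWORD DataLow, DWORD DataHigh)
; Writes DataHigh:DataLow to MSR MsrAddr via
; ZwSystemDebugControl(DebugSysWriteMsr). Not called by this file.
; An MSR write takes effect machine-wide; a wrong index or value can
; hang or crash the system, so callers must validate both.
; ABI:   stdcall (Win32); pFunSysDbgCtrl must already be resolved and
;        SeDebugPrivilege enabled, otherwise the call fails
; In:    MsrAddr = MSR index; DataLow/DataHigh = value to write
; Out:   eax = NTSTATUS from ZwSystemDebugControl (0 = success)
; Clobb: ecx, edx, flags
; Fix:   argument pushes use immediates instead of mov/push pairs and
;        the command code is a named constant.
;-----------------------------------------------------------------------
WriteMsr proc MsrAddr:DWORD, DataLow:DWORD, DataHigh:DWORD
        LOCAL @Msr :MSR_STRUCT

        INVOKE  RtlZeroMemory, addr @Msr, sizeof MSR_STRUCT
        mov     eax, MsrAddr
        mov     @Msr.MsrNum, eax
        mov     eax, DataLow
        mov     @Msr.MsrLo, eax
        mov     eax, DataHigh
        mov     @Msr.MsrHi, eax
        ; ZwSystemDebugControl(Command, InBuf, InLen, OutBuf, OutLen, RetLen),
        ; pushed right to left; no output buffer is needed for a write.
        push    NULL                            ; ReturnLength
        push    0                               ; OutputBufferLength
        push    NULL                            ; OutputBuffer
        push    sizeof MSR_STRUCT               ; InputBufferLength
        lea     eax, @Msr
        push    eax                             ; InputBuffer
        push    SYSDBG_WRITE_MSR                ; Command
        call    pFunSysDbgCtrl                  ; eax = NTSTATUS; stdcall callee pops the args
        ret
WriteMsr endp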
end MyAppStart




