1.
# define _CRT_SECURE_NO_WARNINGS
# include<Windows.h>
# include<stdio.h>
void JumpToZero();
void hookfunc();
int ReadMemory(OUT PVOID buffer, IN DWORD dwAddr, IN DWORD dwLength);
DWORD g_KernelValue;
DWORD g_PDTIndex;
DWORD g_PTTIIndex;
DWORD g_PhyPageIndex;
DWORD g_IsRead;
int main()
{
BYTE test[10] = { 0,1,2,3,4,5,6,7,8,9 };
BYTE buffer[256];
PBYTE dwAddr= test;
//PBYTE dwAddr= 0x8003f00c;
DWORD dwLength=10;
DWORD IsTrue = ReadMemory(&buffer, dwAddr, dwLength);
if (IsTrue)
{
for(int i=0;i< dwLength;i++)
printf("buffer[%d]=%x\n", i, buffer[i]);
}
else
{
printf("内存读取失败\n");
}
//printf("%08x\n", *(PDWORD)dwAddr);
getchar();
return 0;
}
void JumpToZero()
{
//
//
//
//必须是ec(3环),如果是8c(0环),应用程序连调用门都进入不了
//调用门描述符0000ec00`xxxx0000 段选择子 xxxx==0048
//0048 0 0000 0000 1001 0 00
printf("在GDT表中构建调用门,请在windbg中执行下面的指令:\neq 8003f090 0000ec00`00480000\n");
unsigned int FuncAddr = (int)hookfunc;
//
//
//
//printf("hookfunc地址:%p\n", (PVOID)FuncAddr);
//代码段描述符xxcf9bxx`xxxxffff func地址
//有现成的代码段0008,也可以自己申请
printf("eq 8003f048 %02xcf9b%02x`%04xffff\n", FuncAddr>>32-8, (FuncAddr >> 16)&0x0000FF,FuncAddr&0X0000FFFF);
getchar();
//
//
//
//注意fword是传入6个字节,所以GateSector长度为6
//0090 0 0000 0001 0010 0 00
//是数字不是字符
char GateSector[6] = { 0x00,0x00,0x00,0x00,0x90,0x00};
_asm {
call fword ptr[GateSector];
}
}
//
//
//
//注意必须是裸函数
void _declspec(naked) hookfunc()
{
//0环代码...
//在代码中任何物理地址的访问都将被视为线性地址的访问
__asm
{
PUSHAD//...
pushfd//...
//do something...
mov eax, 0;
mov g_IsRead, eax
mov eax, 0xc0300000
mov ecx, g_PDTIndex
shl ecx, 2
add eax, ecx
mov ebx, [eax]
test ebx, 0x1
jz end
//修改u/s位为1
OR ebx,0x00000004
//必须修改g位,否则操作系统仍然会从TLB缓存中查找物理地址
AND ebx, 0xFFFFFEFF
mov [eax],ebx
mov eax, 0xc0000000
mov ecx, g_PDTIndex
shl ecx,12
add eax,ecx
mov ecx, g_PTTIIndex
shl ecx,2
add eax,ecx
mov ebx,[eax]
test ebx, 0x1
jz end
OR ebx, 0x00000004
AND ebx, 0xFFFFFEFF
mov [eax], ebx
mov eax, 1
mov g_IsRead, eax
end:
popfd
POPAD//...
RETF //...
}
}
int ReadMemory(OUT PVOID buffer, IN DWORD dwAddr, IN DWORD dwLength)
{
//按10-10-12分页
//PDT中的索引
g_PDTIndex = dwAddr >> 22;
//PTT中的索引
g_PTTIIndex = (dwAddr >> 12) & 0x000003FF;
//物理页索引
g_PhyPageIndex = dwAddr & 0X00000FFF;
JumpToZero();
if (!g_IsRead)
return FALSE;
//该函数读取高2G的内存有问题,会导致程序闪退...不清楚原因
//读高2G地址时需要手动读取
memcpy_s(buffer, dwLength, (PBYTE)dwAddr, dwLength);
return TRUE;
}
2.略
思路是通过修改0x1000所属的PTE为申请的内存的PTE,使得0x1000指向该申请的内存,从而可以遍历该数组