#include <stdio.h>
#include <windows.h>
/* Page-table values captured by CallGate (ring 0) and printed by main.
 * All four are plain DWORD-sized entries, i.e. 32-bit non-PAE layout. */
LPDWORD dwPDE   = NULL;   /* PDE that currently maps shellcode[] */
LPDWORD dwPTE   = NULL;   /* PTE that currently maps shellcode[] */
LPDWORD zeroPDE = NULL;   /* PDE slot for linear address 0, read back after CallGate's write */
LPDWORD zeroPTE = NULL;   /* PTE slot for linear address 0, read back after CallGate's write */

/* 14-byte user-mode stub: four `push 0`, a `call rel32` whose operand
 * (bytes 9..12) main patches so it reaches MessageBox, then `ret`. */
BYTE shellcode[] = {
    0x6a, 0x00,                     /* push 0 */
    0x6a, 0x00,                     /* push 0 */
    0x6a, 0x00,                     /* push 0 */
    0x6a, 0x00,                     /* push 0 */
    0xe8, 0x00, 0x00, 0x00, 0x00,   /* call rel32 -- operand fixed up in main */
    0xc3                            /* ret */
};
/*
 * CallGate -- ring-0 body reached through a GDT call gate (selector 0x48,
 * see gate[] in main). Entered by main's `call fword ptr gate`, left with
 * `retf`. Naked: no prologue/epilogue; pushad/pushfd and popad/popfd
 * preserve the caller's general registers and flags. fs is left set to
 * 0x30 -- main saves and restores fs around the gate call.
 *
 * All page-table access goes through the 32-bit Windows self-map
 * (PTEs at 0xC0000000, PDEs at 0xC0300000) with 4-byte entries, so the
 * routine is specific to that configuration (presumably non-PAE -- confirm
 * on the target build). Effect:
 *   dwPDE, dwPTE          <- the PDE and PTE that currently map shellcode[]
 *   PDE for linear addr 0 <- dwPDE   (only if that slot is currently zero)
 *   PTE for linear addr 0 <- dwPTE   (unconditionally)
 *   zeroPDE, zeroPTE      <- both slots read back AFTER the writes, i.e. the
 *                            values just stored, not the previous contents.
 * The previous contents of either slot are never saved or restored, and
 * nothing here undoes the new mapping. The call-gate descriptor this code
 * depends on is assumed to exist already; installing it is not shown on
 * this page.
 */
VOID _declspec(naked) CallGate(){
_asm{
push 0x30                       // fs <- selector 0x30 while in the gate (main restores it)
pop fs
pushad                          // preserve caller's GPRs and flags (naked function)
pushfd
lea ecx,shellcode               // ecx = linear address of shellcode[]
//Get PDE: eax = 0xC0300000 + (ecx >> 22) * 4, the self-map slot of the PDE
//for ecx (-0x3fd00000 == +0xC0300000 mod 2^32)
mov eax,ecx
shr eax,0x14
and eax,0xffc
sub eax,0x3fd00000
mov eax,[eax]                   // eax = PDE entry mapping shellcode[]
mov dwPDE,eax
//Get PTE: eax = 0xC0000000 + (ecx >> 12) * 4, the self-map slot of the PTE
//for ecx (-0x40000000 == +0xC0000000 mod 2^32)
mov eax,ecx
shr eax,0xa
and eax,0x3ffffc
sub eax,0x40000000
mov eax,[eax]                   // eax = PTE entry mapping shellcode[]
mov dwPTE,eax
//Map the shellcode's physical page at linear address 0:
//PDE slot for linear 0 (0xC0300000) is written only if it is currently zero
mov eax,ds:[0xc0300000]
test eax,eax
jnz Flag                        // already populated -> keep the existing PDE
mov ecx,dwPDE
mov ds:[0xc0300000],ecx
Flag:
mov ecx,dwPTE                   // PTE slot for linear 0 (0xC0000000) is always overwritten
mov ds:[0xc0000000],ecx
//Save zero PDE and PTE -- read back after the writes above, so these hold
//the values just stored, not what was there before
mov eax,ds:[0xc0300000]
mov zeroPDE,eax
mov eax,ds:[0xc0000000]
mov zeroPTE,eax
popfd
popad
retf                            // far return to main (pairs with call fword ptr gate)
}
}
/*
 * main -- user-mode driver for the demo. Windows x86 (32-bit) only:
 * segment selectors, an fword far call and 4-byte page-table entries.
 *
 * Sequence: print CallGate's address and wait for a key (presumably so a
 * call-gate descriptor can be pointed at CallGate out of band -- that step
 * is not on this page), patch the shellcode's call target, enter ring 0
 * through the gate so CallGate maps the shellcode's page at linear
 * address 0, then call the shellcode at its page offset from address 0.
 *
 * There is no error checking: a missing/incorrect gate descriptor or a
 * wrong mapping ends in a fault rather than a handled error. Returns 0.
 */
int main(){
_asm{
// int 3                        -- optional debugger breakpoint, left disabled
}
BYTE gate[] = {0,0,0,0,0x48,0};                 // 6-byte far pointer: offset 0x00000000, selector 0x0048
UINT32 dwAddr = (UINT32)MessageBox;             // target of the shellcode's call
//Fix SHELLCODE: after CallGate maps the shellcode's page at linear 0, the
//stub executes at linear address dwOffset (its offset within that page)
UINT32 dwOffset = (UINT32)shellcode & 0xFFF;
printf("%p\n",CallGate);                        // operator needs this to set up the gate descriptor (not shown here)
getchar();
// rel32 operand of the `call` (opcode 0xe8 at shellcode[8], operand at [9..12]);
// the call runs at linear dwOffset+8, so its next-instruction address is dwOffset+13
*(LPDWORD)&shellcode[9] = UINT32(dwAddr -dwOffset-13);
_asm{
push fs                         // CallGate sets fs = 0x30; keep the caller's fs
call fword ptr gate             // far call through the call gate -> CallGate (ring 0), back via retf
pop fs
call [dwOffset]                 // indirect call to linear address dwOffset: the shellcode via the new mapping
}
printf("0xC030:%p\n0xC00:%p\noffset:%x\n",zeroPDE,zeroPTE,dwOffset);   // values CallGate read back after its writes
system("pause");
return 0;
}
0线性地址挂shellcode