📄 ring0.asm
字号:
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.586P ; 保护模式
.model flat,stdcall
option casemap:none
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
include ddk\NTDDK.INC
include Ring0.inc
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 代码段
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.code
szBuffer db 16 dup(0)
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
MyIntFunc proc
push edx
call eax
iretd
MyIntFunc endp
;====================================================================
AddMyInt proc uses edi
local @IDT
sidt szBuffer
mov edi,(IDT_REG ptr [szBuffer]).base
add edi,21h*8
; 使用Int21中断,该中断在Win2k下没有使用
; cli
mov eax,offset MyIntFunc
mov [edi],ax
shr eax,16
mov [edi+6],ax ; 设置入口地址
mov [edi+2],cs ; 设置段地址
; 设置Ring3可以访问
mov WORD ptr [edi+4],0EE00h
; sti
ret
AddMyInt endp
;====================================================================
WdmUnload proc DriverObject:DWORD
local @IDT
sidt szBuffer
mov edi,(IDT_REG ptr [szBuffer]).base
add edi,21h*8
xor eax,eax
mov [edi],ax
mov [edi+6],ax ; 设置入口地址
mov [edi+2],ax ; 设置段地址
mov WORD ptr [edi+4],ax
ret
WdmUnload endp
;====================================================================
DriverEntry proc DriverObj:DWORD,RegistryPath:DWORD
mov eax,DriverObj
assume eax:ptr DRIVER_OBJECT
mov [eax].DriverUnload,offset WdmUnload
assume eax:nothing
invoke AddMyInt
xor eax,eax
ret
DriverEntry endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
end DriverEntry⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -