;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; ml /c /coff wdm.asm
; link /subsystem:NATIVE /driver:wdm /release /out:wdm.sys wdm.obj
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.586P ; 保护模式
.model flat,stdcall
option casemap:none
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Include 文件定义
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;include windows.inc
; Win2k驱动结构定义
include ddk\ntddk.inc
; Win2k驱动相关文件
include ddk\ntoskrnl.inc
includelib ddk\ntoskrnl.lib
include ddk\hal.inc
includelib ddk\hal.lib
;====================================================================
include Ring0.inc
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 数据段
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; .data
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 代码段
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.code
;====================================================================
; 字符串定义
; szMyIntFunc db 'Ring0 ...',0
; szDrvLoad db 'DriverEntry ...',0
; szUnLoad db 'WdmUnload ...',0
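.data
; 16-byte scratch buffer used as the destination of `sidt` (6 bytes are
; written). It must be writable, so it is placed in .data instead of the
; code section: writable storage inside .code mixes data into the
; executable image and only works while the code pages are not
; write-protected.
szBuffer db 16 dup(0)
.code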
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
MyIntFunc proc
; Handler that AddMyInt installs in IDT vector 21h as a 32-bit interrupt
; gate with DPL 3 (descriptor word 0EE00h), so it is reachable from ring 3
; with `int 21h`.
; On entry (the CPU leaves these untouched): EAX = address of the routine to
; call, EDX = the single argument passed to it. On a switch from ring 3 the
; CPU has pushed SS/ESP/EFLAGS/CS/EIP; iretd returns to the caller.
; Contract: the routine in EAX must be stdcall with exactly one DWORD
; argument - nothing between `call eax` and `iretd` removes the pushed EDX,
; so a callee that does not pop it leaves ESP off by 4 and iretd pops
; garbage.
; No registers are saved or restored; whatever the callee clobbers is
; handed back to the ring-3 caller. An interrupt gate clears IF, so the
; callee runs with interrupts disabled on this CPU until iretd.
; RISK: EAX comes from user mode and is not validated in any way, so every
; process that can execute `int 21h` can run arbitrary code in kernel mode.
; A present, DPL-3 gate on a vector the OS does not use is a strong signal
; for IDT integrity checks.
; invoke DbgPrint,addr szMyIntFunc
; mov [ebx-4],cx
; shr ecx,16
; mov [ebx+2],cx
push edx
call eax
iretd
MyIntFunc endp
;====================================================================
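AddMyInt proc uses edi
; Installs MyIntFunc as a DPL-3 32-bit interrupt gate in vector 21h of the
; *current* processor's IDT. `sidt` reads only this CPU's IDTR; on a
; multiprocessor system each CPU has its own IDT - NOTE(review): the other
; CPUs are not touched here.
; In:  nothing.  Out: nothing (no status is returned).  Clobbers: eax, flags.
; edi is callee-saved under the Win32 x86 ABI and is restored by `uses`.
; Fix: `sidt` now writes to the stack local @IDT (declared but unused
; before) instead of szBuffer, a buffer that lives in the code section.
    local @IDT:IDT_REG                  ; 6-byte {limit, base} as written by sidt
    sidt fword ptr @IDT
    mov edi,@IDT.base                   ; edi = linear address of this CPU's IDT
    add edi,21h*8                       ; each gate descriptor is 8 bytes
    ; Vector 21h: the author states Win2k does not use it. The existing
    ; descriptor is not saved, so WdmUnload cannot restore it later.
    ; cli/sti around the stores (left commented out by the author) would
    ; keep an int 21h dispatched on this CPU from seeing a half-written gate.
    ; cli
    mov eax,offset MyIntFunc
    mov [edi],ax                        ; handler offset, bits 15..0
    shr eax,16
    mov [edi+6],ax                      ; handler offset, bits 31..16
    mov [edi+2],cs                      ; selector = current kernel code segment
    ; 0EE00h: P=1, DPL=3, type 0Eh (32-bit interrupt gate), reserved byte 0.
    ; DPL 3 is what makes the gate callable from user mode.
    mov WORD ptr [edi+4],0EE00h
    ; sti
    ret
AddMyInt endp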
;====================================================================
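WdmUnload proc uses edi,DriverObject:DWORD
; DriverUnload routine: removes the gate AddMyInt installed in vector 21h of
; the *current* processor's IDT by zeroing the whole 8-byte descriptor
; (P=0, so a later `int 21h` faults instead of reaching MyIntFunc).
; In:  DriverObject (unused).  Out: nothing.  Clobbers: eax, flags.
; Fix 1: edi is callee-saved under the Win32 x86 ABI and this routine is
; called directly by the I/O manager, so it is now preserved via `uses edi`.
; Fix 2: `sidt` writes to the stack local @IDT (declared but unused
; before) instead of szBuffer, a buffer in the code section.
; The descriptor is cleared rather than restored because AddMyInt does not
; save the original value. Only this CPU's IDT is affected (see AddMyInt).
    local @IDT:IDT_REG                  ; 6-byte {limit, base} as written by sidt
    ; invoke DbgPrint,addr szUnLoad
    ; int 3
    sidt fword ptr @IDT
    mov edi,@IDT.base                   ; edi = linear address of this CPU's IDT
    add edi,21h*8                       ; descriptor of vector 21h
    ; cli
    xor eax,eax
    mov [edi],ax                        ; offset bits 15..0
    mov [edi+6],ax                      ; offset bits 31..16
    mov [edi+2],ax                      ; selector
    mov WORD ptr [edi+4],ax             ; attributes: P=0 -> gate not present
    ; sti
    ret
WdmUnload endp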
;====================================================================
DriverEntry proc DriverObj:DWORD,RegistryPath:DWORD
; Driver entry point (stdcall, called by the I/O manager).
; In:  DriverObj = DRIVER_OBJECT*, RegistryPath (unused).
; Out: eax = 0 (STATUS_SUCCESS).  Clobbers: eax, flags, plus whatever
;      AddMyInt clobbers.
; Registers WdmUnload as the unload routine, then installs the int 21h gate.
; No device object or dispatch routines are created here, so the gate is
; the driver's only user-reachable interface.
    ; invoke DbgPrint,addr szDrvLoad
    ; int 3
    mov eax,DriverObj
    mov (DRIVER_OBJECT ptr [eax]).DriverUnload,offset WdmUnload
    call AddMyInt                       ; takes no arguments
    xor eax,eax                         ; STATUS_SUCCESS
    ret
DriverEntry endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
end DriverEntry