test byte ptr [eax + 4], 3 //we can't make "page_in"
jz bad_pointer //yet...
mov eax, dword ptr [PreLastEIPValue]
mov edx, eax
and edx, 0FFFh //check if last eip == 0x...FFF
cmp edx, 0FFFh //and next page may be "page out"
jne eip_in_range
sub eax, 4
eip_in_range:
mov dx, word ptr [eax] //save user bytes
mov word ptr [saved_user_bytes], dx
push eax //patch user code with command mov al, [eax]
call EnableWrite
mov SavedCR0, eax
pop eax
mov word ptr [eax], 0x008A
mov dword ptr [saved_esp_end], esp
push 23h //prepare own interrupt stack
mov eax, offset NewInterruptStack + 0x1000 - 0x10
push dword ptr [eax + 0xC] //get esp value for ring3
push 00010306h
push 1Bh
push dword ptr [PreLastEIPValue]
mov eax, ebx
mov ReturnToMakePageIn, offset return_from_int1
mov MakePageIn, 1
iretd
//=========================================================================================
return_from_int1:
mov MakePageIn, 0
mov ReturnToMakePageIn, 0
mov eax, dword ptr [PreLastEIPValue] //check if "pagein" success
add eax, 2
cmp eax, dword ptr [esp]
mov esp, dword ptr [saved_esp_end]
jz pagein_success
xor eax, eax
mov dword ptr [esp + 34h], eax
pagein_success:
mov eax, dword ptr [PreLastEIPValue] //restore user bytes
mov edx, dword ptr [saved_user_bytes]
mov word ptr [eax], dx
push SavedCR0
call SetCR0
cld //we must to restore original interrupt stack
mov ecx, 5 //because it was changed by last interrupt
mov edi, OldInterruptStack
mov esi, offset NewInterruptStack + 0x1000 - 0x10
repnz movsd
page_in_memory:
pop gs
pop es
pop ds
pop fs
popad
mov eax, dword ptr [esp + 4]
ret 4
}
}
///////////////////////////////////////////////////////////////////////
//
// function CheckAddressAndMakePageIn - make "PAGEIN"
//
// This variant, which patches ESP0 in the TSS, does not work reliably:
// roughly once in 100000 invocations it fails to preserve its own interrupt
// stack, which is fatal. It is kept only as a reference in case a reader has
// a better idea -- do not re-enable it as-is.
//
// NOTE(review): both variants call EnableWrite (presumably clearing CR0.WP)
// and rewrite user code bytes in place, and this one additionally rewrites a
// GDT descriptor and the TSS; nothing in the code shown here masks interrupts
// around those edits, which is worth checking when hunting the failure.
//
///////////////////////////////////////////////////////////////////////
//__declspec(naked) void* CheckAddressAndMakePageIn(void *address)
//{
// UNREFERENCED_PARAMETER(address);
//
// static int original_esp0 = 0;
// static int saved_esp_beg = 0;
// static int saved_esp_end = 0;
// static int intterupt_stack[5] = {0};
// static int saved_user_bytes[2] = {0};
// static __int64 temp_old_descrp = 0;
// static __int64 temp_new_descrp = 0;
//
// __asm
// {
// pushad
// push fs
// push ds
// push es
// push gs
//
// cmp dword ptr [esp + 0x34], 0x1000
// jb bad_pointer
//
// cmp dword ptr [esp + 0x34], NT_HIGHEST_USER_ADDRESS
// jb make_page_in
//
// push dword ptr [esp + 0x34]
// call GetPte
// mov eax, dword ptr [eax]
// test al, 1
// jnz page_in_memory
//
// // here need to make PAGEIN for page in range > NT_HIGHEST_USER_ADDRESS
// // not support yet...
//
//bad_pointer:
// pop gs
// pop es
// pop ds
// pop fs
// popad
// xor eax, eax
// ret 4
//
//make_page_in:
// mov dword ptr [saved_esp_beg], esp
//
// mov eax, dword ptr [esp + 0x34] //get [address] parameter
// mov ebx, eax
// push eax
// call GetPte
// mov eax, dword ptr [eax]
// test al, 1
// jnz page_in_memory
//
// mov eax, dword ptr [PreLastEIPValue]
//
// mov edx, eax
// and edx, 0FFFh //check if last eip == 0x...FFF
// cmp edx, 0FFBh //and next page may be "page out"
// jbe eip_in_range
// sub eax, 5
//eip_in_range:
//
// mov edx, dword ptr [eax] //save user bytes
// mov dword ptr [saved_user_bytes], edx
// mov dl, byte ptr [eax + 4]
// mov byte ptr [saved_user_bytes + 4], dl
//
// push eax
// call EnableWrite
// mov SavedCR0, eax
// pop eax
//
// mov byte ptr [eax], 0xA0 //patch user code with
// mov dword ptr [eax + 1], ebx //mov al, dword [0xXXX...]
//
// mov ecx, esp //stack value for saving in TSS
//
// //===========================================
//
// push ds //patch current TSS with new ESP0 value
// push gs
// mov ax, 23h
// mov ds, ax
// mov ax, 10h
// mov gs, ax
// sub esp, 08h
//
// sgdt fword ptr [esp]
//
// str ax //get TSS selector
// movzx eax, ax
// add eax, dword ptr [esp + 2]
//
// mov edx, dword ptr [eax]
// mov dword ptr [temp_new_descrp], edx
// mov edx, dword ptr [eax + 4]
// mov dword ptr [temp_new_descrp + 4], edx
//
// mov ax, 20h //GDT offset of the descriptor for selector 23h (RPL bits stripped)
// movzx eax, ax
// add eax, dword ptr [esp + 2]
//
// mov edx, dword ptr [eax]
// mov dword ptr [temp_old_descrp], edx
// mov edx, dword ptr [eax + 4]
// mov dword ptr [temp_old_descrp + 4], edx
//
// shr edx, 8
// mov byte ptr [temp_new_descrp + 4 + 1], dl
// shr edx, 8
// and dl, 11000000b
// mov byte ptr [temp_new_descrp + 4 + 2], dl
//
// mov edx, dword ptr [temp_new_descrp] //patch GDT with new descriptor
// mov dword ptr [eax], edx
// mov edx, dword ptr [temp_new_descrp + 4]
// mov dword ptr [eax + 4], edx
//
// mov dx, 23h //reload shadow part in ds
// mov ds, dx
//
// mov edx, dword ptr ds:[4]
// mov dword ptr gs:[original_esp0], edx
// mov dword ptr ds:[4], ecx //patch ESP0 value at TSS
//
// mov edx, dword ptr gs:[temp_old_descrp] //patch back GDT with old descriptor
// mov dword ptr gs:[eax], edx
// mov edx, dword ptr gs:[temp_old_descrp + 4]
// mov dword ptr gs:[eax + 4], edx
//
// mov dx, 23h
// mov ds, dx
//
// add esp, 08h
// pop gs
// pop ds
//
// //===========================================
//
// mov eax, dword ptr [original_esp0]
// push dword ptr [eax - 4] //save the five dwords just below ESP0 (the ring-0
// push dword ptr [eax - 8] //interrupt frame) so they can be restored later:
// push dword ptr [eax - 0Ch] //the int 0xE (#PF) handler overwrites them
// push dword ptr [eax - 10h] //(exact reason unknown)
// push dword ptr [eax - 14h]
//
// pop dword ptr [intterupt_stack + 10h]
// pop dword ptr [intterupt_stack + 0Ch]
// pop dword ptr [intterupt_stack + 8]
// pop dword ptr [intterupt_stack + 4]
// pop dword ptr [intterupt_stack + 0]
//
// push 23h
// push dword ptr [intterupt_stack + 4] //prepare own interrupt stack
// push 00010306h
// push 1Bh
// push dword ptr [PreLastEIPValue]
//
// mov dword ptr [saved_esp_end], esp
// mov ReturnToMakePageIn, offset return_from_int1
// mov MakePageIn, 1
// iretd
//
////=========================================================================================
//
//return_from_int1:
//
// mov MakePageIn, 0
// mov ReturnToMakePageIn, 0
//
// mov eax, dword ptr [PreLastEIPValue]
// add eax, 5
// cmp eax, dword ptr [esp]
// jz pagein_success
// mov esp, dword ptr [saved_esp_beg]
// xor eax, eax
// mov dword ptr [esp + 34h], eax
//pagein_success:
// mov esp, dword ptr [saved_esp_end]
//
// //===========================================
//
// push ds //restore ESP0 in TSS to original value
// push gs
// mov ax, 23h
// mov ds, ax
// mov ax, 10h
// mov gs, ax
// sub esp, 08h
//
// sgdt fword ptr [esp]
//
// mov ax, 20h //means 23h selector
// movzx eax, ax
// add eax, dword ptr [esp + 2]
//
// mov edx, dword ptr [temp_new_descrp] //patch GDT with new descriptor
// mov dword ptr [eax], edx
// mov edx, dword ptr [temp_new_descrp + 4]
// mov dword ptr [eax + 4], edx
//
// mov dx, 23h
// mov ds, dx
//
// mov edx, dword ptr gs:[original_esp0]
// mov dword ptr ds:[4], edx
//
// mov edx, dword ptr gs:[temp_old_descrp] //patch GDT back
// mov dword ptr gs:[eax], edx
// mov edx, dword ptr gs:[temp_old_descrp + 4]
// mov dword ptr gs:[eax + 4], edx
//
// mov dx, 23h //reload segment register
// mov ds, dx
//
// add esp, 08h
// pop gs
// pop ds
//
// //===========================================
//
// mov eax, dword ptr [PreLastEIPValue]
// mov edx, dword ptr [saved_user_bytes] //restore user bytes
// mov dword ptr [eax], edx
// mov dl, byte ptr [saved_user_bytes + 4]
// mov byte ptr [eax + 4], dl
//
// push SavedCR0
// call SetCR0
//
// mov ebx, dword ptr [original_esp0] //restore old interrupt stack
//
// mov eax, dword ptr [intterupt_stack + 0]
// mov dword ptr [ebx - 4], eax
// mov eax, dword ptr [intterupt_stack + 4]
// mov dword ptr [ebx - 8], eax
// mov eax, dword ptr [intterupt_stack + 8]
// mov dword ptr [ebx - 0Ch], eax
// mov eax, dword ptr [intterupt_stack + 0Ch]
// mov dword ptr [ebx - 10h], eax
// mov eax, dword ptr [intterupt_stack + 10h]
// mov dword ptr [ebx - 14h], eax
//
// mov esp, dword ptr [saved_esp_beg]
//
//page_in_memory:
// pop gs
// pop es
// pop ds
// pop fs
// popad
// mov eax, dword ptr [esp + 4]
// ret 4
// }
//}
//++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
///////////////////////////////////////////////////////////////////////
//
// GetUserHandler - fetch the current thread's top-most user-mode SEH
// handler address.
//
// Loads FS with selector 38h (presumably the GDT entry mapping the
// current thread's user TEB, RPL 0 so it can be loaded at CPL 0 --
// confirm against the kernel's GDT layout), reads the dword at fs:[0]
// (presumably NtTib.ExceptionList) and takes the dword at +4 of that
// record as the handler pointer. Both the record address and the
// handler address are run through CheckAddressAndMakePageIn so that
// non-present user pages get paged in first; if either check returns 0
// the function returns NULL.
//
// Returns:  the handler address, or NULL if either address check failed.
// Clobbers: eax, flags. FS is saved and restored around the lookup;
//           CheckAddressAndMakePageIn uses "ret 4", so the pushed
//           argument is popped by the callee.
//
// NOTE(review): the fs:[0] read itself is not routed through
// CheckAddressAndMakePageIn (only the addresses derived from it are);
// whether that matters depends on the context the caller runs in -- confirm.
//
///////////////////////////////////////////////////////////////////////
void* GetUserHandler(void)
{
    void* handler = 0;                          // NULL unless both checks pass

    __asm
    {
        push fs                                 // keep the caller's FS
        mov ax, 38h                             // user TEB selector, RPL 0
        mov fs, ax

        // eax = fs:[0] + 4, i.e. the Handler field of the head record
        mov eax, dword ptr fs:[0]
        add eax, 4

        // first check: the registration record must be readable
        push eax
        call CheckAddressAndMakePageIn          // callee pops the argument
        test eax, eax
        jz lookup_done

        // second check: the handler code address it points to
        mov eax, dword ptr [eax]
        push eax
        call CheckAddressAndMakePageIn
        test eax, eax
        jz lookup_done

        mov dword ptr [handler], eax            // both pages present: publish it
    lookup_done:
        pop fs                                  // restore the caller's FS
    }

    return handler;
}