保护模式-阶段性测试-二

// ±£»¤Ä£Ê½½×¶ÎÐÔ²âÊÔ2.cpp : Defines the entry point for the console application.
//

#include "stdafx.h"
#include <windows.h>


#define PDE(x) ((PDWORD)(0xC0300000) + ((x >> 20) & 0xFFC))

#define PTE(x) ((PDWORD)((0xC0000000) + ((x >> 10) & 0x3FFFFC)))

DWORD g_dwAddr;
PDWORD g_pdw1000PDE;
PDWORD g_pdw1000PTE;

PDWORD g_pdwPDE;
PDWORD g_pdwPTE;


void __declspec(naked) Test()
{
/*
PDE(0x1000) = PDE(g_dwAddr);
PTE(0x1000) = PTE(g_dwAddr);
*/

g_pdwPDE = PDE(g_dwAddr);
g_pdwPTE = PTE(g_dwAddr);
g_pdw1000PDE = PDE(0x1000);
g_pdw1000PTE = PTE(0x1000);
/*
_asm
{
retf;
}*/
//g_pdw1000PDE = PDE(0x1000);
//g_pdw1000PTE = PTE(0x1000);

_asm
{
pushad;
pushfd;

mov eax,g_pdwPDE;
mov eax,[eax];
mov ebx,g_pdw1000PDE;
mov [ebx],eax;

mov ecx,g_pdwPTE;
mov ecx,[ecx];
mov edx,g_pdw1000PTE;
mov [edx],ecx;

popfd;
popad;

retf;
}

}

int main(int argc, char* argv[])
{
DWORD dwAddr = (DWORD)VirtualAlloc(NULL,0x1000,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
if(dwAddr == NULL)
{
printf("·ÖÅäµØַʧ°Ü!");
}
memset((PDWORD)dwAddr,0,0x1000);
for(int i = 0;i < 100;i++)
{
*((PDWORD)dwAddr+i) = (DWORD)((PDWORD)dwAddr + i);
}
/*
for(int y = 0;y < 100;y++)
{

printf("%d = %x => %xn",(DWORD)((PDWORD)dwAddr + y),(DWORD)((PDWORD)dwAddr + y),*((PDWORD)dwAddr+y));
}
//ÑéÖ¤
*/
g_dwAddr = dwAddr;

/*
g_pdwPDE = PDE(g_dwAddr);
g_pdwPTE = PTE(g_dwAddr);

PDWORD xPDE = (PDWORD)((( g_dwAddr >> 20) & 0xFFC) +0xC0300000);
printf("xPDE = %xn",xPDE);
printf("g_pdwPDE = %xn",g_pdwPDE);

//XµÄPTE
PDWORD xPTE = (PDWORD)(((g_dwAddr >> 10) & 0x3FFFFC) + 0xC0000000);
printf("xPTE = %xn",xPTE);
printf("g_pdwPTE = %xn",g_pdwPTE);

*/

char buff[6] = {0x44,0x33,0x22,0x11,0x48,0x00};
_asm
{
call fword ptr [buff];
}
printf("g_pdwPDE = %xn",g_pdwPDE);
printf("g_pdwPTE = %xn",g_pdwPTE);
printf("g_pdw1000PDE = %xn",g_pdw1000PDE);
printf("g_pdw1000PTE = %xn",g_pdw1000PTE);
printf("hellon");
for(i=0;i<100;i++)
{
printf("%dn", *(DWORD*)(0x1000+i*4));
}
getchar();
return 0;
}

原文始发于微信公众号（loochSec）：保护模式-阶段性测试-二