保护模式-阶段性测试-二


保护模式-阶段性测试-二

// 保护模式阶段性测试2.cpp : Defines the entry point for the console application.
//

#include "stdafx.h"
#include <windows.h>


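/*
 * Address-of-entry helpers for the paging structures of linear address x.
 *
 * The formulas match classic 32-bit 10-10-12 paging with 4-byte entries:
 *   PDE offset = (x >> 22) * 4 = (x >> 20) & 0xFFC
 *   PTE offset = (x >> 12) * 4 = (x >> 10) & 0x3FFFFC
 * The bases 0xC0300000 / 0xC0000000 are the values this exercise hard-codes;
 * they only fit a 32-bit non-PAE kernel layout. Under PAE the entries are
 * 8 bytes wide and these offsets do not apply.
 *
 * The byte offset is added to the integer base BEFORE the cast to PDWORD.
 * The earlier PDE() added it to an already-cast PDWORD, so pointer arithmetic
 * multiplied the offset by sizeof(DWORD); that was only correct when the
 * offset happened to be 0 (addresses below 4 MB). The argument is also
 * parenthesised so expressions can be passed safely.
 */
#define PDE(x) ((PDWORD)(0xC0300000 + ((((DWORD)(x)) >> 20) & 0xFFC)))

#define PTE(x) ((PDWORD)(0xC0000000 + ((((DWORD)(x)) >> 10) & 0x3FFFFC)))

/* Linear address of the page allocated in main(); read by Test(). */
DWORD g_dwAddr;
/* Addresses of the PDE and PTE that describe linear address 0x1000. */
PDWORD g_pdw1000PDE;
PDWORD g_pdw1000PTE;

/* Addresses of the PDE and PTE that describe g_dwAddr. */
PDWORD g_pdwPDE;
PDWORD g_pdwPTE;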


/*
 * Test - copies the PDE and PTE values of g_dwAddr into the PDE and PTE slots
 * of linear address 0x1000, so that 0x1000 translates to the same physical
 * page as the buffer allocated in main().
 *
 * The function is naked (no compiler prologue/epilogue) and ends with `retf`,
 * so it must be entered by a far call; main() does that with
 * `call fword ptr [buff]` using selector 0x48.
 * NOTE(review): how selector 0x48 is wired to this function is not shown on
 * this page - presumably a call gate prepared beforehand; the paging
 * structures addressed here are not reachable from user mode, so the body
 * only works when it runs at ring 0. Confirm the setup.
 *
 * NOTE(review): the four C assignments below execute BEFORE pushad/pushfd, so
 * any registers and flags the compiler uses for them are modified before they
 * are saved.
 * NOTE(review): the PDE for 0x1000 describes the whole 4 MB region that
 * contains 0x1000. Overwriting it is only harmless if g_dwAddr lies in the
 * same region (same directory entry); otherwise every other mapping in that
 * region changes as well - verify.
 * NOTE(review): no TLB invalidation follows the PTE write - confirm that no
 * stale translation for 0x1000 can exist.
 */
void __declspec(naked) Test()
{
/*
PDE(0x1000) = PDE(g_dwAddr);
PTE(0x1000) = PTE(g_dwAddr);
*/

// Resolve where the four entries live; the values themselves are copied in
// the asm block below.
g_pdwPDE = PDE(g_dwAddr);
g_pdwPTE = PTE(g_dwAddr);
g_pdw1000PDE = PDE(0x1000);
g_pdw1000PTE = PTE(0x1000);
/*
_asm
{
retf;
}*/
//g_pdw1000PDE = PDE(0x1000);
//g_pdw1000PTE = PTE(0x1000);

_asm
{
// Save general-purpose registers and EFLAGS around the copy.
pushad;
pushfd;

// *g_pdw1000PDE = *g_pdwPDE  (directory entry of g_dwAddr -> slot of 0x1000)
mov eax,g_pdwPDE;
mov eax,[eax];
mov ebx,g_pdw1000PDE;
mov [ebx],eax;

// *g_pdw1000PTE = *g_pdwPTE  (table entry of g_dwAddr -> slot of 0x1000)
mov ecx,g_pdwPTE;
mov ecx,[ecx];
mov edx,g_pdw1000PTE;
mov [edx],ecx;

// Restore in reverse order of the saves.
popfd;
popad;

// Far return to the far-call site in main().
retf;
}

}

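/*
 * Entry point of the exercise.
 *
 * 1. Allocates one 4 KB page and fills its first 100 DWORDs with their own
 *    linear addresses, so each slot is self-describing.
 * 2. Far-calls through selector 0x48, which is expected to land in Test();
 *    Test() copies the PDE/PTE of the page onto linear address 0x1000.
 * 3. Prints the four entry addresses and then reads 100 DWORDs back through
 *    0x1000; if the remap worked they are the values written in step 1.
 *
 * Returns 0 on success and 1 if the page cannot be allocated. The earlier
 * version only printed a message on failure and then ran memset() on
 * address 0.
 *
 * 32-bit only: pointers are stored in DWORDs throughout.
 */
int main(int argc, char* argv[])
{
    /* NOTE(review): only data is stored in this page; PAGE_READWRITE looks
       sufficient - confirm whether the exercise needs the execute right. */
    DWORD dwAddr = (DWORD)VirtualAlloc(NULL, 0x1000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    /* Declared once for both loops: a for-scoped `i` is not visible in the
       second loop under standard C++ scoping. */
    int i;

    if (dwAddr == 0)
    {
        printf("分配地址失败!");
        return 1;   /* nothing to map; do not touch the null address */
    }

    memset((PDWORD)dwAddr, 0, 0x1000);
    for (i = 0; i < 100; i++)
    {
        /* Slot i holds the linear address of slot i. */
        *((PDWORD)dwAddr + i) = (DWORD)((PDWORD)dwAddr + i);
    }
    /*
    for(int y = 0;y < 100;y++)
    {

    printf("%d = %x => %x\n",(DWORD)((PDWORD)dwAddr + y),(DWORD)((PDWORD)dwAddr + y),*((PDWORD)dwAddr+y));
    }
    // verification
    */
    g_dwAddr = dwAddr;

    /*
    Cross-check of the PDE()/PTE() macros against the formulas written out by hand:

    g_pdwPDE = PDE(g_dwAddr);
    g_pdwPTE = PTE(g_dwAddr);

    PDWORD xPDE = (PDWORD)((( g_dwAddr >> 20) & 0xFFC) +0xC0300000);
    printf("xPDE = %x\n",xPDE);
    printf("g_pdwPDE = %x\n",g_pdwPDE);

    // PTE of X
    PDWORD xPTE = (PDWORD)(((g_dwAddr >> 10) & 0x3FFFFC) + 0xC0000000);
    printf("xPTE = %x\n",xPTE);
    printf("g_pdwPTE = %x\n",g_pdwPTE);

    */

    /* 6-byte far pointer (32-bit offset, then 16-bit selector):
       offset 0x11223344, selector 0x0048 (GDT index 9, RPL 0).
       NOTE(review): the descriptor behind 0x48 is not shown on this page;
       if it is a call gate, the CPU takes the target from the gate and the
       offset written here is only a placeholder - confirm. */
    char buff[6] = {0x44, 0x33, 0x22, 0x11, 0x48, 0x00};
    _asm
    {
        call fword ptr [buff];
    }

    /* The pointers are cast to DWORD so the argument type matches %x. */
    printf("g_pdwPDE = %x\n", (DWORD)g_pdwPDE);
    printf("g_pdwPTE = %x\n", (DWORD)g_pdwPTE);
    printf("g_pdw1000PDE = %x\n", (DWORD)g_pdw1000PDE);
    printf("g_pdw1000PTE = %x\n", (DWORD)g_pdw1000PTE);
    printf("hello\n");

    /* Read the page back through its second mapping at 0x1000. */
    for (i = 0; i < 100; i++)
    {
        printf("%d\n", *(DWORD*)(0x1000 + i * 4));
    }

    /* NOTE(review): the mapping at 0x1000 was written directly into the page
       tables, so the memory manager presumably has no record of it. The page
       at dwAddr is deliberately not freed here: releasing it while 0x1000
       still points at the same frame would leave a dangling mapping. */
    getchar();
    return 0;
}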

保护模式-阶段性测试-二


原文始发于微信公众号(loochSec):保护模式-阶段性测试-二
