0x001 TSS的基础知识
TSS是一段内存结构
01 | char st[10] = {0}; // st 的地址是 0042b034 |
02 | TSS tss = {// tss的地址是 0x00427b40 |
03 | 0x00000000,//link |
04 | (DWORD)st,//esp0 |
05 | 0x00000010,//ss0 |
06 | 0x00000000,//esp1 |
07 | 0x00000000,//ss1 |
08 | 0x00000000,//esp2 |
09 | 0x00000000,//ss2 |
10 | 0x00000000,//cr3 |
11 | 0x0040fad0,//eip |
12 | 0x00000000,//eflags |
13 | 0x00000000,//eax |
14 | 0x00000000,//ecx |
15 | 0x00000000,//edx |
16 | 0x00000000,//ebx |
17 | (DWORD)st,//esp |
18 | 0x00000000,//ebp |
19 | 0x00000000,//esi |
20 | 0x00000000,//edi |
21 | 0x00000023,//es |
22 | 0x00000008,//cs |
23 | 0x00000010,//ss |
24 | 0x00000023,//ds |
25 | 0x00000030,//fs |
26 | 0x00000000,//gs |
27 | 0x00000000,//ldt |
28 | 0x20ac0000 |
29 | }; |
理解TR寄存器 TSS段描述符 TSS段的关系
0x002、测试代码
01 | // 20180322_05.cpp : Defines the entry point for the console application. |
02 | // |
03 |
04 | #include "stdafx.h" |
05 | #include <windows.h> |
06 | #include <stdio.h> |
07 |
08 | DWORD dwOK; |
09 | DWORD dwESP; |
10 | DWORD dwCS; |
11 |
12 | __declspec(naked)func()//00401020 |
13 | { |
14 | dwOK = 1; |
15 | __asm{ |
16 | //int 3 |
17 | mov eax,esp |
18 | mov dwESP,eax |
19 | mov ax,cs |
20 | mov word ptr [dwCS],ax |
21 |
22 | //返回 |
23 | iret |
24 | } |
25 | } |
26 |
27 | //eq 8003f0c0 0000e912`fdcc0068 |
28 |
29 |
30 |
31 | int main(int argc, char* argv[]) |
32 | { |
33 | char bu[0x10]; //0x12ff70 |
34 | int iCr3; |
35 | printf("input CR3:\n"); |
36 | scanf("%x",&iCr3); //!process 0 0 获取 |
37 |
38 | //0012fDCC |
39 | DWORD iTSS[0x68]={ |
40 | 0x00000000,//link |
41 | (DWORD)bu,//esp0 |
42 | 0x00000010,//ss0 |
43 | 0x00000000,//esp1 |
44 | 0x00000000,//ss1 |
45 | 0x00000000,//esp2 |
46 | 0x00000000,//ss2 |
47 | (DWORD)iCr3,//cr3 |
48 | 0x00401020,//eip |
49 | 0x00000000,//eflags |
50 | 0x00000000,//eax |
51 | 0x00000000,//ecx |
52 | 0x00000000,//edx |
53 | 0x00000000,//ebx |
54 | (DWORD)bu,//esp |
55 | 0x00000000,//ebp |
56 | 0x00000000,//esi |
57 | 0x00000000,//edi |
58 | 0x00000023,//es |
59 | 0x00000008,//cs |
60 | 0x00000010,//ss |
61 | 0x00000023,//ds |
62 | 0x00000030,//fs |
63 | 0x00000000,//gs |
64 | 0x00000000,//ldt |
65 | 0x20ac0000 |
66 | }; |
67 |
68 | char buff[6]; |
69 |
70 | *(DWORD*)&buff[0] = 0x12345678; |
71 | *(WORD*)&buff[4] = 0x48; |
72 |
73 | __asm |
74 | { |
75 | call fword ptr[buff] |
76 | } |
77 |
78 | printf("ok = %d ESP = %x CS = %x \n",dwOK,dwESP,dwCS); |
79 |
80 | return 0; |
81 | } |
0x003 测试环境
eq 8003f048 0000e912`fdcc0068
0x004 修改CR3
1 | PROCESS 86311228 SessionId: 0 Cid: 059c Peb: 7ffdf000 ParentCid: 0640 |
2 | DirBase: 06d80360 ObjectTable: e17d9ac0 HandleCount: 73. |
3 | Image: 20180322_05.exe |
对
1 | DirBase: 06d80360 进行设置 |
1 |
1 | 0x005 运行读取 |
总结: 难点很多,理解起来,模模糊糊的, 只是完成了实验, 很多还是不太懂!!
1则评论给“TSS切换实验”
兄弟你这代码差了个 void 执行不过
__declspec(naked)func()