0x001 TSS的基础知识
TSS(Task State Segment,任务状态段)是一段内存结构:下面列出的每个字段对应一个寄存器或段选择子。任务切换时 CPU 把当前寄存器保存到旧任务的 TSS,再从新任务的 TSS 中加载全部寄存器(包括 cs、ss、cr3),所以谁能控制 TSS 的内容,谁就能决定切换后的代码以什么特权级、在哪个地址空间运行。
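/* Stack for the hand-built task.  The x86 stack grows downward, so the TSS
 * esp/esp0 fields below must point at the END of this buffer (st + sizeof st).
 * The original pointed at its start, which would make the first push land in
 * whatever lies just below st.  10 bytes leaves esp unaligned and is only
 * tolerable because func() never pushes anything; round the size up to a
 * multiple of 4 before giving this task a real stack.
 * (st was at 0x0042b034 in the author's build.) */
char st[10] = {0};

/* The TSS itself (0x00427b40 in the author's build).  Field order is the
 * 32-bit TSS layout; every value is loaded into the matching register when the
 * CPU switches to this task.  cs=0x08 (RPL 0) is what makes the task run at
 * CPL 0, so the contents of this structure are security critical. */
TSS tss = {
    0x00000000,                 /* link: previous task's TSS selector, written by the CPU on a CALL-initiated switch */
    (DWORD)(st + sizeof(st)),   /* esp0: top of st (stack grows down) */
    0x00000010,                 /* ss0 */
    0x00000000,                 /* esp1 */
    0x00000000,                 /* ss1 */
    0x00000000,                 /* esp2 */
    0x00000000,                 /* ss2 */
    0x00000000,                 /* cr3: must be a valid page-directory base before this TSS is used */
    0x0040fad0,                 /* eip: address of the code the task starts at (author's build) */
    0x00000000,                 /* eflags: IF clear, interrupts masked while the task runs */
    0x00000000,                 /* eax */
    0x00000000,                 /* ecx */
    0x00000000,                 /* edx */
    0x00000000,                 /* ebx */
    (DWORD)(st + sizeof(st)),   /* esp: same stack as esp0 */
    0x00000000,                 /* ebp */
    0x00000000,                 /* esi */
    0x00000000,                 /* edi */
    0x00000023,                 /* es */
    0x00000008,                 /* cs: RPL 0 code selector -> task runs at CPL 0 */
    0x00000010,                 /* ss */
    0x00000023,                 /* ds */
    0x00000030,                 /* fs */
    0x00000000,                 /* gs */
    0x00000000,                 /* ldt: no LDT */
    0x20ac0000                  /* I/O map base (high word) and T bit (bit 0) */
};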
理解 TR 寄存器、TSS 段描述符与 TSS 段三者的关系:TR 中保存的是一个段选择子,它在 GDT 中索引一个 TSS 段描述符,描述符给出 TSS 段在内存中的基址、界限、类型和 DPL;下面实验里 `eq` 写入的就是这样一个描述符,而 `call fword ptr` 中的选择子 0x48 则选中它并触发任务切换。
0x002、测试代码
01 | // 20180322_05.cpp : Defines the entry point for the console application. |
02 | // |
03 |
04 | #include "stdafx.h" |
05 | #include <windows.h> |
06 | #include <stdio.h> |
07 |
/* Results recorded by func() while it runs as the task that main() switches
 * to (cs=0x08, RPL 0); main() prints them after the switch back.  All three
 * stay 0 until func() has actually executed. */
DWORD dwOK = 0;   /* set to 1 as soon as func() is entered */
DWORD dwESP = 0;  /* esp observed inside func() */
DWORD dwCS = 0;   /* cs observed inside func() */
11 |
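/*
 * Entry point of the hand-built task; its address goes into the TSS eip field
 * in main().  Control arrives here through a hardware task switch, so there is
 * no caller frame: the function is `naked` (no prolog/epilog) and must not use
 * the stack.  It records that it ran and what esp/cs it sees into the globals
 * dwOK/dwESP/dwCS, then executes `iret`; because the CALL-initiated task
 * switch set NT in this task's EFLAGS, that `iret` switches back to the task
 * named in the TSS link field instead of popping a return address.
 *
 * Fix vs. the original: the return type was missing, which MSVC rejects (see
 * the reader comment at the end of the page).  The global store was moved
 * into the asm block so the compiler generates no code of its own inside a
 * naked function, and cs is stored as a full DWORD.
 *
 * MSVC/x86 only (__declspec(naked), __asm).  Never call this from C.
 */
__declspec(naked) void func()
{
    __asm {
        // int 3                    ; uncomment to break into the kernel debugger here
        mov dword ptr [dwOK], 1     ; we got here
        mov eax, esp
        mov dword ptr [dwESP], eax  ; esp as loaded from the TSS
        xor eax, eax
        mov ax, cs                  ; cs as loaded from the TSS (0x08)
        mov dword ptr [dwCS], eax   ; store all 32 bits, not just the low word
        iret                        ; NT set -> task switch back via the link field
    }
}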
26 |
// eq 8003f048 0000e912`fdcc0068   <- GDT entry for selector 0x48 (see section 0x003); the 8003f0c0 address previously noted here is the slot for selector 0xc0 and does not match the 0x48 that main() calls through.
28 |
29 |
30 |
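/*
 * Experiment driver.  Builds a 32-bit TSS on the stack whose saved state
 * describes a task that runs func() with cs=0x08 (RPL 0), then performs a far
 * call through selector 0x48, which the operator has pointed at that TSS with
 * the kernel debugger (`eq 8003f048 ...` in section 0x003).  A far call whose
 * selector names a TSS descriptor is a hardware task switch: the CPU loads
 * every register listed in iTSS, including cs, ss and cr3, and func()'s
 * `iret` switches back here.
 *
 * Security note: nothing in this program escalates privilege by itself.  The
 * ring-3 far call only reaches func() at CPL 0 because a DPL=3 TSS descriptor
 * was written into the GDT from the debugger.  Any bug that lets an attacker
 * write such a descriptor, or overwrite the TSS it points to, is a direct
 * ring3->ring0 escalation -- which is why the GDT and TSS must never be
 * writable from user mode.
 *
 * Stack layout matters: the GDT entry hard-codes the address of iTSS
 * (0x0012fdcc in the author's run), so the locals keep the original order and
 * sizes.  Re-read iTSS's address in the debugger after any change here.
 *
 * Returns 0 after printing what func() recorded; 1 if no CR3 was read.
 */
int main(int argc, char *argv[])
{
    char bu[0x10];        /* stack for the new task (0x12ff70 in the author's run) */
    unsigned int uCr3;    /* page-directory base for the new task; %x needs an unsigned target */

    printf("input CR3:\n");
    /* DirBase of this process, taken from `!process 0 0`.  The value is copied
     * verbatim into the TSS cr3 field, so a wrong one leaves the new task
     * without a usable address space.  Refuse to continue on missing or
     * garbled input rather than loading an uninitialized value into cr3. */
    if (scanf("%x", &uCr3) != 1) {
        printf("bad CR3\n");
        return 1;
    }

    /* 0x68 is the TSS size in BYTES; declared as DWORDs this over-allocates
     * (only the first 26 entries are used, the rest are zero).  Kept as-is so
     * the array stays where the debugger-installed descriptor expects it. */
    DWORD iTSS[0x68] = {
        0x00000000,                  /* link: previous task's selector, written by the CPU on the CALL */
        (DWORD)(bu + sizeof(bu)),    /* esp0: stack grows down, so point at the END of bu, not its start */
        0x00000010,                  /* ss0 */
        0x00000000,                  /* esp1 */
        0x00000000,                  /* ss1 */
        0x00000000,                  /* esp2 */
        0x00000000,                  /* ss2 */
        uCr3,                        /* cr3: from the operator, see above */
        (DWORD)func,                 /* eip: was hard-coded 0x00401020, func's address in the author's build */
        0x00000000,                  /* eflags: IF clear, interrupts masked while func() runs */
        0x00000000,                  /* eax */
        0x00000000,                  /* ecx */
        0x00000000,                  /* edx */
        0x00000000,                  /* ebx */
        (DWORD)(bu + sizeof(bu)),    /* esp: same stack as esp0 */
        0x00000000,                  /* ebp */
        0x00000000,                  /* esi */
        0x00000000,                  /* edi */
        0x00000023,                  /* es */
        0x00000008,                  /* cs: RPL 0 -> func() runs at CPL 0 */
        0x00000010,                  /* ss */
        0x00000023,                  /* ds */
        0x00000030,                  /* fs: value copied by the author; not read by func() */
        0x00000000,                  /* gs */
        0x00000000,                  /* ldt: no LDT */
        0x20ac0000                   /* I/O map base (high word) and T bit (bit 0) */
    };

    /* Far pointer for `call fword ptr`: 4-byte offset followed by a 2-byte
     * selector.  When the selector names a TSS descriptor the CPU ignores the
     * offset (the target comes from the TSS), so 0x12345678 is a placeholder. */
    char buff[6];
    *(DWORD *)&buff[0] = 0x12345678;
    *(WORD *)&buff[4] = 0x48;    /* GDT index 9, RPL 0 -> the entry written at 8003f048 */

    __asm {
        call fword ptr [buff]    ; task switch into iTSS; execution resumes here after func()'s iret
    }

    printf("ok = %lu ESP = %lx CS = %lx \n", dwOK, dwESP, dwCS);
    return 0;
}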
0x003 测试环境
eq 8003f048 0000e912`fdcc0068
—— 用内核调试器向 GDT 中选择子 0x48 对应的 8 字节表项(GDT 基址 8003f000 + 0x48)写入一个 TSS 描述符。按段描述符格式拆解:基址 0x0012fdcc(即 main 中 iTSS 在栈上的地址,栈布局一变就必须重写这条命令),界限 0x0068(32 位 TSS 要求界限 ≥ 0x67),类型 9(可用的 32 位 TSS),P=1,DPL=3。正是 DPL=3 让 ring3 代码能用 `call fword ptr` 选中它并触发任务切换;真实系统中只有内核(或调试器)能写 GDT,能向 GDT 写入这样一个描述符本身就等价于 ring3→ring0 提权。
0x004 修改CR3
1 | PROCESS 86311228 SessionId: 0 Cid: 059c Peb: 7ffdf000 ParentCid: 0640 |
2 | DirBase: 06d80360 ObjectTable: e17d9ac0 HandleCount: 73. |
3 | Image: 20180322_05.exe |
把 `!process 0 0` 输出中的 DirBase: 06d80360 作为程序提示 input CR3 时的输入(按 %x 读入)。它会原样写入 TSS 的 cr3 字段,成为切换后新任务的页目录基址;填错的话新任务将无法正确寻址。
0x005 运行读取
总结: 难点很多,理解起来,模模糊糊的, 只是完成了实验, 很多还是不太懂!!
1则评论给“TSS切换实验”
兄弟你这代码差了个 void,执行不过:`__declspec(naked)func()` 缺少返回类型,应写成 `__declspec(naked) void func()`。