浮
浮生
Unregistered / Unconfirmed
GUEST, unregistred user!
感谢大家的帮助[8D]
T
tsedlinux
Unregistered / Unconfirmed
GUEST, unregistred user!
gz
E
emonster
Unregistered / Unconfirmed
GUEST, unregistred user!
正规方法是用VXD、WDM。但也有非正规方法,如CIH病毒。
K
kingkong
Unregistered / Unconfirmed
GUEST, unregistred user!
gz
C
cozo
Unregistered / Unconfirmed
GUEST, unregistred user!
TRW用过吗?去问问它的作者吧。这个用Delphi是不大可能实现了。
E
emonster
Unregistered / Unconfirmed
GUEST, unregistred user!
也不用去问TRW的作者,去www.pediy.com论坛,里面有很多这方面的高手。
我记得好像是修改LDT来实现的。
我记得好像是修改LDT来实现的。
F
foolboy007
Unregistered / Unconfirmed
GUEST, unregistred user!
看看cih源码
修改idt 或者ldt都可以
修改idt 或者ldt都可以
3
3368aa
Unregistered / Unconfirmed
GUEST, unregistred user!
// File name : SetClock.cpp
// Function1 : SetClock9x(int)
// Function2 : SetClockNT(int)
// Chu Rui 2001.3.1
#include "stdafx.h"
#include "ntport.h"
#define FREE_INT_NO 5
void Ring0()
{ //在Windows9x下进入ring0后进行的操作
__asm
{
cli
mov al,34h
out 43h,al //写入8253控制寄存器,设置写0号定时器
mov ax,bx
out 40h,al //写定时值低位
mov al,ah
out 40h,al //写定时值高位
sti
iretd;
}
}
void SetClockNT(int freq)
{ //NT下的操作
//这里使用了NT Port库
Outport(0x43,0x34); //写入8253控制寄存器,设置写0号定时器
Outport(0x40,freq&0xff); //写定时值低位
Outport(0x40,(freq>>8)&0xff); //写定时值高位
}
void SetClock9x(int freq)
{
union Function_Pointer
{
void (*pointer)();
char bytes[sizeof(void *)];
}OldIntAddress,NewIntAddress;
int IDTAddress; //IDT表基地址
int IDTItemAddress; //要修改的中断门所在地址
char *Pointer; //要修改的中断门所在地址,指针形式
__asm
{
push eax
sidt [esp-2]
pop eax
mov IDTAddress,eax //得到IDT表基地址
}
IDTItemAddress=FREE_INT_NO*8+IDTAddress;
Pointer=(char *)IDTItemAddress;
NewIntAddress.pointer=Ring0;
OldIntAddress.bytes[0]=Pointer[0];
OldIntAddress.bytes[1]=Pointer[1];
OldIntAddress.bytes[2]=Pointer[6];
OldIntAddress.bytes[3]=Pointer[7]; //保存旧的中断门
Pointer[0]=NewIntAddress.bytes[0];
Pointer[1]=NewIntAddress.bytes[1];
Pointer[6]=NewIntAddress.bytes[2];
Pointer[7]=NewIntAddress.bytes[3]; //设置新的中断门
__asm
{
mov ebx,freq
int FREE_INT_NO //产生中断,进入ring0
}
Pointer[0]=OldIntAddress.bytes[0];
Pointer[1]=OldIntAddress.bytes[1];
Pointer[6]=OldIntAddress.bytes[2];
Pointer[7]=OldIntAddress.bytes[3]; //恢复旧的中断门
}
抄来的,试试吧,如果有用,请写信给我
// Function1 : SetClock9x(int)
// Function2 : SetClockNT(int)
// Chu Rui 2001.3.1
#include "stdafx.h"
#include "ntport.h"
#define FREE_INT_NO 5
void Ring0()
{ //在Windows9x下进入ring0后进行的操作
__asm
{
cli
mov al,34h
out 43h,al //写入8253控制寄存器,设置写0号定时器
mov ax,bx
out 40h,al //写定时值低位
mov al,ah
out 40h,al //写定时值高位
sti
iretd;
}
}
void SetClockNT(int freq)
{ //NT下的操作
//这里使用了NT Port库
Outport(0x43,0x34); //写入8253控制寄存器,设置写0号定时器
Outport(0x40,freq&0xff); //写定时值低位
Outport(0x40,(freq>>8)&0xff); //写定时值高位
}
void SetClock9x(int freq)
{
union Function_Pointer
{
void (*pointer)();
char bytes[sizeof(void *)];
}OldIntAddress,NewIntAddress;
int IDTAddress; //IDT表基地址
int IDTItemAddress; //要修改的中断门所在地址
char *Pointer; //要修改的中断门所在地址,指针形式
__asm
{
push eax
sidt [esp-2]
pop eax
mov IDTAddress,eax //得到IDT表基地址
}
IDTItemAddress=FREE_INT_NO*8+IDTAddress;
Pointer=(char *)IDTItemAddress;
NewIntAddress.pointer=Ring0;
OldIntAddress.bytes[0]=Pointer[0];
OldIntAddress.bytes[1]=Pointer[1];
OldIntAddress.bytes[2]=Pointer[6];
OldIntAddress.bytes[3]=Pointer[7]; //保存旧的中断门
Pointer[0]=NewIntAddress.bytes[0];
Pointer[1]=NewIntAddress.bytes[1];
Pointer[6]=NewIntAddress.bytes[2];
Pointer[7]=NewIntAddress.bytes[3]; //设置新的中断门
__asm
{
mov ebx,freq
int FREE_INT_NO //产生中断,进入ring0
}
Pointer[0]=OldIntAddress.bytes[0];
Pointer[1]=OldIntAddress.bytes[1];
Pointer[6]=OldIntAddress.bytes[2];
Pointer[7]=OldIntAddress.bytes[3]; //恢复旧的中断门
}
抄来的,试试吧,如果有用,请写信给我
M
manfeel
Unregistered / Unconfirmed
GUEST, unregistred user!
[red]兄弟,你的运气太好了!我一直在研究这个问题。
我现在能做到在所有的操作系统(包括XP)下获得Ring0特权。
看看下面完整的代码先,觉得好一定要给分呀
如果想要在其它操作系统下实现的代码,可以给我来个Mailto:mingtao@sina.com[/red]
[blue]//------- 在Win9X下实现硬盘写保护 -----------[/blue]
program nuke; //Programmed by Manfeel ! 转载请注明作者及出处!
uses
windows,sysutils;
const
MyIntNum=$9;
type
IFS_CallBack=function(pfn
ointer; fn, Drive, ResType,CodePage, pir:Integer):Longword;cdecl;
var
_IDTR,SavedGate:Int64;
MyGate:array[0..3] of word=(0,$28,$ee00,0);
origin_ifs_hook:array[0..12] of byte=
($55,$8B,$EC,$FF,$75,$1C,$FF,$55,$08,$8B,$E5,$5D,$C3);
//0028:C013FC7A 55 PUSH EBP
//0028:C013FC7B 8BEC MOV EBP,ESP
//0028:C013FC7D FF751C PUSH DWORD PTR [EBP+1C]
//0028:C013FC80 FF5508 CALL [EBP+08]
//0028:C013FC83 8BE5 MOV ESP,EBP
//0028:C013FC85 5D POP EBP
//0028:C013FC86 C3 RET
PrevHook:IFS_CallBack;
Success:Integer;
function MyIfsHook(pfnointer; fn, Drive, ResType,CodePage, pir:Integer):Longword;cdecl;
begin
if((fn=31{IFSFN_DELETE}) or (fn=37{IFSFN_RENAME})) then
Result:=1 //返回系统已经处理的假相
else
Result:=PrevHook(pfn, fn, Drive, ResType, CodePage, pir);
end;
procedure Ring0proc;stdcall;
begin
asm
pushad
push $0000000F //Flags = PAGEUSEALIGN
push 0 //phym Address
push $0000000F //Max Address
push $00000000 //Min Address
push $00000000 //AlignMask , Physical address is a multiple of 4K
push $00000000 //hVm = 0 Access to all VM
push $00000001 //type = PG_SYS
push $00000001 //just 1 page
int $20 //VxDCall
dd $00010053 //Call ID _PageAllocate
add esp,32 //-------------------------Manfeel
or eax,eax
mov Success,eax
jz @@quit
mov ecx,1000 //我不知道我的代码有多少字节,但1000肯定足够了:-(
mov edx,offset MyIfsHook
mov edi,eax
@@trans:
cmp word ptr [edx],$15ff //Delphi不支持 Call [address],只好写机器码 opc: FF 15
jnz @@goon
mov dword ptr [edi],$15ff
mov dword ptr [edi+2],1000
add [edi+2],eax
add edi,6
add edx,6
@@goon:
mov bl,[edx]
mov [edi],bl
inc edx
inc edi
loopnz @@trans
push eax
int $20
dd $00400067 //VxDCall : IFSMGR_InstallFileSystemApiHook
pop eax
add eax,1004
mov dword ptr [eax-4],eax
mov edi,eax
mov esi,offset origin_ifs_hook
mov ecx,13
rep movsb
@@quit:
popad
iretd
end;
end;
begin
asm
pushad
mov eax,OFFSET Ring0proc //注意:@在Inline Asm中有特殊含义,
// 只能用OFFSET来取得偏移地址
mov [offset MyGate],ax //必须要用offset,下同
shr eax,16
mov [offset MyGate+6],ax
sidt [offset _IDTR]
mov ebx,dword ptr [offset _IDTR+2]
add ebx,8*MyIntNum
mov edi,offset SavedGate
mov esi,ebx
movsd
movsd
mov edi,ebx
mov esi,offset MyGate
movsd
movsd
int MyIntNum
mov edi,ebx
mov esi,offset SavedGate
movsd
movsd
popad
end;
if (Success=0) then
MessageBoxA(0,PChar('Installed FAILED!!!'),
PChar('Install My IFS Hook!'),MB_OK)
else
MessageBoxA(0,PChar('Installed Successfully!!!'),
PChar('Install My IFS Hook!'),MB_OK);
end.
我现在能做到在所有的操作系统(包括XP)下获得Ring0特权。
看看下面完整的代码先,觉得好一定要给分呀
如果想要在其它操作系统下实现的代码,可以给我来个Mailto:mingtao@sina.com[/red]
[blue]//------- 在Win9X下实现硬盘写保护 -----------[/blue]
program nuke; //Programmed by Manfeel ! 转载请注明作者及出处!
uses
windows,sysutils;
const
MyIntNum=$9;
type
IFS_CallBack=function(pfn
ointer; fn, Drive, ResType,CodePage, pir:Integer):Longword;cdecl;var
_IDTR,SavedGate:Int64;
MyGate:array[0..3] of word=(0,$28,$ee00,0);
origin_ifs_hook:array[0..12] of byte=
($55,$8B,$EC,$FF,$75,$1C,$FF,$55,$08,$8B,$E5,$5D,$C3);
//0028:C013FC7A 55 PUSH EBP
//0028:C013FC7B 8BEC MOV EBP,ESP
//0028:C013FC7D FF751C PUSH DWORD PTR [EBP+1C]
//0028:C013FC80 FF5508 CALL [EBP+08]
//0028:C013FC83 8BE5 MOV ESP,EBP
//0028:C013FC85 5D POP EBP
//0028:C013FC86 C3 RET
PrevHook:IFS_CallBack;
Success:Integer;
function MyIfsHook(pfn
ointer; fn, Drive, ResType,CodePage, pir:Integer):Longword;cdecl;begin
if((fn=31{IFSFN_DELETE}) or (fn=37{IFSFN_RENAME})) then
Result:=1 //返回系统已经处理的假相
else
Result:=PrevHook(pfn, fn, Drive, ResType, CodePage, pir);
end;
procedure Ring0proc;stdcall;
begin
asm
pushad
push $0000000F //Flags = PAGEUSEALIGN
push 0 //phym Address
push $0000000F //Max Address
push $00000000 //Min Address
push $00000000 //AlignMask , Physical address is a multiple of 4K
push $00000000 //hVm = 0 Access to all VM
push $00000001 //type = PG_SYS
push $00000001 //just 1 page
int $20 //VxDCall
dd $00010053 //Call ID _PageAllocate
add esp,32 //-------------------------Manfeel
or eax,eax
mov Success,eax
jz @@quit
mov ecx,1000 //我不知道我的代码有多少字节,但1000肯定足够了:-(
mov edx,offset MyIfsHook
mov edi,eax
@@trans:
cmp word ptr [edx],$15ff //Delphi不支持 Call [address],只好写机器码 opc: FF 15
jnz @@goon
mov dword ptr [edi],$15ff
mov dword ptr [edi+2],1000
add [edi+2],eax
add edi,6
add edx,6
@@goon:
mov bl,[edx]
mov [edi],bl
inc edx
inc edi
loopnz @@trans
push eax
int $20
dd $00400067 //VxDCall : IFSMGR_InstallFileSystemApiHook
pop eax
add eax,1004
mov dword ptr [eax-4],eax
mov edi,eax
mov esi,offset origin_ifs_hook
mov ecx,13
rep movsb
@@quit:
popad
iretd
end;
end;
begin
asm
pushad
mov eax,OFFSET Ring0proc //注意:@在Inline Asm中有特殊含义,
// 只能用OFFSET来取得偏移地址
mov [offset MyGate],ax //必须要用offset,下同
shr eax,16
mov [offset MyGate+6],ax
sidt [offset _IDTR]
mov ebx,dword ptr [offset _IDTR+2]
add ebx,8*MyIntNum
mov edi,offset SavedGate
mov esi,ebx
movsd
movsd
mov edi,ebx
mov esi,offset MyGate
movsd
movsd
int MyIntNum
mov edi,ebx
mov esi,offset SavedGate
movsd
movsd
popad
end;
if (Success=0) then
MessageBoxA(0,PChar('Installed FAILED!!!'),
PChar('Install My IFS Hook!'),MB_OK)
else
MessageBoxA(0,PChar('Installed Successfully!!!'),
PChar('Install My IFS Hook!'),MB_OK);
end.
浮
浮生
Unregistered / Unconfirmed
GUEST, unregistred user!
多人接受答案了。