Hand-written call gate

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <iostream>
#include <Windows.h>

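/*
 * Image of the GDTR as stored by SGDT (in GetRegister): the register is 6
 * bytes, bytes 0-1 = limit (size of the table), bytes 2-5 = 32-bit base
 * (start address). The 7th byte stays zero; presumably it is there so the
 * buffer is NUL-terminated when main prints it as text -- verify against main.
 */
char GDT[7] = {0};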
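/*
 * Target code of the call gate. Never call this directly from C: it is
 * entered by a far CALL through the gate, so it must leave with RETF (a far
 * return), and it is declared naked so the compiler emits no prologue or
 * epilogue that would disturb the far-call frame.
 * Side effect: stores the GDTR (limit:16, base:32) into the global GDT.
 */
void __declspec(naked) GetRegister()
{
	__asm
	{
		// NOTE(review): SGDT is not itself privileged on x86 (it executes from
		// ring 3 unless CR4.UMIP is set), so a filled GDT does not by itself
		// prove the gate reached ring 0; it only shows this code ran.
		sgdt GDT
		// Far return: undo the far CALL that came in through the gate.
		retf
	}
}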

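/*
 * Builds the two pieces the experiment needs and then exercises the gate:
 *  1. the 48-bit far-pointer operand for CALL FWORD PTR (selector 0x4b),
 *  2. the 8-byte 32-bit call-gate descriptor that points at GetRegister,
 *     printed as text so it can be written into GDT entry 9 while the
 *     program is paused.
 * After the far call it prints the GDTR that GetRegister captured.
 * Returns 0.
 */
int main()
{
	/* 32-bit linear address the gate must point at. */
	DWORD fun = (DWORD)(ULONG_PTR)GetRegister;
	printf("%08lx\n", fun);

	/*
	 * Far-pointer operand for CALL FWORD PTR: bytes 0-3 = offset, bytes 4-5 =
	 * selector. When the selector names a call gate the offset is ignored
	 * (the gate supplies the real target), so any value works there.
	 */
	char buff[6] = {0};
	DWORD offset = 0x12345678;   /* discarded by the gate */
	WORD selector = 0x4b;        /* 1001 0 11b: index 9, TI = 0 (GDT), RPL = 3 */
	memcpy(buff, &offset, sizeof offset);
	/* A WORD store: the original DWORD store wrote 2 bytes past the end of buff. */
	memcpy(buff + 4, &selector, sizeof selector);

	/* Function address as 8 hex digits; the high and low halves are split below. */
	char szFunAddress[9] = {0};
	sprintf_s(szFunAddress, sizeof szFunAddress, "%08lx", fun);

	/*
	 * 32-bit call-gate descriptor, shown as "HIGH LOW" (two dwords):
	 *   HIGH = offset[31:16] : P=1 DPL=3 S=0 Type=0xC (32-bit call gate) 000 param=0
	 *        = xxxx EC00   (1110 1100 0000 0000b)
	 *   LOW  = selector 0x0008 (GDT index 1, TI = 0, RPL = 0) : offset[15:0]
	 *        = 0008 xxxx
	 * The descriptor is assembled with one format call so the two dwords are
	 * separated by a space; the original memcpy chain dropped the separator
	 * and left a NUL at index 8, which truncated the printed value.
	 */
	char szCallDoor[18] = {0};
	sprintf_s(szCallDoor, sizeof szCallDoor, "%.4sEC00 0008%.4s",
	          szFunAddress, szFunAddress + 4);

	printf("copy value: [%s] to GDT[9]\n", szCallDoor);
	system("PAUSE");

	/* Far call through the gate; control comes back via the RETF in GetRegister. */
	__asm
	{
		call fword ptr ds:[buff]
	}

	/*
	 * GDT holds raw GDTR bytes (limit then base), not text; printing it with
	 * %s stops at the first zero byte, so decode the two fields instead.
	 */
	WORD limit = 0;
	DWORD base = 0;
	memcpy(&limit, GDT, sizeof limit);
	memcpy(&base, GDT + 2, sizeof base);
	printf("GDT base=%08lx limit=%04hx\n", base, limit);
	system("PAUSE");
	return 0;
}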

image.png

image.png

I do not know why, but the program always errors when it runs. Debugging on x64 showed the call gate running and accessing the address and size of the GDT.

image.png


Origin blog.51cto.com/14317856/2411263