调用门提权

//他妈的,调试蓝屏了几十次
//解决错误 IRQL_XXXX 蓝屏
//程序进Ring0后应该用KeRaiseIrqlToDpcLevel()提升中断请求级别至DpcLevel，退出Ring0前调用KeLowerIrql()降权

#include "stdafx.h"
#include <Windows.h>
#include <stdio.h>
#include <string.h>

// Only ever written by the commented-out `mov dwBuffer,ebx` in CallGate2, so it
// stays 0 and PrintRes prints dwBuffer=0 unless that line is re-enabled.
DWORD dwBuffer = 0;
// Destination of the `sgdt` in CallGate2: bytes 0-1 receive the GDT limit and
// bytes 2-5 the GDT linear base, which is how PrintRes reads it back.
BYTE GDT[6] = {0};

//eq gdtr+8*9 0040ec00`00081020
// First call-gate target. The `eq gdtr+8*9 0040ec00`00081020` line above is the
// kernel-debugger write that installs the gate at GDT index 9; decoded as a
// 32-bit call-gate descriptor it is: selector 0008, target offset 0x00401020
// (0x0040 high / 0x1020 low), P=1, DPL=3, type 0xC, 0 parameters. DPL 3 is
// what lets a far call from ring 3 arrive here at CPL 0.
// Naked: no compiler prologue/epilogue, because control arrives through a far
// call and must leave with `retf` (restores CS:EIP and SS:ESP of the ring-3
// caller), not a near `ret`.
// `int 3` at CPL 0 stops in the attached kernel debugger; with no debugger
// attached this is a kernel-mode breakpoint exception — presumably a bugcheck,
// not verified here.
void __declspec(naked) CallGate1()
{
_asm
{
int 3
retf
}
}

//eq gdtr+8*9 0040ec00`00081020
//eq gdtr+8*9 0040ec00`0008d4a0
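// Second call-gate target. The two `eq gdtr+8*9` lines above show the index-9
// gate being rewritten to point at this routine's offset (0x0040d4a0 in the
// second write); selector 0008, DPL 3 and the 32-bit call-gate type are the
// same as for CallGate1.
// Runs at CPL 0 on the kernel stack and stores the GDTR into the global GDT[]
// so PrintRes can display it.
// Fix: restores must mirror the saves in reverse order. The original did
// `popad` then `popfd` after `pushad; pushfd`, so `popad` consumed the saved
// EFLAGS and `popfd` then loaded the saved EAX value into EFLAGS. At CPL 0
// that can clear IF or change IOPL/TF, and the corrupted flags leak into
// ring 3 through `retf` (main's own `popfd` at CPL 3 cannot restore IF). This
// is a plausible contributor to the bugchecks noted above — not verified.
// Note: `sgdt` is not a privileged instruction unless CR4.UMIP is set, so the
// stored GDTR alone does not demonstrate CPL 0; the far call returning cleanly
// through the DPL-3 gate is the actual evidence.
void __declspec(naked) CallGate2()
{
	_asm
	{
		//int 3
		pushad
		pushfd

		//mov dwBuffer,ebx
		//mov eax,0x8003f00c
		//mov ebx,[eax]

		sgdt GDT

		popfd
		popad
		retf
	}
}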

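// Prints dwBuffer and the GDTR captured by CallGate2 (base from GDT[2..5],
// limit from GDT[0..1]).
// Fix: the BYTE array is now read with memcpy instead of `*(DWORD*)&GDT[2]` /
// `*(WORD*)GDT` — reading a char array through a wider lvalue is an aliasing
// violation and &GDT[2] is not 4-byte aligned. DWORD is `unsigned long` on
// Windows, so `%lx` is the matching conversion; the printed text is unchanged.
void PrintRes(void)
{
	DWORD gdtBase = 0;
	WORD gdtLimit = 0;

	memcpy(&gdtBase, &GDT[2], sizeof gdtBase);
	memcpy(&gdtLimit, &GDT[0], sizeof gdtLimit);

	printf("dwBuffer=%lx\n", dwBuffer);
	// WORD promotes to int, for which %x is the conventional specifier.
	printf("GDTR=%lx\tGDTL=%x\n", gdtBase, gdtLimit);
}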

// Performs the far call through the call gate installed at GDT index 9 (see
// the `eq gdtr+8*9` lines above), then prints what the gate routine captured.
// This only works because a DPL-3 call gate was written into the GDT from the
// kernel debugger beforehand; a stock GDT has no such descriptor and the far
// call would fault. From the detection side, an unexpected DPL-3 gate
// descriptor in the GDT is itself the indicator of this technique.
int main()
{
	// 6-byte far pointer for `call fword ptr`: offset 0x12345678 in bytes 0-3
	// (ignored — a call gate supplies its own target offset) and selector
	// 0x0048 in bytes 4-5 (GDT index 9, TI=0, RPL=0). Written byte-wise in
	// little-endian order; the inline asm already makes this x86-only.
	BYTE buffer[6] = { 0x78, 0x56, 0x34, 0x12, 0x48, 0x00 };

	// Save/restore all registers and flags around the gate call, in LIFO
	// order, so nothing the gate routine clobbers survives into the rest of
	// main.
	_asm
	{
		pushad
		pushfd
		call fword ptr [buffer]
		popfd
		popad
	}

	PrintRes();
	getchar();  // keep the console open until a key is pressed

	return 0;
}

调用门提权
https://rogxo.github.io/2021/12/10/2021-12-10-调用门提权/
作者
Rogxo
发布于
2021年12月10日
许可协议
CC BY-NC-SA 4.0