NT/2000下不用驱动的Ring0代码实现

80137530 33c0 xor eax,eax
80137532 5e pop esi
80137533 c20400 ret 0x4

从这段汇编代码可看出假如线性地址在0x80000000和0xa0000000范围内，只是简单的进行移位操作(位于801374ff-80137519指令间)，并未查页表。我想Microsoft这样安排肯定是出于执行效率的考虑。这也为我们指明了一线曙光，因为GDT表在Windows NT/2000中一般情况下均位于这个区域(我不知道/3GB开关的Windows NT/2000是不是这种情况)。

经过这样的分析，我们就能够只通过用户态程式修改GDT表了。而增加一个CallGate就不是我能够介绍的了，找本Intel手册自己看一看了。具体实现代码如下：

typedef struct gdtr {
short Limit;
short BaseLow;
short BaseHigh;
} Gdtr_t, *PGdtr_t;

ULONG MiniMmGetPhysicalAddress(ULONG virtualaddress)
{
if(virtualaddress<0x80000000||virtualaddress>=0xA0000000)
return 0;
return virtualaddress&0x1FFFF000;
}

BOOL ExecRing0Proc(ULONG Entry,ULONG seglen)
{
Gdtr_t gdt;
__asm sgdt gdt;

ULONG mapAddr=MiniMmGetPhysicalAddress(gdt.BaseHigh<<16U|gdt.BaseLow);
if(!mapAddr) return 0;

HANDLE hSection=NULL;
NTSTATUS status;
OBJECT_ATTRIBUTES objectAttributes;
UNICODE_STRING objName;
CALLGATE_DESCRIPTOR *cg;

status = STATUS_SUCCESS;

RtlInitUnicodeString(&objName,L"\\Device\\PhysicalMemory");

InitializeObjectAttributes(&objectAttributes,
&objName,
OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
NULL,
(PSECURITY_DESCRIPTOR) NULL);

status = ZwOpenSection(&hSection,SECTION_MAP_READ|SECTION_MAP_WRITE,
&objectAttributes);

if(status == STATUS_ACCESS_DENIED){
status = ZwOpenSection(&hSection,READ_CONTROL|WRITE_DAC
　　　　　　　　　　　,&objectAttributes);
SetPhyscialMemorySectionCanBeWrited(hSection);
ZwClose(hSection);
status =ZwOpenSection(&hSection,SECTION_MAP_WRITE|SECTION_MAP_WRITE,
　　　　　　　　&objectAttributes);
}

if(status != STATUS_SUCCESS)
{
printf("Error Open PhysicalMemory Section Object,Status:X\n",status);
return 0;
}

PVOID BaseAddress;

BaseAddress=MapViewOfFile(hSection,
FILE_MAP_READ|FILE_MAP_WRITE,
0,
mapAddr, //low part
(gdt.Limit 1));

if(!BaseAddress)
{
printf("Error MapViewOfFile:");
PrintWin32Error(GetLastError());
return 0;
}

BOOL setcg=FALSE;

for(cg=(CALLGATE_DESCRIPTOR *)((ULONG)BaseAddress (gdt.Limit&0xFFF8));
　　　　　　　　　　　　　　(ULONG)cg>(ULONG)BaseAddress;cg--)
if(cg->type == 0){
cg->offset_0_15 = LOWORD(Entry);
cg->selector = 8;
cg->param_count = 0;
cg->some_bits = 0;
cg->type = 0xC; // 386 call gate
cg->app_system = 0; // A system descriptor
cg->dpl = 3; // Ring 3 code can call
cg->present = 1;
cg->offset_16_31 = HIWORD(Entry);
setcg=TRUE;
break;
}

if(!setcg){
ZwClose(hSection);
return 0;
}

short farcall[3];

farcall[2]=((short)((ULONG)cg-(ULONG)BaseAddress))|3; //Ring 3 callgate;

if(!VirtualLock((PVOID)Entry,seglen))
{
printf("Error VirtualLock:");
PrintWin32Error(GetLastError());
return 0;
}

SetThreadPriority(GetCurrentThread(),THREAD_PRIORITY_TIME_CRITICAL);

Sleep(0);

_asm call fword ptr [farcall]

SetThreadPriority(GetCurrentThread(),THREAD_PRIORITY_NORMAL);

VirtualUnlock((PVOID)Entry,seglen);

//Clear callgate
*(ULONG *)cg=0;
*((ULONG *)cg 1)=0;

ZwClose(hSection);
return TRUE;

}

我在提供的代码中演示了对Control Register和I/O端口的操作。CIH病毒在Windows 9X中就是因为获得Ring 0权限才有了一定的危害，但Windows NT/2000毕竟不是Windows 9X，她已有了比较多的安全审核机制，本文提供的代码也需要具备Administrator权限，但假如系统存在某种漏洞，如缓冲区溢出等等，还是有可能获得这种权限的，所以我不对本文提供的方法负有任何的责任，任何讨论只是个技术热爱者在讨论技术而已。谢谢！