1. 调用门（Call Gate）描述符存放在 GDT 中：先在 GDT 里登记一个回调函数（门描述符的目标 CS:EIP），再用远调用 call far 通过该选择子进入，即可从 ring 3 切换到 ring 0 实现提权；权限切换机制与中断门相同。注意：下面是在内核调试器中手工改写 GDT 的实验，门描述符 DPL 必须为 3 用户态才能调用，GDT 地址与 fun 的地址都只对当次启动/本次编译有效。

nt!DbgBreakPointWithStatus+0x4:
83eb2110 cc              int     3
kd> r gdtr
gdtr=80b95000

kd> dq 80b95000 L30
80b95000  00000000`00000000 00cf9b00`0000ffff
80b95010  00cf9300`0000ffff 00cffb00`0000ffff
80b95020  00cff300`0000ffff 80008b1e`400020ab
80b95030  834093f6`2c003748 0040f300`00000fff
80b95040  0000f200`0400ffff 00000000`00000000
80b95050  830089f6`00000068 830089f6`00680068
80b95060  00000000`00000000 00000000`00000000
80b95070  800092b9`500003ff 00000000`00000000
80b95080  00000000`00000000 00000000`00000000
80b95090  00000000`00000000 00000000`00000000
80b950a0  86008961`71c00068 00000000`00000000
80b950b0  00000000`00000000 00000000`00000000
80b950c0  00000000`00000000 00000000`00000000
80b950d0  00000000`00000000 00000000`00000000
80b950e0  00000000`80b95100 00009200`0000ffff
80b950f0  830098e6`f97003b2 00009200`0000ffff
80b95100  00000000`80b95108 00000000`80b95110
80b95110  00000000`80b95118 00000000`80b95120
80b95120  00000000`80b95128 00000000`80b95130
80b95130  00000000`80b95138 00000000`80b95140
80b95140  00000000`80b95148 00000000`80b95150
80b95150  00000000`80b95158 00000000`80b95160
80b95160  00000000`80b95168 00000000`80b95170
80b95170  00000000`80b95178 00000000`80b95180

修改：在 kd 中执行 eq 80b95060 0045ec00`00080850，把 GDT 第 12 项（gdtr + 12*8 = +0x60，对应选择子 0x60/0x63）改写为调用门描述符。低 4 字节 0x00080850 = 目标段选择子 0x0008（GDT 第 1 项，ring 0 平坦代码段）+ 偏移低 16 位 0x0850；高 4 字节 0x0045EC00 = 偏移高 16 位 0x0045 + 属性字节 0xEC（P=1，DPL=3，Type=0xC 即 32 位调用门）+ 参数个数 0。目标地址即 0x00450850，也就是下面 fun 的地址。

kd> dq 80b95000 L30
80b95000  00000000`00000000 00cf9b00`0000ffff
80b95010  00cf9300`0000ffff 00cffb00`0000ffff
80b95020  00cff300`0000ffff 80008b1e`400020ab
80b95030  834093f6`2c003748 0040f300`00000fff
80b95040  0000f200`0400ffff 00000000`00000000
80b95050  830089f6`00000068 830089f6`00680068
80b95060  0045ec00`00080850 00000000`00000000
80b95070  800092b9`500003ff 00000000`00000000
80b95080  00000000`00000000 00000000`00000000
80b95090  00000000`00000000 00000000`00000000
80b950a0  86008961`71c00068 00000000`00000000
80b950b0  00000000`00000000 00000000`00000000
80b950c0  00000000`00000000 00000000`00000000
80b950d0  00000000`00000000 00000000`00000000
80b950e0  00000000`80b95100 00009200`0000ffff
80b950f0  830098e6`f97003b2 00009200`0000ffff
80b95100  00000000`80b95108 00000000`80b95110
80b95110  00000000`80b95118 00000000`80b95120
80b95120  00000000`80b95128 00000000`80b95130
80b95130  00000000`80b95138 00000000`80b95140
80b95140  00000000`80b95148 00000000`80b95150
80b95150  00000000`80b95158 00000000`80b95160
80b95160  00000000`80b95168 00000000`80b95170
80b95170  00000000`80b95178 00000000`80b95180

源码（32 位 MSVC，内联汇编）

#include <stdio.h>
#include <windows.h>
int g_Gdt2 = 0;   // written by fun() while running at ring 0; holds the first 4 bytes of the GDT slot at 0x80b95060 (our gate descriptor)
/*
 * Ring-0 target of the call gate installed at GDT index 12.
 * fun's linked address (0x450850 in this build) is what was encoded into the
 * descriptor's offset field, so the descriptor must be re-patched if the
 * binary is relinked/relocated.  The function is naked: no prologue/epilogue,
 * and it must end with retf (far return), not ret, because it was entered via
 * an inter-privilege far call.
 */
_declspec(naked) void fun()   //450850
{
	__asm
	{
		push eax;
		mov eax, dword ptr ds : [0x80b95060]; // read the GDT slot holding our gate descriptor (kernel memory); works only because CPL is now 0. Address comes from `r gdtr` and differs on another boot/machine.
		mov g_Gdt2, eax;
		pop eax;
		retf;                                 // pops CS:EIP and SS:ESP pushed by the gate call -> back to ring 3 in main()
	}
}
//  kd> eq <gdt_base + 12*8> 00XXec00`0008YYYY   -> 32-bit call gate (P=1, DPL=3, type 0xC, 0 params) to 0008:0x00XXYYYY, i.e. fun's address
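int main()
{
	/*
	 * Far pointer operand for `call fword ptr`: 4-byte offset followed by a
	 * 2-byte selector (little-endian, so the selector sits in bytes 4-5).
	 * For a call-gate transfer the CPU ignores the offset; only the selector
	 * matters.
	 *
	 *   0x0063 = 0000 0000 0110 0 011b
	 *            index = 12 (GDT slot at gdt_base + 0x60), TI = 0 (GDT), RPL = 3
	 */
	char buf[6] = { 0x00, 0x00, 0x00, 0x00, 0x63, 0x00 };

	/*
	 * If the gate descriptor has not been written into GDT slot 12 (or the
	 * selector is wrong), the far call raises #GP before any transfer happens
	 * and the process would just crash; report it instead of dying silently.
	 */
	__try
	{
		__asm
		{
			call fword ptr ds:[buf];	// far call through the gate: CS switches to the gate's target (ring 0), fun() runs, its retf lands here
		}
	}
	__except (EXCEPTION_EXECUTE_HANDLER)
	{
		printf("call gate selector 0x63 is not usable (exception 0x%08lx)\n", (unsigned long)GetExceptionCode());
		system("pause");
		return 1;
	}

	printf("%x\n", (unsigned)g_Gdt2);	// value fun() read from kernel memory
	system("pause");
	return 0;
}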