扫一扫微信二维码
扫一扫微信二维码
Kmdkit推荐的方法是把汇编源程序写成批处理bat文件,以天杀的ring0.sys为例
把下面的代码存成ring0.bat
;@echo off
;goto make
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.586P;保护模式
.modelflat,stdcall
optioncasemap:none
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
includemasm32includew2k tddk.inc
;中断相关数据结构
IDT_REGSTRUCT
limitWORD?
baseDWORD?
IDT_REGENDS
;中断描述符
INT_DESCRIPTORSTRUCT
offs0_15WORD?
selWORD?
paramcntBYTE?
attrsBYTE?
offs16_31WORD?
INT_DESCRIPTORENDS
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;代码段
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.code
szBufferdb16dup(0)
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
MyIntFuncproc
pushedx
calleax
iretd
MyIntFuncendp
;====================================================================
AddMyIntprocusesedi
local@IDT
sidtszBuffer
movedi,(IDT_REGptr[szBuffer]).base
addedi,21h*8
;使用Int21中断,该中断在Win2k下没有使用
;cli
moveax,offsetMyIntFunc
mov[edi],ax
shreax,16
mov[edi+6],ax;设置入口地址
mov[edi+2],cs;设置段地址
;设置Ring3可以访问
movWORDptr[edi+4],0EE00h
;sti
ret
AddMyIntendp
;====================================================================
WdmUnloadprocDriverObject:DWORD
local@IDT
sidtszBuffer
movedi,(IDT_REGptr[szBuffer]).base
addedi,21h*8
xoreax,eax
mov[edi],ax
mov[edi+6],ax;设置入口地址
mov[edi+2],ax;设置段地址
movWORDptr[edi+4],ax
ret
WdmUnloadendp
;====================================================================
DriverEntryprocDriverObj:DWORD,RegistryPath:DWORD
moveax,DriverObj
assumeeax:ptrDRIVER_OBJECT
mov[eax].DriverUnload,offsetWdmUnload
assumeeax:nothing
invokeAddMyInt
xoreax,eax
ret
DriverEntryendp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
建站咨询热线
029-33273980