Please look at this first:(win95/98) ****************************************************** .386P LOCALS JUMPS .MODEL FLAT, STDCALL ; with STDCALL we must reverse the sequence of pushes ; before a APIn call. UNICODE = 0 ; Needed for INCLUDE ; Windows definitions, messages, errors, structures, ; API functions declarations. Some additions of mine. ; Thanks to Barry Kauler and Sven Schreiber. lp EQU OFFSET extrn SetUnhandledExceptionFilter : PROC .DATA skod db 0 lpOldGate dd 0 IDT db 6 dup (0) ;---- Error Messages szExceptionCaused db "Exception Caused - could not switch to ring 0",0 szError db "Error",0 ExceptionUsed EQU 5 .CODE start: call SetUnhandledExceptionFilter, lp ExceptCallBack ; Catch exceptions ; (security if ring transform ; doesn't work) sidt fword ptr IDT ; fetch IDT register mov ebx, dword ptr ; ebx -> IDT add ebx, 8*ExceptionUsed ; Ebx -> IDT entry of ExceptionUsed cli ; Clear interupts mov dx, word ptr ; Save the current gate highword shl edx, 16d mov dx, word ptr ; lowword mov , edx mov eax, offset Ring0Code ; "install hook" - that is newgate mov word ptr , ax ; lowword shr eax, 16d mov word ptr , ax ; highword int ExceptionUsed ; cause exception mov ebx, dword ptr ; restore gate add ebx, 8*ExceptionUsed mov edx, mov word ptr , dx shr edx, 16d mov word ptr , dx CALL ExitProcess, -1 ; exit Ring0Code PROC mov eax, cr0 ; Ring0 code here.. iretd Ring0Code ENDP ExceptCallBack PROC call MessageBoxA, 0, lp szError, lp szExceptionCaused, 0 call ExitProcess, -1 ret ExceptCallBack ENDP ends end start ********************************************** my question: the program has changed offset of interupt gate only,but it hasn't changed segment address. why???is right???
Posted on 2001-04-30 07:28:00 by snowedge
If you want to execute anything in ring0, I suggest looking at writing a VxD, as that is much more appriotate. That method doesn't work under WinNT, and probably wont work under future versions of windows.
Posted on 2001-05-02 01:43:00 by because