在64位模式下在CR0寄存器中禁用WP位
我在这里要做的是写入属于ntoskrnl.exe地址空间的仅阅读内核模式代码,但是我的机器不断锁定,所有需要重新启动的东西都冻结了。多亏了《 rootkit Arsenal》一书,我使用的是与它们提供的代码相同的代码来禁用WP位,然后启用WP位。但是,除了一个例外,书中的代码是为32位CPU编写的。因此,这是我尝试修改它以使64位CPU兼容的尝试。我正在使用Visual Studio 2019社区,并且该代码目前针对Windows 8.1 Pro(64位)。我已经编写了下面所示的两个组装程序。
有人可以告诉我代码是否正确,如果不正确,请分享64位体系结构的代码的外观。
DisableWP PROC PUBLIC
CLI
PUSH RBX
MOV RBX, CR0
AND RBX, 0FFFFFFFFFFFEFFFFh
MOV CR0, RBX
POP RBX
RET
DisableWP ENDP
EnableWP PROC PUBLIC
PUSH RBX
MOV RBX, CR0
OR RBX, 0000000000010000h
MOV CR0, RBX
POP RBX
STI
RET
EnableWP ENDP
What I'm trying to do here is write to read-only kernel mode code belonging to the address space of ntoskrnl.exe but my machine keeps locking up and everything freezes which requires a reboot. Thanks to the book Rootkit Arsenal I'm using the same code that they have provided to disable the WP bit and then enable the WP bit. However with a single exception the code in the book is written for 32 bit CPU's . So here is my attempt to modify it in order to make compatible for 64 bit CPU's. I'm using Visual Studio 2019 Community and the code is targeting Windows 8.1 Pro (64 bit) at the moment. I've written two assembly procedures as seen here below.
Can someone tell me if the code is correct and if not please do share what the code should look like for 64 bit architecture.
DisableWP PROC PUBLIC
CLI
PUSH RBX
MOV RBX, CR0
AND RBX, 0FFFFFFFFFFFEFFFFh
MOV CR0, RBX
POP RBX
RET
DisableWP ENDP
EnableWP PROC PUBLIC
PUSH RBX
MOV RBX, CR0
OR RBX, 0000000000010000h
MOV CR0, RBX
POP RBX
STI
RET
EnableWP ENDP
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论