Protected Mode (3): Interrupt Gates and Trap Gates
Interrupt gates and trap gates live in the IDT. Dump the IDT with WinDbg:
kd> dq idtr L40h
8003f400 80538e00`0008f19c 80538e00`0008f314
8003f410 00008500`0058113e 8053ee00`0008f6e4
8003f420 8053ee00`0008f864 80538e00`0008f9c0
8003f430 80538e00`0008fb34 80548e00`0008019c
8003f440 00008500`00501198 80548e00`000805c0
8003f450 80548e00`000806e0 80548e00`00080820
8003f460 80548e00`00080a7c 80548e00`00080d60
8003f470 80548e00`00081450 80548e00`00081780
8003f480 80548e00`000818a0 80548e00`000819d8
8003f490 80548500`00a01780 80548e00`00081b40
8003f4a0 80548e00`00081780 80548e00`00081780
8003f4b0 80548e00`00081780 80548e00`00081780
8003f4c0 80548e00`00081780 80548e00`00081780
8003f4d0 80548e00`00081780 80548e00`00081780
8003f4e0 80548e00`00081780 80548e00`00081780
8003f4f0 80548e00`00081780 806d8e00`00082fd0
8003f500 00000000`00080000 00000000`00080000
8003f510 00000000`00080000 00000000`00080000
8003f520 00000000`00080000 00000000`00080000
8003f530 00000000`00080000 00000000`00080000
8003f540 00000000`00080000 00000000`00080000
8003f550 8053ee00`0008e9de 8053ee00`0008eae0
8003f560 8053ee00`0008ec80 8053ee00`0008f5c0
8003f570 8053ee00`0008e481 80548e00`00081780
8003f580 80538e00`0008db40 80538e00`0008db4a
8003f590 80538e00`0008db54 80538e00`0008db5e
8003f5a0 80538e00`0008db68 80538e00`0008db72
8003f5b0 80538e00`0008db7c 806d8e00`00082728
8003f5c0 80538e00`0008db90 80538e00`0008db9a
8003f5d0 80538e00`0008dba4 80538e00`0008dbae
8003f5e0 80538e00`0008dbb8 806d8e00`00083b70
8003f5f0 80538e00`0008dbcc 80538e00`0008dbd6
An interrupt gate has the same basic structure as a call gate, but its Type field is 1110; a trap gate's Type field is 1111.
Interrupt gate privilege escalation experiment
Construct the interrupt gate descriptor 0040ee00`00081020
#include "stdafx.h"
#include <stdio.h>

// Test is linked at 0x00401020, the offset the gate descriptor above points to.
// Once control arrives through the gate it runs in ring 0, so it can read kernel memory.
unsigned __int32 X;

void __declspec(naked) Test()
{
    __asm {
        mov eax, dword ptr ds:[0x8003f500]  // read a kernel address (a slot inside the IDT)
        mov X, eax                          // pass the value back to ring 3 through the global
        iretd                               // return through the interrupt frame to ring 3
    }
}

int main(int argc, char* argv[])
{
    __asm {
        int 0x20        // go through the gate installed at vector 0x20
    }
    printf("%x", X);    // prints the dword read from kernel space
    getchar();
    return 0;
}
A trap gate is almost identical to an interrupt gate; the difference is that passing through an interrupt gate clears the IF flag, while a trap gate leaves it unchanged.
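To make the descriptor layout and the Type distinction concrete, here is an added example (not code from the original post) that decodes IDT entries straight out of the WinDbg `dq` format shown above, tells interrupt gates (Type 0xE, clears IF) from trap gates (Type 0xF) and task gates (Type 0x5), and flags exactly the shape of gate the experiment builds: a present gate with DPL 3 whose handler offset lies in user space. The sample dump lines are constructed from the post's output, with the hand-built gate 0040ee00`00081020 placed in vector 0x20's slot (the vector the program issues); the 0x80000000 user/kernel split is an assumption (32-bit Windows, default 2 GB / 2 GB layout).

```python
"""Decode 32-bit IDT gate descriptors from WinDbg `dq idtr` output.

Added example, not code from the original post. The user/kernel boundary
below is an assumption for the 32-bit Windows layout seen in the dump.
"""
from dataclasses import dataclass
from typing import List

GATE_TYPES = {
    0x5: "task gate",
    0xE: "32-bit interrupt gate",
    0xF: "32-bit trap gate",
}

KERNEL_BASE = 0x80000000  # assumption: user-mode addresses lie below this


@dataclass
class Gate:
    vector: int
    present: bool
    dpl: int
    gate_type: int
    selector: int
    offset: int

    @property
    def type_name(self) -> str:
        return GATE_TYPES.get(self.gate_type, f"type {self.gate_type:#x}")

    def clears_if(self) -> bool:
        # Only interrupt gates clear IF on entry; trap gates leave it as is.
        return self.gate_type == 0xE


def decode_gate(vector: int, qword: int) -> Gate:
    """Split one 8-byte descriptor into its fields.

    Low dword : bits 0-15 offset[15:0], bits 16-31 code segment selector.
    High dword: bits 8-15 access byte (P | DPL | S=0 | Type), bits 16-31 offset[31:16].
    """
    lo = qword & 0xFFFFFFFF
    hi = qword >> 32
    access = (hi >> 8) & 0xFF
    return Gate(
        vector=vector,
        present=bool(access & 0x80),
        dpl=(access >> 5) & 0x3,
        gate_type=access & 0xF,
        selector=(lo >> 16) & 0xFFFF,
        offset=(hi & 0xFFFF0000) | (lo & 0xFFFF),
    )


def parse_dq_dump(text: str, idt_base: int) -> List[Gate]:
    """Parse `dq` lines of the form `addr hi`lo hi`lo`; vector = (addr - base) / 8."""
    gates = []
    for line in text.strip().splitlines():
        parts = line.split()
        addr = int(parts[0], 16)
        for i, tok in enumerate(parts[1:]):
            hi, lo = tok.split("`")
            qword = (int(hi, 16) << 32) | int(lo, 16)
            gates.append(decode_gate((addr - idt_base) // 8 + i, qword))
    return gates


def suspicious_gates(gates: List[Gate]) -> List[Gate]:
    """Present interrupt/trap gates callable from ring 3 (DPL 3) whose handler
    sits in user space: a ring-0 entry point controlled by user-mode code."""
    return [
        g for g in gates
        if g.present and g.gate_type in (0xE, 0xF)
        and g.dpl == 3 and g.offset < KERNEL_BASE
    ]


# Constructed from the post's dump: vectors 0-3 and the slots at 8003f500,
# with the post's gate 0040ee00`00081020 written into vector 0x20.
SAMPLE_DUMP = """
8003f400 80538e00`0008f19c 80538e00`0008f314
8003f410 00008500`0058113e 8053ee00`0008f6e4
8003f500 0040ee00`00081020 00000000`00080000
"""

if __name__ == "__main__":
    for g in parse_dq_dump(SAMPLE_DUMP, 0x8003F400):
        print(f"vector {g.vector:#04x}: P={int(g.present)} DPL={g.dpl} "
              f"{g.type_name} sel={g.selector:#06x} offset={g.offset:#010x}")
    for g in suspicious_gates(parse_dq_dump(SAMPLE_DUMP, 0x8003F400)):
        print(f"flagged vector {g.vector:#04x}: DPL 3 gate into user space")
```

Note that vector 3 in the real dump is also a DPL 3 interrupt gate (access byte 0xee), which is normal: `int 3` must be reachable from ring 3, but its handler offset 8053f6e4 is in kernel space, so the check does not flag it. What makes the experiment's gate stand out is the combination of DPL 3, selector 0008 (ring 0 code) and a handler at 00401020 in the user image.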