majioa · January 23, 2013 07:11
diff --git a/ring0.asm b/ring0.asm
 ;Как получить привелегию Ring 0
 ;Автор: The GSGR
 ;Иногда это нужно для доступа к портам выше $FF, таких как IDE контроллер и т.д.
 ;--------------------------------------------------

 .386p
 .model    flat
 .radix 16

 Ring_0_CS_32 = 28
 Ring_0_DS_32 = 30

 public CALLRING0PROC

 _TEXT segment dword public use32 'CODE'

 CALLRING0PROC proc  near
    ; Get the LDT's address first
 push ebp
 mov ebp,esp
 sub esp,8
 push edi
 sgdt [ebp-8]
 mov edi,[ebp-6]
 sldt ax
 and ax,0fff8
 movzx eax,ax
 add edi,eax
 mov eax,[edi+2]
 mov [ebp-8],eax
 mov al,[edi+7]
 mov [ebp-5],al ; EBP-8 now contains LDT's address
 mov ax,[edi]
 and al,0f8
 movzx eax,ax
 mov [ebp-4],eax ; EBP-4 contains LDT's Limit
    ; Then allocate a descriptor
    mov edi,[ebp-8]
 Search :cmp dword ptr [edi+eax],0
 jne Search_Next_Desc
 cmp dword ptr [edi+eax+4],0
 je Found_Unused_Desc
 Search_Next_Desc  :
 sub ax,8
 jns Search
 mov eax,0fffffffe ; Return -2 if error
 jmp Done
 Found_Unused_Desc :
 add edi,eax ; EDI contains the Descriptor's address
 add al,7 ; AX contains the selector
    ; Create the call gate
 mov [ebp-4],ax
 mov dword ptr [edi],offset DGROUP:Shell
 mov eax,Ring_0_CS_32+0ec000000
 xchg eax,[edi+2]
 mov [edi+6],ax
    ; Call the gate and transfer to Shell
 call fword ptr [ebp-8]
    ; Free the selector
 mov dword ptr [edi],0
 mov dword ptr [edi+4],0
 Done   :pop edi
 mov esp,ebp
 pop ebp
 ret 4 ; Clean up parameter
 CALLRING0PROC endp

 Shell proc far
 push ds
 push es
 push edi

        MOV ECX,[ESI]
 ADD ESI,4
 push 0f12ff34f
 PUSHARG:
        PUSH DWORD PTR [ESI]
 ADD ESI,4
 LOOP PUSHARG

 mov ax,Ring_0_DS_32
 mov ds,ax
 mov es,ax
 call dword ptr [ebp+8]


 POPARG:
        POP ESI
 CMP ESI,0f12ff34f
 JNE POPARG
 pop edi
 pop es
 pop ds
 ret
 Shell endp

 _TEXT ends

 end
	;Как получить привелегию Ring 0
	;Автор: The GSGR
	;Иногда это нужно для доступа к портам выше $FF, таких как IDE контроллер и т.д.
	;--------------------------------------------------

	.386p
	.model flat
	.radix 16

	Ring_0_CS_32 = 28
	Ring_0_DS_32 = 30

	public CALLRING0PROC

	_TEXT segment dword public use32 'CODE'

	CALLRING0PROC proc near
	; Get the LDT's address first
	push ebp
	mov ebp,esp
	sub esp,8
	push edi
	sgdt [ebp-8]
	mov edi,[ebp-6]
	sldt ax
	and ax,0fff8
	movzx eax,ax
	add edi,eax
	mov eax,[edi+2]
	mov [ebp-8],eax
	mov al,[edi+7]
	mov [ebp-5],al ; EBP-8 now contains LDT's address
	mov ax,[edi]
	and al,0f8
	movzx eax,ax
	mov [ebp-4],eax ; EBP-4 contains LDT's Limit
	; Then allocate a descriptor
	mov edi,[ebp-8]
	Search :cmp dword ptr [edi+eax],0
	jne Search_Next_Desc
	cmp dword ptr [edi+eax+4],0
	je Found_Unused_Desc
	Search_Next_Desc :
	sub ax,8
	jns Search
	mov eax,0fffffffe ; Return -2 if error
	jmp Done
	Found_Unused_Desc :
	add edi,eax ; EDI contains the Descriptor's address
	add al,7 ; AX contains the selector
	; Create the call gate
	mov [ebp-4],ax
	mov dword ptr [edi],offset DGROUP:Shell
	mov eax,Ring_0_CS_32+0ec000000
	xchg eax,[edi+2]
	mov [edi+6],ax
	; Call the gate and transfer to Shell
	call fword ptr [ebp-8]
	; Free the selector
	mov dword ptr [edi],0
	mov dword ptr [edi+4],0
	Done :pop edi
	mov esp,ebp
	pop ebp
	ret 4 ; Clean up parameter
	CALLRING0PROC endp

	Shell proc far
	push ds
	push es
	push edi

	MOV ECX,[ESI]
	ADD ESI,4
	push 0f12ff34f
	PUSHARG:
	PUSH DWORD PTR [ESI]
	ADD ESI,4
	LOOP PUSHARG

	mov ax,Ring_0_DS_32
	mov ds,ax
	mov es,ax
	call dword ptr [ebp+8]


	POPARG:
	POP ESI
	CMP ESI,0f12ff34f
	JNE POPARG
	pop edi
	pop es
	pop ds
	ret
	Shell endp

	_TEXT ends

	end