Last active
December 2, 2019 11:50
-
-
Save Alikberov/37506b2be60553cd06dd09a79bfc3e24 to your computer and use it in GitHub Desktop.
Exception Parse
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#include "stdafx.h" | |
#define _At_ | |
#define _Out_ | |
#define _In_ | |
#define _In_opt_ | |
#define _Out_ | |
#define _Out_opt_ | |
#define _Inout_ | |
#define _Inout_opt_ | |
#define _Inout_updates_opt_(x) | |
#define MEM_EXTENDED_PARAMETER_TYPE_BITS 8 | |
#define FILE_SEQUENTIAL_ONLY 0x00000004 | |
#define PROCESS_CREATE_FLAGS_BREAKAWAY 0x00000001 | |
typedef struct MEM_EXTENDED_PARAMETER { | |
struct { | |
DWORD64 Type : MEM_EXTENDED_PARAMETER_TYPE_BITS; | |
DWORD64 Reserved : 64 - MEM_EXTENDED_PARAMETER_TYPE_BITS; | |
} DUMMYSTRUCTNAME; | |
union { | |
DWORD64 ULong64; | |
PVOID Pointer; | |
SIZE_T Size; | |
HANDLE Handle; | |
DWORD ULong; | |
} DUMMYUNIONNAME; | |
} MEM_EXTENDED_PARAMETER, *PMEM_EXTENDED_PARAMETER; | |
//typedef DWORD NTSTATUS; | |
typedef DWORD ULONG_PTR; | |
typedef struct _IO_STATUS_BLOCK { | |
union { | |
NTSTATUS Status; | |
PVOID Pointer; | |
} DUMMYUNIONNAME; | |
ULONG_PTR Information; | |
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK; | |
typedef HANDLE (NTAPI *fpNtCurrentProcess)(void); | |
//_Must_inspect_result_ | |
//__kernel_entry NTSYSCALLAPI | |
typedef NTSTATUS (NTAPI *fpNtCreateSection) ( | |
_Out_ PHANDLE SectionHandle, | |
_In_ ACCESS_MASK DesiredAccess, | |
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, | |
_In_opt_ PLARGE_INTEGER MaximumSize, | |
_In_ ULONG SectionPageProtection, | |
_In_ ULONG AllocationAttributes, | |
_In_opt_ HANDLE FileHandle | |
); | |
typedef void(NTAPI *fpRtlInitUnicodeString)( | |
PUNICODE_STRING DestinationString, | |
PCWSTR SourceString | |
); | |
typedef | |
//NTSYSAPI | |
NTSTATUS | |
(NTAPI | |
*fpNtCreateFile)( | |
OUT PHANDLE FileHandle, | |
IN ACCESS_MASK DesiredAccess, | |
IN POBJECT_ATTRIBUTES ObjectAttributes, | |
OUT PIO_STATUS_BLOCK IoStatusBlock, | |
IN PLARGE_INTEGER AllocationSize OPTIONAL, | |
IN ULONG FileAttributes, | |
IN ULONG ShareAccess, | |
IN ULONG CreateDisposition, | |
IN ULONG CreateOptions, | |
IN PVOID EaBuffer OPTIONAL, | |
IN ULONG EaLength ); | |
//__kernel_entry NTSYSCALLAPI | |
typedef NTSTATUS (NTAPI *fpNtOpenFile) ( | |
_Out_ PHANDLE FileHandle, | |
_In_ ACCESS_MASK DesiredAccess, | |
_In_ POBJECT_ATTRIBUTES ObjectAttributes, | |
_Out_ PIO_STATUS_BLOCK IoStatusBlock, | |
_In_ ULONG ShareAccess, | |
_In_ ULONG OpenOptions | |
); | |
typedef NTSYSAPI NTSTATUS (NTAPI *fpNtMapViewOfSection) ( | |
_In_ HANDLE SectionHandle, | |
_In_ HANDLE ProcessHandle, | |
_Inout_ _At_ PVOID *BaseAddress, | |
_Inout_opt_ PLARGE_INTEGER SectionOffset, | |
_Inout_ PSIZE_T ViewSize, | |
_In_ ULONG AllocationType, | |
_In_ ULONG Win32Protect, | |
_Inout_updates_opt_(ParameterCount) MEM_EXTENDED_PARAMETER* Parameters, | |
_In_ ULONG ParameterCount | |
); | |
typedef NTSTATUS(NTAPI *fpNtCreateProcess) | |
( | |
OUT PHANDLE ProcessHandle, | |
IN ACCESS_MASK DesiredAccess, | |
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, | |
IN HANDLE ParentProcess, | |
IN ULONG Flags, | |
IN HANDLE SectionHandle OPTIONAL, | |
IN HANDLE DebugPort OPTIONAL, | |
IN HANDLE ExceptionPort OPTIONAL | |
); | |
fpRtlInitUnicodeString RtlInitUnicodeString; | |
fpNtCreateFile NtCreateFile; | |
fpNtCurrentProcess NtCurrentProcess; | |
fpNtCreateSection NtCreateSection; | |
fpNtOpenFile NtOpenFile; | |
fpNtMapViewOfSection NtMapViewOfSection; | |
fpNtCreateProcess NtCreateProcess; | |
/* | |
NTSTATUS NTAPI | |
NtCreateProcessEx(OUT PHANDLE ProcessHandle, | |
IN ACCESS_MASK DesiredAccess, | |
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, | |
IN HANDLE ParentProcess, | |
IN ULONG Flags, | |
IN HANDLE SectionHandle OPTIONAL, | |
IN HANDLE DebugPort OPTIONAL, | |
IN HANDLE ExceptionPort OPTIONAL, | |
IN BOOLEAN InJob); | |
*/ | |
// Macro-Codes of instructions | |
////////////////////////////// | |
#define X86_HLT 0xF4 // hlt | |
#define X86_INT 0xCD // int | |
#define X86_CLI 0xFA // cli | |
#define X86_STI 0xFB // sti | |
#define X86_ES 0x26 // es: | |
#define X86_CS 0x2E // cs: | |
#define X86_SS 0x36 // ss: | |
#define X86_DS 0x3E // ds: | |
#define X86_FS 0x64 // fs: | |
#define X86_GS 0x65 // gs: | |
#define X86_D16 0x66 // Data Override | |
#define X86_LOCK 0xF0 // lock | |
#define X86_REPNE 0xF2 // repne | |
#define X86_REP 0xF3 // rep/repe | |
#define X86_INSB 0x6C // insb | |
#define X86_INSD 0x6D // insd/insw | |
#define X86_OUTSB 0x6E // outsb | |
#define X86_OUTSD 0x6F // outsd/outsw | |
#define X86_IN_ALI 0xE4 // in al,i8 | |
#define X86_IN_AXI 0xE5 // in (e)ax,i8 | |
#define X86_OUT_ALI 0xE6 // out i8,al | |
#define X86_OUT_AXI 0xE7 // out i8,(e)ax | |
#define X86_IN_AL 0xEC // in al,dx | |
#define X86_IN_AX 0xED // in (e)ax,dx | |
#define X86_OUT_AL 0xEE // out dx,al | |
#define X86_OUT_AX 0xEF // out dx,(e)ax | |
// Flags of x86-instructions | |
////////////////////////////// | |
#define X86_USE_IM8 0x0001 // immediate byte | |
#define X86_USE_D16 0x0002 // 2 bytes | |
#define X86_USE_OUT 0x0004 // out/outs | |
#define X86_USE_D8 0x0008 // 8 bits | |
#define X86_USE_EAX 0x0010 // accumulator | |
#define X86_USE_ECX 0x0020 // ecx as loop conter | |
#define X86_USE_EDX 0x0040 // edx as port index | |
#define X86_USE_EBX 0x0080 // ebx | |
#define X86_USE_ESP 0x0100 // esp | |
#define X86_USE_EBP 0x0200 // ebp | |
#define X86_USE_ESI 0x0400 // esi as source | |
#define X86_USE_EDI 0x0800 // edi as destination | |
#define X86_USE_BUS 0x1000 // lock-prefix | |
DWORD nPorts = 0; // Number of accessable ports | |
/////////////////////////////////////////////////////////////////////// | |
// DisplayError | |
// Displays the error number and corresponding message. | |
/////////////////////////////////////////////////////////////////////// | |
void DisplayError(char *pszAPI) { | |
LPVOID lpvMessageBuffer; | |
CHAR szPrintBuffer[512]; | |
DWORD nCharsWritten; | |
DWORD idError = GetLastError(); | |
if(!idError) | |
return; | |
FormatMessage( | |
FORMAT_MESSAGE_ALLOCATE_BUFFER|FORMAT_MESSAGE_FROM_SYSTEM, | |
NULL, idError, | |
MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), | |
(LPTSTR)&lpvMessageBuffer, 0, NULL); | |
wsprintf(szPrintBuffer, | |
"ERROR:\r\n" | |
"\tAPI = %s\r\n" | |
"\tCode: %d\r\n" | |
"\tHint: %s", | |
pszAPI, idError, (char *)lpvMessageBuffer); | |
LocalFree(lpvMessageBuffer); | |
WriteConsole(GetStdHandle(STD_OUTPUT_HANDLE),szPrintBuffer, | |
lstrlen(szPrintBuffer),&nCharsWritten,NULL); | |
MessageBox(NULL, szPrintBuffer, "", MB_OK); | |
ExitProcess(idError); | |
} | |
LONG WINAPI x86_cmd_show(_EXCEPTION_POINTERS *ep, DWORD sel, int d8, DWORD usage) { | |
int j; | |
char cmd[32][16] = { | |
"INSB", | |
"INSD", | |
"OUTSB", | |
"OUTSD", | |
"IN AL,%3d", | |
"IN EAX,%3d", | |
"OUT %3d,AL", | |
"OUT %3d,EAX", | |
"---", | |
"HLT", | |
"CLI", | |
"STI", | |
"IN AL,EDX", | |
"IN EAX,EDX", | |
"OUT EDX,AL", | |
"OUT EDX,EAX", | |
"INSB", | |
"INSW", | |
"OUTSB", | |
"OUTSW", | |
"IN AL,%3d", | |
"IN AX,%3d", | |
"OUT %3d,AL", | |
"OUT %3d,AX", | |
"---", | |
"HLT", | |
"CLI", | |
"STI", | |
"IN AL,EDX", | |
"IN AX,EDX", | |
"OUT EDX,AL", | |
"OUT EDX,AX" | |
}; | |
char str[16][16] = { | |
"---", | |
"---", | |
"CS:", | |
"DS:", | |
"ES:", | |
"FS:", | |
"GS:", | |
"SS:", | |
"---", | |
"---", | |
"---", | |
"---", | |
"LOCK ", | |
"---", | |
"REPE ", | |
"REPNE " | |
}; | |
if(sel != 0 || (sel & 0xF) != 8) { | |
//if(0xEC == *ic) { | |
DWORD port = ep->ContextRecord->Edx; | |
DWORD ticks; | |
DWORD static delta = 0; | |
DWORD static max = 0; | |
DWORD static reset = 0; | |
DWORD reseter = 100; | |
_asm rdtsc; | |
_asm mov ticks,eax; | |
printf("%08X %08X ", ep->ExceptionRecord->ExceptionAddress, sel); | |
if(d8 >= 0) | |
printf("%02X|", d8); | |
else | |
printf(" |"); | |
j = 4; | |
while(((sel >> j) & 0xF) > 0 && j < 32) { | |
printf(str[(sel >> j) & 0x0F]); | |
j += 4; | |
} | |
if(usage & X86_USE_ECX) | |
printf("(ECX) "); | |
if(usage & X86_USE_EAX) { // port in/out | |
if(usage & X86_USE_OUT) { // port output | |
printf("OUT "); | |
if(usage & X86_USE_EDX) | |
printf("EDX,"); | |
else | |
printf("%02X,", d8); | |
if(usage & X86_USE_D8) | |
printf("AL"); | |
else | |
if(usage & X86_USE_D16) | |
printf("AX"); | |
else | |
printf("EAX"); | |
} else { // port input | |
printf("IN "); | |
if(usage & X86_USE_D8) | |
printf(" AL"); | |
else | |
if(usage & X86_USE_D16) | |
printf(" AX"); | |
else | |
printf("EAX"); | |
if(usage & X86_USE_EDX) | |
printf(",EDX"); | |
else | |
printf(",%02X", d8); | |
} | |
} else | |
if(usage & X86_USE_EDX) { | |
if(usage & X86_USE_ESI) | |
printf("OUTS"); | |
else | |
printf("INS"); | |
if(usage & X86_USE_D8) | |
printf("B"); | |
else | |
if(usage & X86_USE_D16) | |
printf("W"); | |
else | |
printf("D"); | |
} else | |
printf(cmd[sel & 0xF]); | |
if((sel & 0xF) == 0x9 && !(usage & X86_USE_IM8)) { | |
if(reseter < reset ++) | |
reset = 0, | |
max = 0; | |
if(max < ep->ContextRecord->Eax - delta) | |
max = ep->ContextRecord->Eax - delta; | |
printf("\t %9d > %9d ticks", max, ep->ContextRecord->Eax - delta); | |
} | |
printf("\r\n\t"); | |
if(usage & X86_USE_EAX) | |
printf("EAX:%08X ", ep->ContextRecord->Eax); | |
if(usage & X86_USE_ECX) | |
printf("ECX:%08X ", ep->ContextRecord->Ecx); | |
if(usage & X86_USE_EDX) | |
printf("EDX:%08X ", ep->ContextRecord->Edx); | |
if(usage & X86_USE_ESI) | |
printf("ESI:%08X ", ep->ContextRecord->Esi); | |
if(usage & X86_USE_EDI) | |
printf("EDI:%08X ", ep->ContextRecord->Edi); | |
printf("\r\n"); | |
_asm rdtsc; | |
_asm sub eax,ticks; | |
_asm mov delta,eax; | |
//printf("%08X %02X|IN AL,DX ; Port #%04X is bad; Ports available - %d\r", ea, *ic, port, nPorts); | |
return EXCEPTION_CONTINUE_EXECUTION; | |
} | |
return EXCEPTION_EXECUTE_HANDLER; | |
} | |
LONG WINAPI TopLevelExceptionFilter(_EXCEPTION_POINTERS *ep) { | |
DWORD ea = (DWORD)ep->ExceptionRecord->ExceptionAddress; | |
BYTE *ic = (BYTE *)ea; | |
DWORD sel = 0; | |
BYTE cc; | |
int d8 = -1; | |
DWORD i = 0; | |
bool d16 = false; | |
DWORD usage = 0; | |
do { | |
cc = *(BYTE *)(ea + i ++); | |
printf("%02X ", cc); | |
switch(cc) { | |
// Parse for prefixes | |
case X86_D16: | |
usage |= X86_USE_D16; | |
d16 = true; | |
continue; | |
case X86_CS: | |
sel |= 0x2 << (i << 2); | |
continue; | |
case X86_DS: | |
sel |= 0x3 << (i << 2); | |
continue; | |
case X86_ES: | |
sel |= 0x4 << (i << 2); | |
continue; | |
case X86_FS: | |
sel |= 0x5 << (i << 2); | |
continue; | |
case X86_GS: | |
sel |= 0x6 << (i << 2); | |
continue; | |
case X86_SS: | |
sel |= 0x7 << (i << 2); | |
continue; | |
case X86_LOCK: | |
usage |= X86_USE_BUS; | |
sel |= 0xC << (i << 2); | |
continue; | |
case X86_REPNE: | |
usage |= X86_USE_ECX; | |
sel |= 0xF << (i << 2); | |
continue; | |
case X86_REP: | |
usage |= X86_USE_ECX; | |
sel |= 0xE << (i << 2); | |
continue; | |
// Parse for instruction | |
case X86_INSB: // 0x0 | |
usage |= X86_USE_EDI; | |
sel |= (cc & 0x3); | |
break; | |
case X86_INSD: // 0x1 | |
usage |= X86_USE_EDI; | |
sel |= (cc & 0x3); | |
break; | |
case X86_OUTSB: // 0x2 | |
usage |= X86_USE_ESI | X86_USE_OUT | X86_USE_D8; | |
sel |= (cc & 0x3); | |
break; | |
case X86_OUTSD: // 0x3 | |
usage |= X86_USE_ESI | X86_USE_OUT; | |
sel |= (cc & 0x3); | |
break; | |
case X86_IN_ALI: // 0x4 | |
usage |= X86_USE_EAX | X86_USE_IM8 | X86_USE_D8; | |
d8 = *(BYTE *)(ea + i ++); | |
sel |= (cc & 0xF); | |
cc = 0; | |
break; | |
case X86_IN_AXI: // 0x5 | |
usage |= X86_USE_EAX | X86_USE_IM8; | |
d8 = *(BYTE *)(ea + i ++); | |
sel |= (cc & 0xF); | |
cc = 0; | |
break; | |
case X86_OUT_ALI: // 0x6 | |
usage |= X86_USE_EAX | X86_USE_IM8 | X86_USE_OUT | X86_USE_D8; | |
d8 = *(BYTE *)(ea + i ++); | |
sel |= (cc & 0xF); | |
cc = 0; | |
break; | |
case X86_OUT_AXI: // 0x7 | |
usage |= X86_USE_EAX | X86_USE_IM8 | X86_USE_OUT; | |
d8 = *(BYTE *)(ea + i ++); | |
sel |= (cc & 0xF); | |
cc = 0; | |
break; | |
case X86_CLI: // 0xA | |
sel |= (cc & 0xF); | |
cc = 0; | |
break; | |
case X86_STI: // 0xB | |
sel |= (cc & 0xF); | |
cc = 0; | |
break; | |
case X86_IN_AL: // 0xC | |
usage |= X86_USE_EAX | X86_USE_EDX | X86_USE_D8; | |
sel |= (cc & 0xF); | |
cc = 0; | |
break; | |
case X86_IN_AX: // 0xD | |
usage |= X86_USE_EAX | X86_USE_EDX; | |
sel |= (cc & 0xF); | |
cc = 0; | |
break; | |
case X86_OUT_AL: // 0xE | |
usage |= X86_USE_EAX | X86_USE_EDX | X86_USE_OUT | X86_USE_D8; | |
sel |= (cc & 0xF); | |
cc = 0; | |
break; | |
case X86_OUT_AX: // 0xF | |
usage |= X86_USE_EAX | X86_USE_EDX | X86_USE_OUT; | |
sel |= (cc & 0xF); | |
cc = 0; | |
break; | |
case X86_INT: // 0x9 | |
usage |= X86_USE_IM8; | |
d8 = *(BYTE *)(ea + i ++); | |
case X86_HLT: // 0x9 | |
sel |= 9; | |
default: | |
sel |= 8; | |
cc = 0; | |
break; | |
} | |
} while(cc); | |
ep->ContextRecord->Eip += i; | |
ep->ContextRecord->EFlags |= 1 << 11; // Overflow Flags | |
ep->ExceptionRecord->ExceptionAddress = (void *)(ea + i); | |
return x86_cmd_show(ep, sel, d8, usage); | |
} | |
void LoadApplication(HANDLE File, int h) { | |
/* ObjAttr.Length = sizeof OBJECT_ATTRIBUTES; | |
ObjAttr.RootDirectory = 0; | |
ObjAttr.ObjectName = 0;*/ | |
// NtOpenFile(&hFile, FILE_ALL_ACCESS, &ofs, &StatusBlock, FILE_SHARE_READ|FILE_SHARE_WRITE, FILE_SEQUENTIAL_ONLY); | |
// printf("%08X:hFile\r\n", hFile); | |
OBJECT_ATTRIBUTES ObjAttr; | |
IO_STATUS_BLOCK StatusBlock; | |
HANDLE hSection; | |
HANDLE hProcess; | |
PVOID ImageBaseAddr; | |
SIZE_T ViewSize; | |
HANDLE hFile; | |
OBJECT_ATTRIBUTES ofs; | |
UNICODE_STRING dn; | |
IO_STATUS_BLOCK State; | |
DWORD Error; | |
// | |
ZeroMemory(&State,sizeof(IO_STATUS_BLOCK)); | |
WCHAR *ch1 = L"\\??\\C:\\test.bat"; | |
RtlInitUnicodeString(&dn, ch1); | |
InitializeObjectAttributes(&ofs, &dn, 0, 0, 0); | |
// | |
Error = NtCreateFile(&hFile,PAGE_EXECUTE/*|GENERIC_WRITE|GENERIC_READ|GENERIC_EXECUTE*0*/,&ofs, &State,0,FILE_ATTRIBUTE_NORMAL,0,0/*FILE_SUPERSEDE*/,0,0,0); | |
printf("%08X %08X:hFile\r\n", Error, hFile); | |
Error = NtCreateSection(&hSection, SECTION_ALL_ACCESS, &ofs, NULL, PAGE_EXECUTE_READWRITE, SEC_IMAGE|SEC_FILE|SEC_COMMIT, &hFile); | |
printf("%08X %08X:hSection\r\n", Error, hSection); | |
Error = NtMapViewOfSection(hSection, (void *)-1, &ImageBaseAddr, NULL, &ViewSize, 0, PAGE_EXECUTE_READWRITE, NULL, 0); | |
printf("%08X %08X:ImageBaseAddr\r\n", Error, ImageBaseAddr); | |
Error = NtCreateProcess(&hProcess, PROCESS_ALL_ACCESS, NULL, (void *)-1, PROCESS_CREATE_FLAGS_BREAKAWAY, hSection, NULL, NULL); | |
printf("%08X %08X:hProcess\r\n", Error, hProcess); | |
// NtCreateThread(&hThread, THREAD_ALL_ACCESS, NULL, hProcess, &ClientId, &ThreadContext, &InitialTeb, TRUE); | |
// NtCreateThreadEx(&hThread, THREAD_ALL_ACCESS, NULL, hProcess, (PUSER_THREAD_START_ROUTINE)Foo, (PVOID)Param1(), THREAD_CREATE_FLAGS_CREATE_SUSPENDED, 0, 0, 0, NULL); | |
} | |
void Loader(void) { | |
HMODULE hNtDll = LoadLibrary("ntdll.dll"); | |
HMODULE hKernel = LoadLibrary("kernel.dll"); | |
RtlInitUnicodeString = (fpRtlInitUnicodeString)GetProcAddress(hNtDll, "RtlInitUnicodeString"); | |
printf("%08X:RtlInitUnicodeString\r\n", RtlInitUnicodeString); | |
NtCreateFile = (fpNtCreateFile)GetProcAddress(hNtDll, "NtCreateFile"); | |
printf("%08X:NtCreateFile\r\n", NtCreateFile); | |
NtOpenFile = (fpNtOpenFile)GetProcAddress(hNtDll, "NtOpenFile"); | |
printf("%08X:NtOpenFile\r\n", NtOpenFile); | |
NtCreateSection = (fpNtCreateSection)GetProcAddress(hNtDll, "NtCreateSection"); | |
printf("%08X:NtCreateSection\r\n", NtCreateSection); | |
NtMapViewOfSection = (fpNtMapViewOfSection)GetProcAddress(hNtDll, "NtMapViewOfSection"); | |
printf("%08X:NtMapViewOfSection\r\n", NtMapViewOfSection); | |
NtCreateProcess = (fpNtCreateProcess)GetProcAddress(hNtDll, "NtCreateProcess"); | |
printf("%08X:NtCreateProcessEx\r\n", NtCreateProcess); | |
NtCurrentProcess = (fpNtCurrentProcess)GetProcAddress(hNtDll, "NtCurrentProcess"); | |
printf("%08X:NtCurrentProcess\r\n", NtCurrentProcess); | |
system("pause"); | |
LoadApplication(0,//CreateFile("C:/test.bat", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0), | |
0); | |
system("pause"); | |
} | |
// INT 0x03,0x04,0x2D, ..4F | |
int (*NtSetLdtEntries)(DWORD, DWORD, DWORD, DWORD, DWORD, DWORD); | |
LDT_ENTRY ll; | |
int main(int argc, char* argv[]) | |
{ | |
SYSTEM_INFO si; | |
DWORD base = 0x0490; | |
int ret; | |
COORD coord = {0, 0}; | |
Loader(); | |
HANDLE hStdOut = GetStdHandle(STD_OUTPUT_HANDLE); | |
GetSystemInfo(&si); | |
printf("wProcessorArchitecture:%08X\r\n", si.wProcessorArchitecture); | |
printf("dwPageSize:%08X\r\n", si.dwPageSize); | |
printf("lpMinimumApplicationAddress:%08X\r\n", si.lpMinimumApplicationAddress); | |
printf("lpMaximumApplicationAddress:%08X\r\n", si.lpMaximumApplicationAddress); | |
printf("dwActiveProcessorMask:%08X\r\n", si.dwActiveProcessorMask); | |
printf("dwNumberOfProcessors:%08X\r\n", si.dwNumberOfProcessors); | |
printf("dwAllocationGranularity:%08X\r\n", si.dwAllocationGranularity); | |
printf("wProcessorLevel:%08X\r\n", si.wProcessorLevel); | |
printf("VirtualAlloc:%08X", | |
VirtualAlloc((void*)si.lpMinimumApplicationAddress, | |
(DWORD)si.lpMaximumApplicationAddress - (DWORD)si.lpMinimumApplicationAddress - si.dwAllocationGranularity - 0x1000000, | |
MEM_COMMIT, PAGE_EXECUTE_READWRITE)); | |
// DisplayError("VirtualAlloc"); | |
system("Pause"); | |
//VirtualAlloc((void*)0x570000, 0x70000000, MEM_RESERVE, PAGE_EXECUTE_READWRITE); | |
*(FARPROC*)(&NtSetLdtEntries) = GetProcAddress(LoadLibrary("ntdll.dll"), "NtSetLdtEntries"); | |
ll.BaseLow = base & 0xFFFF; | |
ll.HighWord.Bytes.BaseMid = base >> 16; | |
ll.HighWord.Bytes.BaseHi = base >> 24; | |
ll.LimitLow = 400; | |
ll.HighWord.Bits.LimitHi = 0; | |
ll.HighWord.Bits.Granularity = 0; | |
ll.HighWord.Bits.Default_Big = 1; | |
ll.HighWord.Bits.Reserved_0 = 0; | |
ll.HighWord.Bits.Sys = 0; | |
ll.HighWord.Bits.Pres = 1; | |
ll.HighWord.Bits.Dpl = 3; | |
ll.HighWord.Bits.Type = 0x13; | |
// ret = NtSetLdtEntries(0x08, *(DWORD*)&ll, *((DWORD*)(&ll)+1),0,*(DWORD*)&ll, *((DWORD*)(&ll)+1)); | |
//SetUnhandledExceptionFilter(TopLevelExceptionFilter); | |
printf("Hello World!\n"); | |
for(int i = 0x2E00; i <= 0xFFFF; ++ i) { | |
SetConsoleCursorPosition(hStdOut, coord); | |
_asm { | |
rdtsc | |
mov esi,esp | |
mov edi,esp | |
mov ecx,1 | |
mov ebx,eax | |
mov edx,i // Index of IO-Port | |
_emit X86_REP | |
_emit X86_REP | |
_emit X86_SS | |
out 54,eax | |
movsd | |
_emit X86_REP | |
_emit X86_DS | |
_emit X86_DS | |
_emit X86_DS | |
_emit X86_DS | |
_emit X86_DS | |
_emit X86_DS | |
_emit X86_DS | |
_emit X86_DS | |
_emit X86_DS | |
_emit X86_DS | |
_emit X86_DS | |
_emit X86_DS | |
_emit X86_DS | |
movsd | |
_emit X86_REP | |
_emit X86_CS | |
_emit X86_DS | |
_emit X86_ES | |
_emit X86_FS | |
_emit X86_GS | |
_emit X86_SS | |
_emit X86_GS | |
_emit X86_FS | |
_emit X86_ES | |
_emit X86_DS | |
_emit X86_CS | |
_emit X86_DS | |
_emit X86_ES | |
_emit X86_IN_AL | |
repe lock in al,dx // Try for port-read | |
repne lock out dx,eax; | |
repe lock cli | |
sti | |
/*mov al,0xC3 | |
shl eax,16 | |
mov al,0xCD | |
mov ah,dh | |
push eax | |
call esp | |
pop eax*/ | |
rdtsc | |
sub eax,ebx | |
hlt | |
jo err // Overflow if unaccessable | |
inc nPorts | |
err: | |
} | |
//system("pause"); | |
} | |
printf("\nPorts available - %d\r\n", nPorts); | |
return 0; | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment