Created
June 19, 2024 17:04
-
-
Save waryas/28b5cda869f5b0fb97e2867fa855ad7f to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <Windows.h> | |
| #include <stdio.h> | |
| #include <stdint.h> | |
| // #pf detection from usermode, by waryas | |
| void wgs(uint16_t value) { | |
| __asm__ volatile("mov %0, %%gs" : : "r"(value)); | |
| } | |
| uint16_t rgs() { | |
| uint16_t gs; | |
| __asm__ volatile("mov %%gs, %0" : "=r"(gs)); | |
| return gs; | |
| } | |
| int main() { | |
| auto x = VirtualAlloc(0, 0x1000, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); | |
| *(uint64_t*)x = 5; // #pf for first write | |
| VirtualUnlock(x, 0x1000); // if u comment this out, next write won't #pf | |
| wgs(1); | |
| unsigned int count = 0; | |
| *(uint64_t*)x = 5; // if virtualunlock this will #pf and count will be 0 | |
| _asm { | |
| mov rax, 0x0 | |
| syscall //syscall that don't generate interrupt won't reset gs segment | |
| } | |
| while (rgs() == 1) | |
| ++count; | |
| // interrupt happened, only way for gs segment to be reset. | |
| printf("Took %d loop\n", count); | |
| return 0; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment