做一个ring3转入ring0的问题，程序如下：
// Poster's program: an attempt to make a ring-3 console process run the
// label @@ring0code at ring 0 by rewriting IDT entry 3 (a trick widely
// described for the Win9x family).  Review notes:
//  * On NT-family Windows the IDT is mapped in kernel-only pages and `cli` is
//    a privileged instruction for a process at IOPL 0, so this code dies with
//    an access violation / privileged-instruction exception instead of
//    gaining ring 0.
//  * No `sti` and no `iret` follow the `cli` / `int` below, so even where the
//    IDT write succeeded the machine would be left with interrupts disabled
//    and an unbalanced interrupt frame: a crash/instability risk.
//  * `sidt` followed by a store into the IDT and an `int N` is a well-known
//    privilege-escalation pattern; treat it as a red flag in code review and
//    as a detection signature in endpoint tooling.
program Pchongqi;{$APPTYPE CONSOLE}uses
SysUtils,windows,shellapi;
const
// ExitWindowsEx flags.  The values match the ones the Windows unit already
// declares, so these are redundant local redefinitions.  The original
// comments were GBK text rendered as Latin-1 (mojibake); decoded and
// translated below.  Note that they do not line up with the constants they
// annotate.
EWX_FORCE=4; // original comment: "close all programs and log on as another user" (that text describes a log-off, not EWX_FORCE, which forces processes to terminate)
EWX_LOGOFF=0; // original comment: "restart the computer and switch to MS-DOS mode" (does not describe EWX_LOGOFF, which logs the current user off)
EWX_REBOOT=2; // original comment: "restart the computer"
EWX_SHUTDOWN=1;// original comment: "shut down the computer"
exceptionused=$03; // IDT vector to hijack: 3 (breakpoint), raised below by `int exceptionused`
var
idt:array [0..5] of byte; // 6-byte IDTR image filled by `sidt`: limit in bytes 0-1, linear base address in bytes 2-5 (read back as dword ptr[idt+2])
lpoldgate:dword; // saved 32-bit handler offset of the original IDT entry, used by the restore sequence
begin
// Requests an asynchronous reboot before the IDT games start.  On NT-family
// systems this needs the shutdown privilege and returns FALSE otherwise; the
// result is not checked, so failure is silent.  The second argument is the
// reserved/reason parameter; $FFFF is not a documented value.
ExitWindowsEx((EWX_REBOOT), $FFFF);
asm
sidt idt // store IDTR (limit + base) into idt
mov ebx,8*exceptionused // ebx := 8*3 = $18 (IDT entries are 8 bytes wide)
cli // disable maskable interrupts; privileged on NT at IOPL 0; no matching sti anywhere in this block
// Save the current handler offset of the entry addressed by ebx: high word at
// +6, low word at +0 (32-bit gate layout).
mov dx,word ptr[ebx+6]
shl edx,16d
mov dx,word ptr[ebx]
mov [lpoldgate],edx
// Overwrite both offset words with the address of @@ring0code.
mov eax,offset @@ring0code
mov word ptr[ebx],ax
shr eax,16d
mov word ptr[ebx+6],ax
int exceptionused // trap through vector 3, intended to land on @@ring0code
// Restore the original entry: IDT base (idt+2) plus the entry offset, then
// write the saved low and high offset words back.
mov ebx,dword ptr[idt+2]
add ebx,8*exceptionused
mov edx,[lpoldgate]
mov word ptr[ebx],dx
shr edx,16d
mov word ptr[ebx+6],dx
jmp @@exit
@@ring0code:
// The poster's actual question: this is a Pascal statement inside an asm
// block, which the built-in assembler rejects (the compile error marked
// with !!!!).  Independently of syntax, WinExec is a Win32 user-mode API and
// cannot be invoked from code that is meant to execute as an interrupt
// handler.
!!!!winexec('D:\Program Files\Borland\Delphi7\Bin\delphi32.exe',sw_Normal);
@@exit:
end;
end.
在!!!!处报错。请问在内嵌汇编中如何再内嵌Delphi语句？
// Poster's program (repeated): an attempt to make a ring-3 console process
// run the label @@ring0code at ring 0 by rewriting IDT entry 3 (a trick
// widely described for the Win9x family).  Review notes:
//  * On NT-family Windows the IDT is mapped in kernel-only pages and `cli` is
//    a privileged instruction for a process at IOPL 0, so this code dies with
//    an access violation / privileged-instruction exception instead of
//    gaining ring 0.
//  * No `sti` and no `iret` follow the `cli` / `int` below, so even where the
//    IDT write succeeded the machine would be left with interrupts disabled
//    and an unbalanced interrupt frame: a crash/instability risk.
//  * `sidt` followed by a store into the IDT and an `int N` is a well-known
//    privilege-escalation pattern; treat it as a red flag in code review and
//    as a detection signature in endpoint tooling.
program Pchongqi;{$APPTYPE CONSOLE}uses
SysUtils,windows,shellapi;
const
// ExitWindowsEx flags.  The values match the ones the Windows unit already
// declares, so these are redundant local redefinitions.  The original
// comments were GBK text rendered as Latin-1 (mojibake); decoded and
// translated below.  Note that they do not line up with the constants they
// annotate.
EWX_FORCE=4; // original comment: "close all programs and log on as another user" (that text describes a log-off, not EWX_FORCE, which forces processes to terminate)
EWX_LOGOFF=0; // original comment: "restart the computer and switch to MS-DOS mode" (does not describe EWX_LOGOFF, which logs the current user off)
EWX_REBOOT=2; // original comment: "restart the computer"
EWX_SHUTDOWN=1;// original comment: "shut down the computer"
exceptionused=$03; // IDT vector to hijack: 3 (breakpoint), raised below by `int exceptionused`
var
idt:array [0..5] of byte; // 6-byte IDTR image filled by `sidt`: limit in bytes 0-1, linear base address in bytes 2-5 (read back as dword ptr[idt+2])
lpoldgate:dword; // saved 32-bit handler offset of the original IDT entry, used by the restore sequence
begin
// Requests an asynchronous reboot before the IDT games start.  On NT-family
// systems this needs the shutdown privilege and returns FALSE otherwise; the
// result is not checked, so failure is silent.  The second argument is the
// reserved/reason parameter; $FFFF is not a documented value.
ExitWindowsEx((EWX_REBOOT), $FFFF);
asm
sidt idt // store IDTR (limit + base) into idt
mov ebx,8*exceptionused // ebx := 8*3 = $18 (IDT entries are 8 bytes wide)
cli // disable maskable interrupts; privileged on NT at IOPL 0; no matching sti anywhere in this block
// Save the current handler offset of the entry addressed by ebx: high word at
// +6, low word at +0 (32-bit gate layout).
mov dx,word ptr[ebx+6]
shl edx,16d
mov dx,word ptr[ebx]
mov [lpoldgate],edx
// Overwrite both offset words with the address of @@ring0code.
mov eax,offset @@ring0code
mov word ptr[ebx],ax
shr eax,16d
mov word ptr[ebx+6],ax
int exceptionused // trap through vector 3, intended to land on @@ring0code
// Restore the original entry: IDT base (idt+2) plus the entry offset, then
// write the saved low and high offset words back.
mov ebx,dword ptr[idt+2]
add ebx,8*exceptionused
mov edx,[lpoldgate]
mov word ptr[ebx],dx
shr edx,16d
mov word ptr[ebx+6],dx
jmp @@exit
@@ring0code:
// The poster's actual question: this is a Pascal statement inside an asm
// block, which the built-in assembler rejects (the compile error marked
// with !!!!).  Independently of syntax, WinExec is a Win32 user-mode API and
// cannot be invoked from code that is meant to execute as an interrupt
// handler.
!!!!winexec('D:\Program Files\Borland\Delphi7\Bin\delphi32.exe',sw_Normal);
@@exit:
end;
end.
在!!!!处报错。请问在内嵌汇编中如何再内嵌Delphi语句？
把参数压栈，再CALL WinExec
试试
Classes单元中有很多例子，你看看吧
MOV EAX,ESI
CALL TReader.ReadBuffer
call d;
@@exit:
// Answer's suggestion for the "!!!!" line: keep the Pascal call in an
// ordinary procedure and `call d` from the asm block instead of embedding a
// statement in the built-in assembler.  WinExec's result (greater than 31 on
// success) is discarded, so a missing or unstartable executable fails
// silently.  Moving the call into a procedure does not change the fact that
// a Win32 user-mode API cannot run inside an interrupt handler.
....procedure d;
begin
winexec('D:\Program Files\Borland\Delphi7\Bin\delphi32.exe',sw_Normal);
end;