Tesla.Angela posted on 2013-1-23 01:40:06

[PDF]The Art of Bootkit Development

A fairly recent PDF. It covers bootkit design for Windows 8, plus the usage of, and caveats around, the somewhat mysterious BIOS emulator functions (x86BiosXXXX). Unfortunately it only covers 32-bit; there is nothing on 64-bit.

Highlight:
MBR Verification on Bugcheck

Verification on bugcheck is way more complicated, since the bugcheck handler runs at DIRQL and therefore cannot use nearly all of the kernel API. Registering a bugcheck callback can be done through KeRegisterBugCheckCallback.

Normal Windows functions (such as ZwReadFile) or direct calls into the disk driver cannot be used, but the Vista-internal BIOS emulation can. Originally this BIOS emulation was written to support graphics functions (VESA BIOS Extensions) on 64-bit in case a dedicated driver is not available. It is a full emulator (technically an interpreter) that keeps certain memory ranges from 16-bit mode and executes BIOS functions sandboxed.

It only reserves 4 KB of memory to allocate from (using x86BiosAllocateBuffer), so that is all one has to work with. Even if this seems unbelievable, this actually works in the bugcheck handler:
    // read the MBR: build the INT 13h extended-read disk address packet (DAP)
    DiskAddressPacket.op = 0x10;          // first byte is the packet size, always 0x10
    DiskAddressPacket.zero = 0;           // reserved, must be zero
    DiskAddressPacket.nsector = 1;        // one sector (the MBR)
    DiskAddressPacket.addr = Offset;      // transfer buffer offset (inside the 4 KB x86Bios buffer)
    DiskAddressPacket.segment = Segment;  // transfer buffer segment
    DiskAddressPacket.s1 = 0;             // starting LBA, low dword: 0 = MBR
    DiskAddressPacket.s2 = 0;             // starting LBA, high dword
    // copy the disk address packet into the emulator's 16-bit memory
    x86BiosWriteMemory(DapSegment, DapOffset, &DiskAddressPacket, 0x10);
    // execute the read command (Extended Read): AH = 42h, DL = 80h (first hard disk), DS:SI -> DAP
    regs.Eax = 0x4200;
    regs.Edx = 0x0080;
    regs.SegDs = DapSegment;
    regs.Esi = DapOffset;
    Status = x86BiosCall(0x13, &regs);
One remark: if you want to play with the Windows kernel, you are far better off digging for treasure on foreign sites than going to certain domestic sites to eat the leftovers spat out by some so-called "gurus".
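The excerpt above sets up an INT 13h extended read through the kernel's BIOS emulator but stops before the part that makes it "MBR verification": what is done with the 512 bytes that come back. The following is an added example (not code from the PDF or from the poster) that shows, in portable user-mode C, the byte-exact layout of the disk address packet the snippet writes with x86BiosWriteMemory, the register values it hands to x86BiosCall, and a comparison of the freshly read sector against a snapshot taken at boot. The x86Bios* exports themselves are kernel-only and are only named in comments; the `int13_regs` struct is a local stand-in for the real register block (assumption: only the members the call needs are modelled), and the sample MBR is constructed, not read from a disk.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* INT 13h AH=42h disk address packet, byte-for-byte as it must appear in the
 * 16-bit memory that x86BiosWriteMemory copies into. The PDF's "op" field is
 * really the packet size, which is why it is set to 0x10. */
#pragma pack(push, 1)
typedef struct {
    uint8_t  size;       /* 0x10: size of this packet */
    uint8_t  reserved;   /* must be 0 */
    uint16_t count;      /* sectors to read */
    uint16_t offset;     /* transfer buffer offset (inside the x86Bios buffer) */
    uint16_t segment;    /* transfer buffer segment */
    uint32_t lba_low;    /* starting LBA, low dword: 0 for the MBR */
    uint32_t lba_high;   /* starting LBA, high dword */
} disk_address_packet;
#pragma pack(pop)
typedef char dap_size_check[(sizeof(disk_address_packet) == 16) ? 1 : -1];

/* Local stand-in for the register block passed to x86BiosCall (assumption). */
typedef struct { uint32_t Eax, Edx, Esi; uint16_t SegDs; } int13_regs;

/* Packet for a one-sector read of LBA 0 into seg:off. */
static disk_address_packet build_mbr_dap(uint16_t seg, uint16_t off)
{
    disk_address_packet dap;
    memset(&dap, 0, sizeof dap);      /* reserved, lba_low, lba_high stay 0 */
    dap.size = 0x10;
    dap.count = 1;
    dap.offset = off;
    dap.segment = seg;
    return dap;
}

/* Registers for INT 13h extended read: AH=42h, DL=drive, DS:SI -> DAP. */
static int13_regs build_extended_read_regs(uint16_t dap_seg, uint16_t dap_off,
                                           uint8_t drive)
{
    int13_regs r;
    memset(&r, 0, sizeof r);
    r.Eax = 0x4200;                   /* AH = 0x42, AL ignored */
    r.Edx = drive;                    /* DL = 0x80: first hard disk */
    r.SegDs = dap_seg;
    r.Esi = dap_off;
    return r;
}

/* In the bugcheck callback the kernel sequence would be:
 *   x86BiosWriteMemory(dap_seg, dap_off, &dap, sizeof dap);
 *   x86BiosCall(0x13, &regs);
 *   x86BiosReadMemory(buf_seg, buf_off, mbr, 512);
 * Below is the comparison applied to the 512 bytes that come back. */
#define MBR_SIZE      512
#define MBR_CODE_SIZE 440   /* bootstrap code only: the disk signature (0x1B8)
                               and partition table (0x1BE) change legitimately */

/* 0 = matches the boot-time snapshot, 1 = 0x55AA signature missing,
 * 2 = bootstrap code differs (the region a bootkit hooks). */
static int verify_mbr(const uint8_t *mbr, const uint8_t *reference)
{
    if (mbr[510] != 0x55 || mbr[511] != 0xAA)
        return 1;
    if (memcmp(mbr, reference, MBR_CODE_SIZE) != 0)
        return 2;
    return 0;
}

/* Constructed sample: not a real MBR, just a recognisable byte pattern with a
 * valid signature and an empty partition table. */
static void make_sample_mbr(uint8_t out[MBR_SIZE])
{
    memset(out, 0, MBR_SIZE);
    out[0] = 0xFA; out[1] = 0x33; out[2] = 0xC0;      /* cli; xor ax, ax */
    for (int i = 3; i < MBR_CODE_SIZE; i++)
        out[i] = (uint8_t)(0x90 + (i & 0x0F));
    out[510] = 0x55;
    out[511] = 0xAA;
}

/* Returns 0 when a clean copy passes, a patched first instruction (what a
 * bootkit's hook looks like) is flagged, and a missing signature is reported. */
static int demo_verify(void)
{
    uint8_t reference[MBR_SIZE], current[MBR_SIZE];
    make_sample_mbr(reference);
    memcpy(current, reference, MBR_SIZE);
    if (verify_mbr(current, reference) != 0) return 1;
    current[0] = 0xEB; current[1] = 0x1E;             /* jmp short to injected code */
    if (verify_mbr(current, reference) != 2) return 2;
    memcpy(current, reference, MBR_SIZE);
    current[511] = 0x00;
    if (verify_mbr(current, reference) != 1) return 3;
    return 0;
}

int main(void)
{
    disk_address_packet dap = build_mbr_dap(0x1000, 0x0200);
    int13_regs regs = build_extended_read_regs(0x1000, 0x0000, 0x80);
    printf("DAP size=%#x count=%u buffer=%04X:%04X lba=%u\n",
           dap.size, dap.count, dap.segment, dap.offset, dap.lba_low);
    printf("EAX=%#x EDX=%#x DS:SI=%04X:%04X demo=%d\n",
           regs.Eax, regs.Edx, regs.SegDs, regs.Esi, demo_verify());
    return 0;
}
```

The packet is declared packed on purpose: the emulator reads it from the 16-bit address space exactly as laid out, so a compiler-inserted padding byte would shift every field after `reserved`. Comparing only the first 440 bytes avoids false alarms from Windows rewriting the disk signature or partition table, at the cost of not noticing a bootkit that lives purely in a modified partition entry.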

mysmartid posted on 2013-1-24 10:39:05

The content is still too advanced for me, but thanks for sharing.

kk1025 posted on 2013-4-8 21:25:37

Thanks for sharing.

KingerWei posted on 2013-4-9 09:13:01

I hope the OP can recommend some good foreign forums or sites. As a beginner my knowledge is too narrow, and much of the time I can't find a way in.