Update markdown and tabs and stuff
@@ -14,16 +14,16 @@ popular. With segmentation, the physical memory is divided into segments that
|
||||
work as a kind of translation table. In Protected mode, if you call an address
|
||||
like
|
||||
|
||||
jmp CS:AX
|
||||
{: .prettyprint .lang-nasm}
|
||||
:::nasm
|
||||
jmp CS:AX
|
||||
|
||||
the processor looks into the currently loaded __Local__ or __Global Descriptor
|
||||
Table__ ( __LDT__/ __GDT__) for the entry pointed to by _CS_. This enty (or
|
||||
__Segment Descriptor__) describes the beginning of a segment which is combined
|
||||
with the offset in _AX_ to get the physical address;
|
||||
|
||||
physical_address = segment_descriptor_from_index(CS).base + AX;
|
||||
{: .prettyprint}
|
||||
:::c
|
||||
physical_address = segment_descriptor_from_index(CS).base + AX;
|
||||
|
||||
The segment descriptor also has a limit, which in our example is the maximum
|
||||
value _AX_ is allowed to take. If it's higher, you get a __Segmentation Fault__
|
||||
@@ -76,11 +76,11 @@ Changing the CPL is actually two different problems.
|
||||
|
||||
Increasing the CPL is relatively easy. It can be done either through a far jump
|
||||
|
||||
JMP 0x1B:label
|
||||
label:
|
||||
; The CS selector is now 0x18 | 0x3
|
||||
; i.e. it points to segment no 3 (3*0x8) and CPL is set to 0x3
|
||||
{: .prettyprint .lang-nasm}
|
||||
:::nasm
|
||||
JMP 0x1B:label
|
||||
label:
|
||||
; The CS selector is now 0x18 | 0x3
|
||||
; i.e. it points to segment no 3 (3*0x8) and CPL is set to 0x3
|
||||
|
||||
or through the `IRET` instruction
|
||||
|
||||
@@ -119,32 +119,33 @@ bottom two bits to 0x3, you will soon be in User Mode.
|
||||
An other (better in my opinion) option is to create a fake interrupt-pushed
|
||||
stack and push that onto the stack before running `IRET` .
|
||||
|
||||
// C code
|
||||
struct
|
||||
{
|
||||
uint32_t esp;
|
||||
uint32_t ss;
|
||||
uint32_t eflags;
|
||||
uint32_t eip;
|
||||
uint32_t cs;
|
||||
} fake_stack;
|
||||
:::c
|
||||
// C code
|
||||
struct
|
||||
{
|
||||
uint32_t esp;
|
||||
uint32_t ss;
|
||||
uint32_t eflags;
|
||||
uint32_t eip;
|
||||
uint32_t cs;
|
||||
} fake_stack;
|
||||
|
||||
fake_stack.esp = usermode_stack_top;
|
||||
fake_stack.ss = user_data_segment | 0x3;
|
||||
fake_stack.eflags = 0;
|
||||
fake_stack.eip = &usermode_function;
|
||||
fake_stack.cs = user_code_segment | 0x3;
|
||||
|
||||
set_all_segments(user_data_segment | 0x3);
|
||||
run_iret(&fake_stack);
|
||||
{: .prettyprint}
|
||||
fake_stack.esp = usermode_stack_top;
|
||||
fake_stack.ss = user_data_segment | 0x3;
|
||||
fake_stack.eflags = 0;
|
||||
fake_stack.eip = &usermode_function;
|
||||
fake_stack.cs = user_code_segment | 0x3;
|
||||
|
||||
; Assembler code
|
||||
run_iret:
|
||||
add esp, 0x8
|
||||
iret
|
||||
{: .prettyprint .lang-nasm}
|
||||
set_all_segments(user_data_segment | 0x3);
|
||||
run_iret(&fake_stack);
|
||||
|
||||
|
||||
|
||||
:::nasm
|
||||
; Assembler code
|
||||
run_iret:
|
||||
add esp, 0x8
|
||||
iret
|
||||
|
||||
###Going back to ring0
|
||||
|
||||
|
||||