通过更改CS在长模式和兼容模式之间切换。用户模式代码无法修改描述符表,但是可以对描述符表中已经存在的代码段执行远跳转或远调用。我认为,例如在Linux中,存在所需的兼容模式描述符。
这是Linux(Ubuntu)的示例代码。建立
$ gcc -no-pie switch_mode.c switch_cs.s
switch_mode.c:
#include <stdlib.h>#include <stdio.h>#include <stdbool.h>extern bool switch_cs(int cs, bool (*f)());extern bool check_mode();int main(int argc, char **argv){ int cs = 0x23; if (argc > 1) cs = strtoull(argv[1], 0, 16); printf("switch to CS=%02xn", cs); bool r = switch_cs(cs, check_mode); if (r) printf("cs=%02x: 64-bit moden", cs); else printf("cs=%02x: 32-bit moden", cs); return 0;}switch_cs.s:
.intel_syntax noprefix .pre64 .text .globl switch_csswitch_cs: push rbx push rbp mov rbp, rsp sub rsp, 0x18 mov rbx, rsp movq [rbx], offset .L1 mov [rbx+4], edi // Before the lcall, switch to a stack below 4GB. // This assumes that the data segment is below 4GB. mov rsp, offset stack+0xf0 lcall [rbx] // restore rsp to the original stack leave pop rbx ret .pre32.L1: call esi lret .pre64 .globl check_mode// returns false for 32-bit mode; true for 64-bit modecheck_mode: xor eax, eax // In 32-bit mode, this instruction is executed as // inc eax; test eax, eax test rax, rax setz al ret .data .align 16stack: .space 0x100
