Protected Mode
Segments
Segment Registers
Segment register structure
When we inspect the segment registers in OllyDbg (OD), they are displayed as 32-bit values. But are they really 32 bits wide?
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2Fe11b8aa3-d4ab-46cd-a5f7-f0c08da36630%2Fimage.png?table=block&id=12c533f9-4e40-8025-9480-eb7eeef901ce&t=12c533f9-4e40-8025-9480-eb7eeef901ce&width=303&cache=v2)
The Intel manual describes the structure of a segment register as follows: a 16-bit visible part (the selector) and an 80-bit hidden part.
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2Fa595fef7-ac41-4be1-b9fe-f38fec7a6443%2Fimage.png?table=block&id=12c533f9-4e40-805a-87c5-d2fa7f6b70be&t=12c533f9-4e40-805a-87c5-d2fa7f6b70be&width=707.9874877929688&cache=v2)
The corresponding structure diagram:
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2F3e1c5121-f5bf-497e-bca6-d0c3c081a1ab%2Fimage.png?table=block&id=12c533f9-4e40-802d-8fcf-e05e4e1f6062&t=12c533f9-4e40-802d-8fcf-e05e4e1f6062&width=252&cache=v2)
Win7 x86 R3 segment registers

| Segment | Selector | Base | Limit | Attribute |
| --- | --- | --- | --- | --- |
| CS | 0x001B | 0 | 0xFFFFFFFF | readable, executable |
| DS | 0x0023 | 0 | 0xFFFFFFFF | readable, writable |
| SS | 0x0023 | 0 | 0xFFFFFFFF | readable, writable |
| ES | 0x0023 | 0 | 0xFFFFFFFF | readable, writable |
| FS | 0x003B | 0x7FFDF000 | 0xFFF | readable, writable |
| GS | - | - | - | - |
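As an added example (not code from the original article), the following C model shows what the two parts of a segment register contain: the 16-bit visible selector splits into index, TI and RPL, and loading it makes the CPU copy base, limit and attributes out of the 8-byte descriptor into the 80-bit hidden part, which is exactly the part OllyDbg does not show. The GDT entries in `fake_gdt` are constructed here to reproduce the Win7 x86 R3 table above; they are not dumped from a real system, and the LDT is not modeled.

```c
#include <stdint.h>
#include <stdio.h>

/* Visible part of a segment register: the 16-bit selector. */
typedef struct {
    uint16_t index;   /* bits 15..3: entry number in the descriptor table */
    uint8_t  ti;      /* bit 2: 0 = GDT, 1 = LDT */
    uint8_t  rpl;     /* bits 1..0: requested privilege level */
} selector_t;

/* Hidden part (80 bits): what the CPU caches from the descriptor on load. */
typedef struct {
    uint32_t base;
    uint32_t limit;   /* expanded to bytes when G = 1 */
    uint16_t attr;    /* low byte: type, S, DPL, P; bits 8..11: AVL, L, D/B, G */
    uint8_t  present;
} hidden_part_t;

selector_t decode_selector(uint16_t sel)
{
    selector_t s;
    s.index = (uint16_t)(sel >> 3);
    s.ti    = (uint8_t)((sel >> 2) & 1);
    s.rpl   = (uint8_t)(sel & 3);
    return s;
}

/* Parse one 8-byte descriptor (as a little-endian 64-bit value) into the hidden part. */
hidden_part_t parse_descriptor(uint64_t d)
{
    hidden_part_t h;
    uint32_t limit = (uint32_t)(d & 0xFFFF) | ((uint32_t)((d >> 48) & 0xF) << 16);
    int g = (int)((d >> 55) & 1);               /* granularity: 1 = limit counts 4 KiB pages */
    h.base    = (uint32_t)((d >> 16) & 0xFFFF)
              | ((uint32_t)((d >> 32) & 0xFF) << 16)
              | ((uint32_t)((d >> 56) & 0xFF) << 24);
    h.limit   = g ? ((limit << 12) | 0xFFF) : limit;
    h.attr    = (uint16_t)(((d >> 40) & 0xFF) | (((d >> 52) & 0xF) << 8));
    h.present = (uint8_t)((d >> 47) & 1);
    return h;
}

/* Constructed GDT (assumption): only the entries needed for the Win7 x86 R3 table. */
static const uint64_t fake_gdt[8] = {
    0, 0, 0,
    0x00CFFB000000FFFFULL, /* index 3: code, DPL 3, base 0, limit 4 GiB -> CS 0x001B */
    0x00CFF3000000FFFFULL, /* index 4: data, DPL 3, base 0, limit 4 GiB -> DS/SS/ES 0x0023 */
    0, 0,
    0x7F40F3FDF0000FFFULL, /* index 7: data, DPL 3, base 0x7FFDF000, limit 0xFFF -> FS 0x003B */
};

/* What "mov gs, ax" does: look the selector up and fill the hidden part. */
hidden_part_t load_segment(uint16_t sel)
{
    selector_t s = decode_selector(sel);
    hidden_part_t empty = {0, 0, 0, 0};
    if (s.ti != 0 || s.index >= 8)   /* no LDT here; outside the table means a fault */
        return empty;
    return parse_descriptor(fake_gdt[s.index]);
}

/* S bit (attr bit 4) set and type bit 3 set: a code segment. */
int seg_is_code(hidden_part_t h) { return ((h.attr >> 4) & 1) && ((h.attr >> 3) & 1); }
int seg_dpl(hidden_part_t h)     { return (h.attr >> 5) & 3; }

int main(void)
{
    const uint16_t sels[] = { 0x001B, 0x0023, 0x003B };
    for (size_t i = 0; i < sizeof sels / sizeof sels[0]; i++) {
        selector_t s = decode_selector(sels[i]);
        hidden_part_t h = load_segment(sels[i]);
        printf("selector %04X: index %u TI %u RPL %u -> base %08X limit %08X %s DPL %d\n",
               sels[i], s.index, s.ti, s.rpl, h.base, h.limit,
               seg_is_code(h) ? "code" : "data", seg_dpl(h));
    }
    return 0;
}
```

Running it prints one line per selector from the table; note that CS and DS differ only in the index (3 versus 4) and in the type bits of the descriptor they name, which is why a 16-bit number is enough for the visible part while the CPU keeps base, limit and attributes hidden.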
Reading and writing segment registers
Reading segment registers
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2Fea8b1895-0a50-4d98-ba45-e94b28c802f4%2Fimage.png?table=block&id=12f533f9-4e40-80c5-a519-f66a890dc980&t=12f533f9-4e40-80c5-a519-f66a890dc980&width=707.9625244140625&cache=v2)
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2F1e718d0e-f6c0-4a98-95c9-7a7d557036c3%2Fimage.png?table=block&id=12f533f9-4e40-80be-bd79-e9c44e7f6962&t=12f533f9-4e40-80be-bd79-e9c44e7f6962&width=707.9500122070312&cache=v2)
Writing segment registers
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2F3059602c-b3a1-40d4-854b-1a12714cae7d%2Fimage.png?table=block&id=12f533f9-4e40-80dc-aed0-dfe83041eb71&t=12f533f9-4e40-80dc-aed0-dfe83041eb71&width=707.9750366210938&cache=v2)
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2F912d5382-acce-42ed-bc7c-b5c41a13025e%2Fimage.png?table=block&id=12f533f9-4e40-8033-8a83-e10b25eb44b5&t=12f533f9-4e40-8033-8a83-e10b25eb44b5&width=707.9125366210938&cache=v2)
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2Fe37dd251-8d99-44fd-a9c7-0688bcbb432d%2Fimage.png?table=block&id=12f533f9-4e40-80f8-bde1-fb28edc96d79&t=12f533f9-4e40-80f8-bde1-fb28edc96d79&width=470&cache=v2)
Probing segment register attributes
We saw above that a segment register has structure: it carries not only a value but also attributes.
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2Fe461c4b7-3cc3-44f9-9ebf-37f6b73dad95%2Fimage.png?table=block&id=12f533f9-4e40-8043-a07e-fa4638fd39bd&t=12f533f9-4e40-8043-a07e-fa4638fd39bd&width=707.9750366210938&cache=v2)
Attribute
We use the CS segment register for the experiment, since it is readable and executable: first move the selector in CS into AX, then load GS from AX so that GS refers to the same segment as CS.
We can set a breakpoint here and run the program directly.
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2F85274de7-d31c-4705-9af0-eda01bc6a4ba%2Fimage.png?table=block&id=12f533f9-4e40-80e6-950e-fc1727f763f5&t=12f533f9-4e40-80e6-950e-fc1727f763f5&width=439&cache=v2)
This confirms that the CS segment is readable and executable, but not writable.
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2F8c6e550e-c05e-45d3-a1f1-fa8a95f1f9b0%2Fimage.png?table=block&id=12f533f9-4e40-8011-bc62-e802259adb40&t=12f533f9-4e40-8011-bc62-e802259adb40&width=707.9500122070312&cache=v2)
Base
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2F506b4678-5c08-4b76-9946-5085a5fb8519%2Fimage.png?table=block&id=12f533f9-4e40-8097-a043-e6272c472eb7&t=12f533f9-4e40-8097-a043-e6272c472eb7&width=417&cache=v2)
Limit
If an access goes past the segment limit, the read fails.
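The two experiments above (writing through GS after loading it with CS's selector, and reading through FS past its 0xFFF limit) can be modeled as the checks the processor makes against the cached hidden part. This is an added example in C, not code from the article: `segment_access` and the segment values are constructed from the Win7 x86 R3 table above, and expand-down segments and the DPL/CPL privilege checks are deliberately left out.

```c
#include <stdint.h>
#include <stdio.h>

typedef enum { ACC_READ, ACC_WRITE, ACC_EXEC } access_t;
typedef enum { SEG_OK = 0, SEG_FAULT_NOT_PRESENT, SEG_FAULT_RIGHTS, SEG_FAULT_LIMIT } seg_result_t;

/* Cached hidden part of a segment register, as the CPU sees it after a load. */
typedef struct {
    uint32_t base;
    uint32_t limit;
    uint8_t  type;     /* descriptor type nibble: bit 3 = code; bit 1 = W (data) / R (code) */
    uint8_t  present;
} segment_t;

/* Check one access of `size` bytes at `offset` through segment `s`.
 * On success the linear address (base + offset) is written to *linear. */
seg_result_t segment_access(const segment_t *s, uint32_t offset, uint32_t size,
                            access_t acc, uint32_t *linear)
{
    if (!s->present)
        return SEG_FAULT_NOT_PRESENT;

    int is_code = (s->type >> 3) & 1;
    int rw_bit  = (s->type >> 1) & 1;     /* data: writable, code: readable */
    int allowed = 0;
    switch (acc) {
    case ACC_READ:  allowed = is_code ? rw_bit : 1; break;
    case ACC_WRITE: allowed = is_code ? 0 : rw_bit; break;   /* code is never writable */
    case ACC_EXEC:  allowed = is_code; break;
    }
    if (!allowed)
        return SEG_FAULT_RIGHTS;

    /* Expand-up segments only: every byte of the access must lie within the limit. */
    if (size == 0 || offset > s->limit || (uint64_t)offset + size - 1 > s->limit)
        return SEG_FAULT_LIMIT;

    if (linear)
        *linear = s->base + offset;
    return SEG_OK;
}

/* Win7 x86 R3 values from the table above (constructed here, not dumped). */
static const segment_t cs_seg = { 0x00000000, 0xFFFFFFFF, 0xB, 1 };  /* code, readable */
static const segment_t ds_seg = { 0x00000000, 0xFFFFFFFF, 0x3, 1 };  /* data, writable */
static const segment_t fs_seg = { 0x7FFDF000, 0x00000FFF, 0x3, 1 };  /* data, 4 KiB limit */

/* Experiment 1: mov ax, cs / mov gs, ax. GS now caches CS's descriptor, so a
 * read through it succeeds and a write through it faults. */
seg_result_t gs_from_cs(access_t acc)
{
    segment_t gs = cs_seg;
    return segment_access(&gs, 0, 4, acc, NULL);
}

/* Experiment 2: a byte read at fs:[offset]; it fails once offset exceeds 0xFFF. */
seg_result_t fs_read(uint32_t offset, uint32_t *linear)
{
    return segment_access(&fs_seg, offset, 1, ACC_READ, linear);
}

/* Linear address of fs:[offset], or 0 when the access is rejected. */
uint32_t fs_linear(uint32_t offset)
{
    uint32_t lin = 0;
    return fs_read(offset, &lin) == SEG_OK ? lin : 0;
}

int main(void)
{
    static const char *names[] = { "OK", "not present", "access rights", "limit" };
    printf("gs<-cs read     : %s\n", names[gs_from_cs(ACC_READ)]);
    printf("gs<-cs write    : %s\n", names[gs_from_cs(ACC_WRITE)]);
    printf("fs:[0x18]       : %s (linear %08X)\n", names[fs_read(0x18, NULL)], fs_linear(0x18));
    printf("fs:[0x1000]     : %s\n", names[fs_read(0x1000, NULL)]);
    printf("ds:[0xFFFFFFFF] 2 bytes: %s\n",
           names[segment_access(&ds_seg, 0xFFFFFFFFu, 2, ACC_WRITE, NULL)]);
    return 0;
}
```

The last line of output shows the edge case the limit check has to get right: a single byte at offset 0xFFFFFFFF is inside a 4 GiB segment, but a two-byte access starting there wraps past the limit and must fault.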
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2F06b97ad6-a879-43c3-99ff-f6b91ee17fec%2Fimage.png?table=block&id=12f533f9-4e40-80ae-8e10-df5170417594&t=12f533f9-4e40-80ae-8e10-df5170417594&width=707.9625244140625&cache=v2)
- Author: 5m10v3
- URL: https://5m10v3.top/article/12b533f9-4e40-80bc-b8ab-e4321f687942
- Copyright: All articles on this blog, unless otherwise stated, are licensed under BY-NC-SA. Please credit the source!