windows内核探索--打印windows的GDT表(全局描述符表)

 x86

#include <windows.h>
#include<stdio.h>
#include "x86struct.h"
void PrintSegmentDescriptor(ULONG64* sd, WORD Count);
SegmentSelector GetSegmentSelector(USHORT  Selector);
int main()
{printf("0环cs段寄存器 ");GetSegmentSelector(8);//0环cs printf("0环ss段寄存器 ");GetSegmentSelector(0x10);//0环ssprintf("3环cs段寄存器 ");GetSegmentSelector(0x1b);//3环csprintf("3环ss段寄存器 ");GetSegmentSelector(0x23);//3环ssprintf("   ds段寄存器 ");GetSegmentSelector(0x23);//3环 0环都一样printf("   es段寄存器 ");GetSegmentSelector(0x23);//3环 0环都一样printf("  \n ");ULONG64 sd[] ={0x0000000000000000 ,0x00cf9b000000ffff,0x00cf93000000ffff,0x00cffb000000ffff,0x00cff3000000ffff,0x80008bb98c0020ab,0x804093b9b0004fff,0x0040f30000000fff,0x0000f2000400ffff,0x0000000000000000,0x800089b9ad200067,0x800089b9acb00067,0x0000000000000000,0x0000000000000000,0x800092b9880003ff,0x0000000000000000,0x0000000000000000,0x0000000000000000,0x0000000000000000,0x0000000000000000,0x800089b9ad900067,0x0000000000000000};PrintSegmentDescriptor(sd,_countof(sd));
}//拆解段选择子
SegmentSelector GetSegmentSelector(USHORT  Selector)
{SegmentSelector sec = { 0 };sec.value = Selector;// 通过 structSelector 直接访问匿名结构体中的位域字段printf("RPL = %d ", sec.RPL);printf("TI = 0x%x ", sec.TI);printf("Index =0x%x\n", sec.index);return sec;
};void PrintSegmentDescriptor(ULONG64* sd ,WORD Count)
{SegmentDescriptor32 sc;DWORD BaseAddress = 0;DWORD SegLimit = 0;SegmentSelector Ss = { 0 };for (size_t i = 0; i < Count; i++, sd++){sc.heightValue = *sd >> 32;sc.lowValue = (DWORD)(*sd);BaseAddress = (DWORD)sc.high.base_high << 24;BaseAddress |= (DWORD)sc.high.base_mid << 16;BaseAddress |= (DWORD)sc.low.base_low;SegLimit =(DWORD)sc.high.limit_high << 16;SegLimit |= (DWORD)sc.low.limit_low;Ss.index = i;Ss.TI = 0;printf("[%d] BaseAddress=0x%x limit=0x%x ",i, BaseAddress, SegLimit);printf("G:%d D/B:%d  AVL:%d ", sc.high.g, sc.high.db, sc.high.avl);//判断p位是否存在if (sc.high.p == 0){printf("段描述符无效\n");continue;}//判断是不是 系统描述符if (sc.high.s == 0){printf("系统描述符\n");continue;}//判断是不是数据段描述符if (sc.high.type < 8){switch (sc.high.type){case 0:printf("只读 数据段\n"); break;case 1:printf("只读 已访问 数据段\n"); break;case 2:printf("可读 可写 数据段\n"); break;case 3:printf("可读 可写 已访问 数据段\n"); break;case 4: printf("只读 向下扩展 数据段\n"); break;case 5:printf("只读 向下扩展 已访问 数据段\n"); break;case 6:printf("可读/可写 向下扩展 数据段\n"); break;case 7:printf("可读/可写 向下扩展 已访问 数据段\n"); break;default:break;}}//代码段描述符else{switch (sc.high.type){case 8:printf("只可执行 代码段\n"); break;case 9:printf("只可执行 已访问 代码段\n"); break;case 10:printf("可执行 可读 代码段\n"); break;case 11:printf("可执行 可读 已访问 代码段\n"); break;case 12:printf("只可执行 一致 代码段\n"); break;case 13:printf("只可执行 一致 已访问 代码段n"); break;case 14:printf("可执行 可读 一致 代码段\n"); break;case 15:printf("可执行 可读 一致 已访问代码段\n"); break;default:break;}}}
}

#pragma once#ifndef qq1490900437
#define qq1490900437//段选择子
typedef union _SegmentSelector
{struct {unsigned short RPL : 2;  // 请求特权级unsigned short TI : 1;   // 表指示符 (0: GDT, 1: LDT)unsigned short index : 13; // 段描述符表的索引};unsigned short value; 作为完整的16位值访问}SegmentSelector, * pSegmentSelector;GDTR寄存器
typedef struct _DescriptorTableRegister32
{unsigned int baseAddress;unsigned short tableLimt;
}GDTR32, * pGDTR32;typedef struct _DescriptorTableRegister64
{unsigned __int64  baseAddress64;unsigned short tableLimt;
}GDTR64, * pGDTR64;//段描述符32位
typedef struct _SegmentDescriptor32
{// 低 4 字节union{struct{// 在这里定义低字节的具体字段unsigned short limit_low; // 段界限的低 16 位unsigned short base_low;  // 基地址的低 16 位} low; // 用于分解访问unsigned long lowValue; // 作为完整的低 4 字节访问};// 高 4 字节union{struct{unsigned char base_mid;     // 基地址的中间 8 位unsigned char type : 4;     // 段类型unsigned char s : 1;        // 系统段/用户段标志unsigned char dpl : 2;      // 特权级别unsigned char p : 1;        // 存在位unsigned char limit_high : 4; // 段界限的高 4 位unsigned char avl : 1;      // 可用位unsigned char reserved : 1;  // 保留位unsigned char db : 1;       // 方向/大小位unsigned char g : 1;        // 粒度位unsigned char base_high;    // 基地址的高 8 位} high; // 用于分解访问unsigned long heightValue; // 作为完整的高 4 字节访问};} SegmentDescriptor32, * pSegmentDescriptor32;//段描述符64位
typedef struct _SegmentDescriptor64
{// 低 4 字节union{struct{// 在这里定义低字节的具体字段unsigned short limit_low; // 段界限的低 16 位unsigned short base_low;  // 基地址的低 16 位} low; // 用于分解访问unsigned long lowValue; // 作为完整的低 4 字节访问};// 高 4 字节union{struct{unsigned char base_mid;     // 基地址的中间 8 位unsigned char type : 4;     // 段类型unsigned char s : 1;        // 系统段/用户段标志unsigned char dpl : 2;      // 特权级别unsigned char p : 1;        // 存在位unsigned char limit_high : 4; // 段界限的高 4 位unsigned char avl : 1;      // 可用位unsigned char L : 1;  // 保留位unsigned char db : 1;       // 方向/大小位unsigned char g : 1;        // 粒度位unsigned char base_high;    // 基地址的高 8 位} high; // 用于分解访问unsigned long heightValue; // 作为完整的高 4 字节访问};} SegmentDescriptor64, * pSegmentDescriptor64;#endif // qq1490900437