user mode로 돌아갈 때 page table을 돌려주는 함수이다.
; Disassembly (Intel syntax, "address: instruction") of a kernel return-to-user
; path. Its shape -- pop 14 GPRs, copy the iret frame onto a stack taken from
; gs:0x6004, rewrite CR3 with bit 12 set, swapgs, iretq -- matches the Linux
; KPTI trampoline (swapgs_restore_regs_and_return_to_usermode with the
; SWITCH_TO_USER_CR3_STACK macro); confirm against this kernel's symbol table.
; Why it exists: under KPTI the kernel and user address spaces use separate
; page tables, so leaving the kernel must switch CR3 to the user PGD and step
; off the per-CPU kernel stack before iretq. The absolute addresses are from
; one specific build; with KASLR they change on every boot.
0xffffffff81c00df0: pop r15                          ; restore GPRs from the register frame on the current stack:
0xffffffff81c00df2: pop r14                          ;   r15..rbx (callee-saved) first, then r11..rsi (caller-saved)
0xffffffff81c00df4: pop r13
0xffffffff81c00df6: pop r12
0xffffffff81c00df8: pop rbp
0xffffffff81c00df9: pop rbx
0xffffffff81c00dfa: pop r11
0xffffffff81c00dfc: pop r10
0xffffffff81c00dfe: pop r9
0xffffffff81c00e00: pop r8
0xffffffff81c00e02: pop rax
0xffffffff81c00e03: pop rcx
0xffffffff81c00e04: pop rdx
0xffffffff81c00e05: pop rsi                          ; [rsp] is now the rdi slot; rdi itself is restored at e6a
0xffffffff81c00e06: mov rdi,rsp                      ; rdi = pointer to the rest of the frame (rdi slot, then iret frame at +0x10)
0xffffffff81c00e09: mov rsp,QWORD PTR gs:0x6004      ; switch to a per-CPU stack pointer held at gs:0x6004 (presumably the PTI trampoline stack -- confirm)
0xffffffff81c00e12: push QWORD PTR [rdi+0x30]        ; copy the 5-qword iret frame onto the new stack, top down:
0xffffffff81c00e15: push QWORD PTR [rdi+0x28]        ;   +0x30 ss, +0x28 rsp, +0x20 rflags, +0x18 cs, +0x10 rip
0xffffffff81c00e18: push QWORD PTR [rdi+0x20]        ;   (slot names assume a pt_regs layout with rdi at +0 and
0xffffffff81c00e1b: push QWORD PTR [rdi+0x18]        ;   orig_ax at +0x8, which is deliberately not copied -- verify)
0xffffffff81c00e1e: push QWORD PTR [rdi+0x10]
0xffffffff81c00e21: push QWORD PTR [rdi]             ; saved rdi, placed just below the iret frame
0xffffffff81c00e23: push rax                         ; rax is scratch for the CR3 logic below; stash the user value
0xffffffff81c00e24: xchg ax,ax                       ; 2-byte NOP: alternatives patch site (a "skip CR3 switch" jmp was presumably NOPed out, i.e. PTI is active in this build)
0xffffffff81c00e26: mov rdi,cr3                      ; rdi = current (kernel) CR3
0xffffffff81c00e29: jmp 0xffffffff81c00e5f           ; live jmp bypasses the PCID/ASID block e2b..e58 (looks like the PCID alternative was not applied -- confirm)
0xffffffff81c00e2b: mov rax,rdi                      ; -- PCID path; unreachable while the jmp above is live --
0xffffffff81c00e2e: and rdi,0x7ff                    ; rdi = low 11 bits of CR3 (the PCID/ASID field)
0xffffffff81c00e35: bt QWORD PTR gs:0x28956,rdi      ; test a per-CPU bitmask at gs:0x28956 for this ASID (presumably "TLB flush needed")
0xffffffff81c00e3f: jae 0xffffffff81c00e50           ; CF=0: bit clear, no flush pending
0xffffffff81c00e41: btr QWORD PTR gs:0x28956,rdi     ; bit set: clear it ...
0xffffffff81c00e4b: mov rdi,rax                      ; ... and write CR3 without bit 63, which flushes this PCID's TLB entries
0xffffffff81c00e4e: jmp 0xffffffff81c00e58
0xffffffff81c00e50: mov rdi,rax
0xffffffff81c00e53: bts rdi,0x3f                     ; bit 63 set = no-flush CR3 write; keep TLB entries for this PCID
0xffffffff81c00e58: or rdi,0x800                     ; bit 11: presumably selects the user ASID variant
0xffffffff81c00e5f: or rdi,0x1000                    ; bit 12: select the user page table (PTI user PGD, presumably kernel PGD + 4 KiB -- confirm)
0xffffffff81c00e66: mov cr3,rdi                      ; address-space switch; under PTI only user mappings plus the entry/exit text remain reachable
0xffffffff81c00e69: pop rax                          ; restore rax and rdi from the trampoline stack;
0xffffffff81c00e6a: pop rdi                          ;   rsp now points at the copied rip
0xffffffff81c00e6b: swapgs                           ; swap kernel GS base for the user one
0xffffffff81c00e6e: jmp 0xffffffff81c00e90           ; common iretq tail
0xffffffff81c00e70: pop r15                          ; second entry point: return-to-kernel variant --
0xffffffff81c00e72: pop r14                          ;   all 15 GPRs restored in place, no stack/CR3/GS switch
0xffffffff81c00e74: pop r13
0xffffffff81c00e76: pop r12
0xffffffff81c00e78: pop rbp
0xffffffff81c00e79: pop rbx
0xffffffff81c00e7a: pop r11
0xffffffff81c00e7c: pop r10
0xffffffff81c00e7e: pop r9
0xffffffff81c00e80: pop r8
0xffffffff81c00e82: pop rax
0xffffffff81c00e83: pop rcx
0xffffffff81c00e84: pop rdx
0xffffffff81c00e85: pop rsi
0xffffffff81c00e86: pop rdi
0xffffffff81c00e87: add rsp,0x8                      ; drop the one slot between rdi and rip (orig_ax, assuming pt_regs layout)
0xffffffff81c00e8b: jmp 0xffffffff81c00e90
0xffffffff81c00e8d: nop DWORD PTR [rax]              ; alignment padding; never executed
0xffffffff81c00e90: test BYTE PTR [rsp+0x20],0x4     ; rsp -> rip, so +0x20 is the ss slot; bit 2 of a selector is TI (LDT)
0xffffffff81c00e95: jne 0xffffffff81c00e99           ; LDT-based SS: out-of-line return path at e99 (not in this listing; presumably the espfix handling)
0xffffffff81c00e97: iretq                            ; normal case: pops rip, cs, rflags, rsp, ss and drops to user mode
; Same kernel return-to-user path again, starting at the stack/CR3 switch
; (the 14 leading register pops are omitted). Shape matches the Linux KPTI
; trampoline (swapgs_restore_regs_and_return_to_usermode, SWITCH_TO_USER_CR3_STACK);
; confirm against this kernel's symbols. Entry precondition, from the offsets
; used below: [rsp] is the saved rdi, [rsp+0x8] is skipped (orig_ax in a
; pt_regs layout), and [rsp+0x10..0x30] is the iret frame rip/cs/rflags/rsp/ss.
; Absolute addresses belong to one build; under KASLR they differ per boot.
0xffffffff81c00e06: mov rdi,rsp                      ; rdi = pointer to the remaining frame (rdi slot + iret frame)
0xffffffff81c00e09: mov rsp,QWORD PTR gs:0x6004      ; switch to the per-CPU stack pointer at gs:0x6004 (presumably the PTI trampoline stack -- confirm)
0xffffffff81c00e12: push QWORD PTR [rdi+0x30]        ; copy the iret frame onto the new stack, top down:
0xffffffff81c00e15: push QWORD PTR [rdi+0x28]        ;   +0x30 ss, +0x28 rsp, +0x20 rflags, +0x18 cs, +0x10 rip
0xffffffff81c00e18: push QWORD PTR [rdi+0x20]
0xffffffff81c00e1b: push QWORD PTR [rdi+0x18]
0xffffffff81c00e1e: push QWORD PTR [rdi+0x10]
0xffffffff81c00e21: push QWORD PTR [rdi]             ; saved rdi, just below the iret frame; +0x8 is not copied
0xffffffff81c00e23: push rax                         ; rax is scratch for the CR3 logic; stash the user value
0xffffffff81c00e24: xchg ax,ax                       ; 2-byte NOP: alternatives patch site (PTI-off shortcut presumably NOPed, i.e. PTI active)
0xffffffff81c00e26: mov rdi,cr3                      ; rdi = current (kernel) CR3
0xffffffff81c00e29: jmp 0xffffffff81c00e5f           ; live jmp skips the PCID/ASID block e2b..e58 (PCID alternative apparently not applied -- confirm)
0xffffffff81c00e2b: mov rax,rdi                      ; -- PCID path; unreachable while the jmp above is live --
0xffffffff81c00e2e: and rdi,0x7ff                    ; rdi = low 11 bits of CR3 (PCID/ASID field)
0xffffffff81c00e35: bt QWORD PTR gs:0x28956,rdi      ; test per-CPU bitmask at gs:0x28956 for this ASID (presumably "flush needed")
0xffffffff81c00e3f: jae 0xffffffff81c00e50           ; CF=0: no flush pending
0xffffffff81c00e41: btr QWORD PTR gs:0x28956,rdi     ; flush pending: clear the bit ...
0xffffffff81c00e4b: mov rdi,rax                      ; ... and write CR3 without bit 63 so this PCID's TLB entries are flushed
0xffffffff81c00e4e: jmp 0xffffffff81c00e58
0xffffffff81c00e50: mov rdi,rax
0xffffffff81c00e53: bts rdi,0x3f                     ; bit 63 = no-flush CR3 write
0xffffffff81c00e58: or rdi,0x800                     ; bit 11: presumably the user ASID variant
0xffffffff81c00e5f: or rdi,0x1000                    ; bit 12: select the user page table (PTI user PGD -- confirm)
0xffffffff81c00e66: mov cr3,rdi                      ; address-space switch to the user PGD
0xffffffff81c00e69: pop rax                          ; restore rax and rdi from the trampoline stack;
0xffffffff81c00e6a: pop rdi                          ;   rsp now points at the copied rip
0xffffffff81c00e6b: swapgs                           ; kernel GS base -> user GS base
0xffffffff81c00e6e: jmp 0xffffffff81c00e90           ; common iretq tail
0xffffffff81c00e70: pop r15                          ; second entry point: return-to-kernel variant --
0xffffffff81c00e72: pop r14                          ;   restores all 15 GPRs in place, no stack/CR3/GS switch
0xffffffff81c00e74: pop r13
0xffffffff81c00e76: pop r12
0xffffffff81c00e78: pop rbp
0xffffffff81c00e79: pop rbx
0xffffffff81c00e7a: pop r11
0xffffffff81c00e7c: pop r10
0xffffffff81c00e7e: pop r9
0xffffffff81c00e80: pop r8
0xffffffff81c00e82: pop rax
0xffffffff81c00e83: pop rcx
0xffffffff81c00e84: pop rdx
0xffffffff81c00e85: pop rsi
0xffffffff81c00e86: pop rdi
0xffffffff81c00e87: add rsp,0x8                      ; drop the slot between rdi and rip (orig_ax, assuming pt_regs layout)
0xffffffff81c00e8b: jmp 0xffffffff81c00e90
0xffffffff81c00e8d: nop DWORD PTR [rax]              ; alignment padding; never executed
0xffffffff81c00e90: test BYTE PTR [rsp+0x20],0x4     ; rsp -> rip, so +0x20 is ss; bit 2 of a selector is TI (LDT)
0xffffffff81c00e95: jne 0xffffffff81c00e99           ; LDT-based SS: out-of-line path at e99 (not shown; presumably espfix)
0xffffffff81c00e97: iretq                            ; pops rip, cs, rflags, rsp, ss and returns to user mode
pop 부분 그냥 건너뛰고, mov rdi, rsp
부터 시작하면 편하다.
payload 뒤에 넘길때 dummy 0x10 bytes 주고, trap frame 넘겨주면 된다.
필요에 따라 잘 잘라서 사용하면 된다.
rsp 값의 변경을 할 필요가 없을때는 당연히 처음부분 건너뛰고 스택상황 맞춰줘도 동작한다.