I am doing a training task in which you need to run program code in ring 0. I do it using a fake stack.

I put the function address on my fake stack. And then there is this problem: in the Debug version, everything is fine, and control passes to the desired function. Here is a screenshot from WinDbg; the address of the function, which is on the stack, is underlined in red: [image: Assembly code in WinDbg]

Now when I compile the Release version, control passes to this place: [image]

I understand that there are differences between the Release and Debug builds of the program, but in Release I did not see any meaningful code as such, although in IDA everything is in place.

UPD:

```cpp
auto kernelImageBase = GetKernelBase();
DbgPrintEx = (DbgPrintExType)GetImportSymbol(kernelImageBase, "DbgPrintEx");
ZwQuerySystemInformation = (ZwQuerySystemInformationType)GetImportSymbol(kernelImageBase, "ZwQuerySystemInformation");
MyDbgPrint("ZwQuerySystemInformation address is 0x%p.", ZwQuerySystemInformation);
```

  • Give the source code corresponding to the compiled fragment on the screenshots. - ߊߚߤߘ
  • Added the first 4 lines - Alexey Sarovsky
