A forum for reverse engineering, OS internals and malware analysis 

Ask your beginner questions here.
 #10361  by madaboo
 Wed Dec 14, 2011 1:21 pm
Hi,

Today I've got new question:
What's wrong with this code:
Code:

typedef struct _idt_entry
{
	USHORT base_lo;
	USHORT sel;
	UCHAR always0;
	UCHAR flags;
	USHORT base_hi;
} idt_entry, *pidt_entry;

typedef struct _idt_ptr
{
	USHORT limit;
	ULONG_PTR base;
} idt_ptr, *pidt_ptr;

//...
void fun()
{
	//..
	idt_ptr p_idt;
	RtlZeroMemory(&p_idt, sizeof(idt_ptr));
	__sidt(&p_idt);

	KERNEL_DEBUG(("IDT base address is : %x, limit : %x\n", p_idt.base, p_idt.limit));
	//..
}

Output is as follows: IDT base address is : 8003, limit : 7ff
In windbg idtr is 8003f400...

So what is going on?
Thanks for any help!
 #10363  by EP_X0FF
 Wed Dec 14, 2011 1:52 pm
Replace your declaration with
Code:
typedef struct _DESCRIPTOR {
    USHORT  Pad;
    USHORT  Limit;
    ULONG   Base;
} KDESCRIPTOR, *PKDESCRIPTOR;
 #10366  by Brock
 Wed Dec 14, 2011 4:17 pm
Madaboo,

Assuming you're on x86 it looks like the IDT base address is being truncated because of wrong structure size. Check sizeof(_idt_ptr)... if it's not 6 bytes this would explain why. Most likely it is using an 8 byte structure instead which is not what you want, obviously.
 #10402  by madaboo
 Fri Dec 16, 2011 9:34 am
Yeah, it was because of alignment issues, using pragma pack solved the problem.

Thanks a lot to everybody!
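A user-mode reproduction of the truncation worked out in the posts above (an added example, not code from the thread): the 6-byte image that SIDT stores is copied into the default-aligned struct from the first post and into the same struct under #pragma pack(1). The fake_sidt stand-in for the __sidt intrinsic and its values (limit 7ff, base 8003f400) are constructed to match the thread, and the layout assumes 32-bit x86 (ULONG_PTR is 4 bytes).

```c
#include <stdint.h>
#include <string.h>

/* Layout from the first post (x86, so ULONG_PTR is 32-bit): default alignment
 * puts 'base' at offset 4, making the struct 8 bytes instead of the 6 SIDT stores. */
typedef struct _idt_ptr_padded {
    uint16_t limit;             /* offset 0 */
    uint32_t base;              /* offset 4, after 2 bytes of compiler padding */
} idt_ptr_padded;

/* Same fields under #pragma pack(1), the fix applied later in the thread. */
#pragma pack(push, 1)
typedef struct _idt_ptr_packed {
    uint16_t limit;             /* offset 0 */
    uint32_t base;              /* offset 2 */
} idt_ptr_packed;
#pragma pack(pop)

/* Stand-in for the __sidt intrinsic: SIDT stores a 6-byte pseudo-descriptor
 * (16-bit limit, then 32-bit base) at the pointer it is given and knows nothing
 * about the C struct behind it. Constructed image uses the thread's values. */
static void fake_sidt(void *dest)
{
    const uint8_t image[6] = { 0xff, 0x07,               /* limit = 0x07ff     */
                               0x00, 0xf4, 0x03, 0x80 };  /* base  = 0x8003f400 */
    memcpy(dest, image, sizeof image);
}

/* Only bytes 4..5 of the stored image overlap the padded 'base' field, so the
 * caller sees 0x8003 (exactly what the first post printed), not 0x8003f400. */
uint32_t base_via_padded(void)
{
    idt_ptr_padded p;
    memset(&p, 0, sizeof p);    /* RtlZeroMemory in the original */
    fake_sidt(&p);
    return p.base;              /* 0x8003 */
}

/* With the packed layout the base lands where the instruction put it. */
uint32_t base_via_packed(void)
{
    idt_ptr_packed p;
    memset(&p, 0, sizeof p);
    fake_sidt(&p);
    return p.base;              /* 0x8003f400 */
}
```

The same mismatch is why EP_X0FF's KDESCRIPTOR puts a Pad word first: with &Desc.Limit passed to __sidt, Limit and Base are then contiguous and naturally aligned without any pragma.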
 #10431  by madaboo
 Sat Dec 17, 2011 4:20 pm
One more question.

What about multi-processor/multi-core systems... how should these registers (I mean idtr and msr) be handled?

Thanks for every response.
 #10432  by rkhunter
 Sat Dec 17, 2011 4:42 pm
Attach thread to processor (KeSetSystemAffinityThread) and perform command.
 #10436  by madaboo
 Sat Dec 17, 2011 5:51 pm
rkhunter, thank you for the response.

I don't know if it is really possible, but I'm thinking about a case where you have a machine with e.g. 3 processors and 2 of them have support for sysenter and one does not? Is it even possible?
One additional question.. if I attach to a processor, then should I check the same thing on the next one? Sorry, probably this is stupid, but I just want to understand what I'm supposed to do. If I don't need to check it on the next processor, then why use attach to processor, and not simply the VS intrinsic __sidt?
Thank you again for the help.
 #10439  by rkhunter
 Sat Dec 17, 2011 6:21 pm
Code:
OBJECT_ATTRIBUTES oa = {0};
HANDLE hThread = 0;
NTSTATUS Status;
PVOID Context = NULL; //your context, optional

VOID WorkerRoutine( IN PVOID Context ); //forward declaration, defined below
	
InitializeObjectAttributes( &oa, NULL, OBJ_KERNEL_HANDLE, NULL, NULL );

Status = PsCreateSystemThread( &hThread, THREAD_ALL_ACCESS, &oa, NULL,
	NULL, (PKSTART_ROUTINE)WorkerRoutine, Context );

if( !NT_SUCCESS( Status ) )
{
	return;
}

Status = ZwWaitForSingleObject( hThread, FALSE, NULL );

ZwClose( hThread );


VOID
WorkerRoutine(
			IN PVOID Context
			)
{
	KAFFINITY active = KeQueryActiveProcessors();
	ULONG i;

	//KeSetSystemAffinityThread takes an affinity MASK, not a processor number,
	//so select one processor at a time with a single bit
	for( i = 0; i < (ULONG)KeNumberProcessors; i++ )
	{
		KAFFINITY mask = (KAFFINITY)1 << i;
		if( !(active & mask) )
			continue;

		KeSetSystemAffinityThread( mask );

		//your code, now running on processor i (e.g. __sidt / __readmsr)
	}
	KeRevertToUserAffinityThread(); //restore the thread's original affinity
	PsTerminateSystemThread( STATUS_SUCCESS );
}
 #10440  by madaboo
 Sat Dec 17, 2011 6:44 pm
rkhunter, thank you again,

Maybe my question wasn't clear. I would like to know if it is possible that you have two processors in your machine and one of them supports sysenter but the second does not. And if this situation is possible, then how is the system gonna work (I assume with int 2e) - is that correct, or maybe this situation is not possible?

Thank you.