OpenRCE_EliCZ
March 6th, 2008, 14:20
They told me they later crashed when they executed:
"
mov ax, gs
mov gs, ax
"
on x64 in kernel mode.
This is clear: a kernel-mode reload of gs replaces the GS base the kernel set up with swapgs by the descriptor base, so the kernel's subsequent gs-relative accesses go to the wrong place.
I tried to 'examine' user mode:
"
.CODE
;-----------------------------------------------------------------------
; wmain - user-mode experiment: what does a gs: access see after the GS
; selector is reloaded in 64-bit mode, and when does the base come back?
; Every ";yes"/";no" is the author's observation of whether that
; instruction ran without faulting (";no" lines are left disabled).
; ABI:   Win64 (MASM x64). Not a normal entry point: the final loop does
;        not terminate on its own, and rax holds whatever the last probe
;        loaded.
; Clobb: rax, rcx, rdx, r8, r9, flags, and the GS selector/base.
;-----------------------------------------------------------------------
wmain PROC
; (disabled) SetThreadAffinityMask(current-thread pseudo-handle, 1) -
; presumably to pin the thread to one CPU while probing; confirm.
;mov rdx, 1
;mov rcx, -2
;call __imp_SetThreadAffinityMask
; Baseline with the original GS: gs:[wmain] faults, gs:[33] reads fine,
; cs:[33] faults. This is consistent with the GS base pointing at the
; TEB while a cs: access uses base 0 (linear address 33 is not mapped).
;mov al, byte ptr gs:[wmain] ;no
;mov ah, gs:[33] ;yes
;mov ah, cs:[33] ;no
mov r8d, gs                         ; save the original GS selector for the restore below
mov r9d, cs                         ; a readable code-segment selector is a legal GS value
mov gs, r9d                         ; reload GS: in 64-bit mode this replaces the hidden GS
                                    ; base with the descriptor base (0 for the flat segments),
                                    ; so gs:[x] now addresses linear x, not TEB+x
;mov ah, gs:[33] ;no                ; linear 33 is unmapped -> fault, as expected with base 0
mov al, byte ptr gs:[wmain] ;yes    ; base 0: reads the first code byte of wmain itself
;mov cl, byte ptr gs:[wmain] ;yes
mov ah, gs:[33] ;yes ?! what is this?
; NOTE(review): a "yes" here means the GS base was no longer 0 at this
; point. The loop comment below ("until swapgs") suggests the author's
; explanation: a kernel transition in between (e.g. single-stepping
; under a debugger) brought the TEB base back. The ah/dh vs al/cl/ch
; pattern in these observations is not explained on this page.
;mov ch, byte ptr gs:[wmain] ;no
mov gs, r8d                         ; restore the original selector; this again loads the base
                                    ; from the descriptor, so the "yes" on gs:[33] below is
                                    ; presumably due to a kernel transition, not to this reload
mov dl, byte ptr gs:[wmain] ;yes
mov cl, byte ptr gs:[wmain] ;yes
mov dh, gs:[33]; yes
;mov ch, byte ptr gs:[wmain] ;no
;just for info - loop until swapgs
; Spin with GS reloaded so that an interrupt/context switch (and the
; kernel's swapgs on entry/exit) happens while the base is 0.
mov gs, r9d
xor ecx, ecx                        ; rcx = 0; loop decrements before testing -> ~2^64 iterations
@@:
mov al, byte ptr gs:[wmain]
loop @b
ret                                 ; effectively unreachable; GS selector is still the CS value here
wmain ENDP
"
https://www.openrce.org/blog/view/830/hm
"
mov ax, gs
mov gs, ax
"
on x64 in kernel mode.
This is clear: a kernel-mode reload of gs replaces the GS base the kernel set up with swapgs by the descriptor base, so the kernel's subsequent gs-relative accesses go to the wrong place.
I tried to 'examine' user mode:
"
.CODE
;-----------------------------------------------------------------------
; wmain - user-mode experiment: what does a gs: access see after the GS
; selector is reloaded in 64-bit mode, and when does the base come back?
; Every ";yes"/";no" is the author's observation of whether that
; instruction ran without faulting (";no" lines are left disabled).
; ABI:   Win64 (MASM x64). Not a normal entry point: the final loop does
;        not terminate on its own, and rax holds whatever the last probe
;        loaded.
; Clobb: rax, rcx, rdx, r8, r9, flags, and the GS selector/base.
;-----------------------------------------------------------------------
wmain PROC
; (disabled) SetThreadAffinityMask(current-thread pseudo-handle, 1) -
; presumably to pin the thread to one CPU while probing; confirm.
;mov rdx, 1
;mov rcx, -2
;call __imp_SetThreadAffinityMask
; Baseline with the original GS: gs:[wmain] faults, gs:[33] reads fine,
; cs:[33] faults. This is consistent with the GS base pointing at the
; TEB while a cs: access uses base 0 (linear address 33 is not mapped).
;mov al, byte ptr gs:[wmain] ;no
;mov ah, gs:[33] ;yes
;mov ah, cs:[33] ;no
mov r8d, gs                         ; save the original GS selector for the restore below
mov r9d, cs                         ; a readable code-segment selector is a legal GS value
mov gs, r9d                         ; reload GS: in 64-bit mode this replaces the hidden GS
                                    ; base with the descriptor base (0 for the flat segments),
                                    ; so gs:[x] now addresses linear x, not TEB+x
;mov ah, gs:[33] ;no                ; linear 33 is unmapped -> fault, as expected with base 0
mov al, byte ptr gs:[wmain] ;yes    ; base 0: reads the first code byte of wmain itself
;mov cl, byte ptr gs:[wmain] ;yes
mov ah, gs:[33] ;yes ?! what is this?
; NOTE(review): a "yes" here means the GS base was no longer 0 at this
; point. The loop comment below ("until swapgs") suggests the author's
; explanation: a kernel transition in between (e.g. single-stepping
; under a debugger) brought the TEB base back. The ah/dh vs al/cl/ch
; pattern in these observations is not explained on this page.
;mov ch, byte ptr gs:[wmain] ;no
mov gs, r8d                         ; restore the original selector; this again loads the base
                                    ; from the descriptor, so the "yes" on gs:[33] below is
                                    ; presumably due to a kernel transition, not to this reload
mov dl, byte ptr gs:[wmain] ;yes
mov cl, byte ptr gs:[wmain] ;yes
mov dh, gs:[33]; yes
;mov ch, byte ptr gs:[wmain] ;no
;just for info - loop until swapgs
; Spin with GS reloaded so that an interrupt/context switch (and the
; kernel's swapgs on entry/exit) happens while the base is 0.
mov gs, r9d
xor ecx, ecx                        ; rcx = 0; loop decrements before testing -> ~2^64 iterations
@@:
mov al, byte ptr gs:[wmain]
loop @b
ret                                 ; effectively unreachable; GS selector is still the CS value here
wmain ENDP
"
https://www.openrce.org/blog/view/830/hm