
Linear Address


Newbie
January 4th, 2001, 22:24
Hello everyone,
I have a simple question. How do you convert a 32-bit linear address into a segment:offset address?!?

Thanks,
Newbie

Solomon
January 4th, 2001, 22:43
There is a simple PDF manual: http://www.datarescue.com/idabase/idadown.htm

Solomon
January 4th, 2001, 22:46
Ooops! I posted in the wrong place. I mean the IDA manual, sorry.

The Owl
January 5th, 2001, 05:43
Quote:

I have a simple question. How do you convert a 32-bit linear address into a segment:offset address?!?


generally, you don't, as segment:offset addressing is used in real and V86 mode only (and covers roughly the lower 1 MB of linear address space); in protected mode you have the selector:offset form (which i think is what you meant). so, there are 2 cases here:

1. you already have a selector and want to find out which offset to use to end up at the target linear address. you have to find out the corresponding descriptor (in the GDT or LDT), then extract the base address of the segment described by this descriptor, subtract it from your target linear address, and if the result is not above the segment's limit, you have just got your offset (otherwise the target linear address is not accessible through this selector/descriptor).

2. you don't have any specific selector. then you have to find one in the execution environment in which this linear address is used. for this you have to enumerate all the descriptors in the GDT and LDT and find one that has the right type (code/data) and access rights (read/write and the DPL) and a base/limit for which the following holds:

base <= target linear address <= base+limit. once you find such a descriptor, go to the previous step to find the corresponding offset in it.
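
The two cases above, worked through in C as an added example (this is not code from the original thread or from any project it mentions). It decodes 8-byte GDT/LDT descriptors as laid out by the CPU, then implements case 1 (selector in hand: base subtraction plus limit check) and case 2 (scan the table for a usable descriptor covering the linear address). The descriptor table `demo_gdt`, the linear addresses and the privilege-level rule used for the scan are constructed for the demonstration; the scan applies the data-segment rule (DPL >= CPL) only and skips expand-down and system descriptors, which is a simplification of the full access-rights checks.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Decoded view of one 8-byte x86 segment descriptor as stored in the GDT or LDT. */
typedef struct {
    uint32_t base;        /* 32-bit base, assembled from bytes 2, 3, 4 and 7 */
    uint32_t limit;       /* highest valid offset, already scaled by the G bit */
    int      present;     /* P bit */
    int      dpl;         /* descriptor privilege level, 0..3 */
    int      system;      /* S=0: TSS/LDT/gate, not a memory segment */
    int      code;        /* S=1 and type bit 3 set: code segment, else data */
    int      expand_down; /* data segment with the E bit set (limit semantics inverted) */
} seg_desc_t;

/* Byte layout: 0-1 limit[15:0], 2-3 base[15:0], 4 base[23:16], 5 access byte,
   6 = flags (G, D/B, L, AVL) in the high nibble | limit[19:16] in the low nibble, 7 base[31:24]. */
static seg_desc_t decode_descriptor(const uint8_t raw[8])
{
    seg_desc_t d;
    uint32_t limit = (uint32_t)raw[0] | ((uint32_t)raw[1] << 8)
                   | ((uint32_t)(raw[6] & 0x0F) << 16);
    int g = (raw[6] >> 7) & 1;            /* granularity: 1 = limit counts 4 KB pages */
    d.base = (uint32_t)raw[2] | ((uint32_t)raw[3] << 8)
           | ((uint32_t)raw[4] << 16) | ((uint32_t)raw[7] << 24);
    d.limit = g ? ((limit << 12) | 0xFFFu) : limit;
    d.present = (raw[5] >> 7) & 1;
    d.dpl = (raw[5] >> 5) & 3;
    d.system = !((raw[5] >> 4) & 1);
    d.code = !d.system && ((raw[5] >> 3) & 1);
    d.expand_down = !d.system && !d.code && ((raw[5] >> 2) & 1);
    return d;
}

/* Case 1: given a selector, return the offset that reaches `linear` through it, or -1
   when the descriptor is absent, not a memory segment, or does not cover the address. */
static long long linear_to_offset(const uint8_t *table, size_t entries,
                                  uint16_t selector, uint32_t linear)
{
    size_t index = selector >> 3;   /* bits 15:3 index the table; bit 2 = TI, bits 1:0 = RPL */
    if (index >= entries) return -1;
    seg_desc_t d = decode_descriptor(table + index * 8);
    if (!d.present || d.system || d.expand_down) return -1;
    if (linear < d.base || linear - d.base > d.limit) return -1;
    return (long long)(linear - d.base);
}

/* Case 2: no selector in hand. Scan the table for a present memory segment of the wanted
   kind that code running at `cpl` may use and whose [base, base+limit] covers `linear`.
   Returns the selector (index << 3, TI and RPL zero) or -1. Simplified privilege rule:
   DPL >= CPL, as for data segments; conforming code segments follow other rules. */
static int find_selector(const uint8_t *table, size_t entries, uint32_t linear,
                         int want_code, int cpl)
{
    for (size_t i = 1; i < entries; i++) {   /* entry 0 is the null descriptor */
        seg_desc_t d = decode_descriptor(table + i * 8);
        if (!d.present || d.system || d.expand_down) continue;
        if (d.code != want_code || d.dpl < cpl) continue;
        if (linear >= d.base && linear - d.base <= d.limit)
            return (int)(i << 3);
    }
    return -1;
}

/* Constructed sample table (not taken from any real system). */
static const uint8_t demo_gdt[5 * 8] = {
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* 0x00: null descriptor */
    0xFF,0xFF,0x00,0x00,0x00,0x9A,0xCF,0x00, /* 0x08: flat code, base 0, limit 4 GB, DPL 0 */
    0xFF,0xFF,0x00,0x00,0x00,0x92,0xCF,0x00, /* 0x10: flat data, base 0, limit 4 GB, DPL 0 */
    0xFF,0xFF,0x00,0x00,0x40,0xF2,0x40,0x00, /* 0x18: data, base 0x00400000, limit 64 KB, DPL 3 */
    0x67,0x00,0x00,0x80,0x00,0x89,0x00,0x00, /* 0x20: 32-bit TSS (system descriptor) */
};

int main(void)
{
    uint32_t target = 0x00401234u;   /* constructed target linear address */
    printf("offset through selector 0x18: %lld\n", linear_to_offset(demo_gdt, 5, 0x18, target));
    printf("offset through selector 0x20 (TSS): %lld\n", linear_to_offset(demo_gdt, 5, 0x20, target));
    printf("data selector usable at CPL 3: 0x%x\n", find_selector(demo_gdt, 5, target, 0, 3));
    printf("data selector usable at CPL 0: 0x%x\n", find_selector(demo_gdt, 5, target, 0, 0));
    return 0;
}
```

At CPL 0 the scan returns the flat data selector 0x10 (first match), while at CPL 3 the same address is only reachable through the DPL 3 segment at 0x18 with offset 0x1234; the TSS descriptor at 0x20 is rejected in both cases because it is not a memory segment.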

Newbie
January 5th, 2001, 22:56
Thanks both of you for your explanations. What I am trying to do is to find the address of the IDT by reading the IDTR. As you most probably know, the IDTR has a 32-bit linear address which points to the base of the IDT plus the 16-bit limit for the IDT. That's why the question. I want to extract that information from the IDTR and then do a memory dump using the 32-bit linear address.
Let's see if I can make this happen.

Thanks,
Newbie
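
The IDTR/IDT parsing described in the post above, as an added example in C (not code from the thread or from any tool it mentions). It decodes the 6-byte image that SIDT stores in 32-bit mode (16-bit limit followed by the 32-bit linear base), derives the entry count from the limit, decodes 8-byte gate descriptors (offset, selector, type, DPL, present), and adds the check a defender would want given the later discussion of programs rewriting IDT entries: a comparison of a current IDT image against a trusted snapshot. The IDTR image `demo_idtr`, the tables `demo_idt` and `demo_idt_hooked` and every address in them are constructed for the demonstration; no real SIDT is executed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* The 6-byte image that SIDT stores in 32-bit mode: 16-bit limit, then 32-bit linear base. */
typedef struct {
    uint16_t limit;   /* byte length of the IDT minus one */
    uint32_t base;    /* linear address of the table (a flat address, no selector needed) */
} idtr_t;

static idtr_t decode_idtr(const uint8_t raw[6])
{
    idtr_t r;
    r.limit = (uint16_t)(raw[0] | (raw[1] << 8));
    r.base  = (uint32_t)raw[2] | ((uint32_t)raw[3] << 8)
            | ((uint32_t)raw[4] << 16) | ((uint32_t)raw[5] << 24);
    return r;
}

/* Number of 8-byte gates the limit covers (a full 256-vector table has limit 0x7FF). */
static unsigned idt_entry_count(uint16_t limit)
{
    return ((unsigned)limit + 1) / 8;
}

/* Decoded 32-bit gate descriptor. */
typedef struct {
    uint32_t offset;   /* handler offset within `selector` (unused for task gates) */
    uint16_t selector; /* code segment selector (TSS selector for a task gate) */
    int      type;     /* 0x5 task gate, 0xE 32-bit interrupt gate, 0xF 32-bit trap gate */
    int      dpl;      /* lowest privilege level that may issue INT n to this vector */
    int      present;
} gate_t;

/* Byte layout: 0-1 offset[15:0], 2-3 selector, 4 reserved, 5 access (P, DPL, 0, type), 6-7 offset[31:16]. */
static gate_t decode_gate(const uint8_t raw[8])
{
    gate_t g;
    g.offset   = (uint32_t)raw[0] | ((uint32_t)raw[1] << 8)
               | ((uint32_t)raw[6] << 16) | ((uint32_t)raw[7] << 24);
    g.selector = (uint16_t)(raw[2] | (raw[3] << 8));
    g.present  = (raw[5] >> 7) & 1;
    g.dpl      = (raw[5] >> 5) & 3;
    g.type     = raw[5] & 0x0F;
    return g;
}

/* Handler offset for `vector` in an IDT image of limit+1 bytes, or -1 if the vector lies
   beyond the limit, is not present, or is a task gate (which carries no offset). */
static long long gate_handler(const uint8_t *idt, uint16_t limit, unsigned vector)
{
    if (vector >= idt_entry_count(limit)) return -1;
    gate_t g = decode_gate(idt + vector * 8);
    if (!g.present || g.type == 0x5) return -1;
    return (long long)g.offset;
}

/* Compare a current IDT image with a trusted snapshot of the same size and return the first
   vector whose selector, type or handler offset differs, or -1 if the tables agree. */
static int first_changed_vector(const uint8_t *trusted, const uint8_t *current, uint16_t limit)
{
    unsigned n = idt_entry_count(limit);
    for (unsigned v = 0; v < n; v++) {
        gate_t a = decode_gate(trusted + v * 8), b = decode_gate(current + v * 8);
        if (a.offset != b.offset || a.selector != b.selector || a.type != b.type)
            return (int)v;
    }
    return -1;
}

/* Constructed sample: an IDTR image for a 4-entry table (limit 4*8-1 = 0x1F) at 0x8003F400. */
static const uint8_t demo_idtr[6] = { 0x1F,0x00, 0x00,0xF4,0x03,0x80 };
static const uint8_t demo_idt[4 * 8] = {
    0x00,0x9F,0x08,0x00,0x00,0x8E,0x46,0x80, /* #0: interrupt gate -> 0x08:0x80469F00, DPL 0 */
    0x00,0xA1,0x08,0x00,0x00,0x8E,0x46,0x80, /* #1: interrupt gate -> 0x08:0x8046A100, DPL 0 */
    0x00,0x00,0x58,0x00,0x00,0x85,0x00,0x00, /* #2: task gate through TSS selector 0x58 */
    0xB0,0xA1,0x08,0x00,0x00,0xEE,0x46,0x80, /* #3: interrupt gate -> 0x08:0x8046A1B0, DPL 3 */
};
/* The same table after vector 3 was redirected, the situation the thread goes on to discuss. */
static const uint8_t demo_idt_hooked[4 * 8] = {
    0x00,0x9F,0x08,0x00,0x00,0x8E,0x46,0x80,
    0x00,0xA1,0x08,0x00,0x00,0x8E,0x46,0x80,
    0x00,0x00,0x58,0x00,0x00,0x85,0x00,0x00,
    0x23,0x01,0x1B,0x00,0x00,0xEE,0xF0,0xBF, /* #3 now -> 0x1B:0xBFF00123 */
};

int main(void)
{
    idtr_t r = decode_idtr(demo_idtr);
    printf("IDT base 0x%08X, limit 0x%04X, %u entries\n", r.base, r.limit, idt_entry_count(r.limit));
    for (unsigned v = 0; v < idt_entry_count(r.limit); v++) {
        gate_t g = decode_gate(demo_idt + v * 8);
        printf("  vector %u: type 0x%X sel 0x%04X offset 0x%08X DPL %d\n",
               v, g.type, g.selector, g.offset, g.dpl);
    }
    printf("first changed vector vs. hooked copy: %d\n", first_changed_vector(demo_idt, demo_idt_hooked, 0x1F));
    return 0;
}
```

On a real machine the bytes in `demo_idtr` would come from `sidt` and `demo_idt` from reading `limit + 1` bytes at the decoded base; the decoding is the same, and keeping a trusted copy of the table lets the comparison flag a rewritten vector without knowing in advance which handler is legitimate.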

Newbie
January 5th, 2001, 23:20
By the way ArthaXerXes... if you have time to post that routine I will appreciate.


p.s. You can tell you people know quite a bit. Thanks for your time and knowledge. It is appreciated.


Thanks,
Newbie

The Owl
January 6th, 2001, 14:41
Quote:

Limit for the IDT. That's why the question. I want to extract that information from the IDTR and then do a memory dump using the 32-bit linear address.
Let's see if I can make this happen.


again assuming that you're under a win32 OS, you will face some problems:

1. win9x

every Virtual Machine has its own IDT, what's more, each one of them has two (one is used when the VM executes V86 mode code, this IDT is actually common for all VMs, and one for protected mode execution, it is created dynamically each time a VM switches to protected mode). if you write a win32 application to do all this IDT dumping, your SIDT will give you the protected mode IDT of the System VM which again is just one of the IDTs used in win9x. other than this, you can simply use the linear address as it is without the need for any further selector:offset transformation magic, win32 apps execute in a 'flat' environment, i.e. all segments are 0 based and 4 GB limited (well, almost, for practical purposes it's true ;-)).

2. winnt

here you have a different issue, actually 2. first, you face a problem on SMP machines as each one of them has its own IDT, second the IDT is not accessible from user mode code (well, not entirely true ;-)) as it is in the system arena and the paging logic will prevent any access to it. so your only option would be to write a kernel mode driver that would then enumerate all the IDTs and dump them. i'm not sure how far you want to go to achieve this, so i'll stop here and let me know what you need.

Newbie
January 6th, 2001, 17:23
Quote:
The Owl (01-06-2001 03:41):
1. win9x

every Virtual Machine has its own IDT, what's more, each one of them has two (one is used when the VM executes V86 mode code, this IDT is actually common for all VMs, and one for protected mode execution, it is created dynamically each time a VM switches to protected mode). if you write a win32 application to do all this IDT dumping, your SIDT will give you the protected mode IDT of the System VM which again is just one of the IDTs used in win9x. other than this, you can simply use the linear address as it is without the need for any further selector:offset transformation magic, win32 apps execute in a 'flat' environment, i.e. all segments are 0 based and 4 GB limited (well, almost, for practical purposes it's true ;-)).



Ok. Let's start from a Win9x perspective. When you talk about the System VM's IDT, are you referring to the IDT that is common to all VMs?!? Otherwise, I can't explain how a program changing entries in the IDT can still stop SICE or any debugger for that matter. Or am I missing something here.

Newbie

p.s. Don't want to sound corny... but talking to you people has really got me excited and a lot of light bulbs are turning on in my head. Thanks again for your time. Hope I am not frustrating anyone with my questions. Thanks!

The Owl
January 7th, 2001, 05:53
Quote:

Ok. Let's start from a Win9x perspective. When you talk about the System VM's IDT, are you referring to the IDT that is common to all VMs?!? Otherwise, I can't explain how a program changing entries in the IDT can still stop SICE or any debugger for that matter. Or am I missing something here.


1. i did not talk about THE IDT of the System VM per se as there is no such thing. the Sys VM (by the time win32 apps get to run) has 2 IDTs. the V86 mode IDT (which will be common to all VMs when they start their life in V86 mode) is created when the Sys VM was born, later when krnl386 switches the Sys VM into protected mode (as part of the windows startup) a protected mode IDT will be created as well. since all win32 threads run in the Sys VM in protected mode, an SIDT executed by them will show the protected mode IDT of the Sys VM, i.e. they will all see the SAME IDT, hence when any one of them modifies it (not exactly a prudent thing, but unfortunately the win9x design allows it), the rest of the win32 threads will experience the result as well (reason for many f*ckups you can see in protections written by not too well educated people... did i say c-dilla?).

2. the above also explains why changing the Sys VM protected mode IDT by one win32 thread will affect softice when you debug other win32 threads: they all rely on the same IDT (but other VMs are not affected).

Newbie
January 7th, 2001, 19:05
Quote:
The Owl (01-06-2001 18:53):
1. i did not talk about THE IDT of the System VM per se as there is no such thing. the Sys VM (by the time win32 apps get to run) has 2 IDTs. the V86 mode IDT (which will be common to all VMs when they start their life in V86 mode) is created when the Sys VM was born, later when krnl386 switches the Sys VM into protected mode (as part of the windows startup) a protected mode IDT will be created as well. since all win32 threads run in the Sys VM in protected mode, an SIDT executed by them will show the protected mode IDT of the Sys VM, i.e. they will all see the SAME IDT, hence when any one of them modifies it (not exactly a prudent thing, but unfortunately the win9x design allows it), the rest of the win32 threads will experience the result as well (reason for many f*ckups you can see in protections written by not too well educated people... did i say c-dilla?).

2. the above also explains why changing the Sys VM protected mode IDT by one win32 thread will affect softice when you debug other win32 threads: they all rely on the same IDT (but other VMs are not affected).



Thanks for the lesson. I understand things better now. Thanks for your time.

Newbie

Newbie
January 10th, 2001, 21:50
Quote:
ArthaXerXes (01-09-2001 20:22):

I am afraid it will not fit your needs though.


Thanks for the code. I did not know if you had given up on me. However, I think there is so much for me to learn that I believe there is a need... if not now, maybe when I get smarter. I am just trying to learn some concepts and anything is useful when you are learning. Anyways... Thanks!

Newbie