How is this really done?


nikolatesla20
July 10th, 2002, 22:26
Over the last few days I've been reading up on the Intel manuals, and some other O.S. programming tutes, to get a better feel for pmode and such. My question is:

I've read lately that some "protections" use a trick to enter ring0 so they can do whatever they want. Supposedly they take over the divide by zero handler or whatever and then do a divide by zero.

How do they exactly "take over" the handler? I mean, in most windoze programs you can install an exception handler, but I thought I was reading that a handler will execute in the privilege level of the current task, so if that task is ring3 the handler would be ring3. The only thing I can think of is changing the RPL of the interrupt call? Because hardware interrupts and CPU interrupts (such as divide by zero) ignore the RPL.

They couldn't modify the IDT directly as far as I have seen with ring3 code - it's in a protected data segment, I would think. Am I right? So how are they "hooking" or taking over the handler?

I still can't figure out what they are really doing...

-nt20

Fake51
July 10th, 2002, 22:46
Quote:

They couldn't modify the IDT directly as far as I have seen with ring3 code - it's in a protected data segment, I would think. Am I right? So how are they "hooking" or taking over the handler?


You can under win98 ... it's only on NT-based systems that the IDT resides in protected memory.

Fake