
XP using not only ring0/ring3?


omega_red
January 11th, 2005, 06:50
Recently, I've run my GDT/IDT/LDT dumper on an XP SP2 system, and found some really interesting data.

In GDT:
Code:

#0009: 0048 [8203c000:00000177] * 32bit=0, gran=0, present=1, dpl=0, type=[S] LDT


This LDT is not empty:
Code:

Reading secondary Local Descriptors Table...
Base = 8203c000, limit = 0177

#0000: 0002 [41540a2e:00000000] * 32bit=1, gran=0, present=0, dpl=2, type=[S] 16-bit TSS (busy)
#0001: null
#0002: 0012 [82140000:00030000] * 32bit=0, gran=0, present=1, dpl=2, type=[S] Unknown [0000]
#0003: 001a [821c8203:0003c014] * 32bit=0, gran=0, present=1, dpl=2, type=[S] Unknown [0000]
#0004: 0022 [82248203:0003c01c] * 32bit=0, gran=0, present=1, dpl=2, type=[S] Unknown [0000]
#0005: 0028 [00008203:0008c024] * 32bit=0, gran=0, present=0, dpl=0, type=[S] 16-bit Call Gate
#0006: null
#0007: null
#0008: null
#0009: 0048 [00000000:00000000] * 32bit=0, gran=0, present=1, dpl=0, type=[S] Unknown [0000]
#000a: null
#000b: null
#000c: null
#000d: 0068 [00000000:00000000] * 32bit=0, gran=0, present=0, dpl=0, type=[S] 16-bit TSS (available)
#000e: null
#000f: null
...

The LDT from LDTR is null, however. What's interesting is that in this "secondary" 16-bit LDT some descriptors have DPL = 1 or 2. I don't know if it's just garbage (it seems so), but then what's the purpose of this? The #9 selector in GDT is null in w2k. As I recall, XP SP1 was similar to 2k: no secondary LDT. My tool seems to work well; I wish I had SoftIce at my office to check it.

Full dumps from w2k sp4 and xp sp2:
http://ry.pl/~omega/n/sdt_dump_2k_sp4.txt
http://ry.pl/~omega/n/sdt_dump_xp_sp2.txt

The utility:
http://ry.pl/~omega/asm/sdt.zip
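As an added example (not omega_red's tool, which is in the linked sdt.zip), here is a C decoder for the raw 8-byte x86 descriptors behind dump lines like the ones above, plus a check for the present entries with DPL 1 or 2 that the post asks about. The struct and function names are my own; the bit layout and the system-type names follow the Intel manual, and the constructed LDT descriptor in the comments matches GDT entry #0009 from the XP SP2 dump.

```c
#include <stdint.h>
#include <string.h>
/* Decoded view of one 8-byte x86 segment descriptor (a GDT or LDT entry). */
struct seg_desc {
    uint32_t base, limit;                /* limit is the raw 20-bit field */
    unsigned present, dpl, system, type, def32, gran;
};

/* Split a raw descriptor into its fields (bit layout per the Intel SDM). */
struct seg_desc decode_desc(uint64_t d)
{
    struct seg_desc s;
    s.limit   = (uint32_t)(d & 0xffff) | (uint32_t)((d >> 48) & 0xf) << 16;
    s.base    = (uint32_t)((d >> 16) & 0xffffff) | (uint32_t)((d >> 56) & 0xff) << 24;
    s.type    = (unsigned)((d >> 40) & 0xf);
    s.system  = !((d >> 44) & 1);        /* S bit clear = system descriptor */
    s.dpl     = (unsigned)((d >> 45) & 3);
    s.present = (unsigned)((d >> 47) & 1);
    s.def32   = (unsigned)((d >> 54) & 1);
    s.gran    = (unsigned)((d >> 55) & 1);
    return s;
}

/* Inverse of decode_desc, used here to build constructed test vectors. */
uint64_t encode_desc(const struct seg_desc *s)
{
    return (uint64_t)(s->limit & 0xffff) | (uint64_t)(s->base & 0xffffff) << 16
         | (uint64_t)(s->type & 0xf) << 40 | (uint64_t)(s->system ? 0 : 1) << 44
         | (uint64_t)(s->dpl & 3) << 45 | (uint64_t)(s->present & 1) << 47
         | (uint64_t)((s->limit >> 16) & 0xf) << 48 | (uint64_t)(s->def32 & 1) << 54
         | (uint64_t)(s->gran & 1) << 55 | (uint64_t)((s->base >> 24) & 0xff) << 56;
}

/* System-descriptor type names (type field when S == 0), as the dump prints them. */
const char *sys_type_name(unsigned type)
{
    static const char *names[16] = {
        "Reserved", "16-bit TSS (available)", "LDT", "16-bit TSS (busy)",
        "16-bit Call Gate", "Task Gate", "16-bit Interrupt Gate", "16-bit Trap Gate",
        "Reserved", "32-bit TSS (available)", "Reserved", "32-bit TSS (busy)",
        "32-bit Call Gate", "Reserved", "32-bit Interrupt Gate", "32-bit Trap Gate" };
    return names[type & 0xf];
}

/* A present entry with DPL 1 or 2 is the oddity the thread asks about: Windows uses only rings 0 and 3. */
int is_unexpected_dpl(uint64_t raw)
{
    struct seg_desc s = decode_desc(raw);
    return s.present && (s.dpl == 1 || s.dpl == 2);
}
```

Applied to the XP SP2 dump above, entry #0000 of the secondary LDT (present=0, dpl=2) is not flagged, while a present entry with DPL 2 such as #0002 would be.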

WaxfordSqueers
January 29th, 2005, 18:45
Quote:
[Originally Posted by omega_red] The LDT from LDTR is null, however. What's interesting, that in this "secondary" 16-bit LDT some descriptors have DPL = 1 or 2. I don't know if it's just garbage (it seems so), but then what's the purpose of this?


I'm pretty new to GDT/LDT and don't pretend to understand it well. My understanding is that the LDT is being reserved for DOS-based applications in XP, and in XP that would mean the DOS window. I have never seen a listing for the LDT in XP with SP2 using purely 32 bit apps. Of course, I haven't looked a lot either.

I read somewhere as well that Windows doesn't use privilege levels 1 and 2 to keep it compatible with Unix based systems (I think). If you are seeing LDT listings and the use of privilege levels 1 and 2, would that not suggest a DOS app is running? I'm wondering about the app you're using to view the GDT/LDT. Maybe it's using DOS extended mode.

Windows starts in real mode then switches to protected mode. I don't know if an app running in DOS extended mode can start in Windows or whether it needs to boot clean.

evaluator
January 30th, 2005, 05:07
LDT is mostly needed for 16-bit apps.
Debug them & see.