
Question about Windows GDT


nikolatesla20
May 2nd, 2005, 14:09
I've just been refreshing myself on protected mode and stuff.

Can't quite figure out yet - In windows the first 4 entries in the GDT table contain:

code ring0 DPL 0 RE
data ring0 DPL 0 RW
code ring3 DPL 3 RE
data ring3 DPL 3 RW

and they all overlap from 0x00000000 to 0xFFFFFFFF, except of course their privilege bits differ.

I was curious. I have been googling over the past week, but I have not found a satisfactory answer to how, for example, Windows can write data to a code area (in either the ring3 or ring0 segment) when the protection of the segment in the GDT descriptor is set to RE (read-execute). Doesn't the processor throw an exception when this write is attempted?

Also, I actually tried to change an entry in the GDT while inside SoftICE (tried to change the privilege level of the ring0 segment) and my whole computer locked solid LOL.


I'm thinking maybe I'll just have to step through WriteProcessMemory for a while and see what actually goes on.

-nt20

evaluator
May 2nd, 2005, 14:18
An exception will occur if you try to write like so:

mov CS:[xx], eax etc. etc.

Otherwise, without a prefix, the DS segment (or ES for STOS, SCAS, MOVS) is assumed for RW..

Newbie, read the manuals.

nikolatesla20
May 2nd, 2005, 14:47
lol, I am reading the manuals, but thanks eval. Yes, WriteProcessMemory does a simple REP MOVSB and no exception.

Yes, I see the flaw in my thinking now: it can write to the data segment of course, and the data segment overlaps the code segment of course! So as long as DS: points to a correct segment, all will be OK even when overwriting exe instructions.

Sorry for the goof.

-nt20
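To make the overlap concrete, here is an added example (not code from the thread or from Windows) that decodes raw 8-byte GDT descriptors and shows that the four flat entries listed above span the same 0x00000000..0xFFFFFFFF range and differ only in DPL and type. The descriptor values are constructed here from the standard flat-model encoding, not dumped from a real system.

```c
#include <stdint.h>
#include <stdio.h>

/* Decoded view of one 8-byte GDT segment descriptor. */
typedef struct {
    uint32_t base, limit;   /* linear base and last valid offset (granularity applied) */
    unsigned dpl;           /* descriptor privilege level, 0..3 */
    int code;               /* 1 = code segment, 0 = data segment */
    int writable, readable; /* data: W bit (R always 1); code: R bit (W always 0) */
} gdt_entry_t;

/* Decode a raw descriptor per the Intel SDM vol. 3 "Segment Descriptors" layout. */
gdt_entry_t decode_descriptor(uint64_t raw) {
    gdt_entry_t e = {0};
    uint32_t limit = (uint32_t)(raw & 0xFFFF) | (uint32_t)(((raw >> 48) & 0xF) << 16);
    e.base   = (uint32_t)((raw >> 16) & 0xFFFFFF) | (uint32_t)(((raw >> 56) & 0xFF) << 24);
    unsigned access = (unsigned)((raw >> 40) & 0xFF);  /* P, DPL, S, type */
    unsigned flags  = (unsigned)((raw >> 52) & 0xF);   /* G, D/B, L, AVL */
    e.dpl  = (access >> 5) & 3;
    e.code = (access >> 3) & 1;                        /* type bit 3 set = code */
    if (e.code) { e.readable = (access >> 1) & 1; e.writable = 0; }  /* code is never writable */
    else        { e.writable = (access >> 1) & 1; e.readable = 1; }
    if (flags & 0x8) limit = (limit << 12) | 0xFFF;    /* G=1: limit counts 4 KiB pages */
    e.limit = limit;
    return e;
}

/* Constructed flat-model descriptors in the order the thread lists them (standard encodings). */
static const uint64_t flat_gdt[4] = {
    0x00CF9A000000FFFFULL, /* code ring0 DPL0 RE */
    0x00CF92000000FFFFULL, /* data ring0 DPL0 RW */
    0x00CFFA000000FFFFULL, /* code ring3 DPL3 RE */
    0x00CFF2000000FFFFULL, /* data ring3 DPL3 RW */
};

/* 1 if the two descriptors cover exactly the same linear range. */
int same_range(gdt_entry_t a, gdt_entry_t b) { return a.base == b.base && a.limit == b.limit; }

int main(void) {
    for (int i = 0; i < 4; i++) {
        gdt_entry_t e = decode_descriptor(flat_gdt[i]);
        printf("%s DPL%u base=%08X limit=%08X %s\n", e.code ? "code" : "data", e.dpl,
               (unsigned)e.base, (unsigned)e.limit,
               e.code ? (e.readable ? "RE" : "E-only") : (e.writable ? "RW" : "RO"));
    }
    return 0;
}
```

The decoder also handles byte-granular (G=0) descriptors, so it can be pointed at any descriptor read out of a GDT dump.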

evaluator
May 2nd, 2005, 15:53
OK,
a little exercise:

as you wrote:

code ring0 DPL 0 RE
data ring0 DPL 0 RW
code ring3 DPL 3 RE
data ring3 DPL 3 RW

why are they so!?

nikolatesla20
May 5th, 2005, 13:48
Well, pretty much the only main reason is that the CPU has to use segmentation always. And since it won't allow you to load a non-code segment into CS, you have to define a segment as code. If you look at segment descriptors, where you define the segment type, you can never define a code segment as writable.

The other descriptors are simply being used to support privilege levels, for example, to keep ring3 code from directly accessing ring0 data. Of course, allowing the data segments to overlap the code segments allows you to load programs and such into memory so you can run them!

-nt20

evaluator
May 6th, 2005, 11:05
Not about that..

Why are they grouped in the following way?

laola
May 11th, 2005, 10:33
I am very keen to learn why. Please tell the solution to your little exercise.

evaluator
May 12th, 2005, 13:54
Solution: merely read the Instruction Reference.. (skip the FPU & MMX/XMM parts)