A brief analysis of Windows system calls: two ways to switch to kernel mode

Source: Internet
Author: User
Tags: intel, pentium



First, a summary of the two different ways a process switches to kernel mode:


Memory method (interrupt method):

(user mode) WriteFile() -> ntdll!NtWriteFile() -> ntdll!KiIntSystemCall() -> int 2Eh -> the CPU reads the gate descriptor at index 0x2E of the IDT in memory -> (kernel mode) nt!KiSystemService() -> nt!KiFastCallEntry() -> nt!NtWriteFile()

After the 0x2E interrupt transfers control to kernel mode, the system service dispatcher is nt!KiFastCallEntry(), which is responsible for calling the kernel-space function of the same name, nt!NtWriteFile(). Every system call has a system service number, also called a dispatch ID; ntdll!NtWriteFile() loads it into EAX before int 2Eh executes, which is how nt!KiSystemService() learns which native API the call should be dispatched to. ntdll!KiIntSystemCall() itself only points EDX at the caller's arguments on the user stack (lea edx,[esp+8]) and issues the interrupt. nt!KiSystemService() builds the kernel-mode trap frame; the dispatch by service number still happens in nt!KiFastCallEntry().



MSR register method (fast method):

(user mode) WriteFile() -> ntdll!NtWriteFile() -> ntdll!KiFastSystemCall() -> sysenter -> (kernel mode) nt!KiFastCallEntry() -> nt!NtWriteFile()

sysenter does not consult the IDT at all. It takes its target from three model-specific registers that the kernel initialises once at boot (ntdll never writes them; it only executes the instruction): IA32_SYSENTER_CS (MSR 0x174) holds the segment selector of the ring 0 code segment descriptor; IA32_SYSENTER_ESP (MSR 0x175) holds a ring 0 kernel-mode stack address; IA32_SYSENTER_EIP (MSR 0x176) holds the starting address of nt!KiFastCallEntry().

After sysenter transfers control to kernel mode, the system service dispatcher is again nt!KiFastCallEntry(), which calls the kernel-space function of the same name, nt!NtWriteFile(). The service number is passed in EAX exactly as in the interrupt method; ntdll!KiFastSystemCall() additionally copies ESP into EDX (mov edx,esp) so that the kernel can locate the caller's arguments on the user-mode stack, since sysenter saves nothing itself.

The sysenter instruction implicitly performs six operations:

1. Load the segment selector from IA32_SYSENTER_CS into CS (the RPL bits are forced to 0, so CS is a ring 0 selector).

2. Load the instruction pointer from IA32_SYSENTER_EIP into EIP.

3. Add 8 to the value of IA32_SYSENTER_CS and load the result into SS. (That is, the descriptor immediately following the ring 0 code segment descriptor must be the ring 0 stack segment; on Windows x86 the kernel code selector is 0x08 and the kernel data/stack selector is 0x10.)

4. Load the stack pointer from IA32_SYSENTER_ESP into ESP.

5. Fetch the next instruction from the address in EIP; this is the moment execution actually enters kernel mode.

6. If the VM flag in EFLAGS is set, clear it. (sysenter also clears IF, so the kernel entry code runs with interrupts disabled until it executes sti itself.)

Note what sysenter does not do: unlike int 2Eh it pushes no return address, no user stack pointer and no EFLAGS. The kernel therefore depends on the register values ntdll leaves behind, and on returning with sysexit, which loads EIP from EDX and ESP from ECX, to get back to user mode.
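To make the six steps concrete, here is an added example, written for this edit and not code from the original article, that models the register-level effect of sysenter and of its counterpart sysexit given the three MSR values. The MSR contents are assumed for illustration: kernel code selector 8 as on Windows x86, plus made-up stack and entry addresses. Running it shows why the Windows GDT is laid out the way it is: with IA32_SYSENTER_CS = 8, sysenter yields CS=0x08 and SS=0x10, and sysexit yields CS=0x1B and SS=0x23, exactly the kernel and user selectors Windows uses, because the instruction pair hard-codes the +8/+16/+24 arithmetic.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example: a register-level model of SYSENTER/SYSEXIT (Intel SDM
 * semantics) fed with the MSR values the kernel installs at boot.
 * MSR numbers, for reference: rdmsr 174 / 175 / 176 in the kernel debugger. */
#define MSR_IA32_SYSENTER_CS  0x174
#define MSR_IA32_SYSENTER_ESP 0x175
#define MSR_IA32_SYSENTER_EIP 0x176

#define EFLAGS_IF (1u << 9)
#define EFLAGS_VM (1u << 17)

struct sysenter_msrs {
    uint32_t cs;   /* IA32_SYSENTER_CS:  ring 0 code selector             */
    uint32_t esp;  /* IA32_SYSENTER_ESP: ring 0 stack pointer             */
    uint32_t eip;  /* IA32_SYSENTER_EIP: entry point (nt!KiFastCallEntry) */
};

struct cpu_state {
    uint16_t cs, ss;
    uint32_t eip, esp;
    uint32_t ecx, edx;   /* sysexit takes user ESP from ECX and return EIP from EDX */
    uint32_t eflags;
    unsigned cpl;
};

/* Effect of SYSENTER. Returns 0, or -1 where the CPU raises #GP(0) instead
 * because IA32_SYSENTER_CS holds a null selector (MSRs never initialised). */
int do_sysenter(const struct sysenter_msrs *m, struct cpu_state *c)
{
    if ((m->cs & 0xFFFCu) == 0)
        return -1;
    c->cs  = (uint16_t)(m->cs & 0xFFFCu);        /* 1. CS <- MSR, RPL forced to 0   */
    c->eip = m->eip;                              /* 2. EIP <- IA32_SYSENTER_EIP     */
    c->ss  = (uint16_t)((m->cs + 8) & 0xFFFCu);   /* 3. SS <- CS + 8                 */
    c->esp = m->esp;                              /* 4. ESP <- IA32_SYSENTER_ESP     */
    c->cpl = 0;                                   /* 5. next fetch from EIP is ring 0 */
    c->eflags &= ~(EFLAGS_VM | EFLAGS_IF);        /* 6. VM cleared; IF cleared too   */
    return 0;
}

/* Effect of SYSEXIT, the return half of the pair:
 * CS <- MSR_CS+16 | 3, SS <- MSR_CS+24 | 3, EIP <- EDX, ESP <- ECX.
 * EFLAGS is left alone, so the kernel must re-enable interrupts itself. */
void do_sysexit(const struct sysenter_msrs *m, struct cpu_state *c)
{
    c->cs  = (uint16_t)((m->cs + 16) | 3);
    c->ss  = (uint16_t)((m->cs + 24) | 3);
    c->eip = c->edx;
    c->esp = c->ecx;
    c->cpl = 3;
}

int main(void)
{
    /* Assumed MSR contents: Windows kernel code selector 8; the stack and
     * entry addresses are illustrative, not read from a real machine. */
    struct sysenter_msrs msrs = { 0x0008, 0x8B5B8000u, 0x842448D0u };
    /* User-mode state just before sysenter: CS 0x1B, SS 0x23, IF set. */
    struct cpu_state c = { 0x001B, 0x0023, 0x77C071B2u, 0x0012F9A8u,
                           0, 0, 0x00000246u, 3 };

    if (do_sysenter(&msrs, &c) != 0)
        return 1;
    printf("after sysenter: cs=%04x ss=%04x eip=%08x esp=%08x IF=%u cpl=%u\n",
           c.cs, c.ss, c.eip, c.esp,
           (unsigned)((c.eflags & EFLAGS_IF) != 0), c.cpl);

    c.edx = 0x77C071B4u;   /* return address the kernel places in EDX */
    c.ecx = 0x0012F9A8u;   /* user stack pointer it places in ECX     */
    do_sysexit(&msrs, &c);
    printf("after sysexit:  cs=%04x ss=%04x eip=%08x esp=%08x cpl=%u\n",
           c.cs, c.ss, c.eip, c.esp, c.cpl);
    return 0;
}
```

The -1 path matters in practice: if the MSRs are zero (a kernel that never enabled the fast path) a user-mode sysenter faults with #GP, which is exactly why ntdll cannot decide on its own to use it.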

The register method looks like more steps than the memory method, especially once the operations implicit in sysenter are counted, but all of it happens inside the processor on register contents, and that adds up to tens to hundreds of clock cycles less than fetching the gate descriptor from the IDT in memory. In addition, the interrupt method, after entering kernel mode, passes through nt!KiSystemService() before reaching nt!KiFastCallEntry(), which adds further overhead.

Each ntdll!Nt* function is the user-mode proxy (stub) for the nt!Nt* system call of the same name. The stub does not contain the mode-switch instruction itself: it calls through a pointer stored in the shared user data page, in the variable SharedUserData!SystemCallStub, which holds the address of ntdll!KiFastSystemCall() (verified below).

The sysenter instruction inside ntdll!KiFastSystemCall() is what actually transfers execution from ring 3 to ring 0, that is, enters kernel mode.

Before the Intel Pentium II, which introduced sysenter, and before Windows XP, the first Windows version to use it, system calls could only switch to kernel mode through the int 2Eh interrupt, and nt!KiSystemService() was the actual system service dispatcher.

Since then, whether the entry is int 2Eh or sysenter, the actual system service dispatcher is nt!KiFastCallEntry(); as mentioned above, the only difference is that the int 2Eh path executes nt!KiSystemService() first.


The following combines user-mode and kernel-mode debugging to verify the above. First open calc.exe (Windows Calculator), or any other executable PE file, under WinDbg, and enter at the command line at the bottom:

u ntdll!KiIntSystemCall

This disassembles the function; at address 77c071c4 you can see the 2-byte machine instruction sequence cd 2e, that is, int 2Eh:

(Screenshot: WinDbg disassembly of ntdll!KiIntSystemCall, int 2Eh at 77c071c4.)


In the WinDbg menu choose Stop Debugging and quit the program. Then open WinDbg again through LiveKD.exe, which debugs the running kernel directly, and execute !idt 2e to get the ISR that handles int 2Eh. You can see that this 8-byte gate descriptor ultimately points to the address of nt!KiSystemService(), 842447fe. Note that with the default 2 GB/2 GB split the linear address 7fffffff is the boundary between user and kernel space: everything from 80000000 upward is kernel space (the /3GB boot option moves the boundary to c0000000):

(Screenshot: !idt 2e under LiveKD, gate pointing to 842447fe nt!KiSystemService.)
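As an added example, not from the original post, the following C code decodes the 8-byte gate descriptor that !idt 2e displays and applies the checks a rootkit detector runs against the int 2Eh gate: present, DPL 3 (otherwise int 2Eh from ring 3 raises #GP), the kernel code selector, and a handler address that lies above the user/kernel boundary and inside the ntoskrnl image. The gate bytes are constructed from the page's address 842447fe; the selector 8, the attribute byte (32-bit interrupt gate, DPL 3, present), the ntoskrnl base and size, and the second, hooked-looking gate are assumptions for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example. One 32-bit IDT entry as it sits in memory (8 bytes, little-endian):
 *   bytes 0-1 offset[15:0]   bytes 2-3 code segment selector
 *   byte  4   reserved       byte  5   P(7) DPL(6:5) S(4)=0 type(3:0)
 *   bytes 6-7 offset[31:16]                                              */
struct idt_gate {
    uint32_t offset;    /* handler address, e.g. nt!KiSystemService             */
    uint16_t selector;  /* CS loaded on entry; 0x08 is the Windows kernel code selector */
    unsigned type;      /* 0xE 32-bit interrupt gate, 0xF 32-bit trap gate, 0x5 task gate */
    unsigned dpl;       /* highest ring allowed to issue "int n" against this gate */
    int present;
};

void decode_idt_gate(const uint8_t raw[8], struct idt_gate *g)
{
    uint32_t lo = (uint32_t)raw[0] | ((uint32_t)raw[1] << 8);
    uint32_t hi = (uint32_t)raw[6] | ((uint32_t)raw[7] << 8);
    g->offset   = (hi << 16) | lo;
    g->selector = (uint16_t)(raw[2] | (raw[3] << 8));
    g->type     = raw[5] & 0x0Fu;
    g->dpl      = (raw[5] >> 5) & 3u;
    g->present  = (raw[5] >> 7) & 1u;
}

/* Problems a sanity check on the int 2Eh gate should report (bit mask). */
enum {
    GATE_NOT_PRESENT    = 1,   /* CPU would raise #NP                     */
    GATE_NOT_USER_DPL   = 2,   /* DPL < 3: int 2Eh from ring 3 raises #GP */
    GATE_BAD_SELECTOR   = 4,   /* not the ring 0 kernel code selector     */
    GATE_USER_HANDLER   = 8,   /* handler below the user/kernel boundary  */
    GATE_HANDLER_NOT_NT = 16   /* handler outside ntoskrnl: likely hooked */
};

unsigned check_syscall_gate(const struct idt_gate *g, uint16_t kernel_cs,
                            uint32_t kernel_space_base,
                            uint32_t nt_base, uint32_t nt_size)
{
    unsigned problems = 0;
    if (!g->present)                   problems |= GATE_NOT_PRESENT;
    if (g->dpl != 3)                   problems |= GATE_NOT_USER_DPL;
    if (g->selector != kernel_cs)      problems |= GATE_BAD_SELECTOR;
    if (g->offset < kernel_space_base) problems |= GATE_USER_HANDLER;
    if (g->offset < nt_base || g->offset - nt_base >= nt_size)
        problems |= GATE_HANDLER_NOT_NT;
    return problems;
}

int main(void)
{
    /* Constructed gate: the page's nt!KiSystemService address 842447fe,
     * selector 8, attribute byte 0xEE (present, DPL 3, 32-bit interrupt gate). */
    static const uint8_t int2e_gate[8]  = { 0xFE, 0x47, 0x08, 0x00, 0x00, 0xEE, 0x24, 0x84 };
    /* Constructed gate of the kind a hook installs: same attributes, but the
     * handler sits at 8a000000, outside the assumed ntoskrnl image range. */
    static const uint8_t hooked_gate[8] = { 0x00, 0x00, 0x08, 0x00, 0x00, 0xEE, 0x00, 0x8A };
    const uint32_t nt_base = 0x84200000u, nt_size = 0x00400000u;   /* assumed */
    struct idt_gate g;

    decode_idt_gate(int2e_gate, &g);
    printf("int 2Eh -> %08x sel=%04x type=%x dpl=%u problems=%u\n",
           g.offset, g.selector, g.type, g.dpl,
           check_syscall_gate(&g, 0x08, 0x80000000u, nt_base, nt_size));

    decode_idt_gate(hooked_gate, &g);
    printf("hooked  -> %08x sel=%04x type=%x dpl=%u problems=%u\n",
           g.offset, g.selector, g.type, g.dpl,
           check_syscall_gate(&g, 0x08, 0x80000000u, nt_base, nt_size));
    return 0;
}
```

On a real system the eight bytes come from dq on the IDT base reported by r idtr, and the ntoskrnl range from lm; the DPL check is the one most often forgotten, since a gate with DPL 0 at index 0x2E would be invisible to !idt but would make every legacy system call fault.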


Execute u 842447fe L25 to disassemble the beginning of nt!KiSystemService(); it ends in a jump to nt!KiFastCallEntry+0x8f (address 8424495f):

(Screenshot: disassembly of nt!KiSystemService ending in a jump to nt!KiFastCallEntry+0x8f.)


The same can be verified with kd.exe:

(Screenshots: kd.exe output of !idt 2e and of the nt!KiSystemService disassembly.)


This confirms the path of a system call made through the interrupt. Whether the calc.exe process actually uses the interrupt method or the MSR register method, however, still needs to be verified. To do this, open calc.exe under WinDbg again and, following the same procedure, execute u ntdll!NtOpenFile. Opening files is something practically every application does, and the Win32 OpenFile() API ends up invoking the user-mode proxy ntdll!NtOpenFile(), so that is the function we disassemble:

(Screenshot: disassembly of ntdll!NtOpenFile.)

You can see the instruction mov edx,7ffe0300h: the address 7ffe0300 is SharedUserData!SystemCallStub (the system call stub), and it is copied into EDX. The next instruction, call dword ptr [edx], uses a memory-indirect operand, so it calls whatever function address is stored at the stub. In other words, the next step is to dump the contents of address 7ffe0300 and see which function address is saved there. Enter dd 7ffe0300:

(Screenshot: dd 7ffe0300.)

The 4 bytes starting at 7ffe0300 hold the hexadecimal value 77c071b0; in other words, the earlier call dword ptr [edx] is equivalent to call 77c071b0, so we disassemble that address next. Enter u 77c071b0:

(Screenshot: u 77c071b0.)

77c071b0 is the starting address of ntdll!KiFastSystemCall(); in other words, the system call stub at 7ffe0300 holds a pointer to it. The body of ntdll!KiFastSystemCall() is only 4 bytes of machine code: mov edx,esp followed by the 2-byte instruction 0f34, sysenter, which Intel introduced with the Pentium II. It transfers control of the CPU to the ring 0 privileged code, that is, switches to kernel mode.

As mentioned above, the most important of the six operations implied by sysenter is loading the instruction pointer from the IA32_SYSENTER_EIP register into EIP, and IA32_SYSENTER_EIP holds the starting address of nt!KiFastCallEntry(). The kernel debugger command rdmsr 0x176 reads that address; the contents of all three registers are shown below:

(Screenshot: rdmsr output for IA32_SYSENTER_CS, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP.)


So we arrive in nt!KiFastCallEntry(), which dispatches to the kernel-space function of the same name, nt!NtOpenFile(), to actually perform the operation the application requested. The following diagram summarizes the whole path of the register method:

(Diagram: summary of the register method, from the Nt* stub through SystemCallStub, sysenter and nt!KiFastCallEntry to the kernel service.)


Finally, turn your attention back to the disassembly of ntdll!KiFastSystemCall(): attentive readers may have noticed that not far after its address lies the start of ntdll!KiIntSystemCall() (whose int 2Eh sits at 77c071c4). Both entry routines exist in the user space of the calc.exe process because the same ntdll.dll must also work on older Intel processors that do not support sysenter, where int 2Eh is the only way into kernel space. One might guess that a cmp ... je/jge branch inside ntdll chooses between them, but the selection is data-driven rather than a branch: at boot the kernel checks whether the processor supports sysenter (the SEP feature bit reported by CPUID) and stores the address of either ntdll!KiFastSystemCall() or ntdll!KiIntSystemCall() in SharedUserData!SystemCallStub, and every Nt* stub simply calls through that pointer. Dumping 7ffe0300 on a machine without sysenter support shows the int 2Eh routine's address there instead.



This article is from the "free, equal, sharing, mutual help" blog; please keep this source when reposting: http://shayi1983.blog.51cto.com/4681835/1710861
