[Original] Rootkit ring3-to-ring0 gate series [4]: trap gates

Source: Internet
Author: User

The eight articles on protected mode have now come to an end. :D Back to the main topic.
Today we look at the theory first.
1. Sources of exceptions
1) Program errors detected by the processor. These are detected while the program is running and are further divided into faults, traps and aborts. For a fault the saved CS:EIP points at the faulting instruction, for a trap at the instruction after it, and an abort does not permit a reliable restart.
2) Software-generated exceptions. Instructions such as INTO, INT 3 and BOUND raise exceptions from software.
3) Machine-check exceptions, raised when the processor detects an error in its internal logic or on the external bus.

In Windows, interrupts and exceptions are dispatched through the gates in the IDT: task gates, interrupt gates and trap gates. We have already looked at interrupt gates and task gates; today we look at the structure of the trap gate.
[Figure omitted: 386 trap gate descriptor format]
A trap gate is suited to handling exceptions. If the exception carries an error code, the processor pushes the error code onto the stack before transferring to the handler. Only exceptions carry error codes; interrupts never do.
[Figure omitted: stack contents after the transfer, cases A to D]
Cases A and B are transfers without a privilege-level change; C and D are transfers with a privilege-level change, where the old SS and ESP are pushed as well.
2. Exception-handling steps
The hardware performs the following steps automatically when handling an exception:
1) Check whether the gate descriptor indexed by the interrupt vector number lies within the IDT limit (vector * 8 + 7 must not exceed the limit). If it does not, a general protection fault (#GP) is raised with error code vector * 8 + 2 (the IDT bit of the selector error code is set).

2) Fetch the gate descriptor from the IDT, break it into its selector, offset and attribute (type) fields, and check them. The descriptor may only be a task gate, a 286 interrupt gate, a 286 trap gate, a 386 interrupt gate or a 386 trap gate; otherwise #GP is raised with error code vector * 8 + 2.

3) If the transfer was caused by an INT n or INTO instruction, check that the DPL of the interrupt, trap or task gate descriptor satisfies CPL <= DPL (for processor-detected exceptions and for hardware interrupts the gate DPL is ignored). This check prevents an application from executing INT n against vectors assigned to devices. If it fails, #GP is raised with error code vector * 8 + 2.
4) The P bit of the gate descriptor must be 1, marking the entry as valid; otherwise a segment-not-present fault (#NP) is raised with error code vector * 8 + 2.
5) Transfer to the interrupt or exception handler according to the gate type. For exceptions, the return point is fixed by the exception class before the steps above begin: for a fault the saved CS:EIP points at the faulting instruction, for a trap at the following instruction. If the exception has an error code, the error code is formed in the error-code format and pushed onto the stack before the handler starts executing.
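The following is an added example, not code from the original post or from Windows; it models steps 1 to 4 above in C for a 32-bit IDT. The gate encoding follows the Intel descriptor layout; the event-source classes, the sample vector 0x2E, the IDT limit 0x7FF and all selectors and offsets are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the IDT-side checks (steps 1 to 4 above).
 * Not Intel or Windows code; fault numbers are the x86 vector assignments. */
enum idt_result { IDT_OK = 0, IDT_NP_FAULT = 11, IDT_GP_FAULT = 13 };

/* Why the gate is consulted: only software interrupts get the DPL check,
 * and only external events set the EXT bit of the error code. */
enum event_src { EVT_SOFTWARE = 0, EVT_EXCEPTION = 1, EVT_EXTERNAL = 2 };

/* The five descriptor types permitted in the IDT. */
enum gate_type { GATE_TASK = 0x5, GATE_INTR_286 = 0x6, GATE_TRAP_286 = 0x7,
                 GATE_INTR_386 = 0xE, GATE_TRAP_386 = 0xF };

struct gate {
    uint16_t selector;  /* handler code segment (TSS selector for a task gate) */
    uint32_t offset;    /* handler entry offset (upper half unused by 286 gates) */
    uint8_t type, dpl, present;
};

/* Pack the fields into the two dwords (lo, hi) of an 8-byte IDT entry. */
void encode_gate(const struct gate *g, uint32_t *lo, uint32_t *hi)
{
    *lo = ((uint32_t)g->selector << 16) | (g->offset & 0xFFFFu);
    *hi = (g->offset & 0xFFFF0000u) | ((uint32_t)g->present << 15)
        | ((uint32_t)(g->dpl & 3) << 13) | ((uint32_t)(g->type & 0xF) << 8);
}

/* Inverse of encode_gate: split a raw entry into its fields. */
struct gate decode_gate(uint32_t lo, uint32_t hi)
{
    struct gate g;
    g.selector = (uint16_t)(lo >> 16);
    g.offset   = (hi & 0xFFFF0000u) | (lo & 0xFFFFu);
    g.type     = (uint8_t)((hi >> 8) & 0xF);
    g.dpl      = (uint8_t)((hi >> 13) & 0x3);
    g.present  = (uint8_t)((hi >> 15) & 0x1);
    return g;
}

/* Error code for a fault that refers to an IDT entry: bits 15..3 = vector,
 * bit 2 (TI) = 0, bit 1 (IDT) = 1, bit 0 (EXT) = 1 for external events.
 * For a software interrupt this is exactly "vector * 8 + 2". */
uint32_t idt_error_code(unsigned vector, enum event_src src)
{
    return (vector << 3) | 0x2u | (src == EVT_EXTERNAL ? 0x1u : 0u);
}

/* Apply the checks the processor makes before using the gate for `vector`.
 * Returns IDT_OK and fills *out, or the fault vector with *err filled in. */
int check_idt_gate(unsigned vector, uint16_t idt_limit, uint32_t lo, uint32_t hi,
                   enum event_src src, unsigned cpl, struct gate *out, uint32_t *err)
{
    *err = idt_error_code(vector, src);      /* every fault below uses this code */

    /* 1. the whole 8-byte entry must lie within the IDT limit */
    if (vector * 8u + 7u > idt_limit)
        return IDT_GP_FAULT;

    /* 2. anything other than a task, interrupt or trap gate is #GP */
    struct gate g = decode_gate(lo, hi);
    switch (g.type) {
    case GATE_TASK: case GATE_INTR_286: case GATE_TRAP_286:
    case GATE_INTR_386: case GATE_TRAP_386:
        break;
    default:
        return IDT_GP_FAULT;
    }

    /* 3. INT n / INTO need CPL <= gate DPL; hardware interrupts and
     *    processor-detected exceptions skip this, which is why ring 0 can
     *    keep device vectors at DPL 0 and still have them serviced */
    if (src == EVT_SOFTWARE && cpl > g.dpl)
        return IDT_GP_FAULT;

    /* 4. a not-present gate raises #NP rather than #GP, same error code */
    if (!g.present)
        return IDT_NP_FAULT;

    *out = g;
    *err = 0;
    return IDT_OK;
}

int main(void)
{
    /* constructed sample: a 386 trap gate at vector 0x2E, first callable from
     * ring 3 (DPL 3) and then restricted to ring 0 (DPL 0) */
    struct gate sys = { 0x08, 0x80401234u, GATE_TRAP_386, 3, 1 }, got;
    uint32_t lo, hi, err;
    for (int dpl = 3; dpl >= 0; dpl -= 3) {
        sys.dpl = (uint8_t)dpl;
        encode_gate(&sys, &lo, &hi);
        int r = check_idt_gate(0x2E, 0x7FF, lo, hi, EVT_SOFTWARE, 3, &got, &err);
        printf("gate DPL %d, INT 2E from ring 3 -> %d (error code %#x)\n", dpl, r, err);
    }
    return 0;
}
```

The same gate at DPL 0 is still usable for a hardware interrupt or a processor-detected exception arriving while ring 3 code runs, because the DPL comparison is made only for the software INT n / INTO case; that asymmetry is what lets the kernel keep device vectors at DPL 0 without losing them.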

3. Transfer through a trap gate
If the gate descriptor selected by the interrupt vector number is a 386 trap gate, control is transferred to a handler within the current task, possibly with a change of privilege level. As with a CALL through a call gate, the 48-bit full pointer to the handler is taken from the trap gate: the 16-bit selector is the selector of the handler's code segment and indexes a code segment descriptor in the Global Descriptor Table (GDT) or Local Descriptor Table (LDT); the 32-bit offset is the offset of the handler's entry point within that code segment. The transfer through the trap gate proceeds as follows and is performed automatically by the hardware:
(1) if the selector is null, #GP is raised;
(2) fetch the descriptor it selects;
(3) if it is not a code segment descriptor, #GP is raised;
(4) if the target is a non-conforming code segment whose DPL is numerically lower than CPL, switch to the inner stack (SS:ESP taken from the TSS) and push the old SS and ESP onto it;
(5) set the RPL of the CS selector to the new CPL (0 when entering a ring 0 handler);
(6) load the descriptor into CS;
(7) if the entry offset lies outside the segment limit, #GP is raised;
(8) push EFLAGS;
(9) push CS;
(10) push EIP;
(11) clear TF and NT (unlike an interrupt gate, a trap gate leaves IF unchanged);
(12) if the exception has an error code, push the error code;
(13) transfer to the handler.


4. Return after exception handling

The IRET instruction returns from the exception handler. Its execution falls into two cases according to the nested task flag NT in EFLAGS.
If NT is 1, the return is from a nested task. The link field of the current TSS holds the TSS selector of the previous task; the processor takes that selector and performs a task switch back to that task. This case arises when returning from a handler entered through a task gate, because NT is cleared whenever a handler is entered through an interrupt gate or trap gate.
If NT is 0, the return is within the current task. This is the case when returning from an interrupt or exception handler entered through an interrupt gate or trap gate. The processor pops EIP and CS from the top of the stack and then EFLAGS. The RPL field of the popped CS selector determines the privilege level being returned to. If that RPL equals CPL, no privilege-level change takes place. If the RPL specifies an outer (less privileged) level, a privilege-level change is required: the outer stack's ESP and SS are popped from the inner stack. This mirrors the RET instruction. Note that it is the RPL of the popped selector, not the DPL of the code segment descriptor, that decides the level returned to, so it is possible to return to a conforming code segment at a privilege level other than the one its DPL specifies. If the RPL of the popped CS selector specifies an inner (more privileged) level, #GP is raised. Note also that for IRET the selector in the return address on the current stack must select a code segment descriptor; it may not be a system segment or a gate descriptor, or #GP is raised.
For exception handlers that receive an error code, the handler must pop the error code off the stack itself before executing IRET; the processor neither pops nor discards it automatically.
IRET is used not only to return from a nested task entered by an interrupt or exception, but also to return from a nested task entered by a far CALL through a task gate: as described above, a far CALL that performs a task switch through a task gate sets the NT bit in EFLAGS to mark the nesting. RET cannot do this.
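As an added example covering both the trap-gate transfer in section 3 and the IRET return in section 4 (not code from the original post or from Windows), the following C model builds the stack frame the hardware pushes on entry and then unwinds it with IRET, including the inner-stack switch and the error code the handler must pop itself. The CPU state, the single 256-byte array standing in for both stacks, the selectors 0x1B/0x23 (ring 3) and 0x08/0x10 (ring 0), the addresses and the error code 0x172 are all constructed values; the NT = 1 task-return path is not modelled.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the frame built on entry through a 386 trap gate and
 * of the IRET (NT = 0) that unwinds it. Not Intel or Windows code. */
#define EFLAGS_TF 0x0100u
#define EFLAGS_IF 0x0200u
#define EFLAGS_NT 0x4000u

enum { OK = 0, GP_FAULT = 13, NOT_MODELLED = -1 };

/* Minimal CPU state. `stack` is one 256-byte region addressed by esp as a byte
 * offset: the ring-3 stack uses its lower half, the ring-0 stack named by
 * TSS.SS0:ESP0 its upper half. */
struct cpu {
    uint32_t eip, esp, eflags;
    uint16_t cs, ss;
    uint16_t tss_ss0; uint32_t tss_esp0;
    uint32_t stack[64];
};

/* What the target code segment descriptor (already fetched from GDT/LDT) says. */
struct code_seg { int is_code; int conforming; unsigned dpl; uint32_t limit; };

static unsigned cpl(const struct cpu *c) { return c->cs & 3u; }
static void push(struct cpu *c, uint32_t v) { c->esp -= 4; c->stack[c->esp / 4] = v; }
static uint32_t peek(const struct cpu *c, unsigned n) { return c->stack[c->esp / 4 + n]; }

/* Steps (1) to (13): transfer through a trap gate holding sel:off. All checks
 * run before any state changes, so a fault leaves the model untouched. */
int trap_gate_enter(struct cpu *c, uint16_t sel, uint32_t off,
                    const struct code_seg *cs_desc, int has_err, uint32_t err)
{
    if ((sel & ~3u) == 0) return GP_FAULT;        /* (1) null selector */
    if (!cs_desc->is_code) return GP_FAULT;       /* (3) not a code segment */
    if (cs_desc->dpl > cpl(c)) return GP_FAULT;   /* a gate never lowers privilege */
    if (off > cs_desc->limit) return GP_FAULT;    /* (7) entry past the segment limit */

    unsigned old_cpl = cpl(c);
    unsigned new_cpl = cs_desc->conforming ? old_cpl : cs_desc->dpl;
    uint16_t old_ss = c->ss; uint32_t old_esp = c->esp;
    if (new_cpl < old_cpl) {                      /* (4) inner stack from the TSS */
        c->ss = c->tss_ss0; c->esp = c->tss_esp0;
        push(c, old_ss); push(c, old_esp);
    }
    push(c, c->eflags);                           /* (8) */
    push(c, c->cs);                               /* (9) */
    push(c, c->eip);                              /* (10) */
    c->eflags &= ~(EFLAGS_TF | EFLAGS_NT);        /* (11) trap gate leaves IF alone */
    if (has_err) push(c, err);                    /* (12) error code goes on last */
    c->cs = (uint16_t)((sel & ~3u) | new_cpl);    /* (5)(6) RPL = new CPL */
    c->eip = off;                                 /* (13) */
    return OK;
}

/* The handler's first duty when an error code was pushed: remove it. */
uint32_t pop_error_code(struct cpu *c) { uint32_t e = peek(c, 0); c->esp += 4; return e; }

/* IRET, NT = 0 path only. Nothing is popped until the checks pass. */
int iret(struct cpu *c)
{
    if (c->eflags & EFLAGS_NT) return NOT_MODELLED;   /* task return via TSS link */
    uint32_t eip = peek(c, 0), cs = peek(c, 1), eflags = peek(c, 2);
    unsigned rpl = cs & 3u;
    if ((cs & ~3u) == 0) return GP_FAULT;             /* null return selector */
    if (rpl < cpl(c)) return GP_FAULT;                /* cannot return to an inner ring */
    c->esp += 12;
    if (rpl > cpl(c)) {                               /* outer ring: restore its stack */
        uint32_t esp = peek(c, 0), ss = peek(c, 1);
        c->ss = (uint16_t)ss; c->esp = esp;
    }
    c->eip = eip; c->cs = (uint16_t)cs; c->eflags = eflags;
    return OK;
}

/* A ring-3 thread at a constructed address, single-stepping (TF set). */
struct cpu user_thread(void)
{
    struct cpu c = {0};
    c.cs = 0x1B; c.ss = 0x23; c.esp = 128; c.eip = 0x401000u;
    c.eflags = EFLAGS_IF | EFLAGS_TF | 0x2u;
    c.tss_ss0 = 0x10; c.tss_esp0 = 256;
    return c;
}

int main(void)
{
    struct cpu c = user_thread();
    struct code_seg k = { 1, 0, 0, 0xFFFFFFFFu };    /* ring-0 non-conforming code */
    trap_gate_enter(&c, 0x08, 0x80401234u, &k, 1, 0x172u);
    printf("in handler: cs=%#x eip=%#x ss=%#x esp=%u eflags=%#x\n",
           c.cs, c.eip, c.ss, c.esp, c.eflags);
    pop_error_code(&c);
    int r = iret(&c);
    printf("iret -> %d, back at cs=%#x eip=%#x ss=%#x esp=%u\n", r, c.cs, c.eip, c.ss, c.esp);
    return 0;
}
```

Two details worth reading off the model: the error code sits above the saved EIP, so a handler that executes IRET without popping it returns to the error code as its EIP; and the RPL-versus-CPL check in `iret` is what stops ring 3 code from forging a frame whose CS has RPL 0 and "returning" into the kernel.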
