[Reprint] A segmentation example under x86 Windows XP

Source: Internet
Author: User

Segmentation state is easy and intuitive to observe with the Bochs debugger. What follows is a fragment captured while booting Windows XP:

<bochs:7> sreg
cs:s=0x001b, dl=0x0000ffff, dh=0x00cffa00, valid=1
ds:s=0x0023, dl=0x0000ffff, dh=0x00cff300, valid=31
ss:s=0x0023, dl=0x0000ffff, dh=0x00cff300, valid=31
es:s=0x0023, dl=0x0000ffff, dh=0x00cff300, valid=31
fs:s=0x003b, dl=0xe000ffff, dh=0x7f40f3fd, valid=7
gs:s=0x0000, dl=0x00000000, dh=0x00000000, valid=0
ldtr:s=0x0000, dl=0x00000000, dh=0x00000000, valid=0
tr:s=0x0028, dl=0x200020ab, dh=0x80008b04, valid=1
gdtr:base=0x8003f000, limit=0x3ff
idtr:base=0x8003f400, limit=0x7ff




1, gdtr.base is 0x8003f000, gdtr.limit is 0x3ff (0x400 bytes, room for 128 descriptors)
2, idtr.base is 0x8003f400, idtr.limit is 0x7ff (0x800 bytes, the full 256 gates)
3, ldtr.selector is 0x0000

No LDT has been set up here: LDTR holds selector 0x0000, the null selector, and no descriptor is cached for it (valid=0).



5.6.1, Observing the CS register

Looking at the CS information:
1, CS holds the selector 0x1b shown above.
2, the dl=0x0000ffff, dh=0x00cffa00 that follow are the descriptor itself, i.e. the hidden part of the register that the processor cached when the selector was loaded.

Have a look at the CS descriptor in memory:

<bochs:8> x/2 0x8003f000+3*8
0x8003f018 <bogus+ 0>: 0x0000ffff 0x00cffa00

The selector loaded in CS is 0x1b, so: RPL = 3 (it requests privilege level 3), TI = 0 (the descriptor is in the GDT), index = 3.

The descriptor therefore lives at gdtr.base + 3 * 8 = 0x8003f018.

Its value, read as a 64-bit quantity, is 0x00cffa00_0000ffff.


The descriptor decodes as follows:
1, base = 0x00000000, a 32-bit value.
2, limit = 0xFFFFF, a 20-bit value.
3, DPL = 11b, that is, level 3.
4, S bit is 1: not a system descriptor, so this is a code/data segment descriptor.
5, type is 1010b: an execute/read, non-conforming code segment.
6, G bit is 1: the limit is counted in 4K pages.
7, D bit is 1: the code segment's default operand and address size is 32 bits.

To summarize what this descriptor says: the segment is a 32-bit code segment with base address 0x00000000, accessible from privilege level 3, with limit 0xFFFFF * 0x1000 + 0xFFF = 0xFFFFFFFF, i.e. the full 4G. This is the descriptor physically cached in the CS register (the dh/dl values in the sreg dump).




5.6.2, Observing the DS register

Let's see which descriptor DS has loaded. The selector used by DS is 0x23: TI = 0, index = 4, RPL = 3.

Fetch the descriptor:

<bochs:9> x/2 0x8003f000+4*8
0x8003f020 <bogus+ 0>: 0x0000ffff 0x00cff300



The value of this descriptor is 0x00cff300_0000ffff (a 64-bit value).


1, base = 0x00000000, a 32-bit value.
2, limit = 0xFFFFF, a 20-bit value.
3, DPL = 11b, that is, level 3.
4, S bit is 1: not a system descriptor, so this is a code/data segment descriptor.
5, type is 0011b: a data segment, read/write, accessed.
6, G bit is 1: the limit is counted in 4K pages.
7, the D/B bit is 1. For a data segment this is the B bit: when the segment is used as SS, stack operations use the 32-bit ESP, and for expand-down segments it selects the 4G upper bound. Its value matches the code segment descriptor.

---------------------------

This descriptor differs from the CS descriptor above only in the type field: it is a data segment descriptor.
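As an added example (my own C, not code from the original article), here is a decoder for the selector and descriptor fields worked through by hand in 5.6.1 and 5.6.2. It takes the dh/dl pair exactly as Bochs prints it and reproduces the base, limit, DPL, S, type, G and D/B values above; the inputs in main are the cs, ds, fs and tr values from the XP dump on this page, and the structure, function names and output format are assumptions of the example.

```c
/* Decoder for 32-bit x86 segment selectors and descriptors, fed with the dh/dl
 * pairs exactly as the Bochs "sreg" dump above prints them.  Added example for
 * this article; the names and the show() output format are mine, the input
 * values are the ones from the XP dump. */
#include <stdint.h>
#include <stdio.h>

struct seg_desc {
    uint32_t base;        /* 32-bit linear base address */
    uint32_t limit;       /* raw 20-bit limit field */
    uint32_t byte_limit;  /* effective limit in bytes after G scaling */
    unsigned type, s, dpl, p, avl, l, db, g;
};

struct selector { unsigned index, ti, rpl; };

/* dh = dword at offset +4 of the GDT entry, dl = dword at offset +0.  Valid for
 * segment descriptors (code, data, TSS, LDT); gate descriptors lay out their
 * fields differently and must not be decoded this way. */
struct seg_desc decode_desc(uint32_t dh, uint32_t dl)
{
    struct seg_desc d;
    d.base  = (dh & 0xff000000u) | ((dh & 0xffu) << 16) | (dl >> 16);
    d.limit = (((dh >> 16) & 0xfu) << 16) | (dl & 0xffffu);
    d.type  = (dh >> 8) & 0xf;    /* bits 11:8 */
    d.s     = (dh >> 12) & 1;     /* 1 = code/data, 0 = system */
    d.dpl   = (dh >> 13) & 3;
    d.p     = (dh >> 15) & 1;
    d.avl   = (dh >> 20) & 1;
    d.l     = (dh >> 21) & 1;     /* 64-bit code segment, long mode only */
    d.db    = (dh >> 22) & 1;     /* D for code, B for data/stack segments */
    d.g     = (dh >> 23) & 1;
    /* With G=1 the limit counts 4 KiB pages, so the low 12 bits of the byte limit are all ones. */
    d.byte_limit = d.g ? ((d.limit << 12) | 0xfffu) : d.limit;
    return d;
}

struct selector decode_sel(uint16_t sel)
{
    struct selector r = { sel >> 3, (sel >> 2) & 1, sel & 3 };
    return r;
}

/* Linear address of the GDT entry a selector refers to (for TI = 0). */
uint32_t desc_addr(uint32_t gdt_base, uint16_t sel)
{
    return gdt_base + (sel & ~7u);
}

const char *type_name(unsigned s, unsigned type)
{
    /* Data: bit 0 accessed, bit 1 writable, bit 2 expand-down.
     * Code: bit 0 accessed, bit 1 readable, bit 2 conforming. */
    static const char *data[8] = {
        "data, read-only", "data, read-only, accessed",
        "data, read/write", "data, read/write, accessed",
        "data, read-only, expand-down", "data, read-only, expand-down, accessed",
        "data, read/write, expand-down", "data, read/write, expand-down, accessed" };
    static const char *code[8] = {
        "code, execute-only, non-conforming", "code, execute-only, non-conforming, accessed",
        "code, execute/read, non-conforming", "code, execute/read, non-conforming, accessed",
        "code, execute-only, conforming", "code, execute-only, conforming, accessed",
        "code, execute/read, conforming", "code, execute/read, conforming, accessed" };
    static const char *sys[16] = {
        "reserved", "16-bit TSS (available)", "LDT", "16-bit TSS (busy)",
        "16-bit call gate", "task gate", "16-bit interrupt gate", "16-bit trap gate",
        "reserved", "32-bit TSS (available)", "reserved", "32-bit TSS (busy)",
        "32-bit call gate", "reserved", "32-bit interrupt gate", "32-bit trap gate" };
    if (!s) return sys[type & 0xf];
    return (type & 8) ? code[type & 7] : data[type & 7];
}

static void show(const char *reg, uint16_t sel, uint32_t dh, uint32_t dl)
{
    struct selector x = decode_sel(sel);
    struct seg_desc d = decode_desc(dh, dl);
    printf("%s: sel=0x%04x (index %u, TI %u, RPL %u) base=0x%08x limit=0x%05x "
           "(%s) P=%u DPL=%u D/B=%u %s\n",
           reg, sel, x.index, x.ti, x.rpl, d.base, d.limit,
           d.g ? "4K granular" : "byte granular", d.p, d.dpl, d.db, type_name(d.s, d.type));
}

int main(void)
{
    /* Values from the XP sreg dump on this page. */
    show("cs", 0x001b, 0x00cffa00u, 0x0000ffffu);
    show("ds", 0x0023, 0x00cff300u, 0x0000ffffu);
    show("fs", 0x003b, 0x7f40f3fdu, 0xe000ffffu);
    show("tr", 0x0028, 0x80008b04u, 0x200020abu);
    return 0;
}
```

Running it on the fs pair gives base 0x7ffde000 with G=0, and on the tr pair a busy 32-bit TSS at 0x80042000 with DPL 0, so the same routine covers the non-flat and system descriptors in the dump, not just the two 4G segments walked through above.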



5.6.3, Flat memory mode

Most current operating systems use a flat memory model, in which every segment has base address 0x00000000. Windows, however, gives FS a non-zero base: the segment FS describes here starts at 0x7ffde000 (from dh=0x7f40f3fd, dl=0xe000ffff the base bytes are 0x7f, 0xfd and 0xe000), and Windows uses FS to reach per-thread system information (the TEB in user mode).
Because CS, DS and SS all describe the same 0 to 4G range, flat mode means the bytes of the code segment can be read through DS, and bytes written through DS or SS, a buffer on the stack for example, can be executed through CS. At the segmentation stage the processor cannot prevent code on the stack from running; that protection has to come from paging.

Since flat mode is used, the offset part of a logical address equals the linear address. This is why modern operating systems have all but dropped the concept of a logical address: what is generally called the virtual address is the linear address.

Therefore, for the two instructions
mov eax, dword ptr cs:[0x8012100]
mov eax, dword ptr ds:[0x8012100]
-------------------------------------
the result is exactly the same, with one precondition: the code segment loaded in CS must be readable. It is here, since its type is 1010b (execute/read).



For these two instructions, however, the situation is different:

mov dword ptr cs:[0x8012100], eax
mov dword ptr ds:[0x8012100], eax
-------------------------------------
The first one faults with #GP: the code segment loaded in CS is not writable. No code segment descriptor can grant write access, so a write to code bytes must go through a data segment such as DS, which in flat mode reaches the same linear address.
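The following added example (my own C, not from the original article) models the segment-level checks the processor applies, using the CS and DS descriptor fields decoded in 5.6.1 and 5.6.2: the access right from the type bits, the DPL check when a selector is loaded, and the limit check. It evaluates the four instructions above at CPL 3, and also an instruction fetch from a user stack address through CS, which segmentation allows in flat mode. The structure and function names, and the stack address 0x0012ff80, are assumptions of the example.

```c
/* Model of the segment-level checks applied to a memory reference through a
 * code or data descriptor (S=1) in 32-bit protected mode.  Added example for
 * this article, not code from it; struct/function names are mine, the
 * descriptor fields are the ones decoded from the CS and DS entries above. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

enum seg_access { SEG_READ, SEG_WRITE, SEG_EXEC };
enum seg_fault  { SEG_OK = 0, SEG_GP, SEG_NP };   /* no fault, #GP, #NP */

struct seg {
    unsigned type;        /* 4-bit type field of the descriptor */
    unsigned present;     /* P bit */
    unsigned dpl;         /* DPL */
    unsigned b;           /* D/B bit: for expand-down data selects the 4G upper bound */
    uint32_t byte_limit;  /* limit after G scaling (0xffffffff for the flat 4G segments) */
};

/* Checks done once, when a selector is loaded into DS/ES/FS/GS.  Data and
 * non-conforming code segments require DPL >= max(CPL, RPL); a conforming
 * code segment may be loaded from any level; execute-only code may not be
 * used as a data segment at all. */
enum seg_fault seg_load_check(const struct seg *s, unsigned cpl, unsigned rpl)
{
    bool code = s->type & 8;
    bool conforming = code && (s->type & 4);
    if (code && !(s->type & 2)) return SEG_GP;
    if (!conforming && (cpl > s->dpl || rpl > s->dpl)) return SEG_GP;
    if (!s->present) return SEG_NP;
    return SEG_OK;
}

/* Checks done on every reference to [off, off+size) through the loaded segment:
 * the access right comes from the type bits, then the offset is bounded by
 * the limit (expand-down data segments invert the valid range). */
enum seg_fault seg_access_check(const struct seg *s, enum seg_access a,
                                uint32_t off, uint32_t size)
{
    bool code = s->type & 8;
    switch (a) {
    case SEG_WRITE:                               /* code is never writable; data needs W */
        if (code || !(s->type & 2)) return SEG_GP;
        break;
    case SEG_READ:                                /* execute-only code cannot be read */
        if (code && !(s->type & 2)) return SEG_GP;
        break;
    case SEG_EXEC:                                /* only code segments execute */
        if (!code) return SEG_GP;
        break;
    }
    if (size == 0 || off + size - 1 < off) return SEG_GP;   /* zero-length or wrap-around */
    uint32_t last = off + size - 1;
    if (!code && (s->type & 4)) {
        uint32_t upper = s->b ? 0xffffffffu : 0xffffu;
        if (off <= s->byte_limit || last > upper) return SEG_GP;
    } else if (last > s->byte_limit) {
        return SEG_GP;
    }
    return SEG_OK;
}

/* CS 0x1b = 00cffa00_0000ffff and DS 0x23 = 00cff300_0000ffff from the dump:
 * type 1010b / 0011b, P=1, DPL=3, D/B=1, base 0, byte limit 0xffffffff. */
static const struct seg xp_cs = { 0xa, 1, 3, 1, 0xffffffffu };
static const struct seg xp_ds = { 0x3, 1, 3, 1, 0xffffffffu };

/* The four instructions from the text, plus an instruction fetch from a user
 * stack address (0x0012ff80, an assumed value) through CS. */
enum seg_fault read_via_cs(void)  { return seg_access_check(&xp_cs, SEG_READ,  0x8012100u, 4); }
enum seg_fault read_via_ds(void)  { return seg_access_check(&xp_ds, SEG_READ,  0x8012100u, 4); }
enum seg_fault write_via_cs(void) { return seg_access_check(&xp_cs, SEG_WRITE, 0x8012100u, 4); }
enum seg_fault write_via_ds(void) { return seg_access_check(&xp_ds, SEG_WRITE, 0x8012100u, 4); }
enum seg_fault exec_stack_via_cs(void) { return seg_access_check(&xp_cs, SEG_EXEC, 0x0012ff80u, 1); }

static const char *fault_name(enum seg_fault f)
{
    return f == SEG_OK ? "ok" : f == SEG_GP ? "#GP" : "#NP";
}

int main(void)
{
    printf("mov eax, dword ptr cs:[0x8012100] -> %s\n", fault_name(read_via_cs()));
    printf("mov eax, dword ptr ds:[0x8012100] -> %s\n", fault_name(read_via_ds()));
    printf("mov dword ptr cs:[0x8012100], eax -> %s\n", fault_name(write_via_cs()));
    printf("mov dword ptr ds:[0x8012100], eax -> %s\n", fault_name(write_via_ds()));
    printf("fetch at 0x0012ff80 through cs     -> %s\n", fault_name(exec_stack_via_cs()));
    printf("load DS selector 0x23 at CPL 3     -> %s\n", fault_name(seg_load_check(&xp_ds, 3, 3)));
    return 0;
}
```

Only the write through CS is rejected; every other reference, including the fetch from the stack, passes because both descriptors cover the whole 4G linear space with DPL 3. Swapping in a descriptor with DPL 0 makes seg_load_check fail at CPL 3, which is the only segment-level barrier between user and kernel data in this layout.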

