How to read the GDT using SGDT

Started by allynm, May 26, 2011, 04:13:04 PM


allynm

Hello everyone,

I have been trying to read the GDT without success.  After some help from Dedndave and Tedd I consulted the Intel tech docs and thought I knew how to do it, but I have failed miserably in this project.  I can easily locate the GDTR but when I try to use it as a pointer to the bottom of the GDT, I get an access violation.  I'm always fearful of displaying how badly I code, but here is the code I am using:


include \masm32\include\masm32rt.inc

gdtinfo STRUCT
GDTLimit word ?     ;store gdtr here (16-bit table limit)
LOWGDTbase word ?   ;low 16 bits of the 32-bit table base
HiGDTbase word ?    ;high 16 bits of the 32-bit table base
gdtinfo ENDS

gdtrec STRUCT
limit_low word ?    ;store definition of gdt here (one 8-byte descriptor)
base_low word ?
base_middle byte ?
access byte ?
granularity byte ?
base_high byte ?
gdtrec ENDS

pgdtrec typedef ptr gdtrec ;define pointer to gdt

.stack
.data

segstruct gdtinfo <?>
gdtstruct gdtrec <?>
pgdtstruct pgdtrec gdtstruct  ;pointer to gdt

.code
  start:
readseg PROC

mov eax, 2h

sgdt segstruct ;copy gdtr to memory (SGDT itself executes fine from user mode)

mov bx, segstruct.HiGDTbase
movzx ebx, bx
shl ebx, 16
mov bx, segstruct.LOWGDTbase ;create the gdtr base address in ebx
mov pgdtstruct, ebx
mov eax, pgdtstruct
mov edx, [eax] ;read the memory pointed to--
Invoke ExitProcess, 0 ;and get access violation (the base is a kernel-mode address)
ret
readseg ENDP
END start



I don't know how to get around the access violation.  But, surely there must be a way.  I say this because WinDBG can get to the IDT and SoftIce can also get to the GDT.  And, since it is possible for users to load the gdt, I think it is illogical that they couldn't also read it and store it. Any suggestions?

Regards,

Mark Allyn

qWord

you need to write a kernel mode driver for this purpose, because reading the GDT can only be done in ring0.
Kernel Driver Tute
FPU in a trice: SmplMath
It's that simple!

donkey

I was always under the impression (but I could be wrong) that only the "limits" could be reliably read from p-mode. AFAIK qWord is correct and this has to be read from k-mode in order for the "base" data to be valid.
"Ahhh, what an awful dream. Ones and zeroes everywhere...[shudder] and I thought I saw a two." -- Bender
"It was just a dream, Bender. There's no such thing as two". -- Fry
-- Futurama

Donkey's Stable

MichaelW

I think this is correct as far as it goes, but it will not help you get around the access violation. Windows already has enough security problems without letting user-mode applications run around barefoot in the descriptor tables.

;==============================================================================
    include \masm32\include\masm32rt.inc
    .686p
;==============================================================================

printf MACRO format:REQ, args:VARARG
    IFNB <args>
        invoke crt_printf, cfm$(format), args
    ELSE
        invoke crt_printf, cfm$(format)
    ENDIF
    EXITM <>
ENDM

;==============================================================================

;-----------------------------------------------------------------
; This was an attempt to simplify access to descriptor tables by
; having all of the fields named. It tests out OK, but it's still
; not easy to use.
;-----------------------------------------------------------------

ACCESS_BYTE RECORD P:1=0, DPL:2=0, S:1=0, segtype:4=0
EXTRA_BYTE  RECORD G:1=0, D:1=0, reserved:1=0, AVL:1=0, limit_19_16:4=0

SEGMENT_DESCRIPTOR STRUCT
  limit_15_0  WORD        0
  base_15_0   WORD        0
  base_23_16  BYTE        0
  access_byte ACCESS_BYTE <>
  extra_byte  EXTRA_BYTE  <>
  base_31_24  BYTE        0
SEGMENT_DESCRIPTOR ENDS

;--------------------------------------------------------------

TABLE_DESCRIPTOR STRUC
  table_limit WORD  0
  table_base  DWORD 0
TABLE_DESCRIPTOR ENDS

;==============================================================================
    .data
        td TABLE_DESCRIPTOR <>
    .code
;==============================================================================
start:
;==============================================================================

    sgdt FWORD PTR td
    movzx eax, td.table_limit
    printf( "table_limit %Xh\n", eax )
    printf( "table_base  %Xh\n", td.table_base )
    sidt FWORD PTR td
    movzx eax, td.table_limit
    printf( "table_limit %Xh\n", eax )
    printf( "table_base  %Xh\n", td.table_base )

    inkey "Press any key to exit..."
    exit
;==============================================================================
end start


Running under Windows 2000:

table_limit 3FFh
table_base  80036000h
table_limit 7FFh
table_base  80036400h


eschew obfuscation
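A decoder for the two layouts MichaelW's structures describe, added here as an example and not code from the thread: it reassembles the split base and limit fields of the 6-byte SGDT/SIDT image and of one 8-byte segment descriptor, written in C rather than MASM because the point is the bit layout, and it applies equally to descriptor bytes obtained from a kernel-mode driver or a memory dump. The sample bytes are constructed; the GDTR image reproduces the Windows 2000 values printed above, and the descriptor is a flat 4 GiB ring-0 code segment.

```c
#include <stdint.h>
#include <stdio.h>

/* 6-byte image SGDT/SIDT store in 32-bit mode: 16-bit limit, then 32-bit base
   (the layout of MichaelW's TABLE_DESCRIPTOR). */
typedef struct { uint16_t limit; uint32_t base; } table_desc_t;

/* One 8-byte SEGMENT_DESCRIPTOR with its split fields reassembled. */
typedef struct {
    uint32_t base, limit;    /* limit is the effective byte limit after applying G */
    uint8_t  present, dpl, system, type, granularity;
} seg_desc_t;
table_desc_t decode_table_desc(const uint8_t img[6]) {
    table_desc_t td;
    td.limit = (uint16_t)(img[0] | (img[1] << 8));
    td.base  = (uint32_t)img[2] | ((uint32_t)img[3] << 8) |
               ((uint32_t)img[4] << 16) | ((uint32_t)img[5] << 24);
    return td;
}
/* The limit is the offset of the table's last byte, so entries = (limit + 1) / 8. */
unsigned table_entry_count(table_desc_t td) { return (td.limit + 1u) / 8u; }

seg_desc_t decode_segment_desc(const uint8_t d[8]) {
    seg_desc_t s;
    uint32_t raw_limit = d[0] | (d[1] << 8) | ((uint32_t)(d[6] & 0x0F) << 16);
    s.base    = d[2] | (d[3] << 8) | ((uint32_t)d[4] << 16) | ((uint32_t)d[7] << 24);
    s.type    = d[5] & 0x0F;           /* access byte: P:1 DPL:2 S:1 segtype:4 */
    s.system  = (d[5] >> 4) & 1;
    s.dpl     = (d[5] >> 5) & 3;
    s.present = (d[5] >> 7) & 1;
    s.granularity = (d[6] >> 7) & 1;   /* extra byte: G:1 D:1 0:1 AVL:1 limit_19_16:4 */
    /* G=1 counts the 20-bit limit in 4 KiB pages; the low 12 bits then read as ones. */
    s.limit = s.granularity ? ((raw_limit << 12) | 0xFFFu) : raw_limit;
    return s;
}
/* Constructed samples: a GDTR image with the Windows 2000 values printed in the
   thread (limit 3FFh, base 80036000h) and a flat 4 GiB ring-0 32-bit code descriptor. */
static const uint8_t SAMPLE_GDTR[6] = { 0xFF, 0x03, 0x00, 0x60, 0x03, 0x80 };
static const uint8_t SAMPLE_CODE_DESC[8] = { 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x9B, 0xCF, 0x00 };

int main(void) {
    table_desc_t td = decode_table_desc(SAMPLE_GDTR);
    seg_desc_t s = decode_segment_desc(SAMPLE_CODE_DESC);
    printf("GDTR base %08Xh limit %Xh -> %u descriptors\n",
           (unsigned)td.base, (unsigned)td.limit, table_entry_count(td));
    printf("desc base %08Xh limit %08Xh P=%u DPL=%u S=%u type=%Xh G=%u\n",
           (unsigned)s.base, (unsigned)s.limit, s.present, s.dpl, s.system, s.type, s.granularity);
    return 0;
}
```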

allynm

Good morning Donkey, MichaelW, and Qword,

No doubt you are right about kernel mode.  I looked through the Intel docs fairly carefully but I don't recall that they mention this specifically.  Probably in the "fine print" somewhere...

As always, I am grateful to MichaelW for taking a look at this problem and sharing some code. 

I will read the tutes on kmode that you sent. 

As I said to 'Dave and Tedd a while back, I don't want to mess up or alter the gdt, I just want to read it passively.  I know that there is a delicate fuzzy line separating "reading" and "messing with".

Regards,
Mark Allyn