Thread: XP using not only ring0/ring3?

  1. #1

    XP using not only ring0/ring3?

    Recently, I've run my GDT/IDT/LDT dumper on an XP SP2 system, and found some really interesting data.

    In GDT:
    Code:
    #0009: 0048 [8203c000:00000177] * 32bit=0, gran=0, present=1, dpl=0, type=[S] LDT
    This LDT is not empty:
    Code:
    Reading secondary Local Descriptors Table...
    Base = 8203c000, limit = 0177
    
    #0000: 0002 [41540a2e:00000000] * 32bit=1, gran=0, present=0, dpl=2, type=[S] 16-bit TSS (busy)          
    #0001: null
    #0002: 0012 [82140000:00030000] * 32bit=0, gran=0, present=1, dpl=2, type=[S] Unknown [0000]             
    #0003: 001a [821c8203:0003c014] * 32bit=0, gran=0, present=1, dpl=2, type=[S] Unknown [0000]             
    #0004: 0022 [82248203:0003c01c] * 32bit=0, gran=0, present=1, dpl=2, type=[S] Unknown [0000]             
    #0005: 0028 [00008203:0008c024] * 32bit=0, gran=0, present=0, dpl=0, type=[S] 16-bit Call Gate           
    #0006: null
    #0007: null
    #0008: null
    #0009: 0048 [00000000:00000000] * 32bit=0, gran=0, present=1, dpl=0, type=[S] Unknown [0000]             
    #000a: null
    #000b: null
    #000c: null
    #000d: 0068 [00000000:00000000] * 32bit=0, gran=0, present=0, dpl=0, type=[S] 16-bit TSS (available)     
    #000e: null
    #000f: null
    ...
    The LDT from LDTR is null, however. What's interesting is that in this "secondary" 16-bit LDT some descriptors have DPL = 1 or 2. I don't know if it's just garbage (it seems so), but then what's the purpose of this? The #9 selector in GDT is null in w2k. As I recall, XP SP1 was similar to 2k - no secondary LDT. My tool seems to work well; I wish I had SoftIce at my office to check it.

    Full dumps from w2k sp4 and xp sp2:
    http://ry.pl/~omega/n/sdt_dump_2k_sp4.txt
    http://ry.pl/~omega/n/sdt_dump_xp_sp2.txt

    The utility:
    http://ry.pl/~omega/asm/sdt.zip
    Last edited by omega_red; January 11th, 2005 at 07:00.
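    To check a line of the dump above by hand, here is an added example (not omega_red's sdt tool) that splits a raw 8-byte IA-32 descriptor into the same fields the dump prints; the raw value in main() is constructed from the fields shown for GDT entry #9, and the LDT check is what a valid #9 slot must pass.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Decoded fields of one 8-byte IA-32 segment descriptor, named as in the dump above. */
struct seg_desc {
    uint32_t base, limit;                           /* limit: raw 20-bit value, not scaled by G */
    unsigned type, system, dpl, present, db, gran;  /* system = 1 when the S bit is 0 */
};
/* System descriptor types (S = 0) as listed in the Intel SDM; index is the 4-bit type field. */
static const char *const system_type_names[16] = {
    "Reserved", "16-bit TSS (available)", "LDT", "16-bit TSS (busy)",
    "16-bit Call Gate", "Task Gate", "16-bit Interrupt Gate", "16-bit Trap Gate",
    "Reserved", "32-bit TSS (available)", "Reserved", "32-bit TSS (busy)",
    "32-bit Call Gate", "Reserved", "32-bit Interrupt Gate", "32-bit Trap Gate",
};
/* Split a raw descriptor into its fields; bit positions follow the SDM descriptor layout. */
void decode_descriptor(uint64_t raw, struct seg_desc *d)
{
    uint32_t lo = (uint32_t)raw, hi = (uint32_t)(raw >> 32);
    d->limit   = (lo & 0xffffu) | (hi & 0x000f0000u);          /* limit[15:0] | limit[19:16] */
    d->base    = (lo >> 16) | ((hi & 0xffu) << 16) | (hi & 0xff000000u);
    d->type    = (hi >> 8) & 0xf;
    d->system  = ((hi >> 12) & 1) == 0;                         /* S bit clear: system/gate */
    d->dpl     = (hi >> 13) & 3;
    d->present = (hi >> 15) & 1;
    d->db      = (hi >> 22) & 1;                                /* D/B, printed as 32bit= */
    d->gran    = (hi >> 23) & 1;                                /* G,   printed as gran=  */
}
/* Type name; code/data segments are only told apart here by bit 3 of the type field. */
const char *describe_type(const struct seg_desc *d)
{
    return d->system ? system_type_names[d->type] : ((d->type & 8) ? "Code" : "Data");
}
/* A GDT slot that really addresses an LDT must be present, S = 0 and type 2. */
int is_present_ldt(uint64_t raw)
{
    struct seg_desc d;
    decode_descriptor(raw, &d);
    return d.present && d.system && d.type == 2;
}
int main(void)
{
    struct seg_desc d;
    decode_descriptor(0x82008203c0000177ull, &d);   /* constructed: GDT entry #9 from the dump */
    printf("[%08x:%08x] 32bit=%u, gran=%u, present=%u, dpl=%u, type=[%c] %s\n", d.base, d.limit,
           d.db, d.gran, d.present, d.dpl, d.system ? 'S' : 'U', describe_type(&d));
    return 0;
}
```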

  2. #2
    Quote Originally Posted by omega_red
    The LDT from LDTR is null, however. What's interesting, that in this "secondary" 16-bit LDT some descriptors have DPL = 1 or 2. I don't know if it's just garbage (it seems so), but then what's the purpose of this?
    I'm pretty new to GDT/LDT and don't pretend to understand it well. My understanding is that the LDT is being reserved for DOS-based applications in XP, and in XP that would mean the DOS window. I have never seen a listing for the LDT in XP with SP2 using purely 32 bit apps. Of course, I haven't looked a lot either.

    I read somewhere as well that Windows doesn't use privilege levels 1 and 2 to keep it compatible with Unix-based systems (I think). If you are seeing LDT listings and the use of privilege levels 1 and 2, would that not suggest a DOS app is running? I'm wondering about the app you're using to view the GDT/LDT. Maybe it's using DOS extended mode.

    Windows starts in real mode then switches to protected mode. I don't know if an app running in DOS extended mode can start in Windows or whether it needs to boot clean.

  3. #3
    LDT is mostly needed for 16-bit apps.
    Debug them & see.
