flat assembler
Message board for the users of flat assembler.

Index > Main > db 26 in x64

Author
Thread Post new topic Reply to topic
l4m2



Joined: 15 Jan 2015
Posts: 657
l4m2
http://ref.x86asm.net/geek.html wrote:
(db 26 is) Null Prefix in 64-bit Mode
https://wiki.osdev.org/CPU_Registers_x86-64 wrote:
Segments of CS, DS, ES, and SS are treated as if their base was 0 no matter what the segment descriptors in the GDT say.
They are actually not same on push dword [es:fs:ebx] or push dword [fs:es:ebx]. Is the behavior same for all x64 chips?
Post 12 Oct 2020, 16:01
View user's profile Send private message Reply with quote
Tomasz Grysztar



Joined: 16 Jun 2003
Posts: 7797
Location: Kraków, Poland
Tomasz Grysztar
That's an interesting question - while I was pretty sure of the answer, I decided to double-check so I went to my bookshelf and consulted the AMD x86-64 manuals from 2002. They state that these prefixes are ignored. As all the later incarnations of x64 were based on this original specification with very little deviations, my guess would be that this should be the same for all of them.
Post 12 Oct 2020, 20:57
View user's profile Send private message Visit poster's website Reply with quote
l4m2



Joined: 15 Jan 2015
Posts: 657
l4m2
Fail to test
Code:
; example of simplified Windows programming using complex macro features

include 'win64ax.inc' ; you can simply switch between win32ax, win32wx, win64ax and win64wx here

.code

  start:
        mov     eax, 0
        mov     edx, 0
        mov     ecx, 0xC0000100
        wrmsr
        invoke  MessageBox,HWND_DESKTOP,"Hi! I'm the example program!",invoke GetCommandLine,MB_OK
        invoke  ExitProcess,0

.end start    
causes an error, removing wrmsr it prompts
Post 12 Oct 2020, 21:38
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17669
Location: In your JS exploiting you and your system
revolution
wrmsr is a privileged instruction. You will need to ask a kernel driver to execute it for you.
Post 12 Oct 2020, 23:41
View user's profile Send private message Visit poster's website Reply with quote
Tomasz Grysztar



Joined: 16 Jun 2003
Posts: 7797
Location: Kraków, Poland
Tomasz Grysztar
If your intention was to just modify FS base for testing purposes, and if your CPU is not too old, try WRFSBASE instruction instead (it is not privileged like WRMSR).

Code:
include 'win64ax.inc'

.data

  msg db 'Oh?',0

.code

  start:

        rdfsbase rbx    ; save original FS base

        lea rax,[msg]
        wrfsbase rax

        fs ds mov dword [0],'Hi!'

        wrfsbase rbx    ; restore original FS base

        invoke  MessageBox,HWND_DESKTOP,msg,invoke GetCommandLine,MB_OK
        invoke  ExitProcess,0

.end start    
Post 13 Oct 2020, 07:38
View user's profile Send private message Visit poster's website Reply with quote
Feryno



Joined: 23 Mar 2005
Posts: 457
Location: Czech republic, Slovak republic
Feryno
rd/wrfsbase requires CR4 bit 16 to be enabled, otherwise it generates #UD if executed from not ring0 similarly to rd/wrmsr executed from not ring0
unfortunately mov from cr4 generates #GP(0) if executed from anything else than ring0 so no easy way to determine CR4 from usermode Sad

but back to l4m2 question
segment override prefixes are group 2 prefixes and when more of them used for 1 instruction only the first one or the last one (I do not remember exactly whether first or last) is used so that's why l4m2 results were different (he used them in legacy mode or compatibility submode because push dword instruction is impossible in 64 bit mode, you can push only qword or word in 64 bit mode, but not dword)
in 64-bit mode CS, DS, ES, SS prefixes are ignored (but using too many prefixes and generating too long instruction may lead to #UD) and only FS and GS prefixes are treated
moreover in his second post in this thread he is attempting to destroy FS base which may lead to completely damage execution of the program and generating access violations at any attempt to access any memory referenced by FS
Tomasz posted correct way and in his sample the FS base is restored, but meanwhile the program execution may be interrupted prior restoring FS base and again access violation could occur (that could be prevented by disabling interrupts by the CLI instruction - again privileged instruction for ring0 or by raising IRQL by writing CR8 - again privileged instruction for ring0)
Post 17 Oct 2020, 20:55
View user's profile Send private message Visit poster's website ICQ Number Reply with quote
Tomasz Grysztar



Joined: 16 Jun 2003
Posts: 7797
Location: Kraków, Poland
Tomasz Grysztar
Your objections should be valid in general context, but please note that this was just about an ability to simply test/demonstrate the execution of these prefixed instructions under a normal user-mode Windows environment. With the sample I provided I was able to test them on Windows 10. To get the test results we do not need to worry about rare occurrences like interrupt happening before FS base is restored - if you are unlucky and this happens, you can simply run the program once more to get the results (it did not happen even once for me, though).
Post 17 Oct 2020, 21:57
View user's profile Send private message Visit poster's website Reply with quote
HopekForth



Joined: 13 Jul 2017
Posts: 4
Location: Poland
HopekForth
Wow! Razz if you are unlucky and General Protection Fault happens, you can simply run the program once more to get the results Cool
Post 18 Oct 2020, 07:56
View user's profile Send private message Reply with quote
Tomasz Grysztar



Joined: 16 Jun 2003
Posts: 7797
Location: Kraków, Poland
Tomasz Grysztar
Sometimes the exception IS the test result. Keep a debugger ready. Wink
Post 18 Oct 2020, 08:51
View user's profile Send private message Visit poster's website Reply with quote
l4m2



Joined: 15 Jan 2015
Posts: 657
l4m2
Anyway fs:start crashes on my computer, so I just checked if it crash. and 26 is ignored
Post 19 Oct 2020, 17:09
View user's profile Send private message Reply with quote
Feryno



Joined: 23 Mar 2005
Posts: 457
Location: Czech republic, Slovak republic
Feryno
l4m2 of course it crashes as MSR_fs_base is nonzero so the base adds to the address of start so you get bogus pointer which generates #PF
in 64 bit everything else than FS, GS is ignored
some of these registers at some older Intel microarchitecture were hints in branching instructions to tell the CPU which branch target executed more frequently but otherwise they are completely ignored
from intel man:
Quote:
2EH—Branch not taken (used only with Jcc instructions).
3EH—Branch taken (used only with Jcc instructions).
Some earlier microarchitectures used these as branch hints, but recent generations have not and they are reserved for future hint
usage.

Tomasz - nice, so your version of win runs with CR4 bit 16. enabled, I did not test these instructions from usermode yet... interesting ! It is also possible to install an exception handler and skip any faulting instruction...
Post 20 Oct 2020, 16:04
View user's profile Send private message Visit poster's website ICQ Number Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2020, Tomasz Grysztar. Also on GitHub, YouTube, Twitter.

Website powered by rwasa.