flat assembler
Message board for the users of flat assembler.

fs and gs segment registers in 64 bit windows

tthsqe



Joined: 20 May 2009
Posts: 767
tthsqe 10 May 2023, 05:02
so I tried rd/wrfsbase since gs looks like it is being used. fs started out as zero, and almost all of the calls into the windows apis set it back to zero. Therefore, it is necessary to save and restore it around calls to foreign code. This actually worked (i.e. I got the same value out of reads inside the program as the value I wrote once at the beginning of the program) with one caveat: the WindowProc function is called indirectly, so I had to set it to the right value at the beginning of this function. In any case, windows really wants to set that back to zero, so it is necessary to have a method of restoring it inside your functions that can be called from foreign code.
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20451
Location: In your JS exploiting you and your system
revolution 10 May 2023, 05:05
The main problem with using undocumented things is that they are not guaranteed to be consistent for each use. If someone else is on a different version, or patch level, of the OS then they might get different behaviour.
tthsqe



Joined: 20 May 2009
Posts: 767
tthsqe 02 Jul 2023, 03:47
Welp, with longer running programs, fsbase does get randomly set back to zero. So, that is it for windows.
Furs



Joined: 04 Mar 2016
Posts: 2566
Furs 02 Jul 2023, 14:33
tthsqe wrote:
Welp, with longer running programs, fsbase does get randomly set back to zero. So, that is it for windows.

Can't wait for side-channel exploits using this, somehow.
Hrstka



Joined: 05 May 2008
Posts: 61
Location: Czech republic
Hrstka 03 Jul 2023, 12:29
Windows periodically suspends and resumes your process in order to run applications concurrently. During this task switch the fs register is probably set to zero.
sinsi



Joined: 10 Aug 2007
Posts: 794
Location: Adelaide
sinsi 03 Jul 2023, 22:24
The Old New Thing wrote:
The fs register has not yet been assigned a meaning and should not be used. The Windows ABI forbids modifying either of these segment registers.

https://devblogs.microsoft.com/oldnewthing/20220831-00/?p=107077
tthsqe



Joined: 20 May 2009
Posts: 767
tthsqe 04 Jul 2023, 06:48
Quote:
The Windows ABI forbids modifying either of these segment registers.

I suppose the source for this is the Windows ABI's silence? Where is the Windows ABI?

For absolute clarity, I have observed the following printing anywhere from 50M to 1.5B iterations.
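Code:
mov edx,1
wrfsbase rdx            ; set the FS base to 1
xor ecx,ecx             ; rcx = iteration counter
again:
rdfsbase rax            ; read the FS base back
inc rcx
cmp rax,rdx
je again                ; keep looping while the value written is still there
Print 'something happened after ', rcx, ' iterations'   ; Print: output macro, not shown in the post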
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20451
Location: In your JS exploiting you and your system
revolution 04 Jul 2023, 14:45
Is it being changed by another process, or the OS, or both?

If you run a second process to change fsbase after starting your test code, does that immediately trigger the message?
tthsqe



Joined: 20 May 2009
Posts: 767
tthsqe 04 Jul 2023, 23:02
I will be sure to run those experiments before I delete the windows partition. I am intrigued by the thought of what might happen with lots of processes changing it, though I am not sure what the difference between attributing it to another process and attributing it to the OS is; I thought it was the job of the OS (besides collecting telemetrics) to keep the processes separated. I have only observed fsbase changing on its own back to zero - never any other value.
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.
