flat assembler
Message board for the users of flat assembler.

Index > Windows > Windows PROC at 7FFE0300h

Goto page 1, 2, 3  Next
Author
Thread Post new topic Reply to topic
Uwar



Joined: 09 Oct 2009
Posts: 11
Uwar 14 Oct 2009, 17:38
What is this? Call, but what?
Code:
mov   eax, 00001142h ; service number?
mov   edx, 7FFE0300h ; something, like interrupt number?
call  [edx]
retn  0004h
    
Post 14 Oct 2009, 17:38
View user's profile Send private message Reply with quote
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4624
Location: Argentina
LocoDelAssembly 14 Oct 2009, 18:01
No, it is just calling via pointer, using "call dword [7FFE0300h]" would have been the same actually.

Where you have seen that?

[edit]To clarify, that was something like:
Code:
mov edx, kernel32.GetTickCount ; Address of the IAT entry, not the API function itself
call [edx]    
[/edit]
Post 14 Oct 2009, 18:01
View user's profile Send private message Reply with quote
Uwar



Joined: 09 Oct 2009
Posts: 11
Uwar 14 Oct 2009, 18:10
In user32.dll
Yes, you're right. But, this address doesn't exist anywhere. In windows dlls this is really common construction. It looks like INT 21h in MS-DOS.
Post 14 Oct 2009, 18:10
View user's profile Send private message Reply with quote
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4624
Location: Argentina
LocoDelAssembly 14 Oct 2009, 18:22
You guessed correctly, in my system (WinXP SP3), it points to the following procedure:
Code:
7C91E510 > 8BD4             MOV EDX,ESP
7C91E512   0F34             SYSENTER
7C91E514 > C3               RETN
;;;;;;;;;;;;;;;;;;;;;;;;
7C91E515   8DA424 00000000  LEA ESP,DWORD PTR SS:[ESP]
7C91E51C   8D6424 00        LEA ESP,DWORD PTR SS:[ESP]
7C91E520 > 8D5424 08        LEA EDX,DWORD PTR SS:[ESP+8]
7C91E524   CD 2E            INT 2E
7C91E526   C3               RETN    


The pointer must be there to select between SYSENTER method and INT method (and also SYSCALL method?).

PS: According to OllyDbg, the code you posted is called from the following locations:
Code:
 Local calls from 7E3995FD, 7E39A077, 7E39EDC9, CreatePopupMenu+2, 7E39FE24, 7E3A1894, 7E3A1F65, 7E3A2DF6, 7E3A4D0B, 7E3A7F19, GetMessagePos+2, DestroyCaret+2, 7E3AB2E4, ReleaseCapture+2, 7E3AECA8, 7E3AEF87, CreateMenu+2, 7E3B1281, 7E3B45C2, ...    


Last edited by LocoDelAssembly on 14 Oct 2009, 18:32; edited 1 time in total
Post 14 Oct 2009, 18:22
View user's profile Send private message Reply with quote
Uwar



Joined: 09 Oct 2009
Posts: 11
Uwar 14 Oct 2009, 18:31
Great, Thank's a lot! It is exactly that what I need. From where OLLYDBG known it?
Post 14 Oct 2009, 18:31
View user's profile Send private message Reply with quote
f0dder



Joined: 19 Feb 2004
Posts: 3175
Location: Denmark
f0dder 21 Oct 2009, 07:25
Uwar wrote:
Great, Thank's a lot! It is exactly that what I need. From where OLLYDBG known it?
Because OllyDbg can disassemble arbitrary memory locations Smile

_________________
Image - carpe noctem
Post 21 Oct 2009, 07:25
View user's profile Send private message Visit poster's website Reply with quote
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4624
Location: Argentina
LocoDelAssembly 21 Oct 2009, 15:50
Uwar, don't edit your post after a long time, the "posts since last visit" never shows edits and that is the reason I missed your question (or I've just dreamed that you originally asked how to get the result of the system call?).
Post 21 Oct 2009, 15:50
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20486
Location: In your JS exploiting you and your system
revolution 21 Oct 2009, 16:07
LocoDelAssembly, the only post showing edits are your own. Question
Post 21 Oct 2009, 16:07
View user's profile Send private message Visit poster's website Reply with quote
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4624
Location: Argentina
LocoDelAssembly 21 Oct 2009, 16:18
You know that the last post is never marked as edited no matter how many times you edit it Smile
Post 21 Oct 2009, 16:18
View user's profile Send private message Reply with quote
Azu



Joined: 16 Dec 2008
Posts: 1159
Azu 04 Nov 2009, 06:42
LocoDelAssembly wrote:
The pointer must be there to select between SYSENTER method and INT method (and also SYSCALL method?).
What a horribly inefficient coding style! Why not just check at startup which method the CPU supports, and then inline whatever the best available method is, rather than reading some memory address and jumping to a far away location over and over during runtime!? Confused

Also, why on Earth is a transition to and from kernel mode needed just to get the tick count????? Isn't there an instruction for that called rdtsc?

_________________
Post 04 Nov 2009, 06:42
View user's profile Send private message Send e-mail AIM Address Yahoo Messenger MSN Messenger ICQ Number Reply with quote
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4624
Location: Argentina
LocoDelAssembly 04 Nov 2009, 07:02
Quote:

Also, why on Earth is a transition to and from kernel mode needed just to get the tick count?????

It isn't. The code above is just an example of calling via pointer having the same code pattern the selection of system call method has. My WinXP SP3 has the following code for GetTickCount:
Code:
7C80934A > BA 0000FE7F      MOV EDX,7FFE0000
7C80934F   8B02             MOV EAX,DWORD PTR DS:[EDX]
7C809351   F762 04          MUL DWORD PTR DS:[EDX+4]
7C809354   0FACD0 18        SHRD EAX,EDX,18
7C809358   C3               RETN    


Quote:
Isn't there an instruction for that called rdtsc?

Not so direct, you need to account for every change in the CPU frequency and for each core (although I think there is some option on newer CPUs to make the TSC immune to frequency changes).
Post 04 Nov 2009, 07:02
View user's profile Send private message Reply with quote
Azu



Joined: 16 Dec 2008
Posts: 1159
Azu 04 Nov 2009, 07:06
Even so, the way it is implemented.. couldn't they at least standardize the address it's stored in so programs could read from it directly?? :/

_________________
Post 04 Nov 2009, 07:06
View user's profile Send private message Send e-mail AIM Address Yahoo Messenger MSN Messenger ICQ Number Reply with quote
Fanael



Joined: 03 Jul 2009
Posts: 168
Fanael 04 Nov 2009, 07:18
Nope, that address must be considered as system's internals, and these are, by definition, not expected to be known by anyone but Microsoft.
Post 04 Nov 2009, 07:18
View user's profile Send private message Reply with quote
comrade



Joined: 16 Jun 2003
Posts: 1150
Location: Russian Federation
comrade 04 Nov 2009, 07:30
Azu, how do you propose to inline the correct method? Self-modifying code? If you start modifying code in the image, you'll completely kill the memory performance of the system, as all the shared copy-on-write code pages will become private to the process and can no longer be shared across processes. Note that there are solutions around this (inline the proper method in all processes, perhaps by the kernel image loader itself), but ultimately the perf win from any of this will be marginal - a kernel trap, be it via sysenter or int 2e, is already expensive enough. Furthermore modern CPUs have trace caches that can see ahead branches and add those instructions to the instruction queue.

Not sure what OS LocoDelAssembly is running, but GetTickCount has long been reading the time from the SharedUserData structure (the data structure shared by the kernel and all user processes). This is from my Win7 x64:

Code:
KERNELBASE!GetTickCount:
75908c96 eb02            jmp     KERNELBASE!GetTickCount+0x4 (75908c9a)
75908c98 f390            pause
75908c9a 8b0d2403fe7f    mov     ecx,dword ptr [SharedUserData+0x324 (7ffe0324)]
75908ca0 8b152003fe7f    mov     edx,dword ptr [SharedUserData!SystemCallStub+0x20 (7ffe0320)]
75908ca6 a12803fe7f      mov     eax,dword ptr [SharedUserData+0x328 (7ffe0328)]
75908cab 3bc8            cmp     ecx,eax
75908cad 75e9            jne     KERNELBASE!GetTickCount+0x2 (75908c98)
75908caf a10400fe7f      mov     eax,dword ptr [SharedUserData+0x4 (7ffe0004)]
75908cb4 f7e2            mul     eax,edx
75908cb6 c1e108          shl     ecx,8
75908cb9 0faf0d0400fe7f  imul    ecx,dword ptr [SharedUserData+0x4 (7ffe0004)]
75908cc0 0facd018        shrd    eax,edx,18h
75908cc4 c1ea18          shr     edx,18h
75908cc7 03c1            add     eax,ecx
75908cc9 c3              ret    


Bonus points for those who can tell me what the loop between -c98 to -cad is doing.
Post 04 Nov 2009, 07:30
View user's profile Send private message Visit poster's website AIM Address Yahoo Messenger MSN Messenger ICQ Number Reply with quote
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4624
Location: Argentina
LocoDelAssembly 04 Nov 2009, 07:51
Quote:

Not sure what OS LocoDelAssembly is running

Quote:

My WinXP SP3 has the following code for GetTickCount
Smile

This time with WinDbg:
Code:
kernel32!GetTickCount:
7c80934a ba0000fe7f      mov     edx,offset SharedUserData (7ffe0000)
7c80934f 8b02            mov     eax,dword ptr [edx]
7c809351 f76204          mul     eax,dword ptr [edx+4]
7c809354 0facd018        shrd    eax,edx,18h
7c809358 c3              ret
7c809359 90              nop
7c80935a 90              nop
7c80935b 90              nop
7c80935c 90              nop
7c80935d 90              nop    

SharedUserData here too but yet the code is really different (even without taking the loop into account).
Post 04 Nov 2009, 07:51
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20486
Location: In your JS exploiting you and your system
revolution 04 Nov 2009, 08:08
comrade wrote:
Bonus points for those who can tell me what the loop between -c98 to -cad is doing.
Interrupts are not disabled during the execution so of course the value stored there can change at any time. Read the high value, then the low value, then the high value again. If the two high values don't match then do it again.
Post 04 Nov 2009, 08:08
View user's profile Send private message Visit poster's website Reply with quote
f0dder



Joined: 19 Feb 2004
Posts: 3175
Location: Denmark
f0dder 04 Nov 2009, 13:21
Azu wrote:
LocoDelAssembly wrote:
The pointer must be there to select between SYSENTER method and INT method (and also SYSCALL method?).
What a horribly inefficient coding style! Why not just check at startup which method the CPU supports, and then inline whatever the best available method is, rather than reading some memory address and jumping to a far away location over and over during runtime!? Confused
How often do you have a time-critical inner loop that revolves around calling kernel-mode functions?

And how much time is spent doing transition compared to the amount of time spent executing code in kernel-mode?

_________________
Image - carpe noctem
Post 04 Nov 2009, 13:21
View user's profile Send private message Visit poster's website Reply with quote
Azu



Joined: 16 Dec 2008
Posts: 1159
Azu 04 Nov 2009, 15:30
Fanael wrote:
Nope, that address must be considered as system's internals, and these are, by definition, not expected to be known by anyone but Microsoft.
Why? Can't they put them in a documented location like the PEB or something? Even high level compilers make use of stuff from that!

comrade wrote:
Azu, how do you propose to inline the correct method? Self-modifying code?
Self-modifying implies at runtime.

I meant JIT. Once at startup.


Not every time it is called. Obviously that would cause more problems than performance (stability/security problems from writable executable sections)..


f0dder wrote:
Azu wrote:
LocoDelAssembly wrote:
The pointer must be there to select between SYSENTER method and INT method (and also SYSCALL method?).
What a horribly inefficient coding style! Why not just check at startup which method the CPU supports, and then inline whatever the best available method is, rather than reading some memory address and jumping to a far away location over and over during runtime!? Confused
How often do you have a time-critical inner loop that revolves around calling kernel-mode functions?

And how much time is spent doing transition compared to the amount of time spent executing code in kernel-mode?

How much exactly is going to be extremely hardware dependent. I doubt even how much relatively (e.g. in %) is going to be the same from one computer to another.

_________________
Post 04 Nov 2009, 15:30
View user's profile Send private message Send e-mail AIM Address Yahoo Messenger MSN Messenger ICQ Number Reply with quote
f0dder



Joined: 19 Feb 2004
Posts: 3175
Location: Denmark
f0dder 04 Nov 2009, 16:45
Azu wrote:
f0dder wrote:
How often do you have a time-critical inner loop that revolves around calling kernel-mode functions?

And how much time is spent doing transition compared to the amount of time spent executing code in kernel-mode?


How much exactly is going to be extremely hardware dependent. I doubt even how much relatively (e.g. in %) is going to be the same from one computer to another.


Can you think of any API functions that do so little work in kernel mode that that mode-switching overhead is going to be a measurable (and significant) part of the function runtime? And how big a fraction of a modeswitch is an indirect pointer call going to be?

Also, given a subset of API calls that perform so little work in kernelmode that the modeswitch takes up even, say, 5% of the function runtime... how many of these functions are you going to using in performance-critical code?

Yes, Microsoft could have done a set-up-code-for-modeswitch-early-at-OS-boot instead of this pointer indirection, but if it doesn't give a measurable speed benefit, why bother? Calling it horribly inefficient without looking at the context is pretty silly.
Post 04 Nov 2009, 16:45
View user's profile Send private message Visit poster's website Reply with quote
Azu



Joined: 16 Dec 2008
Posts: 1159
Azu 04 Nov 2009, 17:08
Well obviously if you aren't using them they won't affect performance, but following that logic why optimize anything at all? As long as nothing is ever called, there is no problem! Laughing

_________________
Post 04 Nov 2009, 17:08
View user's profile Send private message Send e-mail AIM Address Yahoo Messenger MSN Messenger ICQ Number Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  
Goto page 1, 2, 3  Next

< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.