flat assembler
Message board for the users of flat assembler.
![]() Goto page 1, 2, 3 Next |
Author |
|
Uwar 14 Oct 2009, 17:38
What is this? Call, but what?
Code: mov eax, 00001142h ; service number? mov edx, 7FFE0300h ; something, like interrupt number? call [edx] retn 0004h |
|||
![]() |
|
Uwar 14 Oct 2009, 18:10
In user32.dll
Yes, you're right. But, this address doesn't exist anywhere. In windows dlls this is really common construction. It looks like INT 21h in MS-DOS. |
|||
![]() |
|
LocoDelAssembly 14 Oct 2009, 18:22
You guessed correctly, in my system (WinXP SP3), it points to the following procedure:
Code: 7C91E510 > 8BD4 MOV EDX,ESP 7C91E512 0F34 SYSENTER 7C91E514 > C3 RETN ;;;;;;;;;;;;;;;;;;;;;;;; 7C91E515 8DA424 00000000 LEA ESP,DWORD PTR SS:[ESP] 7C91E51C 8D6424 00 LEA ESP,DWORD PTR SS:[ESP] 7C91E520 > 8D5424 08 LEA EDX,DWORD PTR SS:[ESP+8] 7C91E524 CD 2E INT 2E 7C91E526 C3 RETN The pointer must be there to select between SYSENTER method and INT method (and also SYSCALL method?). PS: According to OllyDbg, the code you posted is called from the following locations: Code: Local calls from 7E3995FD, 7E39A077, 7E39EDC9, CreatePopupMenu+2, 7E39FE24, 7E3A1894, 7E3A1F65, 7E3A2DF6, 7E3A4D0B, 7E3A7F19, GetMessagePos+2, DestroyCaret+2, 7E3AB2E4, ReleaseCapture+2, 7E3AECA8, 7E3AEF87, CreateMenu+2, 7E3B1281, 7E3B45C2, ... Last edited by LocoDelAssembly on 14 Oct 2009, 18:32; edited 1 time in total |
|||
![]() |
|
Uwar 14 Oct 2009, 18:31
Great, Thank's a lot! It is exactly that what I need. From where OLLYDBG known it?
|
|||
![]() |
|
f0dder 21 Oct 2009, 07:25
Uwar wrote: Great, Thank's a lot! It is exactly that what I need. From where OLLYDBG known it? ![]() _________________ ![]() |
|||
![]() |
|
LocoDelAssembly 21 Oct 2009, 15:50
Uwar, don't edit your post after a long time, the "posts since last visit" never shows edits and that is the reason I missed your question (or I've just dreamed that you originally asked how to get the result of the system call?).
|
|||
![]() |
|
revolution 21 Oct 2009, 16:07
LocoDelAssembly, the only post showing edits are your own.
![]() |
|||
![]() |
|
LocoDelAssembly 21 Oct 2009, 16:18
You know that the last post is never marked as edited no matter how many times you edit it
![]() |
|||
![]() |
|
Azu 04 Nov 2009, 06:42
LocoDelAssembly wrote: The pointer must be there to select between SYSENTER method and INT method (and also SYSCALL method?). ![]() Also, why on Earth is a transition to and from kernel mode needed just to get the tick count????? Isn't there an instruction for that called rdtsc? |
|||
![]() |
|
LocoDelAssembly 04 Nov 2009, 07:02
Quote:
It isn't. The code above is just an example of calling via pointer having the same code pattern the selection of system call method has. My WinXP SP3 has the following code for GetTickCount: Code: 7C80934A > BA 0000FE7F MOV EDX,7FFE0000 7C80934F 8B02 MOV EAX,DWORD PTR DS:[EDX] 7C809351 F762 04 MUL DWORD PTR DS:[EDX+4] 7C809354 0FACD0 18 SHRD EAX,EDX,18 7C809358 C3 RETN Quote: Isn't there an instruction for that called rdtsc? Not so direct, you need to account for every change in the CPU frequency and for each core (although I think there is some option on newer CPUs to make the TSC immune to frequency changes). |
|||
![]() |
|
Azu 04 Nov 2009, 07:06
Even so, the way it is implemented.. couldn't they at least standardize the address it's stored in so programs could read from it directly?? :/
|
|||
![]() |
|
Fanael 04 Nov 2009, 07:18
Nope, that address must be considered as system's internals, and these are, by definition, not expected to be known by anyone but Microsoft.
|
|||
![]() |
|
comrade 04 Nov 2009, 07:30
Azu, how do you propose to inline the correct method? Self-modifying code? If you start modifying code in the image, you'll completely kill the memory performance of the system, as all the shared copy-on-write code pages will become private to the process and can no longer be shared across processes. Note that there are solutions around this (inline the proper method in all processes, perhaps by the kernel image loader itself), but ultimately the perf win from any of this will be marginal - a kernel trap, be it via sysenter or int 2e, is already expensive enough. Furthermore modern CPUs have trace caches that can see ahead branches and add those instructions to the instruction queue.
Not sure what OS LocoDelAssembly is running, but GetTickCount has long been reading the time from the SharedUserData structure (the data structure shared by the kernel and all user processes). This is from my Win7 x64: Code: KERNELBASE!GetTickCount: 75908c96 eb02 jmp KERNELBASE!GetTickCount+0x4 (75908c9a) 75908c98 f390 pause 75908c9a 8b0d2403fe7f mov ecx,dword ptr [SharedUserData+0x324 (7ffe0324)] 75908ca0 8b152003fe7f mov edx,dword ptr [SharedUserData!SystemCallStub+0x20 (7ffe0320)] 75908ca6 a12803fe7f mov eax,dword ptr [SharedUserData+0x328 (7ffe0328)] 75908cab 3bc8 cmp ecx,eax 75908cad 75e9 jne KERNELBASE!GetTickCount+0x2 (75908c98) 75908caf a10400fe7f mov eax,dword ptr [SharedUserData+0x4 (7ffe0004)] 75908cb4 f7e2 mul eax,edx 75908cb6 c1e108 shl ecx,8 75908cb9 0faf0d0400fe7f imul ecx,dword ptr [SharedUserData+0x4 (7ffe0004)] 75908cc0 0facd018 shrd eax,edx,18h 75908cc4 c1ea18 shr edx,18h 75908cc7 03c1 add eax,ecx 75908cc9 c3 ret Bonus points for those who can tell me what the loop between -c98 to -cad is doing. |
|||
![]() |
|
LocoDelAssembly 04 Nov 2009, 07:51
Quote:
Quote:
![]() This time with WinDbg: Code: kernel32!GetTickCount: 7c80934a ba0000fe7f mov edx,offset SharedUserData (7ffe0000) 7c80934f 8b02 mov eax,dword ptr [edx] 7c809351 f76204 mul eax,dword ptr [edx+4] 7c809354 0facd018 shrd eax,edx,18h 7c809358 c3 ret 7c809359 90 nop 7c80935a 90 nop 7c80935b 90 nop 7c80935c 90 nop 7c80935d 90 nop SharedUserData here too but yet the code is really different (even without taking the loop into account). |
|||
![]() |
|
revolution 04 Nov 2009, 08:08
comrade wrote: Bonus points for those who can tell me what the loop between -c98 to -cad is doing. |
|||
![]() |
|
f0dder 04 Nov 2009, 13:21
Azu wrote:
And how much time is spent doing transition compared to the amount of time spent executing code in kernel-mode? _________________ ![]() |
|||
![]() |
|
Azu 04 Nov 2009, 15:30
Fanael wrote: Nope, that address must be considered as system's internals, and these are, by definition, not expected to be known by anyone but Microsoft. comrade wrote: Azu, how do you propose to inline the correct method? Self-modifying code? I meant JIT. Once at startup. Not every time it is called. Obviously that would cause more problems than performance (stability/security problems from writable executable sections).. f0dder wrote:
How much exactly is going to be extremely hardware dependent. I doubt even how much relatively (e.g. in %) is going to be the same from one computer to another. |
|||
![]() |
|
f0dder 04 Nov 2009, 16:45
Azu wrote:
Can you think of any API functions that do so little work in kernel mode that that mode-switching overhead is going to be a measurable (and significant) part of the function runtime? And how big a fraction of a modeswitch is an indirect pointer call going to be? Also, given a subset of API calls that perform so little work in kernelmode that the modeswitch takes up even, say, 5% of the function runtime... how many of these functions are you going to using in performance-critical code? Yes, Microsoft could have done a set-up-code-for-modeswitch-early-at-OS-boot instead of this pointer indirection, but if it doesn't give a measurable speed benefit, why bother? Calling it horribly inefficient without looking at the context is pretty silly. |
|||
![]() |
|
Azu 04 Nov 2009, 17:08
Well obviously if you aren't using them they won't affect performance, but following that logic why optimize anything at all? As long as nothing is ever called, there is no problem!
![]() |
|||
![]() |
|
Goto page 1, 2, 3 Next < Last Thread | Next Thread > |
Forum Rules:
|
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.
Website powered by rwasa.