flat assembler
Message board for the users of flat assembler.
Index
> Main > db 26 in x64 |
Author |
|
Tomasz Grysztar 12 Oct 2020, 20:57
That's an interesting question - while I was pretty sure of the answer, I decided to double-check so I went to my bookshelf and consulted the AMD x86-64 manuals from 2002. They state that these prefixes are ignored. As all the later incarnations of x64 were based on this original specification with very little deviations, my guess would be that this should be the same for all of them.
|
|||
12 Oct 2020, 20:57 |
|
l4m2 12 Oct 2020, 21:38
Fail to test
Code: ; example of simplified Windows programming using complex macro features include 'win64ax.inc' ; you can simply switch between win32ax, win32wx, win64ax and win64wx here .code start: mov eax, 0 mov edx, 0 mov ecx, 0xC0000100 wrmsr invoke MessageBox,HWND_DESKTOP,"Hi! I'm the example program!",invoke GetCommandLine,MB_OK invoke ExitProcess,0 .end start |
|||
12 Oct 2020, 21:38 |
|
revolution 12 Oct 2020, 23:41
wrmsr is a privileged instruction. You will need to ask a kernel driver to execute it for you.
|
|||
12 Oct 2020, 23:41 |
|
Tomasz Grysztar 13 Oct 2020, 07:38
If your intention was to just modify FS base for testing purposes, and if your CPU is not too old, try WRFSBASE instruction instead (it is not privileged like WRMSR).
Code: include 'win64ax.inc' .data msg db 'Oh?',0 .code start: rdfsbase rbx ; save original FS base lea rax,[msg] wrfsbase rax fs ds mov dword [0],'Hi!' wrfsbase rbx ; restore original FS base invoke MessageBox,HWND_DESKTOP,msg,invoke GetCommandLine,MB_OK invoke ExitProcess,0 .end start |
|||
13 Oct 2020, 07:38 |
|
Feryno 17 Oct 2020, 20:55
rd/wrfsbase requires CR4 bit 16 to be enabled, otherwise it generates #UD if executed from not ring0 similarly to rd/wrmsr executed from not ring0
unfortunately mov from cr4 generates #GP(0) if executed from anything else than ring0 so no easy way to determine CR4 from usermode but back to l4m2 question segment override prefixes are group 2 prefixes and when more of them used for 1 instruction only the first one or the last one (I do not remember exactly whether first or last) is used so that's why l4m2 results were different (he used them in legacy mode or compatibility submode because push dword instruction is impossible in 64 bit mode, you can push only qword or word in 64 bit mode, but not dword) in 64-bit mode CS, DS, ES, SS prefixes are ignored (but using too many prefixes and generating too long instruction may lead to #UD) and only FS and GS prefixes are treated moreover in his second post in this thread he is attempting to destroy FS base which may lead to completely damage execution of the program and generating access violations at any attempt to access any memory referenced by FS Tomasz posted correct way and in his sample the FS base is restored, but meanwhile the program execution may be interrupted prior restoring FS base and again access violation could occur (that could be prevented by disabling interrupts by the CLI instruction - again privileged instruction for ring0 or by raising IRQL by writing CR8 - again privileged instruction for ring0) |
|||
17 Oct 2020, 20:55 |
|
Tomasz Grysztar 17 Oct 2020, 21:57
Your objections should be valid in general context, but please note that this was just about an ability to simply test/demonstrate the execution of these prefixed instructions under a normal user-mode Windows environment. With the sample I provided I was able to test them on Windows 10. To get the test results we do not need to worry about rare occurrences like interrupt happening before FS base is restored - if you are unlucky and this happens, you can simply run the program once more to get the results (it did not happen even once for me, though).
|
|||
17 Oct 2020, 21:57 |
|
HopekForth 18 Oct 2020, 07:56
Wow! if you are unlucky and General Protection Fault happens, you can simply run the program once more to get the results
|
|||
18 Oct 2020, 07:56 |
|
Tomasz Grysztar 18 Oct 2020, 08:51
Sometimes the exception IS the test result. Keep a debugger ready.
|
|||
18 Oct 2020, 08:51 |
|
l4m2 19 Oct 2020, 17:09
Anyway fs:start crashes on my computer, so I just checked if it crash. and 26 is ignored
|
|||
19 Oct 2020, 17:09 |
|
Feryno 20 Oct 2020, 16:04
l4m2 of course it crashes as MSR_fs_base is nonzero so the base adds to the address of start so you get bogus pointer which generates #PF
in 64 bit everything else than FS, GS is ignored some of these registers at some older Intel microarchitecture were hints in branching instructions to tell the CPU which branch target executed more frequently but otherwise they are completely ignored from intel man: Quote: 2EH—Branch not taken (used only with Jcc instructions). Tomasz - nice, so your version of win runs with CR4 bit 16. enabled, I did not test these instructions from usermode yet... interesting ! It is also possible to install an exception handler and skip any faulting instruction... |
|||
20 Oct 2020, 16:04 |
|
< Last Thread | Next Thread > |
Forum Rules:
|
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.
Website powered by rwasa.