flat assembler
Message board for the users of flat assembler.

Index > Windows > 64 bit not understood sub rsp,8 !

Overclick
Joined: 11 Jul 2020
Posts: 575
Location: Ukraine
Sorry for stupid questions, but I mean this:
https://docs.microsoft.com/en-us/windows/win32/procthread/scheduling-priorities
https://docs.microsoft.com/en-us/windows/win32/procthread/context-switches
It doesn't seem to run by hardware only but by the OS. If so, how exactly does that happen?
Wiki says this:
[attached image: Capture.PNG]

Post 19 May 2022, 02:08
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 18842
Location: In your JS exploiting you and your system
It is a big topic, and needs its own dedicated pages to describe fully.

In general the hardware does the background work to switch to a new state, and the software does the remainder to operate the system as it needs to.
Post 19 May 2022, 02:12
Overclick
Joined: 11 Jul 2020
Posts: 575
Location: Ukraine
Quote:
and the software does the remainder to operate the system as it needs to
That's what I mean. So the question is still the same -- how? Where exactly does Windows save the context? Does it move it somewhere or use the app's stack? If so, doesn't it use some SSE for that? Isn't it a potential timebomb for sub rsp,1 ... add rsp,1?
Post 19 May 2022, 02:20
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 18842
Location: In your JS exploiting you and your system
The kernel keeps its own memory to store the state of each thread's context.

Don't panic, your stack is always safe, the kernel won't touch it. It wouldn't be very secure if it needed to use user space memory to store its data.
Post 19 May 2022, 02:22
macomics
Joined: 26 Jan 2021
Posts: 650
Location: Russia
This means that you cannot use hardware structures to switch tasks to the full extent. But this does not negate the fact that they must be present and filled in correctly in any case, at least in one instance.

When you are in ring0, no one forbids you to manually change the ring3 data in the current TSS and switch to yourself. So, through the same gateway, you will call the same system code, which will launch another user task. Register information and status will be manually loaded into all processor registers from system structures. But switching tasks will happen by the same mechanism. Due to manual switching, the generation of an interrupt for updating the FPU/XMM context will be prevented, which will greatly simplify and speed up task switching.

That is, to create multitasking, Windows and Linux do not rely on hardware structures, but only update data in them using their own structures.


Last edited by macomics on 19 May 2022, 02:37; edited 1 time in total
Post 19 May 2022, 02:29
Overclick
Joined: 11 Jul 2020
Posts: 575
Location: Ukraine
Quote:
Don't panic
I don't, as I don't use rsp like this )) But we have to clear these risks too while we are looking for the truth about sub rsp,1 ))
Post 19 May 2022, 02:30
macomics
Joined: 26 Jan 2021
Posts: 650
Location: Russia
The whole truth can be gleaned from the description of the sub rsp, 1 command in the Intel SDM. What is said there does not contradict the system mechanisms in any way. An exception will never be generated by this command.
Post 19 May 2022, 02:40
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 18842
Location: In your JS exploiting you and your system
One important thing to realise is that when the kernel is executing it doesn't use any of the user's registers. It has its own values for RSP, RIP, etc. So it makes no difference what values you have in your thread, the kernel doesn't use them. With the caveat that exceptions are the one place where the kernel needs to use your RSP value, to store the context and pass it on to your app.

If you have an invalid RSP value and then cause an exception, and you have asked to receive such exceptions, then when the kernel tries to transfer the context to your invalid stack, it also gets an exception. And I bet you can guess what happens next, the kernel kills your app.

There is a slight difference to the behaviour when the app is killed in this fashion. Usually for an unhandled exception the OS displays a message saying your app was killed. But in my testing for apps killed due to exceptions encountering an invalid stack the OS silently kills the app, no message, no nothing. But this behaviour is probably version dependent. Perhaps the newer versions of Windows treat both the same now?
Post 19 May 2022, 02:42
macomics
Joined: 26 Jan 2021
Posts: 650
Location: Russia
revolution wrote:
If you have an invalid RSP value and then cause an exception, and you have asked to receive such exceptions, then when the kernel tries to transfer the context to your invalid stack, it also gets an exception. And I bet you can guess what happens next, the kernel kills your app.
Triple fault
Post 19 May 2022, 02:51
Overclick
Joined: 11 Jul 2020
Posts: 575
Location: Ukraine
Quote:
An exception will never be generated by this command.
That is clear, I care about the stack pointer.
Quote:
But in my testing for apps killed due to exceptions encountering an invalid stack the OS silently kills the app, no message, no nothing. But this behaviour is probably version dependent. Perhaps the newer versions of Windows treat both the same now?
Same here, but my Windows is old too (Server 2008 R2). I don't think they fixed it ))
Post 19 May 2022, 03:43
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 18842
Location: In your JS exploiting you and your system
macomics wrote:
Triple fault
Sadly, nope. Windows ain't that stupid.

Otherwise it would be really easy to triple fault Windows.
Code:
format ...
; <register for exceptions here>
begin:
  xor rsp, rsp
  hlt ; OMG!! Triple fault?
If only that were true.
Post 19 May 2022, 05:57
macomics
Joined: 26 Jan 2021
Posts: 650
Location: Russia
revolution wrote:
macomics wrote:
Triple fault
Sadly, nope. Windows ain't that stupid.

Otherwise it would be really easy to triple fault Windows.
That's not how I put it. There are also triple faults, which kill applications without warnings and any debug windows.
Post 19 May 2022, 09:55
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 18842
Location: In your JS exploiting you and your system
Triple fault is worse than that. It triggers a hardware CPU reset.

Modern OSes will not use it. However the 80286 OSes did use it, deliberately. Because once the CPU was placed into protected mode, there was no way to get out without a CPU reset. So the solution was to deliberately cause a triple fault. Then the CPU starts again in real mode, and the OS can carry on, but now it is in real mode.
Post 19 May 2022, 12:01
macomics
Joined: 26 Jan 2021
Posts: 650
Location: Russia
revolution wrote:
Triple fault is worse than that. It triggers a hardware CPU reset.
This was hinted at. If the OS failed to handle the error, then we see so often the previously mentioned BSOD and reboot. But for a user program, this is equally fatal compared to its forced termination.
Post 19 May 2022, 12:35
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 18842
Location: In your JS exploiting you and your system
macomics wrote:
If the OS failed to handle the error, then we see so often the previously mentioned BSOD and reboot.
I saw reports from MS that the vast majority of BSODs were caused by the user's hardware being flaky, and not by an OS problem.

I'm not sure if it is really true, but it is plausible IMO. There is lots of badly designed cheap hardware around.
Post 19 May 2022, 12:43
macomics
Joined: 26 Jan 2021
Posts: 650
Location: Russia
I think so too, but for old times' sake I still mention it. Win9x could still be brought to a state of panic and BSOD even by a regular program.
Post 19 May 2022, 12:56
Furs
Joined: 04 Mar 2016
Posts: 1885
Technically even in latest Windows you can cause BSOD by deliberately abusing some driver bug or hardware bug.
Post 19 May 2022, 13:47
macomics
Joined: 26 Jan 2021
Posts: 650
Location: Russia
If we summarize the work with the stack a little and look at the operation of the mechanism for accessing virtual memory, then perhaps something will become more clear and understandable.
Code:
user command: push      rax -> microcode { subtract rsp, 8 -> move [rsp], rax } (simplified)
#virtual: move [rsp], rax -> cs selector: iiiiiiiiiiii0tcc, ss selector: iiiiiiiiiiii0trr + descriptor: b..bbddylb..bl..l
  where c & r - ring index (CPL & RPL), t - table (GDT / LDT), i - table index, b - base address, d - DPL bits, y - type, l - limit
 >>> priority check: if (cpl >= rpl > dpl) #SS(0)
read page tables & virtual mode bits (cr0.pt, cr4.pae, etc): cr3 -> base address (PLM5 / PLM4 / PDPTE / PDE)
#linear: Base address + rsp: ccccccc000000000111111111222222222333333333444444444555555555555
  where c - canonical address, 0 - PLM5 index, 1 - PLM4 index, 2 - PDPTE index, 3 - PDE index, 4 - PTB index, 5 - Page offset
 >>> alignment check: if (fl.AC and ~(b+sp) & 111b) #AC
 >>> reference check: if (~is_canonical(rsp)) #GP(0)
PLM5: b..b*up where b - base address (PLM4), * - other page flags, u - user / super, p - present
 >>> priority check: if (~u and cpl != 0 or ~p) #PF(fault_code)
PLM4: b..b*up where b - base address (PDPTE), * - other page flags, u - user / super, p - present
 >>> priority check: if (~u and cpl != 0 or ~p) #PF(fault_code)
PDPTE: b..b*up where b - base address (PDE), * - other page flags, u - user / super, p - present
 >>> priority check: if (~u and cpl != 0 or ~p) #PF(fault_code)
PDE: b..b*up where b - base address (PTB), * - other page flags, u - user / super, p - present
 >>> priority check: if (~u and cpl != 0 or ~p) #PF(fault_code)
PTB: b..b*up where b - base address (Page), * - other page flags, u - user / super, p - present
 >>> priority check: if (~u and cpl != 0 or ~p) #PF(fault_code)
#physical: [Page + Page offset] = rax    
The CPU does all this according to the initially seemingly simple push rax command (very simplified version, without the participation of the cache). All this happens when accessing correctly filled hardware structures and is invisible to the user. Although it would seem to be just a mechanism for accessing memory, which is used by a huge number of instructions.


Last edited by macomics on 19 May 2022, 16:12; edited 4 times in total
Post 19 May 2022, 14:55
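The linear-address split and the per-level present/user check from the walk in the post above, as an added example that is not code from the thread or from fasm. It covers 4-level paging only; the four table entries, the privilege level and the addresses are constructed values, and the table lookup itself is abstracted to the entry picked at each level.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed example (not from the thread): the linear address split and
 * the per-level present/user check of the walk above, 4-level paging only.
 * Index names follow the post (PML4 / PDPTE / PDE / PTB), widths are x86-64. */
typedef struct { unsigned pml4, pdpt, pd, pt, off; } la_parts;

la_parts split_linear(uint64_t la) {
    la_parts p;
    p.off  = (unsigned)(la & 0xFFF);          /* 12-bit page offset */
    p.pt   = (unsigned)((la >> 12) & 0x1FF);  /* 9 bits per table index */
    p.pd   = (unsigned)((la >> 21) & 0x1FF);
    p.pdpt = (unsigned)((la >> 30) & 0x1FF);
    p.pml4 = (unsigned)((la >> 39) & 0x1FF);
    return p;
}

/* 48-bit canonical form: bits 63..47 all equal, otherwise #GP(0). */
bool is_canonical48(uint64_t la) {
    uint64_t top = la >> 47;                  /* the 17 high bits */
    return top == 0 || top == 0x1FFFF;
}

#define PTE_P    1ULL                 /* present */
#define PTE_US   (1ULL << 2)          /* user (1) / supervisor (0) */
#define PTE_ADDR 0x000FFFFFFFFFF000ULL

enum { WALK_OK, WALK_GP, WALK_PF };

/* entries[0..3]: the constructed PML4E, PDPTE, PDE and PTE selected by the
 * indices (the table lookup itself is abstracted away). Applies the post's
 * "if (~u and cpl != 0 or ~p) #PF" test at every level. */
int walk4(uint64_t la, const uint64_t entries[4], unsigned cpl, uint64_t *phys) {
    if (!is_canonical48(la)) return WALK_GP;
    for (int lvl = 0; lvl < 4; lvl++) {
        if (!(entries[lvl] & PTE_P)) return WALK_PF;              /* not present */
        if (cpl != 0 && !(entries[lvl] & PTE_US)) return WALK_PF; /* ring 3 hits a supervisor page */
    }
    *phys = (entries[3] & PTE_ADDR) | (la & 0xFFF);
    return WALK_OK;
}

/* Number of 4 KiB pages an access of len bytes at addr touches: after
 * "sub rsp,1" an 8-byte push can straddle two pages, so both walks must pass. */
unsigned pages_touched(uint64_t addr, unsigned len) {
    return (unsigned)(((addr + len - 1) >> 12) - (addr >> 12)) + 1;
}
```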
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 18842
Location: In your JS exploiting you and your system
Notice one main thing there:

There is no alignment check. You can use the stack unaligned if you wish to. It won't necessarily be optimal, but it can be done.
Post 19 May 2022, 15:30
macomics
Joined: 26 Jan 2021
Posts: 650
Location: Russia
revolution wrote:
There is no alignment check.
I forgot, but I wrote about memory in a general way.

More about TLB can be mentioned. But this is already from the cache area.
Post 19 May 2022, 15:54
Copyright © 1999-2020, Tomasz Grysztar. Also on GitHub, YouTube, Twitter.