flat assembler
Message board for the users of flat assembler.
64 bit not understood sub rsp,8 !
revolution 19 May 2022, 16:05
You can't call the system APIs with an unaligned stack. The system uses the SSE aligned data memory access instructions.
But you can use an unaligned stack within your own code.
macomics 19 May 2022, 18:04
Code:
SYSCALL: Operation
IF (CS.L ≠ 1) or (IA32_EFER.LMA ≠ 1) or (IA32_EFER.SCE ≠ 1)
    THEN #UD;            ; Not in 64-Bit Mode or SYSCALL/SYSRET not enabled in IA32_EFER
FI;
RCX := RIP;              ; Will contain address of next instruction
RIP := IA32_LSTAR;
R11 := RFLAGS;
RFLAGS := RFLAGS AND NOT(IA32_FMASK);
CS.Selector := IA32_STAR[47:32] AND FFFCH   ; Operating system provides CS; RPL forced to 0
; Set rest of CS to a fixed value
; With 4-KByte granularity, implies a 4-GByte limit
CS.Base := 0;            ; Flat segment
CS.Limit := FFFFFH;
CS.Type := 11;           ; Execute/read code, accessed
CS.S := 1;
CS.DPL := 0;
CS.P := 1;
CS.L := 1;               ; Entry is to 64-bit mode
CS.D := 0;               ; Required if CS.L = 1
CS.G := 1;               ; 4-KByte granularity
IF ShadowStackEnabled(CPL)
    THEN IA32_PL3_SSP := LA_adjust(SSP);
FI;
; adjust so bits 63:N get the value of bit N–1, where N is the CPU’s maximum linear-address width
; With shadow stacks enabled the system call is supported from Ring 3 to Ring 0
; OS supporting Ring 0 to Ring 0 system calls or Ring 1/2 to ring 0 system call
; Must preserve the contents of IA32_PL3_SSP to avoid losing ring 3 state
CPL := 0;
IF ShadowStackEnabled(CPL)
    THEN SSP := 0;
FI;
IF EndbranchEnabled(CPL)
    THEN IA32_S_CET.TRACKER = WAIT_FOR_ENDBRANCH;
         IA32_S_CET.SUPPRESS = 0;
FI;
SS.Selector := IA32_STAR[47:32] + 8;        ; SS just above CS
; Set rest of SS to a fixed value
; With 4-KByte granularity, implies a 4-GByte limit
SS.Base := 0;            ; Flat segment
SS.Limit := FFFFFH;
SS.Type := 3;            ; Read/write data, accessed
SS.S := 1;
SS.DPL := 0;
SS.P := 1;
SS.B := 1;               ; 32-bit stack segment
SS.G := 1;               ; 4-KByte granularity

To prevent such errors, WinAPI system libraries exist. They eventually also execute the syscall command, but before that they try to prevent errors that may occur in ring-0 when using syscall directly at the ring-3 level.
I 20 May 2022, 01:59
@macomics cool and thanks for the reply, unfortunately most of it is above my pay grade.

All I can do is some basic tests and try and learn. A little reading in Intel's SDM says each privilege level has its own stack(s)? and copies data if needed, doesn't seem to matter about alignment on our user stack other than maybe performance as long as it points to valid data. Someone was asking about the effect with context switching so the above code should give some context switching with wonky CPL3 stack, especially with the blocking GetMessage call. While looking at making context switches happen quickly to see if some data below rsp is trashed I came across an interesting syscall, NtYieldExecution. It's not one of the user types so unfortunately cannot be looked up with a call to win32.sys but the Ntdll call jumps straight to the syscall, no parameters are used.

Code:
section '.text' code readable executable
start:
    sub rsp,1                  ; wonky stack
    call [NtYieldExecution]
    sub rsp,39                 ; make stack nice for needy api's?

If we cut out the middleman Ntdll we can use the syscall direct with rsp==0 which I think confirms our stack isn't needed at all for this particular case.
revolution 20 May 2022, 02:32
That is correct, your RSP value is not used by the kernel for anything except delivering you the exception context if you asked for it.
Also, the alignment is only needed because of an MS decision to use the MOVDQA, and not MOVDQU, instructions to copy the stack from your space when doing transfers into the kernel. This is purely an MS decision, the hardware can do it, but MS decided to ignore that. There are some APIs for which you don't need an aligned stack, because they don't cross over to the kernel. But the list of those APIs is not reliable, they can change from version to version, so it is useless in most cases.
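The practical takeaway from revolution's two replies above, written up as an added example (my code, not posted by anyone in this thread): a minimal fasm Win64 program that keeps RSP 16-byte aligned and provides the 32-byte shadow space before every WinAPI call, with a self-check that exits with code 1 if the alignment is ever wrong. It assumes the fasm Windows include package (win64a.inc, which supplies the library/import macros) and printf from MSVCRT.DLL; the message text and the "misaligned" label are my own.

```asm
; Added example: keeping RSP 16-byte aligned across WinAPI calls under the
; Microsoft x64 calling convention. Not code from the thread; assumes the
; fasm Windows include package (win64a.inc) and MSVCRT.DLL for printf.
format PE64 console
entry start

include 'win64a.inc'

section '.text' code readable executable

start:
        ; At the entry point RSP is 16-byte aligned minus 8, because the
        ; loader reached us with a CALL that pushed a return address.
        ; An API call needs RSP = 0 mod 16 at the call site plus 32 bytes
        ; of shadow (home) space that the callee may use for RCX..R9:
        ;   8 (re-align) + 32 (shadow) = 40
        ; A bare "sub rsp,8" aligns but leaves no shadow space; "sub rsp,40"
        ; does both, and keeps alignment as long as pushes/subs stay in
        ; multiples of 16 from here on.
        sub     rsp, 40

        ; Self-check: if RSP is not a multiple of 16 here, an API that
        ; transitions into the kernel would fault on MOVDQA (the behaviour
        ; revolution describes). Bail out with exit code 1 instead.
        test    rsp, 15
        jnz     misaligned

        lea     rcx, [msg]              ; first integer argument goes in RCX
        call    [printf]                ; shadow space at [rsp..rsp+31] belongs to printf

        xor     ecx, ecx                ; ExitProcess(0): success
        call    [ExitProcess]

misaligned:
        mov     ecx, 1                  ; ExitProcess(1): alignment check failed
        call    [ExitProcess]

section '.data' data readable writeable
        msg     db 'stack aligned, API called', 13, 10, 0

section '.idata' import data readable writeable
        library kernel32, 'KERNEL32.DLL', \
                msvcrt,   'MSVCRT.DLL'

        import  kernel32, \
                ExitProcess, 'ExitProcess'

        import  msvcrt, \
                printf, 'printf'
```

Assemble with fasm and run from a console; a normal run prints the message and exits 0. The `test rsp,15` check is cheap enough to leave in during development, and it fails deterministically, unlike a MOVDQA fault that only shows up on the subset of APIs (or OS versions) that actually copy the user stack with aligned SSE moves. Note that the check guards calls made through the Win32/Ntdll wrappers; as the thread also observes, a raw `syscall` does not use the user RSP at all, so the alignment rule is an ABI requirement of the wrappers and the kernel-side copy, not of the hardware instruction.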
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.