Re: Understanding Win 7 x64 GDT/LDT

Sorry for digging up an old thread but I found it’s interesting.

The 0xC-th entry of the GDT is a 32-bit ring-zero code descriptor. I don’t work for msft,
hence I don’t know what they use that for. In my own 64-bit kernel, I also
have a 32-bit ring 0 code descriptor in my GDT. It’s used for mode
switching.

When an x64 core bootstraps, it switches to 32-bit protected mode from real
mode first. In 32-bit pmode, it then sets up the PML4 page mapping, turns on
PAE, and activates the LONG_MODE bit in one of the MSRs; now it’s in 32-bit
COMPATIBLE mode. Up to this point, the code is still in a 32-bit ring 0 code
section, hence it needs a 32b r0 selector. The processor then executes a
far jump to native long mode code (64-bit code with the LM bit set in the
descriptor). Now long mode is fully activated on that core.

The other way around, when my OS loader (running in native 64-bit long mode)
needs to read the kernel and boot drivers from disk, it needs to switch
from long mode to 32-bit compatible mode, then to 32-bit protected mode,
then to 16-bit protected mode, and finally to 16-bit real mode, to invoke
BIOS int 13h. When done, it switches back to long mode. A 32-bit r0 selector
is necessary for this purpose.

If the Windows kernel needs to call BIOS functions, or to switch to real mode
for any reason, then such a selector is necessary. One might be able to
switch to long mode from real mode without going through 32-bit PMODE and
32-bit COMPAT mode, but this is not the official way supported by AMD or
INTC.

The TSS is important for double fault handling, which can (if coded carefully)
prevent a triple fault – which is a BITCH to debug when rolling your
own OS in the early stage, even if you have an ICE in hand.

Calvin

On Fri, Aug 9, 2013 at 7:43 AM, Jimbo Bob wrote:

> I’ve read all of Intel Vol 3 Ch 1-10 & Ch 35 (MSRs) backwards and
> forwards. I would hope that already showed in my original post. The manuals
> tell you how something can be used, not how an OS vendor chose to use it.
> Hence, the manuals can’t tell me what MS is using GDT index 0xC for, or how
> they’re using the LDT for win 7 user mode scheduling. I know this is not
> common knowledge, as typically it’s only people like the Windows Internals
> authors or Miller/Johnson (both now at MS and probably prevented from
> talking, but I know they lurk on this list) who bother to dig this deep
> into how stuff works. But I do appreciate all attempts to help.
>
> JB
> p.s. Rootkits Arsenal is pretty bad. 2nd edition somehow managed to be
> even worse than the first by cutting out more of the OS stuff (which the
> author clearly doesn’t know well) in favor of the forensics stuff (which
> the author does know, but which I don’t care about). But if you like
> reading books by people who don’t know how to use the -> C operator, it’s
> great.
> On Fri, Aug 9, 2013 at 5:04 AM, Sergey Pisarev wrote:
>
>> Virtual CPU (virtual machine control structure for intel and something
>> similar for amd) has fields for segment selectors , base addresses for
>> segment descriptor and segment limits. Also it has such fields as gdt and
>> ldt base and limits.
>>
>> To op - if you really want to know that stuff you should download intel
>> or amd developer manual: volume 3 for intel and volume 2 for amd
>>
>>
>> On Thursday, August 8, 2013, Maxim S. Shatskih wrote:
>>
>>> > I care, because I like to know how stuff works :) Isn’t that usually
>>> reason enough for this list? :)
>>>
>>> This is a tiny undocumented detail, which can change even from SP to SP,
>>> not to say from version to version.
>>>
>>> If you have a practical need to implement some functionality in
>>> Windows - then you do not need segments and selectors anyway.
>>>
>>> For instance, at some older times (NT4/w2k), when I was interested in
>>> this, Windows was not using LDT at all and just nearly ignored its
>>> existence (except NTVDM’s Win16 emulation).
>>>
>>> If you never ever use LDT selectors - then you can ignore the very fact
>>> LDT exists.
>>>
>>> It is not so with GDT, which is mandatory for some stuff like the TSS,
>>> and TSS is mandatory for user/kernel stack switching.
>>>
>>> From what I remember, there is per-CPU GDT, with some pre-defined
>>> selector value describing the PCR in kernel mode (and this value is loaded
>>> to FS in kernel mode), and with some pre-defined selector value for TEB in
>>> user mode, this value is loaded to FS in user mode. The “TEB descriptor” in
>>> the GDT was updated each time on a thread switch in the kernel.
>>>
>>> Offset 0 in both PCR and TEB - aka fs:[0000000] - is IIRC the current
>>> top of try/ except handler list.
>>>
>>> I don’t think there were more than “kernel data, kernel code, user data,
>>> user code, TSS, TLS and PCR” descriptors in the GDT.
>>>
>>> Note that this feature is peculiar to particular CPU, i.e. x86, and
>>> there is a major possibility that, in last 10 years, Intel have introduced
>>> some new CPU features to replace this obsolete stuff (like SYSENTER to
>>> replace INT 2EH). Probably modern Windows use these new features.
>>>
>>> Hypervisors do not need to virtualize GDT/LDT, they work at lower level
>>> of paging (all addresses in the descriptors are linear ones).
>>>
>>> x86/MS-DOS emulators surely need to emulate GDT/LDT.
>>>
>>> –
>>> Maxim S. Shatskih
>>> Microsoft MVP on File System And Storage
>>> xxxxx@storagecraft.com
>>> http://www.storagecraft.com
>>>
>>>
>>> —
>>> NTDEV is sponsored by OSR
>>>
>>> Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev
>>>
>>> OSR is HIRING!! See http://www.osr.com/careers
>>>
>>> For our schedule of WDF, WDM, debugging and other seminars visit:
>>> http://www.osr.com/seminars
>>>
>>> To unsubscribe, visit the List Server section of OSR Online at
>>> http://www.osronline.com/page.cfm?name=ListServer
>>>
>>
>
>