Switching to x86 mode by iretq doesnt work

EugeneZ · September 13

Hello Experts!

I have some problem with switching to x86 mode in my driver.

I use command iretq to jump to another segment. Right after jump I get needed value fo CS and SS registers, but next instruction reverts back my segments to x64 mode (0x10 and 0x18).

What could be a reason?

Here is my code:

push 38h
push rdx
pushfq
push 8h
push rcx
iretq

Thanks in advance!

With respect, Eugene.

Tim_Roberts · September 14

What on earth is the purpose of this? You can't run x86 code in kernel mode on a 64-bit system.

EugeneZ · September 14

Hello Tim, thank you for the response. Why do you think so? CPU can be switched into Compatibility mode and so 32 bit code can be executed in this mode.

Tim_Roberts · September 14

Last time I looked, segments 0x08 and 0x38 were unused, and there was no GDT entry for a code segment in compat mode in ring 0. Have you written your own entries to the GDT?

EugeneZ · September 15

Yes, I configured these descriptors by my custom.

EugeneZ · September 16

The question is solved, thank you, Tim!

MBond2 · September 18

malware? I can't think of another reason to attempt this

Tim_Roberts · September 19

Maybe, but not necessarily. I remember 100 years ago in Windows 3.1, our display drivers often shifted the chip into 32-bit mode for better performance.

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Kernel Debugging	16-20 October 2023	Live, Online
Developing Minifilters	13-17 November 2023	Live, Online
Internals & Software Drivers	4-8 Dec 2023	Live, Online
Writing WDF Drivers	10-14 July 2023	Live, Online

Before Posting...

More Info on Driver Writing and Debugging

Switching to x86 mode by iretq doesnt work

Comments

Howdy, Stranger!

Quick Links

Categories