Yes, you could directly call non-exported functions.
I threw out the question initially to discover if the XP call
gate basically stops me from calling user mode code from the
kernel. Example, take any ntdll exported function that doesn’t
have an ntos equivalent. Calling it from the kernel in nt/2k
was fine under controlled circumstances. Maybe that same ntdll function
will call into the kernel, causing the nested SYSENTERs.
Charles
-----Original Message-----
From: Michal Vodicka [mailto:xxxxx@veridicom.cz.nospam]
Sent: Tuesday, November 20, 2001 4:34 PM
To: NT Developers Interest List
Subject: [ntdev] RE: fast call
Alberto,
wouldn’t it be easier to locate necessary function address in services table
and call it directly? It seems that the original problem (call non-exported
kernel function from a driver) doesn’t need int 2e or sysenter at all. There
should be no problem; if already in kernel mode, call it directly and if in
user mode, no problem with nested sysenter calls. Am I missing something?
Best regards,
Michal Vodicka
STMicroelectronics Design and Application s.r.o.
[michal.vodicka@st.com, http://www.st.com]
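Michal’s suggestion above (look the routine up in the service table and call it directly from kernel mode), modelled as an added example that is not code from this thread or from any of its posters. It is a user-mode model in C of the x86 NT lookup: the field order of KSERVICE_TABLE_DESCRIPTOR and the service-number encoding (bits 12-13 select the table, bits 0-11 the entry) are the real ones; ModelDescriptorTable, the Model* routines, their argument counts and SampleArgs are constructed stand-ins for what a driver would read from the exported KeServiceDescriptorTable on a live x86 system.

```c
/*
 * Added example, not code from this thread or its posters: a user-mode model
 * of how the x86 NT system service dispatcher (KiSystemService, and
 * KiFastCallEntry on XP) turns a service number into a routine pointer, and
 * how a caller that is already in kernel mode can do the same lookup and call
 * the routine directly, with no int 2e or SYSENTER in between.
 *
 * The descriptor layout and the service-number encoding are the real x86 ones.
 * Everything else (ModelDescriptorTable, the Model* routines, the argument
 * counts, SampleArgs) is a constructed stand-in; on a live x86 system the
 * table is KeServiceDescriptorTable, exported by ntoskrnl.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef unsigned int ULONG;   /* 32-bit as on Windows; unsigned int so LP64 hosts agree */
typedef int NTSTATUS;
#define STATUS_SUCCESS                 ((NTSTATUS)0x00000000)
#define STATUS_INVALID_SYSTEM_SERVICE  ((NTSTATUS)0xC000001C)

/* Model routine: the real dispatcher copies ParamTableBase[index] bytes of
 * arguments from the caller's stack; here they arrive as a ULONG array. */
typedef NTSTATUS (*PSERVICE_ROUTINE)(const ULONG *args);

/* Field order of the x86 KSERVICE_TABLE_DESCRIPTOR. */
typedef struct _KSERVICE_TABLE_DESCRIPTOR {
    PSERVICE_ROUTINE *ServiceTableBase;         /* routine pointers, one per service */
    ULONG            *ServiceCounterTableBase;  /* per-service call counters; NULL in free builds */
    ULONG             NumberOfServices;
    unsigned char    *ParamTableBase;           /* argument bytes per service */
} KSERVICE_TABLE_DESCRIPTOR;

/* KiSystemService: bits 12-13 of the service number select the descriptor
 * (0 = ntoskrnl, 1 = win32k shadow table), bits 0-11 the entry within it. */
#define SERVICE_TABLE(id)  (((id) >> 12) & 0x3)
#define SERVICE_INDEX(id)  ((id) & 0xFFF)

#define MAX_ARG_ULONGS 16  /* size of this model's argument buffer (model limit) */

/* Constructed stand-in services; arithmetic so the results are checkable. */
static NTSTATUS ModelAdd(const ULONG *a)    { return (NTSTATUS)(a[0] + a[1]); }
static NTSTATUS ModelNegate(const ULONG *a) { return -(NTSTATUS)a[0]; }
static NTSTATUS ModelNoArgs(const ULONG *a) { (void)a; return STATUS_SUCCESS; }

static PSERVICE_ROUTINE NativeTable[]  = { ModelAdd, ModelNegate, ModelNoArgs };
static unsigned char    NativeParams[] = { 8, 4, 0 };
static PSERVICE_ROUTINE ShadowTable[]  = { ModelNegate };
static unsigned char    ShadowParams[] = { 4 };

/* Stand-in for the four-descriptor array a thread's ServiceTable points at:
 * slot 0 = ntoskrnl, slot 1 = win32k, slots 2-3 unused. */
KSERVICE_TABLE_DESCRIPTOR ModelDescriptorTable[4] = {
    { NativeTable, NULL, 3, NativeParams },
    { ShadowTable, NULL, 1, ShadowParams },
    { NULL, NULL, 0, NULL },
    { NULL, NULL, 0, NULL },
};

/* Constructed sample argument vector for the usage in main(). */
const ULONG SampleArgs[2] = { 40, 2 };

/* Resolve a service number the way the dispatcher does; NULL for an
 * unpopulated table or an index past NumberOfServices. A kernel-mode caller
 * going around KiSystemService has to repeat this range check itself. */
PSERVICE_ROUTINE ResolveService(const KSERVICE_TABLE_DESCRIPTOR *tables, ULONG id)
{
    const KSERVICE_TABLE_DESCRIPTOR *t = &tables[SERVICE_TABLE(id)];
    ULONG index = SERVICE_INDEX(id);

    if (t->ServiceTableBase == NULL || index >= t->NumberOfServices)
        return NULL;
    return t->ServiceTableBase[index];
}

/* Call a service directly: copy the ParamTableBase[index] bytes of arguments
 * the routine expects, then call it. Nothing here changes the thread's
 * PreviousMode, so a routine reached this way treats every pointer argument
 * as trusted kernel memory (the same difference as Zw* versus Nt*); the
 * caller, not the callee, must validate anything that came from user mode. */
NTSTATUS CallServiceDirect(const KSERVICE_TABLE_DESCRIPTOR *tables, ULONG id,
                           const ULONG *callerArgs, size_t callerArgCount)
{
    PSERVICE_ROUTINE routine = ResolveService(tables, id);
    ULONG copied[MAX_ARG_ULONGS] = { 0 };
    size_t need;

    if (routine == NULL)
        return STATUS_INVALID_SYSTEM_SERVICE;

    need = tables[SERVICE_TABLE(id)].ParamTableBase[SERVICE_INDEX(id)] / sizeof(ULONG);
    if (need > MAX_ARG_ULONGS || need > callerArgCount)
        return STATUS_INVALID_SYSTEM_SERVICE;   /* model-only guard on the argument buffer */
    if (need > 0)
        memcpy(copied, callerArgs, need * sizeof(ULONG));

    return routine(copied);
}

int main(void)
{
    printf("service 0x0000 -> %d\n", CallServiceDirect(ModelDescriptorTable, 0x0000, SampleArgs, 2));
    printf("service 0x1000 -> %d\n", CallServiceDirect(ModelDescriptorTable, 0x1000, SampleArgs, 2));
    printf("service 0x0003 -> 0x%08X\n",
           (unsigned)CallServiceDirect(ModelDescriptorTable, 0x0003, SampleArgs, 2));
    return 0;
}
```

The two things the model makes explicit are what a direct call gives up: the range check that KiSystemService performs against NumberOfServices, which the caller now owns, and the PreviousMode switch, so any user-supplied pointers passed through such a call are not probed by the callee.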
From: xxxxx@compuware.com[SMTP:xxxxx@compuware.com]
Reply To: xxxxx@lists.osr.com
Sent: Tuesday, November 20, 2001 10:15 PM
To: xxxxx@lists.osr.com
Subject: [ntdev] RE: fast call
Well, if KiServiceExit throws you back into ring 3, it’s KiServiceExit that
does that, not syscall. The syscall instruction doesn’t necessarily behave
like a call, it should be seen more like a goto. Have you tried hooking
KiServiceExit and doing your own stuff there ?
Alberto.
-----Original Message-----
From: PeterB [mailto:xxxxx@inkvine.fluff.org]
Sent: Tuesday, November 20, 2001 3:57 PM
To: NT Developers Interest List
Subject: [ntdev] RE: fast call
But how the exit is performed is up to KiServiceExit, not me. And if that
calls SYSEXIT then it looks like a switch to ring 3 can’t be helped.
On Tue, 20 Nov 2001, Moreira, Alberto wrote:
> You don’t need a SYSEXIT to get out, do you ? I mean, that’s the party line
> way, but it can be negotiated.
>
> Alberto.
>
>
> -----Original Message-----
> From: PeterB [mailto:xxxxx@inkvine.fluff.org]
> Sent: Tuesday, November 20, 2001 11:10 AM
> To: NT Developers Interest List
> Subject: [ntdev] RE: fast call
>
>
> On Tue, 20 Nov 2001, Moreira, Alberto wrote:
>
> > There’s nothing that prevents nested SYSENTERs, but of course you must
> > manage the transition. Note that the transition is done without going
> > through call gates ! The only exceptions you get will be if SYSENTER_CS_MSR
> > is zero, or if you’re not in protected mode when you invoke the instruction.
> >
> I’m not an asm kind of a person, but I have the Intel docs. It says that
> SYSEXIT exits to ring 3. Doesn’t this prevent nested calls? SYSENTER
> enters ring 0 (but can be called from it). However, it doesn’t push the
> current state for SYSEXIT to pop it, or anything like that – and so
> SYSEXIT will indiscriminately return to ring 3. Might not that limit
> one’s ability to nest calls?
>
> >
> > You can take a look at the IA32 Software Developer’s Manual, vol. 2, it’s
> > available on-line from http://developer.intel.com.
> >
> > Hope this helps !
> >
> > Alberto.
> >
> >
> > -----Original Message-----
> > From: Parton, Charles W. [mailto:xxxxx@xetron.com]
> > Sent: Tuesday, November 20, 2001 10:34 AM
> > To: NT Developers Interest List
> > Subject: [ntdev] fast call
> >
> >
> > Can somebody shed some light on the SYSENTER call used
> > in xp for UM/KM transitions? Using the old int 2e method,
> > it was possible to call functions in ntoskrnl that weren’t
> > exported. I’m not entirely sure, but SYSENTER doesn’t allow
> > nested invocations, so if I’m a top level filter driver I can’t
> > use the call gate anymore. I’ve traced the second SYSENTER call
> > and it ends up in HalpDispatchInterrupt2ndEntry, not KiFastCallEntry
> > like I would expect.
> >
> > Charles
> >
> > —
> > You are currently subscribed to ntdev as: xxxxx@compuware.com
> > To unsubscribe send a blank email to leave-ntdev-$subst(‘Recip.MemberIDChar’)@lists.osr.com
> >
>
>
–
Peter xxxxx@inkvine.fluff.org
http://www.inkvine.fluff.org/~peter/
logic kicks ass:
(1) Horses have an even number of legs.
(2) They have two legs in back and fore legs in front.
(3) This makes a total of six legs, which certainly is an odd number of
legs for a horse.
(4) But the only number that is both odd and even is infinity.
(5) Therefore, horses must have an infinite number of legs.