finding the active gs base in win 7 x64 kernel

I’m doing kernel debugging, and I put a breakpoint in userspace in ntdll.dll where it’s about to syscall to NtReadFile. I do a rdmsr 0xC0000102 in order to see the value which will ostensibly get swapped into the gs base when the swapgs instruction is called. The value is 7FF`FFFDC000. But that doesn’t seem right, because when I’m in userspace it should be a kernel address, and when I’m in the kernel it should be a user address, shouldn’t it? (I confirmed it’s that same address when I break on the other side of the syscall in nt!KiSystemCall64.)
So is there a windbg way to actually see the real value in gs base? (I’m going to just write a kernel module to print it out, but I’m just curious.)

aside: if I set a breakpoint on KiSystemCall64 on the swapgs instruction, windbg and the system lock up. Anyone know why that is?

Thanks

Jack

Sigh, nevermind on the first question. The Intel Manual Vol 2 didn’t mention IA32_GS_BASE (0xC0000101), and I had originally got the constant for IA32_KERNEL_GSBASE (0xC0000102) from another document, otherwise I would have seen IA32_GS_BASE in the Vol 3 manual.

Still curious why setting a breakpoint on swapgs doesn’t work though.

Thanks

Jack

Probably because the break is taken in kernel space before the swap occurs, and the int3 handler sees the previous mode was kernel mode and doesn’t do a swapgs, and then accesses something incorrectly later on.

-Jeff
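An added example, not code from any poster in the thread, of answering the “windbg way” question from the original post and of working around the swapgs breakpoint Jeff describes. It assumes kd/WinDbg attached to a Windows 7 x64 target with symbols loaded; the KiSystemCall64 prologue shown in the comments and the byte offset 0xF derived from it are assumptions to be verified with `u` before the breakpoint is set. Nothing below is captured output.

```windbg
$$ Added example (not code from the thread). Assumes kd/WinDbg attached to a Windows 7 x64
$$ target, symbols loaded, and the target stopped at the user-mode breakpoint in ntdll.
$$
$$ Every break into the kernel debugger is serviced in kernel mode, after the breakpoint
$$ trap handler has already executed its own swapgs, so rdmsr always returns the kernel view:
$$   c0000101 = IA32_GS_BASE         -> KPCR of the processor you are stopped on
$$   c0000102 = IA32_KERNEL_GS_BASE  -> TEB of the interrupted user thread (restored by swapgs on exit)

$$ 1. Active GS base; must equal the KPCR (the Self field points back at the structure itself)
rdmsr c0000101
!pcr
dt nt!_KPCR @$pcr Self

$$ 2. Inactive base; must equal the current thread's TEB while stopped in user code
rdmsr c0000102
!teb

$$ 3. Do not put the breakpoint on the swapgs at the top of KiSystemCall64: the int3 is then
$$    taken with GS still pointing at the TEB and RSP still on the user stack, and the trap
$$    handler (seeing a kernel CS) skips swapgs and treats the TEB as the KPCR.
$$    Check the prologue first; on Win7 x64 it is assumed to read
$$      swapgs
$$      mov   qword ptr gs:[10h],rsp
$$      mov   rsp,qword ptr gs:[1A8h]
$$    and 0xF is the assumed byte offset of the instruction after that third one, i.e. the
$$    first point where both GS and RSP are the kernel's. Adjust if the listing differs.
u nt!KiSystemCall64 L4
bp nt!KiSystemCall64+0xf ".echo syscall entry, GS already swapped; rdmsr c0000101; rdmsr c0000102; gc"
g
```

At the user-mode stop, step 1 and step 2 explain the value in the original post: the debugger itself runs on the kernel side of the swap, so 0xC0000102 shows the user base from wherever you break, and 0xC0000101 is the MSR that holds the base currently in use. Breaking at the entry point plus 0xF rather than on the swapgs keeps the breakpoint handler from running with a user GS base and user stack, which is the lock-up Jeff describes.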

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Friday, August 24, 2012 7:26 AM
To: Kernel Debugging Interest List
Subject: RE:[windbg] finding the active gs base in win 7 x64 kernel


WINDBG is sponsored by OSR