Hi:
How can I intercept Ring0 port I/O in my driver?
Just like the BPIO command in SoftICE.
Walter Oney says "This needs a debug register trap"!
Where can I find data about "a debug register trap"?
Thanks!!!
In the CPU itself. Read vendor CPU datasheets.
Dan
----- Original Message -----
From: “yxf”
Newsgroups: ntdev
To: “Windows System Software Devs Interest List”
Sent: Saturday, April 23, 2005 11:40 AM
Subject: [ntdev] How can I intercept Ring0 port I/O in my driver?
> Hi:
> How can I intercept Ring0 port I/O in my driver?
>
> Just like the BPIO command in SoftICE.
>
> Walter Oney says "This needs a debug register trap"!
>
> Where can I find data about "a debug register trap"?
>
> Thanks!!!
> —
> Questions? First check the Kernel Driver FAQ at
> http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@rdsor.ro
> To unsubscribe send a blank email to xxxxx@lists.osr.com
Look at Intel’s documentation on x86 CPU.
I think that the number of such breakpoints is very much limited - like 16
or such.
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
----- Original Message -----
From: “yxf”
Newsgroups: ntdev
To: “Windows System Software Devs Interest List”
Sent: Saturday, April 23, 2005 12:40 PM
Subject: [ntdev] How can I intercept Ring0 port I/O in my driver?
> Hi:
> How can I intercept Ring0 port I/O in my driver?
>
> Just like the BPIO command in SoftICE.
>
> Walter Oney says "This needs a debug register trap"!
>
> Where can I find data about "a debug register trap"?
>
> Thanks!!!
Whilst others have given some advice on this, I don't think you've been
given the whole story. I haven't got a clue how SoftICE does the BPIO
command. There is really no hardware support to do this on older (32-bit
only) x86 processors. There is support in the processor from the x86-64 level,
but I suspect you want to trap I/O accesses in a generic driver that would
work on any Intel/AMD processor, not just the latest few models.
In x86-64 (a.k.a. AMD64/EM64T) there is a special bit in CR4 (CR4.DE, debug
extensions) that, when enabled, allows you to use a previously undefined
setting in the "R/W/E" field of DR7. This setting allows trapping of I/O
access to a particular address. Assuming no-one else is using the debug
registers, you can program four debug registers to four different
addresses, covering at the most 32 bytes in range. Note that these
registers are formally owned by the OS, so the OS assumes it can program
these registers to whatever it likes; in particular, if you start SoftICE,
WinDbg or some other debugger (including the user using Visual Studio's
built-in debugger, I would expect), you can expect these registers to be
written to.
I don't know if there is any "hidden" register that the SoftICE people are
using... But I'm not familiar with any such register, and I've been doing
lots of low-level programming on x86 for many years, including working
inside AMD for seven years.
Normally, the chipset will support issuing an SMI on a single or a few I/O
addresses, but you'd need to have access to the chipset registers, and the
documentation for these features ranges from barely adequate to
non-existent, depending on which company does the particular chipset. And
of course, you'd need to have code to cope with numerous different
chipsets, and finally, need some way to access the System Management
Interrupt. Not a single bit of this is trivial, and most of it borders on
"impossible". I would strongly suggest that you look at other alternatives.
–
Mats
xxxxx@lists.osr.com wrote on 04/23/2005 09:40:05 AM:
> Hi:
> How can I intercept Ring0 port I/O in my driver?
> Just like the BPIO command in SoftICE.
> Walter Oney says "This needs a debug register trap"!
> Where can I find data about "a debug register trap"?
> Thanks!!!
Maxim S. Shatskih wrote:
Look at Intel’s documentation on x86 CPU.
I think that the number of such breakpoints is very much limited - like 16
or such.
If only! There are exactly 4, at least on all the Pentiums.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
Mats PETERSSON wrote:
Whilst others have given some advice on this, I don’t think you’ve been
given the whole story. I haven’t got a clue how SoftICE does the BPIO
command. There is really no hardware support to do this on older (32-bit
only) x86 processors.
Of course there is. The Debug Registers (DR0 through DR7) provide
hardware I/O port breakpoints. They were part of the original Pentium.
That’s how BPIO is implemented.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
xxxxx@lists.osr.com wrote on 04/25/2005 06:13:22 PM:
> Mats PETERSSON wrote:
>> Whilst others have given some advice on this, I don't think you've been
>> given the whole story. I haven't got a clue how SoftICE does the BPIO
>> command. There is really no hardware support to do this on older (32-bit
>> only) x86 processors.
> Of course there is. The Debug Registers (DR0 through DR7) provide
> hardware I/O port breakpoints. They were part of the original Pentium.
> That's how BPIO is implemented.
Of course. My bad. I looked at the part of the register definition for CR7
that defines how it works in “backwards compatibility mode”, i.e. with
CR4.DE set to 0, in which case 10b is “unused”, but with CR4.DE set to 1,
that value means I/O read/write operation.
So to the OP, as long as you accept that the code won’t run on a 386/486
generation processor (which WinXP won’t anyway [as the older processors
lack cmpxchg8], and I’m not sure if Win2K will work either). I’m not sure
which generation of AMD processors introduced this feature, but I’m pretty
sure it’s in K6, and probably also in K5. It’s definitely in Athlon and
Athlon64.
–
Mats
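As an added example (not code from any poster in this thread), here is the DR7/DRn encoding that Mats and Tim are discussing, written as plain host-side C so it can be checked without touching real registers: it builds the DR0..DR3 and DR7 values for up to four I/O port breakpoints (R/W = 10b, which is only defined when CR4.DE = 1, with four widths and the alignment rule from the Intel SDM), and decodes DR6 after a #DB to tell which port was hit. The field layout follows the Intel SDM; the struct, function and constant names are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Field layout from the Intel SDM vol. 3, "Debug Registers". */
#define CR4_DE           (1u << 3)   /* debug extensions: makes R/W = 10b mean I/O breakpoint */
#define DR7_RESERVED_ONE (1u << 10)  /* bit 10 of DR7 must be written as 1 */
#define DR7_RW_IO        0x2u        /* R/W field: break on I/O read or write (needs CR4.DE) */

typedef struct { uint16_t port; unsigned width; } io_bp_t;  /* port number, width 1/2/4/8 */

/* LEN field encoding; the 8-byte encoding (10b) is only defined in 64-bit mode. */
static int len_encoding(unsigned width, bool long_mode) {
    switch (width) {
    case 1: return 0x0;
    case 2: return 0x1;
    case 4: return 0x3;
    case 8: return long_mode ? 0x2 : -1;
    default: return -1;
    }
}

/* Compute DR0..DR3 and DR7 for up to four I/O port breakpoints.
 * Returns false when CR4.DE is clear (10b would be undefined), more than four
 * breakpoints are requested, a width is invalid, or a port is not aligned to
 * its width (the CPU compares only the aligned range, so a misaligned request
 * would silently watch the wrong ports). */
bool build_io_breakpoints(uint32_t cr4, bool long_mode, const io_bp_t *bps, size_t n,
                          uint32_t dr_addr[4], uint32_t *dr7_out) {
    if (!(cr4 & CR4_DE) || n > 4) return false;
    uint32_t dr7 = DR7_RESERVED_ONE;
    for (size_t i = 0; i < n; i++) {
        int lenc = len_encoding(bps[i].width, long_mode);
        if (lenc < 0 || (bps[i].port & (bps[i].width - 1)) != 0) return false;
        dr_addr[i] = bps[i].port;                 /* DRi holds the port number, not a linear address */
        dr7 |= 1u << (2 * i);                     /* Li: local enable for DRi */
        dr7 |= DR7_RW_IO << (16 + 4 * i);         /* R/Wi = 10b */
        dr7 |= (uint32_t)lenc << (18 + 4 * i);    /* LENi */
    }
    *dr7_out = dr7;
    return true;
}

/* After a #DB, DR6 bits B0..B3 report which breakpoint condition matched.
 * Returns the port of the lowest-numbered programmed breakpoint that fired,
 * or -1 if none did (e.g. the #DB came from single-step, DR6.BS). */
int dr6_hit_port(uint32_t dr6, const uint32_t dr_addr[4], size_t n) {
    for (size_t i = 0; i < n && i < 4; i++)
        if (dr6 & (1u << i)) return (int)dr_addr[i];
    return -1;
}
```

The values are only the register images; loading them into the real DR0..DR7 still requires kernel mode and, as Mats notes, coexistence with whatever debugger already owns those registers.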