Watch out, NT is able to use EV86 mode on P5+ CPUs. That means that under V86 mode the IDT is not used for all interrupts, but instead many of them are redirected to an IVT. This behaviour is controlled by a flag in the CR4 register and in the IRR bitmap associated with the TSS.
Int 2B is still in use by NT, it’s used for returns into the kernel after user mode callbacks.
Double fault is also used, in the sense that it will switch to a new task (the reason is to provide a clean stack) and it will bring down the system in a more or less controlled manner… if a Bugcheck can be thought of as a controlled manner.
Int 2D is not only DebugPrint, it has more services, such as Load/Unload image symbols (and for this reason it is an extremely good candidate to implement system image load-unload callbacks).
General Protection fault is used to emulate some sensitive instructions while in V86 mode (this is the practical usage… the other use is to effectively signal a GPF).
I also think that the Machine check exception is hooked by the kernel on the Intel CPUs which do support it (it can be SW enabled or disabled via the CR4.MCE bit) but I’m not sure about this.
In SMP machines NT uses more interrupts, most notably the IPI handler, which is used for interprocessor communications, and the APIC spurious vector (which should never happen, btw).
The IPI would be extremely useful for low level development, such as debuggers, but the wrapper interface implemented over it is obscure and the critical data structure locations keep changing all the time. Most solutions in the industry were to hook NMI and use it as a target for IPI by directly programming the LocalApic.
Although modifying the IDT directly to hook an interrupt is a fairly easy task, unless you know very well what you are doing and for what purpose, you should not do it. In fact hooking the IDT is required only for an extremely thin percentage of “applications”, such as debugging tools. Always keep in mind that the virtual address of the IDT base in an SMP system is not the same. Each CPU’s IDTR is loaded with a different value. (However, the KPCR structure holds a pointer to the CPU’s IDT inside it.) There is more than one way to hook an interrupt in an SMP compliant way; the simplest one (and least flexible) is based on KeSetAffinityThread, while for the others the answers are buried deep inside the HAL in an unexported array of PKPCR, referred to by NT symbols as “_HalpProcessorPcr”.
Also, the layout of the trap frame built on the stack (on top of the HW frame which is built by the CPU at exception time) is somewhat special, and if you plan to later call ZwXxxxXxxx, SeXxxxXxxx or KeXxxxXxxx APIs which deal with thread context you should be sure the layout is correct. Don’t take the model Dabak’s book “Undocumented NT” shows you for this structure; they missed its importance and its layout is incorrectly reverse engineered (unfortunately this is not the only mistake in the book…).
If anyone wishes a complete list of interrupts used under NT, the simplest way to check them is in a system debugger. All handlers have very suggestive names, so load the NT symbols into your preferred debugger and have fun.

Best regards, Dan
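As an added example (not code from Dan’s post), a small C routine that decodes 32-bit x86 IDT gate descriptors from a snapshot of one CPU’s IDT and flags present interrupt/trap gates whose handler lies outside the expected kernel image range, the per-CPU integrity check that the SMP caveat above implies. The gate byte layout is the architectural one; the IDT bytes, selectors and address range are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>

typedef struct {
    uint32_t offset;   /* handler linear address (unused for task gates) */
    uint16_t selector; /* code segment selector, or TSS selector for a task gate */
    uint8_t  type;     /* 0x5 task gate, 0xE 32-bit interrupt gate, 0xF 32-bit trap gate */
    uint8_t  dpl;      /* descriptor privilege level; 3 means reachable via INT from user mode */
    uint8_t  present;
} idt_gate_t;

/* Encode one 8-byte 32-bit gate descriptor (used here only to build constructed samples). */
void encode_gate(uint8_t out[8], uint32_t offset, uint16_t sel, uint8_t type, uint8_t dpl) {
    out[0] = (uint8_t)(offset & 0xFF);         out[1] = (uint8_t)((offset >> 8) & 0xFF);
    out[2] = (uint8_t)(sel & 0xFF);            out[3] = (uint8_t)((sel >> 8) & 0xFF);
    out[4] = 0;                                out[5] = (uint8_t)(0x80 | ((dpl & 3) << 5) | (type & 0xF));
    out[6] = (uint8_t)((offset >> 16) & 0xFF); out[7] = (uint8_t)((offset >> 24) & 0xFF);
}

/* Decode one 8-byte 32-bit gate descriptor: offset is split across bytes 0-1 and 6-7. */
idt_gate_t decode_gate(const uint8_t raw[8]) {
    idt_gate_t g;
    g.offset   = (uint32_t)raw[0] | ((uint32_t)raw[1] << 8)
               | ((uint32_t)raw[6] << 16) | ((uint32_t)raw[7] << 24);
    g.selector = (uint16_t)(raw[2] | (raw[3] << 8));
    g.type     = raw[5] & 0x0F;
    g.dpl      = (raw[5] >> 5) & 0x3;
    g.present  = (raw[5] >> 7) & 0x1;
    return g;
}

/* A present interrupt/trap gate whose handler lies outside [lo, hi) is suspicious.
 * Task gates (NT's double fault) carry a TSS selector instead of an offset, so skip them. */
int gate_is_suspicious(idt_gate_t g, uint32_t lo, uint32_t hi) {
    if (!g.present || g.type == 0x5) return 0;
    return g.offset < lo || g.offset >= hi;
}

/* Scan n entries of one CPU's IDT image; return how many are suspicious and the first vector. */
int scan_idt(const uint8_t *idt, size_t n, uint32_t lo, uint32_t hi, int *first) {
    int count = 0;
    *first = -1;
    for (size_t v = 0; v < n; v++) {
        idt_gate_t g = decode_gate(idt + v * 8);
        if (gate_is_suspicious(g, lo, hi)) { if (*first < 0) *first = (int)v; count++; }
    }
    return count;
}

/* Constructed sample: 4 vectors, kernel text assumed to live in [0x80400000, 0x80600000). */
int sample_scan(int *first) {
    uint8_t idt[4 * 8];
    encode_gate(idt + 0 * 8, 0x80401000, 0x08, 0xE, 0); /* vector 0: in-range interrupt gate */
    encode_gate(idt + 1 * 8, 0,          0x50, 0x5, 0); /* vector 1: task gate, offset unused */
    encode_gate(idt + 2 * 8, 0x8040A000, 0x08, 0xF, 3); /* vector 2: in-range DPL3 trap gate */
    encode_gate(idt + 3 * 8, 0xF9A20000, 0x08, 0xE, 0); /* vector 3: handler outside range */
    return scan_idt(idt, 4, 0x80400000, 0x80600000, first);
}
```

On a real SMP box the snapshot has to be taken once per CPU (e.g. after pinning the thread with the affinity call mentioned above), since each IDTR differs.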