Windows - IDT table entries all 0's

I have created a Windows test driver which reads through the IDT entries (only the top 5 so far) to display or output the IDT entry contents. However, I am getting all 1's, or 0xFFFFFFFF, in the 8 bytes. I don't know what I am missing. Below is the code. Can somebody please help?

Code:

#include <ntddk.h>
#include <ntstrsafe.h>

//Structures
typedef struct _SIDT
{
    USHORT Limit;       //IDT limit as stored by SIDT (size in bytes - 1)
    ULONG  Descriptor;  //IDT base as stored by SIDT
    USHORT wUnused;     //Forced 32-bit alignment
} SIDT, *PSIDT, GDT, *PGDT;

typedef struct _IDTEntry
{
    ULONG LowPart;
    ULONG HighPart;
} IDTEntry, *PIDTEntry;

void OutputIDT()
{
    SIDT sidtResult;
    PIDTEntry pidtEntry = 0;
    PVOID pVoid = 0;
    PHYSICAL_ADDRESS IoAddress;
    ULONG nCurrentProcessorNum = 0;
    ULONG nCounter = 0;
    CHAR buffer[128];

    sidtResult.Limit = 0;
    sidtResult.Descriptor = 0;

    nCurrentProcessorNum = KeGetCurrentProcessorNumber();

    //Store the IDTR of the current processor into sidtResult
    __asm sidt sidtResult;

    //Treat the IDTR base as a physical address and map it
    IoAddress.LowPart = sidtResult.Descriptor;
    IoAddress.HighPart = 0;

    //Get virtual address
    pVoid = (PVOID)MmMapIoSpace(IoAddress, sizeof(IDTEntry) * 30, MmNonCached);
    if (pVoid == NULL)
    {
        return;
    }

    //Output top 5 entries
    for(nCounter = 0; nCounter < 5; nCounter++)
    {
        pidtEntry = (PIDTEntry)((PUCHAR)pVoid + (nCounter * sizeof(IDTEntry)));

        RtlStringCbPrintfA(buffer, sizeof(buffer), "%#X LowPart: %#X HighPart: %#X\r\n",
                           (ULONG)pidtEntry, pidtEntry->LowPart, pidtEntry->HighPart);
        DoTraceEx(buffer); //This function outputs it to a file
    }

    MmUnmapIoSpace(pVoid, sizeof(IDTEntry) * 30);
}

Result:

IDT: Limit: 2047

Current Processor: 0X3

0XAD9DF800 LowPart: 0XFFFFFFFF HighPart: 0XFFFFFFFF
0XAD9DF808 LowPart: 0XFFFFFFFF HighPart: 0XFFFFFFFF
0XAD9DF810 LowPart: 0XFFFFFFFF HighPart: 0XFFFFFFFF
0XAD9DF818 LowPart: 0XFFFFFFFF HighPart: 0XFFFFFFFF
0XAD9DF820 LowPart: 0XFFFFFFFF HighPart: 0XFFFFFFFF

I repeatedly keep seeing 0xFFFFFFFF in the IDT entries. Can anybody help me, please?
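An added example from the editor, not code from the original post or from any reply: the loop above prints each IDT entry as two raw dwords and the thread never goes further, so this stand-alone C program decodes a 32-bit gate descriptor into its fields (handler offset, selector, gate type, DPL, present bit) and checks whether those fields can belong to a gate at all. One caveat the later IDTR question in this thread turns on: in protected mode the base that SIDT stores is a linear address (Intel SDM Vol. 3, IDTR), so handing it to MmMapIoSpace as a physical address maps an unrelated physical range, and the 0xFFFFFFFF/0xFFFFFFFF pair printed above fails the check because its S bit is set. The descriptor values below are constructed for the example, not captured from any system.

```c
#include <stdint.h>
#include <stdio.h>

/* One 8-byte IDT gate descriptor in 32-bit protected mode, laid out as the
 * poster's IDTEntry captures it: two little-endian dwords. */
typedef struct {
    uint32_t low;   /* offset[15:0] | selector << 16 */
    uint32_t high;  /* reserved byte | type/attribute byte << 8 | offset[31:16] << 16 */
} idt_raw;

/* Decoded gate fields. */
typedef struct {
    uint32_t offset;    /* linear address of the handler */
    uint16_t selector;  /* code segment selector loaded on entry */
    uint8_t  type;      /* 4-bit gate type */
    uint8_t  s;         /* descriptor-type bit, 0 for every system descriptor */
    uint8_t  dpl;       /* highest privilege level allowed to reach the gate via INT n */
    uint8_t  present;   /* P bit */
} idt_gate;

enum { GATE_TASK = 0x5, GATE_INT16 = 0x6, GATE_TRAP16 = 0x7, GATE_INT32 = 0xE, GATE_TRAP32 = 0xF };

idt_raw idt_raw_make(uint32_t low, uint32_t high)
{
    idt_raw raw = { low, high };
    return raw;
}

/* Split the two dwords into descriptor fields (Intel SDM Vol. 3, Fig. 6-2). */
idt_gate idt_decode(idt_raw raw)
{
    idt_gate g;
    g.offset   = (raw.high & 0xFFFF0000u) | (raw.low & 0xFFFFu);
    g.selector = (uint16_t)(raw.low >> 16);
    g.type     = (uint8_t)((raw.high >> 8) & 0xFu);
    g.s        = (uint8_t)((raw.high >> 12) & 0x1u);
    g.dpl      = (uint8_t)((raw.high >> 13) & 0x3u);
    g.present  = (uint8_t)((raw.high >> 15) & 0x1u);
    return g;
}

/* Inverse of idt_decode; the S bit and the reserved byte are left at zero. */
idt_raw idt_encode(uint32_t offset, uint16_t selector, uint8_t type, uint8_t dpl, int present)
{
    uint32_t low  = (offset & 0xFFFFu) | ((uint32_t)selector << 16);
    uint32_t high = (offset & 0xFFFF0000u)
                  | ((uint32_t)(present ? 1 : 0) << 15)
                  | ((uint32_t)(dpl & 0x3u) << 13)
                  | ((uint32_t)(type & 0xFu) << 8);
    return idt_raw_make(low, high);
}

/* 1 if the fields can describe a gate at all: S clear and a known gate type.
 * 0xFFFFFFFF/0xFFFFFFFF decodes with S set, so it is rejected here. */
int idt_gate_plausible(idt_gate g)
{
    if (g.s != 0)
        return 0;
    switch (g.type) {
    case GATE_TASK: case GATE_INT16: case GATE_TRAP16: case GATE_INT32: case GATE_TRAP32:
        return 1;
    default:
        return 0;
    }
}

void idt_print(unsigned vector, idt_raw raw)
{
    idt_gate g = idt_decode(raw);
    printf("vector %02X raw %08X:%08X -> offset %08X sel %04X type %X dpl %u P=%u %s\n",
           vector, (unsigned)raw.high, (unsigned)raw.low, (unsigned)g.offset, (unsigned)g.selector,
           (unsigned)g.type, (unsigned)g.dpl, (unsigned)g.present,
           idt_gate_plausible(g) ? "ok" : "IMPLAUSIBLE");
}

int main(void)
{
    /* Constructed sample table; not captured from any real machine. */
    idt_raw sample[3];
    sample[0] = idt_encode(0x8053A0B4u, 0x0008, GATE_INT32, 0, 1);  /* kernel-only interrupt gate */
    sample[1] = idt_encode(0x8053B1C0u, 0x0008, GATE_TRAP32, 3, 1); /* trap gate reachable from ring 3 */
    sample[2] = idt_raw_make(0xFFFFFFFFu, 0xFFFFFFFFu);             /* what the poster's loop printed */
    for (unsigned v = 0; v < 3; v++)
        idt_print(v, sample[v]);
    return 0;
}
```

The plausibility check is deliberately strict (S clear and a gate type) even for non-present entries, where the CPU ignores the remaining bits; on a table captured from a real system it is the sanity check to run before trusting any decoded handler offset.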

You should not be directly poking at the IDT. If you need to determine the contents for diagnostic purposes then use !idt in the debugger.

S

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@yahoo.com
Sent: Tuesday, May 25, 2010 6:33 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Windows - IDT table entries all 0’s

---  
NTDEV is sponsored by OSR  
  
For our schedule of WDF, WDM, debugging and other seminars visit:   
http://www.osr.com/seminars  
  
To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

My question is why direct poking is not working. I have read through the Intel documentation, which clearly states that SIDT will return the IDT base physical address. Am I missing something here?

Yes, you are missing the fact that you should not be doing that.

What is it you are trying to accomplish here? This sounds suspiciously like
someone whose next step is to “hook” one of those entries…

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@yahoo.com
Sent: Tuesday, May 25, 2010 9:48 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Windows - IDT table entries all 0’s


I am trying to read what's in the IDT, not hook it. I don't have a debugger as of now; therefore, I am gathering the IDT information this way.

So why don’t you have WinDbg? It’s in the WDK. Or is it that you don’t have
the target/host (2 systems) needed to run WinDbg?

Gary G. Little
H (952) 223-1349
C (952) 454-4629
xxxxx@comcast.net

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@yahoo.com
Sent: Tuesday, May 25, 2010 10:11 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Windows - IDT table entries all 0’s


I don’t have target / host system.

I have only 1 HP laptop, thus I can't use WinDbg. This is the reason my driver has to output the debug contents to a file.

On Wed, May 26, 2010 at 12:27 PM, Gary G. Little wrote:

I think the main point here is why his code doesn't work, and that
alone is worth the answer.

For the sake of research at least, it is good to know why his code, or
Windows, works that way. Questions like "why don't you do this …"
should not be raised in a case like this.

Nor do I really like to see so many people question his motivation
for doing this. That is good to know sometimes, but does it matter
in this specific case?

Thanks,
Jun

Actually, you have the cart before the horse. One of the costs of doing
kernel development in Windows is the target/host system. The time and $$$
wasted in trying to end run the target/host pair is far greater than the
$600 it cost to get a cheap ass second system with which to debug a driver.
Not to mention that when you come here for assistance we are going to ask
you for the contents of “!analyze -v” and then laugh our asses off at you
and your organization, when you proffer the lame-ass excuse that you aren’t
using WinDbg because you only have a single system for development.

If your company can't afford to get you a second system, perhaps they need
to rethink their need to develop kernel software. It's the cost of doing
business in the kernel.

Gary G. Little
H (952) 223-1349
C (952) 454-4629
xxxxx@comcast.net

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@yahoo.com
Sent: Tuesday, May 25, 2010 10:44 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Windows - IDT table entries all 0’s


We have one technical question here: “why reading IDT fail …”. It
is nice to point the poster to the answer, rather than bashing the
poster, or his company for being “cheap”. That is not related, and has
nothing to do with his technical question at all.

Thanks,
J

On Wed, May 26, 2010 at 1:16 PM, Gary G. Little wrote:

Jun: I think people here want to authenticate my intentions :)

A further addition to your comments:
There is nothing in the Intel manual saying the IDT should never be touched, and I don't know why it's such an issue to read the IDT table. Knowledge is power and gaining knowledge shouldn't be considered a bad thing.

"If your company can't afford to get you a second system, perhaps they need
to rethink their need to develop kernel software. It's the cost of doing
business in the kernel."

This is not business, Gary, it's my own learning experience and I am happy to waste my time for now.

The Intel manual doesn't tell you how to write an OS. The OS is the one that makes the rule that you don't touch the IDT; the OS owns the IDT.

d

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@yahoo.com
Sent: Tuesday, May 25, 2010 9:46 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Windows - IDT table entries all 0’s


"The Intel manual doesn't tell you how to write an OS. The OS is the one that makes
the rule that you don't touch the IDT; the OS owns the IDT."

I haven't read the OS manual, but my viewpoint is that the OS shouldn't care as long as the IDT contents are not tampered with.

Having said that, I posted the question thinking I would get an answer. It seems as if nobody is interested in giving me the answer. Somebody who thinks my query is logical and that I need to know something, please provide me the details. And importantly, I am not asking for any code sample. I think I can write it myself.

On Wed, May 26, 2010 at 2:31 PM, wrote:
When posting questions to a mailing list, it is good to wait a few days,
or even a week, before you conclude that nobody is interested. You
need to be more patient.

thanks,
J

Question: Is it the first 3 bytes of the IDTR (BASE) that identify the starting address of the IDT in physical memory? I just read this somewhere.

If you just want to hack on Intel processors, you'd be WAY better off
fooling with an OS that has full source access.

If you want to learn to write commercial driver software for Windows, there
is a pretty significant technical knowledge and culture you will need to
learn about. A large percentage of us here on this list are commercial
driver developers. It’s kind of like many of us are highly experienced
surgeons, and we don’t want to have to deal with the mess left by somebody
else.

I won't mind you writing Windows drivers if you don't mind me performing
brain surgery on you. A little difference is you can pretty easily say NO
when I show up with my Dremel tool, but I don't really have any easy way of
assuring any code you write will not end up running on my or one of my
customers' systems, so all I and other list members can do is try to convince
YOU not to do irresponsible things in software.

You may think software is totally safe and no harm can come to anybody, but
just a couple months ago, a large software company had a glitch in their
antivirus software which brought down vast numbers of systems. I heard one
hospital emergency room had to refuse treating anybody who was not in
critical condition, because all their computers were down. Your computer may
not be all that critical, but there are organizations and people in the
world for whom the correct operation of their computer literally can mean the
difference in someone's life.

So next time you drive across a bridge, or are in a tall building, or fly in
an airplane, think to yourself: “Do I want the people who designed this to
just be fooling around, and anything that doesn’t instantly fall apart is
ok, or do I want them to be as skilled as possible, and use engineering
practices that have evolved over many years to the point of an advanced
science”. MANY pieces of software are no different than the engineering for
that airplane, where the consequences of flaws can ruin your life. Even for
very skilled software professionals, using the best processes available, the
overall quality of software is not as good as it needs to be.

Yes, knowledge is power, and what goes along with that power is a
responsibility not to screw things up. The whole world of kernel software is
one of trust. Trust that YOU will not screw up my code and trust that I will
not screw up your code. That trust is earned by demonstrating you can be
responsible with the power you have. This is very different than user mode
software, where the assumption is we don’t have to trust each other, because
the operating system will protect us from each other. Even in user mode
software, this isolation is not perfect.

Jan

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:bounce-412421-
xxxxx@lists.osr.com] On Behalf Of xxxxx@yahoo.com
Sent: Tuesday, May 25, 2010 9:46 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Windows - IDT table entries all 0’s


Personally I think there is nothing wrong with learning how interrupt
handling and the local APIC work on Windows. However, this is a professional
forum; as driver writers don't need to touch the IDT directly, you will meet
some hostility when posting questions like this. There is little point in
doing this from code.

I suggest you install Windows inside a virtual machine (VMware is great,
VirtualBox comes for free). Then attach WinDbg to that and use the !idt
command, which will dump the IDT for you. WinDbg may be hard to set up the
first time, but the time invested in it will pay off soon.

//Daniel

wrote in message news:xxxxx@ntdev…
Jan Bottorff: You wrote quite a story. I understand your professionalism. I am a software professional too, but the only difference is that you are a driver professional and I am not. However, at the same time, if somebody asks for help I am always ready for it, but you seem to be the total opposite. Sorry!!! I am not here to start a war of words because it won't make any difference to you or me.

To keep the story short: if you can advise what I am missing in my code, well and good; if not, that's also well and good because I am going to find out sooner or later.

Very excellent summarization of the situation. If I can just add one thing
left out. Many of the techniques discussed here can also be twisted and
used for purposes of creating intentionally destructive software (malware,
Trojans, root kits, etc). The skills many on this list possess are the very
skills and knowledge sought after by those creating such software. That is
why many on this list are reluctant to answer questions of this nature, since
the answers can be subverted (and have been in the past) to create malware.

When you come to the list with a question that sounds too close to something
that can be subverted, you will get LOTS of push-back until you can justify
why there is no other way to solve your legitimate problem.

Greg

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Jan Bottorff
Sent: Wednesday, May 26, 2010 2:36 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Windows - IDT table entries all 0’s
