[x86] Information request about the Global Descriptor Table (GDT) | Intel® Developer Zone

[x86] Information request about the Global Descriptor Table (GDT) | Intel® Developer Zone

Hello,

I am currently working on a forensics project (32 bits OS), and to reach one of my goals, I need to play a bit with the GDT. From what I understood, an instruction like call dword ptr [gs:0x10] does the following things :

  • GS is used as a segment selector (16 bits) : The lower three bits indicate the privilege level of access and the descriptor table to be used. In my case, we'll consider we use the GDT. The higher 13 bits represent the entry index in the GDT. Let's call A the base address corresponding to GTD[GS>>3].
  • A is returned, and the processor computes A+0x10 and gathers the value at this address, called B.
  • A simple call B instruction is the executed.

This kind of instruction happends when the code wants to perform a syscall : this instruction allows calling the __kernel_vsyscall function without knowing its address. Correct me if I'm wrong, but I understood that :

  • The base address A corresponds to a section of the userland memory called the Thread Control Block (TCB)
  • The Global Descriptor Table (GDT) is stored in kernel memory and may be accessed through kernel modules or system calls thanks to the store_gdt function

So, what is my problem ? Well, I need to be able to change to location of the TCB in my userland memory, that is to say not only relocate the contents but also the GDT entry that tells the processor "GS points toward this base address that is the TCB".

Now, all the documents I saw indicated that there was only one GDT in the kernel (or one per CPU if you have more than one). Therefore, a GDT switch must be performed when the processor switches context (and running program), since two executions of the same process (with ASLR on) return different TCB location. My questions are :

  • If I access the GDT with the help of a kernel module (see attached file) or a system call from my user process, what GDT do I access ?
  • How can I read the GDT associated with segment descriptors of a process from his PID ?

Thanks in advance for any answer. This is my last resort since all the questions I asked around gave no answer and GDT documentation is rather short.

AdjuntoTamaño
Descargar print_kern.c856 bytes
publicaciones de 3 / 0 nuevos
Último envío
Para obtener más información sobre las optimizaciones del compilador, consulte el aviso sobre la optimización.

As soon as I have some feedback on this case, I will post a response for you.  For now, you might to check with open-source to see how they would handle the issue that you are having. 

Here are some examples of Virtualization code:

-Thai

Sorry I didn't flag it as solved.

I don't know if this was the intended way, but using the get_thread_area syscall, I am able to access an array of values, including one (the 6th one) pointing to the TCB's first address.

Not knowing though the size of the TCB, I make the assumption it is no bigger than one page (4K), and therefore, I allocate a page with mmap at a random place (*addr = NULL), copy the page where my TCB is and then change the value using set_thread_area.

For compatibility reasons, I also keep *GDT[%GS] = GDT[%GS]

Deje un comentario

Por favor inicie sesión para agregar un comentario. ¿No es socio? Únase ya