I am currently working on a forensics project (32-bit OS), and to reach one of my goals, I need to play a bit with the GDT. From what I understood, an instruction like call dword ptr [gs:0x10] does the following things:
- GS is used as a segment selector (16 bits): The lower three bits indicate the privilege level of access and the descriptor table to be used. In my case, we'll consider we use the GDT. The higher 13 bits represent the entry index in the GDT. Let's call A the base address corresponding to GDT[GS>>3].
- A is returned, and the processor computes A+0x10 and gathers the value at this address, called B.
- A simple call B instruction is then executed.
This kind of instruction happens when the code wants to perform a syscall: this instruction allows calling the __kernel_vsyscall function without knowing its address. Correct me if I'm wrong, but I understood that:
- The base address A corresponds to a section of the userland memory called the Thread Control Block (TCB)
- The Global Descriptor Table (GDT) is stored in kernel memory and may be accessed through kernel modules or system calls thanks to the store_gdt function
So, what is my problem? Well, I need to be able to change the location of the TCB in my userland memory, that is to say not only relocate the contents but also the GDT entry that tells the processor "GS points toward this base address that is the TCB".
Now, all the documents I saw indicated that there was only one GDT in the kernel (or one per CPU if you have more than one). Therefore, a GDT switch must be performed when the processor switches context (and running program), since two executions of the same process (with ASLR on) return different TCB locations. My questions are:
- If I access the GDT with the help of a kernel module (see attached file) or a system call from my user process, what GDT do I access ?
- How can I read the GDT associated with the segment descriptors of a process from its PID?
Thanks in advance for any answer. This is my last resort since all the questions I asked around gave no answer and GDT documentation is rather short.
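The selector and descriptor decoding the question walks through, as an added example (not the poster's attached module): it splits a GS selector into index/TI/RPL, rebuilds base and limit from the scattered fields of an 8-byte GDT entry such as one pulled from a memory dump, and forms the linear address of [gs:0x10] with a limit check. The selector 0x33 and base 0xB7FFF6C0 are constructed sample values.

```c
#include <stdint.h>
#include <stdio.h>

/* Fields of a 16-bit segment selector such as the value held in GS. */
typedef struct { uint16_t index; uint8_t ti; uint8_t rpl; } selector_t;

/* Fields of an 8-byte code/data segment descriptor (one GDT entry). */
typedef struct {
    uint32_t base, limit;          /* limit is returned in bytes */
    uint8_t type, s, dpl, p, db, g;
} descriptor_t;

selector_t decode_selector(uint16_t sel) {
    /* index = upper 13 bits, TI (0 = GDT, 1 = LDT), RPL = lowest 2 bits */
    selector_t s = { (uint16_t)(sel >> 3), (uint8_t)((sel >> 2) & 1), (uint8_t)(sel & 3) };
    return s;
}

descriptor_t decode_descriptor(uint64_t raw) {
    descriptor_t d;
    /* The base is split over bits 16..39 and 56..63, the limit over 0..15 and 48..51. */
    d.base  = (uint32_t)((raw >> 16) & 0xFFFFFF) | (uint32_t)((raw >> 56) & 0xFF) << 24;
    d.limit = (uint32_t)(raw & 0xFFFF) | (uint32_t)((raw >> 48) & 0xF) << 16;
    d.type = (raw >> 40) & 0xF;  d.s  = (raw >> 44) & 1;  d.dpl = (raw >> 45) & 3;
    d.p    = (raw >> 47) & 1;    d.db = (raw >> 54) & 1;  d.g   = (raw >> 55) & 1;
    if (d.g) d.limit = (d.limit << 12) | 0xFFF;   /* G=1: limit counts 4 KiB pages */
    return d;
}

/* Linear address the CPU forms for a dword read at [gs:disp]; -1 if it exceeds the limit. */
int64_t gs_linear_address(descriptor_t d, uint32_t disp) {
    if ((uint64_t)disp + 3 > d.limit) return -1;  /* #GP in hardware: dword not inside segment */
    return (int64_t)d.base + disp;
}

int main(void) {
    /* Constructed sample: GS = 0x33 (entry 6, RPL 3, the TLS selector 32-bit glibc uses)
       and a descriptor with base 0xB7FFF6C0, 4 GiB limit, P=1 DPL=3 S=1, RW data type. */
    uint64_t raw = 0xB7DFF2FFF6C0FFFFULL;
    selector_t sel = decode_selector(0x33);
    descriptor_t d = decode_descriptor(raw);
    int64_t target = gs_linear_address(d, 0x10);
    printf("GDT[%u] TI=%u RPL=%u base=%08x limit=%08x dpl=%u type=%x\n",
           sel.index, sel.ti, sel.rpl, d.base, d.limit, d.dpl, d.type);
    printf("[gs:0x10] -> %llx\n", (long long)target);
    return 0;
}
```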