Hello, I have a problem with segment loading and segment rights; my goal is to write code that, under
Win98, can do anything, so I have studied VxDs ( many many thanks to Iczelion).
I have written a dynamically loadable VxD that offers some functions through the DeviceIoControl interface. All works well, all is ok.
I have been stopped by the fact that I am not able to address in protected mode the byte located at 0000:0417 in real mode to change the state of Num Lock, Scroll Lock, Caps Lock.
I want to implement in protected mode the same thing that I can do in real mode but, when I load ds with 0 or with another value, an exception 0xD occurs. Can I build my own data segment with a range of 0h-FFFFFFFFh to access memory, or is it all a lot more complicated than I expect ?
Is my VxD really running at privilege level 0 ?

This is the code :

;Write in Conv.memory
push esi
push ds
mov ax, 0
mov ds, ax            ; -----> Gen.Prot.Fault
mov esi, 00000417h
mov al, 70h
mov [esi], al         ; -----> Gen.Prot.Fault
pop ds
pop esi
xor eax,eax

I hope someone can help me, so many thanks to all of you.

Posted on 2001-09-12 03:34:04 by fooCoder
Hi Foo ! Well, there are 1001 ways to do what you want to, and in fact you don't even need the powers of a VxD !

As concerns your principal question: accessing the BIOS area at absolute ( physical as well as virtual, as far as Win32 processes are concerned ) addresses 400-500h, the simplest and cleanest way is this: use segment ( selector ) 0040h ! This is a ('bi-modal') selector that Windows has graciously created for just this purpose.

So you would just code, e.g.:

mov ax, 40h
mov gs, ax             ; let's put gs to work !
mov gs:[17h], whatever ; offset 17h in segment 40h, i.e. linear 417h ; no GPF even in "ring" 3 !

HTH ! Note the similarity of this code with good old real mode BIOS/DOS programs !

For your second question: accessing the whole of memory without bothering about the protections, I shall refrain from explaining it because I feel only one who is able to devise the means by himself should even think of doing such things.
From ring zero ( such as from a vxd ; but you really do NOT need to embark in vxd's and the DDK to access ring zero ;) you might just want to use the predefined selectors 0028h / 0030h !

Posted on 2001-09-12 05:19:27 by Ninho
Thank you Ninho, but it seems not to work !
The instruction mov [esi], al generates an assembly error.
I am using SysAccess to study the GDT and I have noticed that
I can only load ds with segments at DPL 3.
Those segments, obviously, don't allow me to see the whole memory, while there are a lot of other segments at DPL 0 that
allow that [00000000-FFFFFFFF] read/write data.
If I load ds with a segment at DPL 0 I get a GPF.
The same happens sometimes if I try to write through esi at some location after I have loaded ds with a DPL 3 segment.


Using SysAccess ( thanks to RODY Thierry ) I see that segment 8 should be good; in fact it is data, read/write access, DPL 3, Limit
I load ds with this segment, it is ok.
mov al, 70h
mov esi, 00000417h
mov [esi], al

and I get a GPF.

If I read
mov al, [esi]
all is ok.

I don't understand how I have to use esi; if the segment is Read/Write, why does an error occur when I try to write ?
And why can't I load a segment at DPL 0 ( I am using a VxD ) ?

Thanks to all, it is hard, but it is worth the hassle.
Posted on 2001-09-13 02:37:51 by fooCoder
>The instruction mov [esi], al generates an assembly error.

Well, did you ASSUME gs: ? For instance,

BIOS_Seg segment AT 0400h
org 17h
KB_flag db ?
BIOS_Seg ends

assume gs:BIOS_Seg   ; tell the assembler that gs ( loaded with 40h ) addresses BIOS_Seg
or KB_flag, 1        ; should work


OK ?

You don't understand the protections very well ! You have to consider protection at the SEGMENT level ( which you did, looking at the GDT :) AND also protection at the PAGE level - which you did not ;)


BTW: although I told you how to do what you asked to, I should have added a word of caution: Windows tries to prevent you from doing such things for GOOD reasons, the keyboard hardware is normally virtualized and you just should not have to access it at the BIOS and/or hardware level !

I am realizing from your new post that you are really a beginner with all this: you should try to learn protected mode by other means than brute force, and if possible - outside wind*ws ( which does not make correct use of the -marvellous- capabilities of the 80386+ architecture ). I would suggest you take the time to study AND THINK with some good doc, and PENCIL and PAPER.

Then try to make your own mode switching system, and learn about gates, protection rings, and TASKS - which you cannot do under wind*ws crap... Tools such as those you are mentioning in your post, or SoftICE etc are very useful, but they are not good for learning the very mechanisms IMO )

Good luck ,


Of course this is all for educational purposes I understand ;)
Posted on 2001-09-13 03:33:48 by Ninho
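As an added illustration of the two checks Ninho distinguishes (segment-level protection in the GDT descriptor, then page-level protection in the page tables) and of why a 40h-style selector with base 400h reaches linear 417h at offset 17h, here is a small C model. It is not code from this thread or from any Windows component: it decodes IA-32 segment descriptors and 32-bit page-table entries as laid out in the Intel SDM vol. 3 and reports which fault a `mov ds, ax` / `mov [esi], al` pair would raise. The GDT, the page table and the selector numbers 08h/10h/18h are constructed samples (assumptions for the example), deliberately not the real 0028h/0030h/0040h selectors mentioned above, and the paging model assumes one page table covering the low linear addresses.

```c
/* Added example (not from the thread): model the segment-level and page-level
 * checks that "mov ds, ax ; mov [esi], al" goes through on an IA-32 CPU with paging.
 * Descriptor/PTE layouts follow the Intel SDM vol. 3; the GDT and page table below
 * are constructed samples, not a dump of any real system. */
#include <stdint.h>
#include <stdio.h>

typedef enum { ACCESS_OK, FAULT_GP, FAULT_NP, FAULT_PF } fault_t;

typedef struct {
    uint32_t base, limit;          /* limit already scaled to bytes when G=1 */
    unsigned present, dpl, system; /* system: S=0 (TSS, LDT, gate), never loadable into DS */
    unsigned is_code, conforming, writable, readable;
} seg_desc_t;

/* Unpack the 8-byte descriptor: limit 15:0 | base 15:0 | base 23:16 | access | flags+limit 19:16 | base 31:24 */
static seg_desc_t decode_descriptor(uint64_t d)
{
    seg_desc_t s;
    uint32_t limit = (uint32_t)(d & 0xFFFF) | (uint32_t)((d >> 32) & 0xF0000);
    unsigned access = (unsigned)((d >> 40) & 0xFF);
    unsigned g = (unsigned)((d >> 55) & 1);                 /* granularity: limit in 4 KiB units */

    s.base = (uint32_t)((d >> 16) & 0xFFFFFF) | (uint32_t)((d >> 32) & 0xFF000000);
    s.limit = g ? (limit << 12) | 0xFFF : limit;
    s.present = (access >> 7) & 1;
    s.dpl = (access >> 5) & 3;
    s.system = !((access >> 4) & 1);
    s.is_code = (access >> 3) & 1;
    s.conforming = s.is_code && ((access >> 2) & 1);
    s.writable = !s.is_code && ((access >> 1) & 1);         /* data segment W bit */
    s.readable = s.is_code ? ((access >> 1) & 1) : 1;       /* code segment R bit */
    return s;
}

/* Segment-level check for "mov ds, sel" at privilege level cpl (SDM vol. 3, 5.6):
 * max(CPL, RPL) must be <= DPL for data and non-conforming code segments, else #GP. */
static fault_t check_ds_load(const uint64_t *gdt, unsigned n, uint16_t sel, unsigned cpl)
{
    unsigned index = sel >> 3, rpl = sel & 3;
    if ((sel & ~3u) == 0) return ACCESS_OK;                 /* null selector loads, but is unusable */
    if ((sel & 4) || index >= n) return FAULT_GP;           /* LDT (not modelled) or beyond the GDT */
    seg_desc_t s = decode_descriptor(gdt[index]);
    if (s.system || (s.is_code && !s.readable)) return FAULT_GP;
    if (!s.conforming && (cpl > rpl ? cpl : rpl) > s.dpl) return FAULT_GP;
    if (!s.present) return FAULT_NP;
    return ACCESS_OK;
}

/* Page-level check on the linear address (32-bit non-PAE PTE bits: 0=P, 1=R/W, 2=U/S).
 * One page table is assumed to cover the low linear range; anything past it is unmapped. */
static fault_t check_page_write(const uint32_t *pt, unsigned pages, uint32_t linear,
                                unsigned cpl, unsigned cr0_wp)
{
    uint32_t idx = linear >> 12;
    if (idx >= pages || !(pt[idx] & 1)) return FAULT_PF;         /* not present */
    if (cpl == 3 && !(pt[idx] & 4)) return FAULT_PF;              /* supervisor page, user access */
    if (!(pt[idx] & 2) && (cpl == 3 || cr0_wp)) return FAULT_PF;  /* read-only page */
    return ACCESS_OK;
}

/* The whole path of "mov ds, sel ; mov [esi], al" with esi = off. */
static fault_t check_byte_write(const uint64_t *gdt, unsigned n, const uint32_t *pt, unsigned pages,
                                uint16_t sel, unsigned cpl, uint32_t off, unsigned cr0_wp)
{
    fault_t f = check_ds_load(gdt, n, sel, cpl);
    if (f != ACCESS_OK) return f;
    if ((sel & ~3u) == 0) return FAULT_GP;                        /* memory access through null DS */
    seg_desc_t s = decode_descriptor(gdt[sel >> 3]);
    if (!s.writable || off > s.limit) return FAULT_GP;            /* read-only segment or limit exceeded */
    return check_page_write(pt, pages, s.base + off, cpl, cr0_wp); /* paging sees base + offset */
}

/* Constructed sample GDT (assumed selector numbers): null, flat R/W DPL 0, flat R/W DPL 3,
 * and a 40h-style BIOS-area selector with base 0x400, limit 0xFF, DPL 3. */
static const uint64_t sample_gdt[] = {
    0x0000000000000000ULL,
    0x00CF92000000FFFFULL,   /* selector 0x08: base 0, limit 4 GiB, DPL 0, data R/W */
    0x00CFF2000000FFFFULL,   /* selector 0x10: base 0, limit 4 GiB, DPL 3, data R/W */
    0x0000F200040000FFULL,   /* selector 0x18: base 0x400, limit 0xFF, DPL 3, data R/W */
};
/* Constructed sample page table for linear 0..0x3FFF: page 0 user R/W, page 1 user read-only,
 * page 2 supervisor R/W, page 3 not present. */
static const uint32_t sample_pt[] = { 0x00000007u, 0x00001005u, 0x00002003u, 0x00000000u };

/* Wrapper over the samples so each scenario reads like one of the thread's instruction pairs. */
fault_t scenario(uint16_t sel, unsigned cpl, uint32_t off, unsigned cr0_wp)
{
    return check_byte_write(sample_gdt, 4, sample_pt, 4, sel, cpl, off, cr0_wp);
}

int main(void)
{
    static const char *name[] = { "ok", "#GP", "#NP", "#PF" };
    printf("ring3 ds=08h [417h]  : %s\n", name[scenario(0x08, 3, 0x417, 0)]);  /* DPL 0 segment from ring 3 */
    printf("ring0 ds=08h [417h]  : %s\n", name[scenario(0x08, 0, 0x417, 0)]);
    printf("ring3 ds=13h [417h]  : %s\n", name[scenario(0x13, 3, 0x417, 0)]);
    printf("ring3 ds=13h [2000h] : %s\n", name[scenario(0x13, 3, 0x2000, 0)]); /* segment ok, page is supervisor */
    printf("ring3 gs=18h [17h]   : %s\n", name[scenario(0x18, 3, 0x17, 0)]);   /* 40h-style selector, linear 417h */
    printf("ring3 gs=18h [100h]  : %s\n", name[scenario(0x18, 3, 0x100, 0)]);  /* past the segment limit */
    return 0;
}
```

The two scenarios on selector 13h are the thread's puzzle in miniature: the descriptor is DPL 3 and writable, so `mov ds, ax` succeeds, yet a write can still fault because the page the linear address lands on is supervisor-only or read-only, which is a #PF rather than a descriptor problem.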