Why can't i do xor eax, eax mov ebx, in a Kernel Mode Driver? I also tried other random addresses and it still crashed. Shouldn't it be operating under ring0 and be able to read/write to any physical address? Do I have to change page permissions or something? If so, how?

Thx!
Posted on 2002-06-06 04:54:19 by Rama
Just because you operate in ring0 doesnt mean you can do whatever you want AND get away with it. It's true that you can access phys. address 0, but if nothing's there, you'll still be generating a fault. Only, since you're running in ring0, there's noone to fix it for ya, hence the crash.

Fake
Posted on 2002-06-06 06:38:32 by Fake51
"but if nothing's there" Do you mean if no memory has been allocated into that physical address space? If so then how do you check whether memory has been allocated or not to a physical address space? And does anyone know anything about exception handling in Kernel Mode Drivers?
Posted on 2002-06-06 07:15:34 by Rama
In PM, your instructions would never access physical memory, all memory is virtual regardless of Ring. It just so happens that some of this virtual memory is mapped onto physical memory, sometimes as a direct correspondence (virtual addr X=physical addr X) but not always (virtual addr X=physical addr Y). Apparently Windows doesn't map anything at addr 0.

The fact that in PM you never access physical memory means that if the OS you're writing has a bug, you can lose access to your GDT... can't alloc memory any more... nasty... :grin:
Posted on 2002-06-06 07:51:02 by AmkG
Wrong, access to memory is only virtually accessed/paged if the paging-bit is set in CR0 and has nothing to do with the protected mode being on or off itself. Beyond that, if he is in Ring-0 then he should be able to access any part of memory he chooses (especially for something like reading memory!!!) The only thing I can think of is that he enabled paging without setting up a proper IDT with IDT handler routines in memory, without one your program would crash because there was nothing to handle the page that is out of RAM. Otherwise the "mov ebx,DWORD" should work.
Posted on 2002-06-06 21:36:52 by SpooK
spook: That's what I thought. But what's with this IDT stuff? How do I set it up and why do I need to?

Btw the original source for the KMD is here: www.rama.timewarp.co.uk/z.asm and was written by someone going by the name "roaknog" on this board. All I did was put: xor eax, eax Mov ebx, at the beginning of the Speaker_On proc in \SYS\Z.ASM just for testing purposes and this is ofcourse where it crashes.
Posted on 2002-06-07 04:16:52 by Rama
So, I suppose you are talking about a Protected Mode Kernel Driver for Windows, yick. With that I can't help you. If you are talking about designing your own OS stuff, I can help you then ;) The only thing I can really think of is the fact that your driver is most likely not running in Ring-0, Windows is goofy like that. You are trying to access a Ring-0 segment through Ring-3 code... big no no... crashy crashy ;)

PS: The IDT comment was for OS design, ignore it if you are making a Windows Device Driver (not to be confused with a REAL Kernel Mode Driver.)
Posted on 2002-06-07 07:52:02 by SpooK
"The only thing I can really think of is the fact that your driver is most likely not running in Ring-0"?? But it must be, because I can do: mov eax, dr7 without any problems. :confused:
Posted on 2002-06-07 08:34:04 by Rama
May I remind you, Windows employs alot of Ring-3 -> Ring-0 hacks, most of the Core System Programmers for Microsoft don't know their head from... you get the idea, so they try to cover things up as nicely and quickly and cheaply as possible. You will probably never be able to access that portion of memory (I can't imagine a reason you would anyways.) It just might be that 0000:0000 in RAM is where the GDT or IDT is being held... or possibly reserved for DMA transfers, and you are not allowed access to that section of memory, I doubt that it is ever paged in or out... just protected by Kernel code. I can do alot of things in Ring-3 that seem like they are working in Ring-0... that doesn't mean that they are running in Ring-0.
Posted on 2002-06-07 15:47:52 by SpooK
I bet a coin that the linear memory location 0 is intentionally protected to catch refs to NULL pointers..
Posted on 2002-06-07 17:03:48 by Maverick
You betcha! Address 0 IS not used so it can be tested to be valid. If you allocate memory, and you get a null pointer, the memory allocate failed. This is well-documented (well not so well) in the MSDN library.
Posted on 2002-06-07 18:27:43 by Andareed
But I have tried numerous other random addresses and it never works! It always crashes no matter what address I try. :confused:
Posted on 2002-06-07 19:14:10 by Rama
Simple answer, the code was design to run the way it does... no extensive changes were planned by the author. If you want to go about doing something like this, learn about Windows Device Drivers and start from scratch.
Posted on 2002-06-07 20:34:49 by SpooK
Rama, your problem is most likely (as amkg hinted) that there's
no mapping set up for the linear addresses you're trying to access.
This will fail even in ring0. While I have only done very minimal KMD
development, I believe you can use ring0 SEH to avoid bsod's.
Otherwise, there's probably r0 equivalents to the IsBad*Ptr APIs.
I suggest you get your hands on the NTDDK, it used to be available
somewhere at the microsoft site - dunno if it's removed now that
XP is the current OS.

Also, remember that you can't just write to arbitrary memory locations,
even if they're mapped - at least not unless you flip the WP bit.



The only thing I can really think of is the fact that your driver is most
likely not running in Ring-0, Windows is goofy like that.

Silly. Of course kernel mode drivers run ring0. Let's try not to
talk about stuff we have no knowledge of, shall we?
Posted on 2002-06-09 18:19:15 by f0dder

Silly. Of course kernel mode drivers run ring0. Let's try not to
talk about stuff we have no knowledge of, shall we?


Fine, give me a list of every single driver ever designed/made and show me that 100% of them run in Ring-0.
Posted on 2002-06-09 19:12:23 by SpooK
This thread is about NT KMD's. These, by definition, run ring0.
Simple as that.
Posted on 2002-06-09 23:36:38 by f0dder
there's no mapping set up for the linear addresses you're trying to access


How do u do this?
Can I use normal windows API's in KMD's?
Posted on 2002-06-10 05:37:39 by Rama
read up on page tables in the intel system programmers guide.
I think there's an API for doing physical->linear mapping, and you
ought to use that instead of manual pagetable modification.

No, I don't think it's very safe to use normal windows ring3 API calls
from KMDs - probably your KMD wont even load if you import from
wrong DLLs (just a theory, not tested).

Anyway, get the NTDDK for documentation and samples.
Posted on 2002-06-10 08:04:39 by f0dder
Posted on 2002-06-10 11:31:47 by f0dder