I wonder how to get in (and out) of ring0, and what are the purpouse with ring0 and ring3 is, and are there more rings?
Is the WBINVD an instruction that only operates in ring0, since it doesn't work in the "standard ring", ring3???
Posted on 2002-07-16 11:45:38 by scientica
you can read a lot about rings in the intel PDFs... but basically,
ring3 = application level, ring0 = kernel level, and rings 1/2 aren't
used by any OS that I know of. In ring3 what you can do is limited,
and this is good for system stability - there's very few programs I
would trust running in ring0.

You go ring0 by writing a VXD (9x) or KMD or WDM (NT). There are
various hacks for 9x to gain ring0, but usually it's better to do
it the clean way.

Why ring0? Good question, most people don't have a reason for using
this mode. Device drivers, "system-level tools", and some tools usually
used in the reversing scene need ring0 to operate.

If you don't know you need ring0, you very likely dont (:
Posted on 2002-07-16 12:08:33 by f0dder
Posted on 2002-07-16 12:59:00 by bitRAKE
e.g. from ring3 you can't monitor called file functions (dos applications don't call file api ones, etc) so the only way is jump to ring0 and hook them here...

there're some ways how to jump from ring3 to ring0 without using external VxD/SYS/WDM drivers... so directly from r3 code... most of them are very safety...
Posted on 2002-07-16 17:42:44 by prizzy
Ring zero is where you have the most control over the system because that is the ring where you have the most control over the cache.

no overhead

Posted on 2002-07-17 02:39:16 by IwasTitan

Ring zero is where you have the most control over the system because that is the ring where you have the most control over the cache.

no overhead


Whats overhead?
Posted on 2002-07-17 05:59:13 by scientica
Sorry Scientica. "No Overhead" was a bad choice of words. I just meant that as you head for ring zero your allowing M$Windows less control over the system and you are controlling more of it.

Same as when you are in protected mode you are demanding more from the system or more control over your prog.

Posted on 2002-07-17 10:42:55 by IwasTitan
I believe there is source code on Icelion's Homepage that uses Ring 0 to issue a HLT command to the CPU for CPU cooling. I believe it uses a VXD to achieve this. I didn't quite have a look at it but I guess that's what it does.
Posted on 2002-07-17 14:17:51 by goofee
If you want no overhead write your own OS. :tongue:
Posted on 2002-07-17 14:21:57 by bitRAKE
Write your own OS?

I have trouble with Masm at ring 3.

Posted on 2002-07-17 15:55:28 by IwasTitan
Trouble at ring3? THen you're doing unconventional stuff, or are lame ;)
Posted on 2002-07-17 19:29:31 by f0dder
f0dder..no need to be insulting. I just don't put much effort into programming in the win32api environment. I find it nice to use when i really want to try some asm stuff out because you have direct access to the processor/registers. But i do find the interface extremely bulky with all the complex proto types, includes, a billion api constants, and the like. I guess i should have said i find it cumbersome at times rather than i have trouble with it.

Live long and prosper and head for ring 0

Posted on 2002-07-17 20:00:19 by IwasTitan
IwasTitan, I can understand exactly what you mean - it is like knowing ASM isn't nearly enough. I know many here miss the days of direct access to hardware and full control of the machine. But when I really think about it, I don't ever just do one thing with my computer - like I used to do in the 'old' days. Now I really want stablity and co-operation between applications; to leverage features of even the smallest applications with global connectivity features (clipboard, drag-n-drop, piping, etc.). Knowing exactly where every cycle is going was cool, but there is a great deal more, imho.
Posted on 2002-07-17 22:39:10 by bitRAKE
The best code I got to go to ring 0 in 98 was from EliCZ's site.
You can download my twisted version of that code if you take
out the * below at:


You can use wbinvd in the handler. Although I have no experience
with the call. What does it do?
Posted on 2002-07-22 22:53:31 by roaknog
You can use wbinvd in the handler. Although I have no experience
with the call. What does it do?

wbinvd - Write-Back and Invalidate Cache, it flushes the internal (CPU) cache, *then* signals the external cache to write back current data followed by a signal to flush the external cache.
There is also the invd (Invalidate Cache) instruction wich simply flushes the caches but *doesn't* write back , data in the external caches is *lost* since the cache isn't beeing send a write back signal.

I found this instruction while encountering a strange bug-problem, thougt it had to do with some sort of cache, but the bugs turned out to be ants... :grin: (realy I still don't know why that code crashed, I trashed it and did it another way)
Posted on 2002-07-23 12:37:51 by scientica