Hi to all,

I am trying to write some code that switches the CPU back to real mode under WIN98... I know this could appear to be useless or dangerous, but it is very interesting for me.

So I wrote a VXD (unnecessary, but under WIN2000/XP I'll need to use some sort of KMD to achieve the same results) to get to ring 0 code.

The steps should be the following:

;disable interrupts,
;do a far jump to a 16-bit code segment (i.e. switch briefly to 16-bit pmode),
;load SS with a selector to a 16-bit data/stack segment,
;clear the PE bit,
;do a far jump to a real-mode address,
;load the DS, ES, FS, GS, and SS registers with real-mode values,
;(optional)set IDTR to real-mode values (base 0, limit 0xFFFF),
;re-enable interrupts.

My questions are:

[1] Is it really necessary to create/find a selector to a 16-bit segment?
[2] How does the LIDT instruction work?

I used this code:

IVT df 000000000400h
...end data


I think this tells the CPU that the IVT is located at address 0 and is 400h bytes long (as it should be in real mode).
Should it be:

IVT df 040000000000h ?

My code is "similar" to this and causes a system hang:

xor ebx, ebx
mov cr0, ebx            ; clear PE (and every other CR0 bit, PG included): go to real mode
lidt fword ptr IVT      ; load IDTR from the 48-bit IVT pseudo-descriptor (MASM operand form)
mov ds, bx              ; real-mode segment values (0)
mov es, bx
mov fs, bx
mov gs, bx

Thanks in advance, guys.
Posted on 2002-11-02 03:38:04 by fooCoder
One problem switching to real mode is that it disables paging as well. So before executing your code you have to find a free place in physical memory in the address range 0-FFFFF and copy your code to that location. If you just want to "boot" your system afterwards this shouldn't be a big problem.
Posted on 2002-11-02 10:13:44 by japheth
Actually a KMD isn't really needed in nt/2k/xp either... check out http://www.phrack.org/show.php?p=59&a=16 for info on callgates on nt based systems.. not really useful for big ring-0 things since it's not really stable, but it works for quick hacks and stuff like that... the examples are in C but not exactly hard to port... even if you're not going to use it, it's a good read....
Posted on 2002-11-02 10:24:39 by NervGaz
japheth - Thank you for the advice, yes I think it should be considered if one wants to perform something more complicated than just rebooting by int 19h...
NervGaz - Thank you for the link, it is very very interesting...

I continued my "expensive" attempts... every time my system hangs and I have to reboot the PC!!

I think the correct form of LIDT's operand is:

IVT df 0000000003FFh;

But I don't know the right form of LIDT instruction in MASM....


It assembles each form...

I continue...

Posted on 2002-11-04 08:37:42 by fooCoder
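As an added worked example (not code from the thread or from any poster), here is how the 48-bit LIDT memory operand is laid out and what each of the three `df` constants mentioned above actually encodes. It assumes the 32-bit x86 IDTR pseudo-descriptor format (16-bit limit followed by 32-bit base, little-endian) and that MASM stores a `df` constant little-endian like any other integer.

```c
#include <stdint.h>
#include <stdio.h>

/* The memory operand of LIDT/SIDT on 32-bit x86 is a 6-byte pseudo-descriptor:
 * bytes 0-1 hold the table limit (offset of the last valid byte) and
 * bytes 2-5 hold the 32-bit linear base address, both little-endian.
 * A MASM `df` constant is stored the same way, so its low 16 bits land in
 * the limit field and its upper 32 bits in the base field (assumption). */
static uint16_t df_limit(uint64_t df_value)
{
    return (uint16_t)(df_value & 0xFFFFu);
}

static uint32_t df_base(uint64_t df_value)
{
    return (uint32_t)((df_value >> 16) & 0xFFFFFFFFu);
}

/* Lay out the six bytes the CPU reads for a given limit and base. */
static void idtr_bytes(uint16_t limit, uint32_t base, uint8_t out[6])
{
    out[0] = (uint8_t)(limit & 0xFFu);
    out[1] = (uint8_t)(limit >> 8);
    for (int i = 0; i < 4; i++)
        out[2 + i] = (uint8_t)((base >> (8 * i)) & 0xFFu);
}

/* The real-mode IVT: 256 vectors of 4 bytes at linear address 0 (0x400 bytes).
 * The limit is the offset of the last byte, so it is 0x400 - 1 = 0x3FF. */
#define IVT_LIMIT ((uint16_t)(256u * 4u - 1u))

/* True when a df constant describes the real-mode IVT exactly. */
static int is_real_mode_ivt(uint64_t df_value)
{
    return df_base(df_value) == 0 && df_limit(df_value) == IVT_LIMIT;
}

int main(void)
{
    /* The three candidate constants from the thread (constructed input). */
    const uint64_t c[3] = { 0x000000000400ULL, 0x040000000000ULL, 0x0000000003FFULL };
    for (int i = 0; i < 3; i++) {
        uint8_t b[6];
        idtr_bytes(df_limit(c[i]), df_base(c[i]), b);
        printf("df %012llXh -> limit=%04X base=%08X bytes:",
               (unsigned long long)c[i], df_limit(c[i]), df_base(c[i]));
        for (int j = 0; j < 6; j++)
            printf(" %02X", b[j]);
        printf("%s\n", is_real_mode_ivt(c[i]) ? "  <- real-mode IVT" : "");
    }
    return 0;
}
```

Only the third constant gives base 0 with limit 3FFh; the first one sets the limit one byte too large, and the second puts 04000000h into the base field instead of the limit.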