System call -KiFastCallEntry reverse analysis


Sysenter

On older CPUs the operating system implemented a system call with an interrupt (Windows used int 0x2E); current CPUs support a fast system call (Fast System Call) instead.


The fast call uses the sysenter instruction to enter ring 0. The Intel white paper describes what sysenter does as follows:

1. Loads the segment selector from the IA32_SYSENTER_CS into the CS register.

2. Loads the instruction pointer from the IA32_SYSENTER_EIP into the EIP register.

3. Adds 8 to the value in IA32_SYSENTER_CS and loads it into the SS register.

4. Loads the stack pointer from the IA32_SYSENTER_ESP into the ESP register.

5. Switches to privilege level 0.

6. Clears the VM flag in the EFLAGS register, if the flag is set.

7. Begins executing the selected system procedure.

In short: CS, EIP and ESP are loaded from the corresponding MSRs, and SS is not read from an MSR but computed as CS + 8.


In WinDbg the rdmsr command (read MSR) displays the contents of an MSR: rdmsr <address>. The three MSRs involved are 0x174 (IA32_SYSENTER_CS), 0x175 (IA32_SYSENTER_ESP) and 0x176 (IA32_SYSENTER_EIP):

kd> rdmsr 174
msr[174] = 00000000`00000008

kd> rdmsr 175
msr[175] = 00000000`f8ac2000

kd> rdmsr 176
msr[176] = 00000000`8053e540


Both sysenter and the interrupt are ways into ring 0, but sysenter takes its data from the MSRs instead of reading it from memory, so it is comparatively faster.

The results differ, however: the stack contents are not the same. When ring 0 is entered through an interrupt, the CPU pushes the ring-3 SS, ESP, EFLAGS, CS and EIP onto the stack; sysenter pushes none of these registers. This is why Windows prepares two different ring-0 entry points, one for the interrupt and one for the fast call.


Find KiFastCallEntry

The MSR read above, MSR[IA32_SYSENTER_EIP], gives the address of the ring-0 entry function for the Windows fast call: 0x8053e540.


kd> u 8053e540
nt!KiFastCallEntry:
8053e540 b923000000      mov     ecx,23h
8053e545 6a30            push    30h
8053e547 0fa1            pop     fs
8053e549 8ed9            mov     ds,cx
8053e54b 8ec1            mov     es,cx
8053e54d 8b0d40f0dfff    mov     ecx,dword ptr ds:[0FFDFF040h]
8053e553 8b6104          mov     esp,dword ptr [ecx+4]
8053e556 6a23            push    23h


Switching registers

Immediately on entry, KiFastCallEntry modifies the fs, ds, es and esp registers.

The interesting points are:

  1. fs is loaded with the immediate 0x30 (push 30h / pop fs).
  2. ds and es are loaded with the immediate 0x23 (through cx).
  3. esp is switched directly to TSS.Esp0: ds:[0FFDFF040h] holds a pointer to the TSS, and [ecx+4] is its Esp0 field.


Saving the context

int 2e automatically pushes the five registers ss, esp, eflags, cs and eip onto the stack; the fast call does not, so these five registers have to be pushed manually.

It is worth noting that KTRAP_FRAME.Eip is set to the address of SystemCallReturn.
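To make the two entry paths concrete, here is an added C model (not code from the original post, and not Windows code) that replays the sysenter MSR loads from the "Sysenter" section and the KiFastCallEntry prologue from the disassembly above, then compares the hand-built trap frame with the one int 0x2E would have produced. The MSR numbers and values are the ones on the page; the TSS/KPCR shapes, the kernel selectors 0x08/0x10, the user CS 0x1b, the user ESP arriving in edx, and the SystemCallReturn and KiSystemService addresses are assumptions or labelled placeholders.

```c
#include <stdint.h>
#include <stdio.h>

/* MSR numbers from the Intel manual; values are those printed by WinDbg above. */
#define IA32_SYSENTER_CS  0x174
#define IA32_SYSENTER_ESP 0x175
#define IA32_SYSENTER_EIP 0x176
#define EFLAGS_VM (1u << 17)

/* Constructed placeholders: the page names SystemCallReturn and KiSystemService
 * but gives no addresses, so fake values stand in for them. */
#define SYSTEMCALLRETURN_PLACEHOLDER 0xFEEDF00Du
#define KISYSTEMSERVICE_PLACEHOLDER  0x8053E000u

/* Assumed shapes: the disassembly reads a TSS pointer at ds:[0FFDFF040h]
 * (offset 0x40 of the per-CPU block at 0xFFDFF000) and Esp0 at [ecx+4]. */
struct tss  { uint32_t prev_link; uint32_t esp0; };
struct kpcr { uint8_t pad[0x40]; struct tss *tss; };

/* The five values int 0x2E pushes, from highest address (SS) to lowest (EIP). */
struct frame_tail { uint32_t ss, esp, eflags, cs, eip; };

struct cpu {
    uint32_t cs, ss, ds, es, fs, eip, esp, eflags, edx;
    uint32_t msr[0x200];
    struct kpcr *kpcr;
    uint32_t stack[8];   /* toy kernel stack, in push order */
    int sp;              /* dwords pushed so far */
};

static uint32_t rdmsr(const struct cpu *c, uint32_t n) { return c->msr[n]; }
static void push(struct cpu *c, uint32_t v) { c->stack[c->sp++] = v; c->esp -= 4; }

/* CPU side of sysenter (Intel steps 1-6): CS/EIP/ESP from the MSRs,
 * SS = CS + 8, ring 0, VM cleared. Nothing is pushed. */
static void cpu_sysenter(struct cpu *c) {
    c->cs  = rdmsr(c, IA32_SYSENTER_CS);
    c->eip = rdmsr(c, IA32_SYSENTER_EIP);
    c->ss  = rdmsr(c, IA32_SYSENTER_CS) + 8;
    c->esp = rdmsr(c, IA32_SYSENTER_ESP);
    c->eflags &= ~EFLAGS_VM;
}

/* CPU side of int 0x2E: take the ring-0 stack from TSS.Esp0 and push the
 * interrupted ring-3 SS, ESP, EFLAGS, CS, EIP. The handler CS:EIP would come
 * from the IDT; kernel selectors 0x08/0x10 are assumed here. */
static void cpu_int2e(struct cpu *c) {
    struct frame_tail u = { c->ss, c->esp, c->eflags, c->cs, c->eip };
    c->ss = 0x10; c->esp = c->kpcr->tss->esp0;
    c->cs = 0x08; c->eip = KISYSTEMSERVICE_PLACEHOLDER;
    push(c, u.ss); push(c, u.esp); push(c, u.eflags); push(c, u.cs); push(c, u.eip);
}

/* KiFastCallEntry prologue as read from the disassembly, plus the manual pushes
 * the text describes. User ESP is assumed to arrive in edx; user CS is assumed
 * to be 0x1b (the disassembly only shows the 0x23 user SS push). */
static void kifastcallentry_prologue(struct cpu *c) {
    c->fs = 0x30;                          /* push 30h / pop fs */
    c->ds = 0x23; c->es = 0x23;            /* mov ds,cx / mov es,cx, ecx = 23h */
    c->esp = c->kpcr->tss->esp0;           /* mov ecx,[0FFDFF040h] / mov esp,[ecx+4] */
    push(c, 0x23);                         /* push 23h: user SS */
    push(c, c->edx);                       /* user ESP */
    push(c, c->eflags);                    /* user EFLAGS */
    push(c, 0x1b);                         /* user CS (assumed) */
    push(c, SYSTEMCALLRETURN_PLACEHOLDER); /* KTRAP_FRAME.Eip = SystemCallReturn */
}

static struct frame_tail read_frame_tail(const struct cpu *c) {
    struct frame_tail t = { c->stack[0], c->stack[1], c->stack[2], c->stack[3], c->stack[4] };
    return t;
}

/* Constructed ring-3 state: fake user CS:EIP and SS:ESP, IF set in EFLAGS. */
static struct cpu make_ring3_cpu(struct kpcr *k) {
    struct cpu c = {0};
    c.cs = 0x1b; c.eip = 0x00401000u; c.ss = 0x23; c.esp = 0x0012ff00u;
    c.eflags = 0x246; c.edx = c.esp; c.kpcr = k;
    c.msr[IA32_SYSENTER_CS]  = 0x00000008u;
    c.msr[IA32_SYSENTER_ESP] = 0xf8ac2000u;
    c.msr[IA32_SYSENTER_EIP] = 0x8053e540u;
    return c;
}

/* Check 1: sysenter lands at the entry the page found, SS = CS + 8, empty stack. */
static int sysenter_loads_from_msrs(void) {
    struct tss t = { 0, 0xf8ac2000u };
    struct kpcr k = { {0}, &t };
    struct cpu c = make_ring3_cpu(&k);
    cpu_sysenter(&c);
    return c.cs == 0x08 && c.ss == 0x10 && c.eip == 0x8053e540u
        && c.esp == 0xf8ac2000u && c.sp == 0;
}

/* Check 2: after the prologue, the hand-built frame equals the int 0x2E frame
 * except for Eip, which now points at SystemCallReturn. */
static int fast_path_matches_int_path(void) {
    struct tss t = { 0, 0xf8ac2000u };
    struct kpcr k = { {0}, &t };
    struct cpu a = make_ring3_cpu(&k), b = make_ring3_cpu(&k);
    cpu_int2e(&a);
    cpu_sysenter(&b);
    kifastcallentry_prologue(&b);
    struct frame_tail fa = read_frame_tail(&a), fb = read_frame_tail(&b);
    return fa.ss == fb.ss && fa.esp == fb.esp && fa.eflags == fb.eflags
        && fa.cs == fb.cs && fa.eip != fb.eip
        && fb.eip == SYSTEMCALLRETURN_PLACEHOLDER && a.esp == b.esp;
}

int main(void) {
    printf("sysenter loads CS/EIP/SS/ESP from MSRs: %s\n", sysenter_loads_from_msrs() ? "ok" : "FAIL");
    printf("fast-call frame matches int 2e frame:  %s\n", fast_path_matches_int_path() ? "ok" : "FAIL");
    return 0;
}
```

The comparison in fast_path_matches_int_path is the point of the "Saving the context" section: once the five pushes are done, the rest of the kernel can treat a sysenter frame exactly like an int 0x2E frame, and only the saved Eip reveals which path was taken.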


Finally

The remaining code is very similar to that of KiSystemService. After it has executed, control jumps directly to SharedCode.



Origin www.cnblogs.com/joneyyana/p/12585503.html