[x86] Information request about the Global Descriptor Table (GDT) | Intel® Developer Zone

Jean_M_ — Tue, 14 Jan 2014 09:05:32 GMT

Hello,

I am currently working on a forensics project (32 bits OS), and to reach one of my goals, I need to play a bit with the GDT. From what I understood, an instruction like call dword ptr [gs:0x10] does the following things :

GS is used as a segment selector (16 bits) : The lower three bits indicate the privilege level of access and the descriptor table to be used. In my case, we'll consider we use the GDT. The higher 13 bits represent the entry index in the GDT. Let's call A the base address corresponding to GTD[GS>>3].
A is returned, and the processor computes A+0x10 and gathers the value at this address, called B.
A simple call B instruction is the executed.

This kind of instruction happends when the code wants to perform a syscall : this instruction allows calling the __kernel_vsyscall function without knowing its address. Correct me if I'm wrong, but I understood that :

The base address A corresponds to a section of the userland memory called the Thread Control Block (TCB)
The Global Descriptor Table (GDT) is stored in kernel memory and may be accessed through kernel modules or system calls thanks to the store_gdt function

So, what is my problem ? Well, I need to be able to change to location of the TCB in my userland memory, that is to say not only relocate the contents but also the GDT entry that tells the processor "GS points toward this base address that is the TCB".

Now, all the documents I saw indicated that there was only one GDT in the kernel (or one per CPU if you have more than one). Therefore, a GDT switch must be performed when the processor switches context (and running program), since two executions of the same process (with ASLR on) return different TCB location. My questions are :

If I access the GDT with the help of a kernel module (see attached file) or a system call from my user process, what GDT do I access ?
How can I read the GDT associated with segment descriptors of a process from his PID ?

Thanks in advance for any answer. This is my last resort since all the questions I asked around gave no answer and GDT documentation is rather short.

As soon as I have some

Quoc-Thai_L_Intel — Wed, 05 Mar 2014 17:23:37 GMT

As soon as I have some feedback on this case, I will post a response for you. For now, you might to check with open-source to see how they would handle the issue that you are having.

Here are some examples of Virtualization code:

Citrix XenServer*: http://www.citrix.com/products/xenserver/overview.html
Xen* project: http://www.xenproject.org/

-Thai

Sorry I didn't flag it as

Jean_M_ — Thu, 06 Mar 2014 08:58:42 GMT

Sorry I didn't flag it as solved.

I don't know if this was the intended way, but using the get_thread_area syscall, I am able to access an array of values, including one (the 6th one) pointing to the TCB's first address.

Not knowing though the size of the TCB, I make the assumption it is no bigger than one page (4K), and therefore, I allocate a page with mmap at a random place (*addr = NULL), copy the page where my TCB is and then change the value using set_thread_area.

For compatibility reasons, I also keep *GDT[%GS] = GDT[%GS]

topic As soon as I have some in Software Archive

[x86] Information request about the Global Descriptor Table (GDT) | Intel® Developer Zone

As soon as I have some

Sorry I didn't flag it as