Research on the content of GDT entry No. 10 under Windows 10 x64

Time:2020-10-18

Background


While writing a program to view Windows kernel resources, I found that my viewer could classify GDT entry No. 10 as neither a segment descriptor nor a gate descriptor, and that its content kept changing. So I wanted to know what is actually stored there.

Environment Description: Windows 10 x64 1903

The item marked with the red line in the figure above is index entry No. 10 (8-byte entries, so byte offset 0x50 from the GDT base, i.e. selector 0x50).


0x01 Process

Set a hardware write breakpoint on the address of GDT entry No. 10 (GDT base + 0x50; in WinDbg, ba w8 on that address).


After running the test several times, the breakpoint consistently fires near nt!SwapContext+0x3cb.


Breakpoint context


A hardware write breakpoint fires after the writing instruction has completed, so the instruction of interest is the one just before the address at which the debugger stops.

mov     rcx,qword ptr [rbx-180h]

Analysis of this instruction shows that RCX is loaded from [rbx-180h] and points to the GDT base, while the value being written is held in RAX. Once we know what RAX holds, we know what is written at this location.


Examining the memory around RBX and rbx-180h suggests that RBX points to the PRCB.


The !prcb command confirms the guess. This also explains the displacement: on x64 the _KPRCB is embedded at _KPCR+0x180 and GdtBase is the first field of _KPCR, so [rbx-180h] is KPCR.GdtBase.


Following the same logic, RAX is loaded from memory that RSI points to, so finding what RSI points to tells us what value ends up in RAX.


View the SwapContext function definition in IDA Pro.


Looking at its cross-references, KiSwapContext is found to call this function.


From the fourth parameter of SwapContext it is found that RSI points to an ETHREAD structure.


Dynamic debugging shows that RSI equals the ETHREAD address, which confirms the conclusion from IDA Pro.

Conclusion

After completing the relevant structures in IDA Pro and following the logic, it can be seen that if the user-mode process is a 32-bit program, the low 32 bits of the TEB address plus 0x2000 are stored in the target GDT entry; if it is a 64-bit program, the low 32 bits of _EPROCESS.UserFsBase are stored there. This matches what the entry is for: selector 0x50 is KGDT64_R3_CMTEB, the FS data segment used by 32-bit (WoW64) code, and the 32-bit TEB of a WoW64 thread lies 0x2000 bytes after its 64-bit TEB, so the base written at each context switch is exactly what the 32-bit code expects to find behind FS. The entry is an ordinary 32-bit data segment descriptor whose base field is rewritten per thread, which is why it looks like a constantly changing, unclassifiable item in a static viewer.
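To make the two observations above concrete (a viewer that mis-classifies entry No. 10, and a base field that is rewritten on every context switch), here is an added example decoder for x86-64 GDT descriptors. It is not the article's own tool or Windows code. The selector values KGDT64_SYS_TSS (0x40) and KGDT64_R3_CMTEB (0x50) are the real Windows x64 constants; the GDT image, its base addresses and limits are constructed for the demonstration. The walker honours the 16-byte system descriptors that 64-bit mode introduces (the TSS at 0x40 occupies indexes 8 and 9), which is the usual reason an 8-bytes-at-a-time viewer gets confused right before index 10, and gdt_set_base32 shows the minimal per-switch update: only the base field changes, the access and flag bytes stay as they are.

```c
/* Added example: decode x86-64 GDT descriptors and rewrite a base field.
 * Not the article's tool. Sample image and addresses are constructed;
 * only the two selector constants are real Windows x64 values. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KGDT64_SYS_TSS  0x40  /* 64-bit TSS: 16-byte descriptor, indexes 8 and 9 */
#define KGDT64_R3_CMTEB 0x50  /* index 10: compatibility-mode TEB (FS) data segment */

typedef struct {
    uint32_t offset;   /* byte offset from the GDT base */
    uint64_t base;
    uint32_t limit;    /* byte limit after granularity expansion */
    uint8_t  type, dpl, present, system, gran;
    int      size;     /* 8 or 16 bytes */
} gdt_desc_t;

/* Layout: limit[15:0]@0, base[15:0]@2, base[23:16]@4, access@5 (P:7 DPL:6-5 S:4
 * Type:3-0), flags@6 (G:7 D/B:6 L:5 AVL:4 limit[19:16]:3-0), base[31:24]@7.
 * 64-bit system descriptors add base[63:32] at bytes 8..11. Returns bytes used. */
int gdt_decode(const uint8_t *raw, uint32_t offset, gdt_desc_t *d)
{
    uint8_t access = raw[5], flags = raw[6];
    memset(d, 0, sizeof *d);
    d->offset  = offset;
    d->type    = access & 0x0F;
    d->system  = !(access & 0x10);          /* S=0 means system descriptor */
    d->dpl     = (access >> 5) & 3;
    d->present = access >> 7;
    d->gran    = flags >> 7;
    d->limit   = raw[0] | (uint32_t)raw[1] << 8 | (uint32_t)(flags & 0x0F) << 16;
    if (d->gran) d->limit = (d->limit << 12) | 0xFFF;
    d->base    = raw[2] | (uint32_t)raw[3] << 8 | (uint32_t)raw[4] << 16 | (uint32_t)raw[7] << 24;
    d->size    = 8;
    /* In IA-32e mode LDT (2), TSS (9/0xB) and gate (0xC/0xE/0xF) descriptors are 16 bytes. */
    if (d->system && (d->type == 0x2 || d->type == 0x9 || d->type == 0xB ||
                      d->type == 0xC || d->type == 0xE || d->type == 0xF)) {
        d->base |= (uint64_t)(raw[8] | (uint32_t)raw[9] << 8 |
                              (uint32_t)raw[10] << 16 | (uint32_t)raw[11] << 24) << 32;
        d->size = 16;
    }
    return d->size;
}

/* Walk a raw GDT image; returns the number of descriptors found. */
int gdt_walk(const uint8_t *img, uint32_t img_size, gdt_desc_t *out, int max)
{
    int n = 0;
    for (uint32_t off = 0; off + 8 <= img_size && n < max; )
        off += gdt_decode(img + off, off, &out[n++]);
    return n;
}

/* Rewrite only base[31:0] of an 8-byte descriptor; limit/access/flags untouched. */
void gdt_set_base32(uint8_t *raw, uint32_t base)
{
    raw[2] = base & 0xFF;         raw[3] = (base >> 8) & 0xFF;
    raw[4] = (base >> 16) & 0xFF; raw[7] = (base >> 24) & 0xFF;
}

static void put8(uint8_t *e, uint32_t base, uint32_t limit, uint8_t access, uint8_t flags)
{
    e[0] = limit & 0xFF; e[1] = (limit >> 8) & 0xFF;
    e[5] = access; e[6] = (flags & 0xF0) | ((limit >> 16) & 0x0F);
    gdt_set_base32(e, base);
}

/* Constructed image following the Windows x64 selector layout; addresses are made up. */
uint32_t build_sample_gdt(uint8_t *img)
{
    memset(img, 0, 0x58);
    put8(img + 0x10, 0, 0, 0x9A, 0x20);                 /* R0 code, L=1 */
    put8(img + 0x18, 0, 0, 0x92, 0x00);                 /* R0 data */
    put8(img + 0x20, 0, 0xFFFFF, 0xFA, 0xC0);           /* R3 compat code, G=1 D=1 */
    put8(img + 0x28, 0, 0xFFFFF, 0xF2, 0xC0);           /* R3 data */
    put8(img + 0x30, 0, 0, 0xFA, 0x20);                 /* R3 code, L=1 */
    put8(img + 0x40, 0x12345000u, 0x67, 0x89, 0x00);    /* available 64-bit TSS */
    img[0x48] = 0x00; img[0x49] = 0xF8; img[0x4A] = 0xFF; img[0x4B] = 0xFF; /* TSS base[63:32] */
    put8(img + 0x50, 0x00E12000u, 0xFFF, 0xF3, 0x40);   /* CMTEB: R3 RW data, base = TEB32 (constructed) */
    return 0x58;
}

int main(void)
{
    uint8_t img[0x58]; gdt_desc_t d[16];
    uint32_t sz = build_sample_gdt(img);
    int n = gdt_walk(img, sz, d, 16);
    for (int i = 0; i < n; i++)
        printf("%02x: %2d-byte %-6s type=%x dpl=%u P=%u base=%016llx limit=%08x\n",
               d[i].offset, d[i].size, d[i].system ? "system" : "seg", d[i].type, d[i].dpl,
               d[i].present, (unsigned long long)d[i].base, d[i].limit);
    /* What a context switch does to index 10: swap in the next thread's TEB32 base. */
    gdt_set_base32(img + KGDT64_R3_CMTEB, 0x00F00000u);
    gdt_decode(img + KGDT64_R3_CMTEB, KGDT64_R3_CMTEB, &d[0]);
    printf("after switch: base=%08llx type=%x dpl=%u\n",
           (unsigned long long)d[0].base, d[0].type, d[0].dpl);
    return 0;
}
```

Run it and note that offset 0x48 never appears as an entry of its own: it is the upper half of the TSS descriptor. A viewer that steps 8 bytes at a time would decode that half as garbage and then land on index 10 already confused, whereas with the size-aware walk index 10 decodes as a plain present, DPL 3, read/write data segment whose only moving part is its base.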