When writing a program to view the Windows kernel resources, I found that index No. 10 is neither a segment descriptor nor a gate descriptor, and its content keeps changing. Therefore, I want to know what is saved in it.
Environment Description: Windows 10 x64 1903
The item marked with the red line in the figure above is the index item No. 10.
After running the test many times, I found that the interrupt occurs near nt!SwapContext+0x3cb.
When the hardware interrupt is triggered, the instruction being executed is the last instruction at the interrupt location:
mov rcx,qword ptr [rbx-180h]
Analysis of this instruction shows that RCX points to the GDT base. The value to be set is stored in RAX. As long as you find the value in RAX, you know what value is set at this location.
Searching the memory range around RBX and RBX-180h, I suspected that it may be the address pointing to the PRCB.
Through the !prcb command, we find that the conjecture is correct.
According to this logic, as long as you find where RSI points, you can know what value is set in RAX.
View the SwapContext function definition in IDA Pro.
Looking at the cross references, it is found that KiSwapContext calls this function.
From the fourth parameter of the SwapContext function, it is found that RSI points to the ETHREAD structure.
Dynamic debugging shows that the RSI and ETHREAD values are equal, which also verifies the conclusion from IDA Pro.
In IDA Pro, complete the relevant structures and analyze the relevant logic. It can be seen that if the user-mode process is a 32-bit program, the low 32 bits of TEB + 0x2000 are saved in the target GDT location; if it is a 64-bit program, the lower 32 bits of _EPROCESS.UserFsBase are stored in the target location.
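To make the per-thread value above visible when dumping the GDT, it helps to decode each 8-byte slot field by field rather than eyeballing the raw qword. The following is an added example (my own code, not from the post or from any Windows source) that decodes a descriptor into base, limit, type, S, DPL and flags, and that also encodes a 32-bit address into a data descriptor so you can see how the base is scattered over bytes 2-4 and byte 7 of the entry. The sample TEB address is constructed, and the assumption that the address lands in the descriptor's base field is mine, not something the post states. Selector 0x50 maps to index 10 because the selector's index is its value shifted right by 3.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decoded fields of one 8-byte GDT descriptor (legacy/compatibility layout). */
typedef struct {
    uint32_t base;     /* 32-bit base reassembled from bits 16-39 and 56-63 */
    uint32_t limit;    /* 20-bit limit, expanded to bytes when G is set */
    uint8_t  type;     /* 4-bit type field (bits 40-43) */
    uint8_t  s;        /* S flag: 1 = code/data, 0 = system/gate descriptor */
    uint8_t  dpl;      /* descriptor privilege level (bits 45-46) */
    uint8_t  present;  /* P flag (bit 47) */
    uint8_t  l;        /* L flag (bit 53): 64-bit code segment */
    uint8_t  db;       /* D/B flag (bit 54): 32-bit operand/stack size */
    uint8_t  g;        /* G flag (bit 55): limit counted in 4 KiB pages */
} gdt_entry_t;

/* Decode a raw 64-bit descriptor exactly as it sits in GDT memory. */
gdt_entry_t gdt_decode(uint64_t raw) {
    gdt_entry_t e;
    memset(&e, 0, sizeof e);
    uint32_t base_lo  = (uint32_t)((raw >> 16) & 0xFFFF);
    uint32_t base_mid = (uint32_t)((raw >> 32) & 0xFF);
    uint32_t base_hi  = (uint32_t)((raw >> 56) & 0xFF);
    e.base = base_lo | (base_mid << 16) | (base_hi << 24);
    uint32_t limit20 = (uint32_t)(raw & 0xFFFF) | ((uint32_t)((raw >> 48) & 0xF) << 16);
    e.type    = (uint8_t)((raw >> 40) & 0xF);
    e.s       = (uint8_t)((raw >> 44) & 1);
    e.dpl     = (uint8_t)((raw >> 45) & 3);
    e.present = (uint8_t)((raw >> 47) & 1);
    e.l       = (uint8_t)((raw >> 53) & 1);
    e.db      = (uint8_t)((raw >> 54) & 1);
    e.g       = (uint8_t)((raw >> 55) & 1);
    e.limit   = e.g ? ((limit20 << 12) | 0xFFF) : limit20;
    return e;
}

/* Build a present, ring-`dpl`, read/write 32-bit data descriptor with the given
   base: the inverse of gdt_decode for the base field. Shows how a flat 32-bit
   address is split across base[15:0], base[23:16] and base[31:24]. */
uint64_t gdt_encode_data(uint32_t base, uint32_t limit20, uint8_t dpl) {
    uint64_t raw = 0;
    raw |= (uint64_t)(limit20 & 0xFFFF);              /* limit[15:0]            */
    raw |= (uint64_t)(base & 0xFFFF) << 16;           /* base[15:0]             */
    raw |= (uint64_t)((base >> 16) & 0xFF) << 32;     /* base[23:16]            */
    raw |= (uint64_t)0x3 << 40;                       /* type: data, RW, accessed */
    raw |= (uint64_t)1 << 44;                         /* S = 1: code/data       */
    raw |= (uint64_t)(dpl & 3) << 45;                 /* DPL                    */
    raw |= (uint64_t)1 << 47;                         /* P = 1                  */
    raw |= (uint64_t)((limit20 >> 16) & 0xF) << 48;   /* limit[19:16]           */
    raw |= (uint64_t)1 << 54;                         /* D/B = 1: 32-bit        */
    raw |= (uint64_t)1 << 55;                         /* G = 1: page granular   */
    raw |= (uint64_t)((base >> 24) & 0xFF) << 56;     /* base[31:24]            */
    return raw;
}

/* GDT index named by a selector: the value shifted right by 3 (RPL and TI dropped). */
unsigned gdt_index(uint16_t selector) { return selector >> 3; }

/* 1 if the slot holds a code/data descriptor; 0 when S == 0, i.e. a system
   descriptor, which on x64 is 16 bytes wide and spans the following slot too. */
int gdt_is_segment(uint64_t raw) { return gdt_decode(raw).s == 1; }

int main(void) {
    /* Constructed sample: a 32-bit TEB at 0x00300000 plus 0x2000. Placing it in
       the base field is an assumption of this example, not something captured
       from a running system. */
    uint32_t teb32 = 0x00300000u + 0x2000u;
    uint64_t raw = gdt_encode_data(teb32, 0xFFFFF, 3);
    gdt_entry_t e = gdt_decode(raw);
    printf("selector 0x50 -> GDT index %u\n", gdt_index(0x50));
    printf("raw=%016llx base=%08x limit=%08x type=%x S=%u DPL=%u P=%u D/B=%u G=%u\n",
           (unsigned long long)raw, e.base, e.limit, e.type, e.s, e.dpl,
           e.present, e.db, e.g);
    return 0;
}
```

Running gdt_decode over the slot before and after a context switch, and comparing the base field with the TEB of the thread now on the processor, is a quick way to confirm the observation from the post without single-stepping SwapContext.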