DOS ain't dead

DOS386(R)

23.07.2007, 02:42
 

VESAMTTR (recovered from Google) (DOSX)

Japheth wrote:

> VESAMTRR "switches" to ring 0 to run the privileged instructions.

I wrote:

> * VERY * interesting source :-)

Japheth wrote:

> Rayer's switches to "real-mode" and runs the instructions.
> But since "real-mode" very often is "v86-mode"

I wrote:

> Looks like very bad design :-( He uses DGJPP, and then goes "real" for
> the relevant activity ... 500 Bytes of real mode assembly could probably
> replace the 100 KB from DGJPP :lol:

> Had thought that Rayer found out how to execute privileged
> instructions under DPMI ... but he didn't ... but you did :-)

> Seem to be at least 4 ways how to execute privileged instruction from DPMI code:

> - Go "real" (bad hack needed to switch ?) ... bad
> - Emulate them in the DPMI host (CR accesses & HLT in HDPMI32)
> - Run "client" in Ring0 (CWSDPR0, DOS/32A, other "WATCOM" extenders ?)
> - Shoot a hole into the protection :lol: and jump to Ring0 (VESAMTRR)

RayeR(R)

CZ,
03.09.2007, 20:45

@ DOS386

VESAMTTR (recovered from Google)

> > - Shoot a hole into the protection :lol: and jump to Ring0 (VESAMTRR)

Yes, the hole was shot through a callgate :)

RayeR(R)

CZ,
03.09.2007, 20:58

@ DOS386

VESAMTTR (recovered from Google)

> > Looks like very bad design :-( He uses DGJPP, and then goes "real" for
> > the relevant activity ... 500 Bytes of real mode assembly could
> probably
> > replace the 100 KB from DGJPP :lol:

BTW this program MTRRLFBE is only a side product; it's part of my gfx library and someone asked me to make this tool a stand-alone feature, so I reused my code instead of coding new 500 Bytes of assembly from scratch. And I don't account myself to be an assembler expert (the biggest ASM project I wrote is the ROMOS project - for me primarily a BIOS-hacking challenge...)

Rugxulo(R)

Usono,
04.09.2007, 02:01

@ RayeR

VESAMTTR (recovered from Google)

> BTW this program MTRRLFBE is only a side product, it's part of my gfx
> library and someone ask me to make this tool as stand-alone feature so I
> reused my code instead coding new 500 Bytes of assembly from a scratch.
> And I don't account myself to be assembler expert (the biggest ASM project
> I wrote is ROMOS project-for me primary a bioshacking challenge...)

Hardly anybody is an assembly expert in everything these days, when CPUs have SSSE3, x86-64, etc. There's just too much to know. But you may get more useful help in that regard from the Flat Assembler Forum than here (although some of us know a little). There are people there writing pmode OSes, tiny demos, lots of MMX stuff, Win32 apps, assemblers, compilers, and x86-64 apps.

---
Know your limits.h

RayeR(R)

CZ,
04.09.2007, 12:59

@ Rugxulo

VESAMTTR (recovered from Google)

I don't need anything extra, just if someone here knows AT&T inline ASM for DJGPP:

My ring0 code is this short function:

void ring0_rdmsr(void)                 // unfortunately GCC does not support __attribute__ ((naked)) on x86,
{                                      // so instead of a function pointer we use an ASM label
asm __volatile__ (
  "rdmsr_label:\n"                     // label at start of pure code behind C-function prologue
  "rdmsr\n"                            // read CPU MSR register value to EDX:EAX
  "movl %eax,(%ebx)\n"                 // mov dword ptr [ebx],eax
  "movl %edx,(%edi)\n"                 // mov dword ptr [edi],edx
  "lret\n"                             // far return from ring 0
  );                                   // C-function epilogue will never be reached
}


and callgate is called:

asm __volatile__ (                     // calling the CallGate
//    "pushal\n"                       // store all registers to stack
    "cli\n"                            // disable interrupts
    "movl %0,%%ebx\n"                  // store pointer to low DWord
    "movl %1,%%edi\n"                  // store pointer to high DWord
    "movl %2,%%ecx\n"                  // store MSR index
    "lcall *%3\n"                      // far call the CallGate to enter ring 0, requires code far return
    "sti\n"                            // enable interrupts
//    "popal\n"                        // restore all registers from stack
    :                                  // no outputs (read data overwrites input arguments)
    : "g" (eax), "g" (edx), "g" (ecx), "m" (ldt_callgate_ptr) // inputs
    : "eax", "ebx", "ecx", "edx", "edi", "memory", "cc"       // clobbers: registers and memory the ring-0 code changes
    );


If I have pushal/popal around the call, then DJGPP crashes (but mingw32 not), so I commented it out. Is it really needed? Or can I omit it? Or any idea to improve this inline asm?

EDIT by rr: added {code} tags

---
DOS gives me freedom to unlimited HW access.

Japheth(R)

Germany (South),
04.09.2007, 16:41

@ RayeR

VESAMTTR (recovered from Google)

Hello RayeR,

> If I have pushal/popal around the call, then DJGPP crashes (but mingw32
> not) so I commented it out. Is it really needed?

The "pusha/popa" is harmless and shouldn't crash. :-D
If you want you can send me a version which crashes. Might be interesting to find out why.

> Or can I omit it? Or any idea to improve this inline asm?

I don't know, but usually, to be safe, just use the EAX, EDX and ECX registers. Your code can be easily modified so it just uses these regs.

---
MS-DOS forever!

RayeR(R)

CZ,
04.09.2007, 20:25

@ Japheth

VESAMTTR (recovered from Google)

> The "pusha/popa" is harmless and shouldn't crash. :-D
> If you want you can send me a version which crashes. Might be interesting
> to find out why.

Do you have DJGPP to compile it, or do you want both binaries compiled with debug info? I also wonder why, when I commented these lines out, it stopped crashing...
Maybe it's because I don't fully understand the inline assembler parameter handling, especially the 3rd section, clobbered_registers:
asm ( "statements" : output_registers : input_registers : clobbered_registers);
Maybe when I list my used registers there I don't need to push/pop anything. Maybe I should add save/restore of EDI, or as you said rewrite it to use only EAX, EDX, ECX. Can I expect that these regs will not change when entering ring0 and returning back?

---
DOS gives me freedom to unlimited HW access.

Japheth(R)

Germany (South),
04.09.2007, 22:32

@ RayeR

VESAMTTR (recovered from Google)

> Do you have DJGPP to compile it or do you want both binaries with compiled
> debug info? I also wonder why when I commented these lines out it stopped
> crashing...

Just the binary of the crashing version. Debug info is not important. I will run it with my debugger (deb32f).

> maybe when I list my used registers here i don't need to push/pop
> anything. Maybe I should add save/restore EDI or as you said rewrite to use
> only EAX,EDX,ECX. Can I expect that these regs will not change when entering
> ring0 and return back?

Using a call gate is the lowest level; there is "no one" who can change the regs' content except your code.

---
MS-DOS forever!

DOS386(R)

05.09.2007, 02:17

@ Japheth

VESAMTTR (recovered from Google)

> > Do you have DJGPP to compile it or
> Just the binary of the crashing version.

But Japheth has D**PP as well ;-)

---
This is a LOGITECH mouse driver, but some software expect here
the following string:*** This is Copyright 1983 Microsoft ***

RayeR(R)

CZ,
05.09.2007, 09:53

@ Japheth

VESAMTTR (recovered from Google)

> Just the binary of the crashing version. Debug info is not important. I
> will run it with my debugger (deb32f).

Well, check mail today evening.

> using a call gate is lowest level, there is "noone" who can change the
> regs content except your code.

OK, I simplified the code so that the input params are stored directly in ECX, (EDX, EAX), then the far call, and then they are read back. It works well, but still when I pushal/popal around the code it crashes :P

BTW I tried to play with the code under the WinXP VDM. I can read GDTR and LDTR, I can allocate an LDT descriptor, I can set the descriptor's base and limit according to the GDTR values, but when I try to read some data (movedata or farpeekb) via the selector of this descriptor it crashes. How does NT protect reading of the GDT? My code has PL=3 and the LDT descriptor I'm accessing also has DPL=3, so this should be OK. Is there some paging magic here? Or does the CPU have some flag to protect the GDT against all PL>0 code?

---
DOS gives me freedom to unlimited HW access.

Rugxulo(R)

Usono,
05.09.2007, 14:51

@ RayeR

VESAMTTR (recovered from Google)

> If I have pushal/popal around the call, then DJGPP crashes (but mingw32
> not) so i commented it. Is it really needed? Or can I omit it? Or any
> idea to improve this inline asm?

What compiler options are you using, -O2 and / or -fomit-frame-pointer ?? Try -Os alone (no -fomit...) and see if that also crashes. Also, are you only testing on WinXP or also in real DOS? DJGPP 2.03p2 or 2.04 beta?

---
Know your limits.h

RayeR(R)

CZ,
05.09.2007, 16:22

@ Rugxulo

VESAMTTR (recovered from Google)

> What compiler options are you using, -O2 and / or -fomit-frame-pointer ??
> Try -Os alone (no -fomit...) and see if that also crashes. Also, are you
> only testing on WinXP or also in real DOS? DJGPP 2.03p2 or 2.04 beta?

Yes, I have -O2 and -fomit-frame-pointer set as default in RHIDE... Good idea to try no/other -O. But I need to make the code stable at any optimization level. I use DJGPP 2.04, now testing gcc 4.2.1 (previously I had 4.1.2) under MS-DOS 6.22 + QEMM9 and Windows 98SE

---
DOS gives me freedom to unlimited HW access.

Rugxulo(R)

Usono,
05.09.2007, 20:56

@ RayeR

VESAMTTR (recovered from Google)

> Yes I have -O2 and -fomit-frame-pointer as default set in RHIDE... Good
> idea to try no/other -O. But I need to make the code stable at any
> optimization level. I use DJGPP 2.04, now testing gcc 4.2.1 (previously I
> had 4.1.2) under MS-DOS 6.22 + QEMM9 and Windows 98SE

Try without using "-fomit-frame-pointer" since that changes the stack setup drastically (enough to mess up debugging in some cases). You might also want to try without any mem. managers running in pure DOS and see if that makes a difference.

---
Know your limits.h

RayeR(R)

CZ,
06.09.2007, 01:08

@ Rugxulo

VESAMTTR (recovered from Google)

> Try without using "-fomit-frame-pointer" since that changes the stack

Yes dude, you were right. -fomit-frame-pointer made the evil; it works with -Os -O2 -O6 well. Could you explain what -fomit-frame-pointer does, resp. how it can make crashes?

Japheth (or others) If you want to debug it, here are both bins:
http://rayer.ic.cz/350d/pmtest.zip

---
DOS gives me freedom to unlimited HW access.

Rugxulo(R)

Usono,
06.09.2007, 04:40

@ RayeR

VESAMTTR (recovered from Google)

> Yes dude, you were right. -fomit-frame-pointer made the evil, it works with
> -Os -O2 -O6 well. Could you explain what -fomit-frame-pointer does resp.
> how it can make crashes?

Try using -fomit-frame-pointer -masm=intel -S -o myfile.asm and comparing it vs. without the -fomit-frame-pointer option. Basically, GCC always creates a stack frame (which, if absent, can save some bytes but makes debugging much much harder if not impossible). Actually, I think -Os and similar are documented to always use -fomit-frame-pointer unless it interferes with debugging (which I personally thought was kinda a copout for not working like documented but whatever).

Basically, if you screw with the stack, it can mess up and crash, so don't do it. (And GCC ain't your friend if you want really small code.)

---
Know your limits.h

Japheth(R)

Germany (South),
06.09.2007, 07:17

@ RayeR

VESAMTTR (recovered from Google)

this is the crashing context:

[image]

the crash is at 1E7B, the far call (which is your call gate).

It is easy to see that GCC expects that register ESP isn't changed in inline assembly, which is not true if PUSHAD is done.

Fortunately, one can see as well that GCC saves registers EBX, ESI and EDI on its own, so there is no need for the PUSHAD.

---
MS-DOS forever!
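An added example (editor's code, not RayeR's, Japheth's or any project's) that puts the fix the posts above converge on into runnable form. Why pushal crashed only with -fomit-frame-pointer: GCC expands operands such as the "g"/"m" inputs into stack addresses; with a frame pointer they are EBP-relative and unaffected by pushes, but without one they are ESP-relative, so once pushal has moved ESP down by 32 bytes every stack-based operand in the template (including the call gate pointer used by lcall) reads 32 bytes off. The remedy is to describe what the asm reads, writes and clobbers through constraints rather than saving registers by hand. The privileged part (far call, RDMSR) is replaced here by an unprivileged MULL so the block runs in user mode; the register shape matches RayeR's simplified wrapper (operand in ECX, 64-bit result in EDX:EAX), and the second function keeps his original store-through-pointer shape to show where the "memory" clobber goes. Function names are the example's own; on non-x86 hosts a plain C fallback runs instead of the asm.

```c
/* Added example: GCC inline-asm register plumbing via constraints instead of
 * pushal/popal.  MULL stands in for the privileged RDMSR-through-call-gate
 * step; the data flow (ECX in, EDX:EAX out) is the same shape. */
#include <stdint.h>
#include <stdio.h>

/* Result returned through output constraints: GCC knows EAX and EDX are
 * written, loads the inputs itself and preserves anything else it needs.
 * Nothing is pushed inside the asm, so ESP stays where GCC believes it is,
 * which ESP-relative (-fomit-frame-pointer) operands depend on. */
uint64_t mul32_edx_eax(uint32_t a, uint32_t b)
{
    uint32_t lo, hi;
#if defined(__i386__) || defined(__x86_64__)
    __asm__ __volatile__ (
        "mull %%ecx\n"            /* EDX:EAX = EAX * ECX (stand-in for rdmsr) */
        : "=a" (lo), "=d" (hi)    /* outputs: GCC reads EAX/EDX afterwards    */
        : "a" (a), "c" (b)        /* inputs: GCC places a in EAX, b in ECX    */
        : "cc");                  /* clobber: only the flags change           */
#else
    uint64_t p = (uint64_t)a * b; /* portable fallback for non-x86 hosts      */
    lo = (uint32_t)p;
    hi = (uint32_t)(p >> 32);
#endif
    return ((uint64_t)hi << 32) | lo;
}

/* Same operation in the shape of the original wrapper: the asm stores both
 * halves through a pointer (as "movl %eax,(%ebx)" did).  Stores GCC cannot
 * see are declared with the "memory" clobber; registers the asm overwrites
 * are outputs ("+a", "=&d": early-clobber so the pointer is never allocated
 * to EDX).  That declaration is what replaces pushal/popal. */
void mul32_store(uint32_t a, uint32_t b, uint32_t out[2])
{
#if defined(__i386__) || defined(__x86_64__)
    uint32_t hi_scratch;
    __asm__ __volatile__ (
        "mull %%ecx\n"                    /* EDX:EAX = EAX * ECX              */
        "movl %%eax, (%[p])\n"            /* out[0] = low dword               */
        "movl %%edx, 4(%[p])\n"           /* out[1] = high dword              */
        : "+a" (a), "=&d" (hi_scratch)    /* EAX read+written, EDX written    */
        : "c" (b), [p] "r" (out)          /* ECX and the pointer are inputs   */
        : "memory", "cc");                /* stores through a pointer         */
    (void)hi_scratch;
#else
    uint64_t p = (uint64_t)a * b;         /* portable fallback                */
    out[0] = (uint32_t)p;
    out[1] = (uint32_t)(p >> 32);
#endif
}

/* Helper for checking mul32_store: returns the stored pair as one value. */
uint64_t mul32_store_check(uint32_t a, uint32_t b)
{
    uint32_t out[2] = {0, 0};
    mul32_store(a, b, out);
    return ((uint64_t)out[1] << 32) | out[0];
}

int main(void)
{
    printf("%llx\n", (unsigned long long)mul32_edx_eax(0xFFFFFFFFu, 0xFFFFFFFFu));
    printf("%llx\n", (unsigned long long)mul32_store_check(0x80000000u, 4u));
    return 0;
}
```

With the constraints in place, GCC allocates the inputs, avoids the clobbered registers for anything it needs live across the block, and reloads values it may have cached in registers after a "memory" clobber; a hand-written pushal/popal then has nothing left to protect and only moves ESP out from under GCC's operands.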

Japheth(R)

Germany (South),
06.09.2007, 08:27

@ RayeR

VESAMTTR (recovered from Google)

> BTW I tried to play with code under WinXP VDM. I can read GDTR and LDTR, I
> can allocate LDT descriptor, I can set descriptor's base and limit along
> GDTR values, but when I try to read some data (movedata or farpeekb) via
> selector of this descriptor it crashes. How does NT protect reading of
> GDT? My code has PL=3 and my LDT descriptor I'm accessing has also DPL=3 so
> this should be OK. Is it some paging magic here? Or does CPU have some
> flag to protect GDT against all PL>0 code?

On NT the pages which contain the GDT, IDT, LDT and paging tables are protected ("system" PTEs). IIRC some versions of NT/XP additionally don't allow descriptor limits > 7FFFFFFFh (which caused some trouble for older versions of DJGPP).

---
MS-DOS forever!

rr(R)

Berlin, Germany,
06.09.2007, 16:51

@ RayeR

VESAMTTR (recovered from Google)

> Yes dude, you were right. -fomit-frame-pointer made the evil, it works with
> -Os -O2 -O6 well. Could you explain what -fomit-frame-pointer does resp.

There is no "-O6". You may wish to look at GCC's opts.c.

rr(R)

Berlin, Germany,
06.09.2007, 16:56

@ Rugxulo

VESAMTTR (recovered from Google)

> Actually, I think -Os and similar are documented to always use
> -fomit-frame-pointer unless it interferes with debugging
> (which I personally thought was kinda a copout for not working like
> documented but whatever).

"-Os" is basically "-O2" with a few tweaks. Search for optimize_size in GCC's opts.c.

RayeR(R)

CZ,
06.09.2007, 22:33

@ rr

VESAMTTR (recovered from Google)

> There is no "-O6". You may wish to look at GCC's opts.c.

Oh, maybe some undocumented/old version, I don't remember where I saw it.
BTW it's interesting that gcc doesn't display any error; you can enter e.g. -O9999999999999 as well :P

---
DOS gives me freedom to unlimited HW access.

RayeR(R)

CZ,
06.09.2007, 22:34

@ Japheth

VESAMTTR (recovered from Google)

> the crash is at 1E7B, the far call (which is your call gate).
>
> it is easy to see that GCC expects that register ESP isn't changed in
> inline assembly, which is not true if PUSHAD is done.
>
> Fortunately, one can see as well that GCC saves registers EBX, ESI and EDI
> on its own, so there is no need for the PUSHAD.

Thank you (and all) here for clarification and suggestions.

---
DOS gives me freedom to unlimited HW access.

RayeR(R)

CZ,
06.09.2007, 22:35

@ Rugxulo

VESAMTTR (recovered from Google)

> Try using -fomit-frame-pointer -masm=intel -S -o myfile.asm and

My gcc doesn't like -masm=intel :( I can produce AT&T (-S) only.

gdtdum.c: In function 'setup_ring0_callgate':
gdtdum.c:93: internal compiler error: in print_operand, at config/i386/i386.c:7962
Please submit a full bug report,
with preprocessed source if appropriate.
See <URL:http://gcc.gnu.org/bugs.html> for instructions.


EDIT by rr: added {code} tag

---
DOS gives me freedom to unlimited HW access.

Rugxulo(R)

Usono,
07.09.2007, 04:12

@ rr

VESAMTTR (recovered from Google)

> "-Os" is basically "-O2" with a few tweaks. Search for
> optimize_size in GCC's opts.c.

Back in the day, I think there was no -Os, so -O2 was the equivalent.

---
Know your limits.h

Rugxulo(R)

Usono,
07.09.2007, 04:14

@ RayeR

VESAMTTR (recovered from Google)

> > Try using -fomit-frame-pointer -masm=intel -S -o myfile.asm and
>
> My gcc doesn't like -masm=intel :( I can produce AT&T (-S) only.

That means your GAS (AS.EXE) is old. Try upgrading to /current/bnu217b.zip and use that (should work).

---
Know your limits.h

Rugxulo(R)

Usono,
07.09.2007, 05:11

@ RayeR

VESAMTTR (recovered from Google)

> > There is no "-O6". You may wish to look at GCC's opts.c.
>
> Oh, maybe some undocumented/old version, I don't remember where I saw
> it.
> BTW interesting that gcc doesn't display any error, you can enter e.g.
> -O9999999999999 as well :P

I could be wrong, but I think EGCS used to support -O6.

---
Know your limits.h

RayeR(R)

CZ,
07.09.2007, 10:18

@ Rugxulo

VESAMTTR (recovered from Google)

> That means your GAS (AS.EXE) is old. Try upgrading to
> /current/bnu217b.zip
> and use that (should work).

But I already have the latest binutils 2.17 from the DJ site. I will try whether it happens in other gcc versions/mingw/linux...

---
DOS gives me freedom to unlimited HW access.

rr(R)

Berlin, Germany,
07.09.2007, 10:40

@ RayeR

VESAMTTR (recovered from Google)

> > There is no "-O6". You may wish to look at GCC's opts.c.
>
> Oh, maybe some undocumented/old version, ...

How could it be undocumented, if you look at the compiler's source code?

> I don't remember where I saw it.

Probably in old Linux kernels. Recent kernels use "-O2".

> BTW interesting that gcc doesn't display any error, you can enter e.g.
> -O9999999999999 as well :P

Sure, but any number greater than 3 does the same thing.

rr(R)

Berlin, Germany,
07.09.2007, 10:40

@ Rugxulo

VESAMTTR (recovered from Google)

> I could be wrong, but I think EGCS used to support -O6.

Yes, see "Exactly what optimizations does PGCC do?". But who's still using EGCS?

rr(R)

Berlin, Germany,
07.09.2007, 10:45

@ RayeR

VESAMTTR (recovered from Google)

> But I already have the latest binutils 2.17 from the DJ site. I will try whether it
> happen in other gcc versions/mingw/linux...

What does gcc --version report?

RayeR(R)

CZ,
08.09.2007, 01:46

@ rr

VESAMTTR (recovered from Google)

> > But I already have the latest binutils 2.17 from the DJ site. I will try whether it
> > happen in other gcc versions/mingw/linux...
>
> What does gcc --version report?

gcc --version
gcc.exe (GCC) 4.2.1
Copyright (C) 2007 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

gcc -v
Target: djgpp
Configured with: /v204/gcc-4.21/configure djgpp --prefix=/dev/env/DJDIR --disable-nls --disable-werror --enable-languages=c,c++,fortran,objc,obj-c++,ada
Thread model: single
gcc version 4.2.1

as -v
GNU assembler version 2.17 (djgpp) using BFD version 2.17

---
DOS gives me freedom to unlimited HW access.

Rugxulo(R)

Usono,
08.09.2007, 07:03

@ RayeR

VESAMTTR (recovered from Google)

> > > But I already have the latest binutils 2.17 from the DJ site. I will try whether it
> > > happen in other gcc versions/mingw/linux...
> >
> > What does gcc --version report?
>
> gcc --version
> gcc.exe (GCC) 4.2.1
>
> as -v
> GNU assembler version 2.17 (djgpp) using BFD version 2.17

What's the filedate and filesize and CRC32 of your GCC.EXE? AS.EXE? Mine are below:

> [ WinXP ] Fri 09/07/2007>mzav djgpp\bnu217b /s(as.exe) /n /l!
>
> BNU217B.ZIP
>
> bin/as.exe
> B311,B95F 228,409 (229,816) Mar,21,2007 09:23:28a
>
> [ WinXP ] Sat 09/08/2007>mzav djgpp\gcc421b /s(gcc.exe) /n /l!
>
> GCC421B.ZIP
>
> bin/gcc.exe
> 329B,DD7E 109,242 (110,656) Jul,28,2007 05:25:34a
>
> [ WinXP ] Sat 09/08/2007>scrndump

---
Know your limits.h

RayeR(R)

CZ,
08.09.2007, 22:03

@ Rugxulo

VESAMTTR (recovered from Google)

> > bin/as.exe
> > B311,B95F 228,409 (229,816) Mar,21,2007 09:23:28a

my as: 247008B, 2:04:00, 17.8.2007, MD5: 2600df22e192c680eca71ccf23aebe1a

> > bin/gcc.exe
> > 329B,DD7E 109,242 (110,656) Jul,28,2007 05:25:34a

my gcc: 123620B, 4:41:06, 27.7.2007, MD5: 36fb12ce8c89cf71846eb977d22a3e4a

If I remember right, I updated from the dj/alpha/gnu or beta/gnu site

---
DOS gives me freedom to unlimited HW access.

rr(R)

Berlin, Germany,
08.09.2007, 22:49

@ RayeR

VESAMTTR (recovered from Google)

> If I remember right, I updated from the dj/alpha/gnu or beta/gnu site

That's beta.

RayeR(R)

CZ,
10.09.2007, 14:18

@ rr

VESAMTTR (recovered from Google)

> That's beta.

OK, BTW I tried it under Debian Linux with gcc 4.1.2 and it works.

---
DOS gives me freedom to unlimited HW access.

DOS386(R)

11.09.2007, 06:54

@ Japheth

VESAMTTR (recovered from Google)

Japheth wrote:

> NT the pages which contain GDT, IDT, LDT and paging tables are protected ("system" PTEs).

Thanks.

And this protection means they are not even readable from Ring3 ?

VESAMTRR seems to "protect" (DPMI fault trapping) GDT reading, but not IDT writing - based on the fact that NT completely blocks all ?

Any benefit from jumping via IDT (VESAMTRR) from GDT ( RayeR's coming up solution ) ?

---
This is a LOGITECH mouse driver, but some software expect here
the following string:*** This is Copyright 1983 Microsoft ***

RayeR(R)

CZ,
12.09.2007, 20:31

@ DOS386

VESAMTTR (recovered from Google)

> Any benefit from jumping via IDT (VESAMTRR) from GDT ( RayeR's coming up
> solution ) ?

I think it would be easier to hack NT from NT, I mean to use a kernel mode driver to unprotect the xDT, or to allocate some descriptors for the application and return a selector. I think it would help some games/apps using the VESA LFB - they need to map physical memory and create a descriptor for the LFB, which they now can't (I know about the nolfb TSR, but this would be faster). BTW setting MTRRs is not needed under Windows because the VGA/other drivers do it for you. Before I knew about MTRRs I was very puzzled why my VGA is much faster after a quick reboot from Windows to DOS (yeah, write combining was enabled)

---
DOS gives me freedom to unlimited HW access.

DOS386(R)

13.09.2007, 02:21

@ RayeR

VESAMTTR (recovered from Google)

> I think it would be easier to hack NT from NT, I mean to use kernel mode
> driver to unprotect xDT, or allocate some descriptors for application and

Probably true, but absolutely unrelated to what I asked :confused:

> return selector. I think it would help some games/apps using VESA LFB

I don't need VESA LFB on NT :lol3:

So you now have working Ring0 code and will implement it into CPUID, VESATEST and MTRRLFBE (+ fix other aforementioned issues) ? :hungry:

---
This is a LOGITECH mouse driver, but some software expect here
the following string:*** This is Copyright 1983 Microsoft ***
