Reading up on call gates in the system programmer's manual I found the stack arrangement after a call through said gates. First (or never if there is no privilege change) the old SS and ESP are pushed onto the stack, followed by X dwords, where X was specified by the gate descriptor, followed finally by the old CS and EIP. ESP is set to where EIP was pushed.
However, looking at the assembly produced by compiling any old function it would seem that this assembly only works for near calls, because EBP is set to the old ESP and then subsequently used with negative numbers (for example -4(EBP)) to access parameters passed to the routine.
Is there a way to have parameter accesses to work with far calls without having to patch my compiler's 32-bit mode to support far? Lacking that, is there any way to patch source code to transparently support far calls?
Call Gates and Parameters
- Pype.Clicker
Re:Call Gates and Parameters
Adding a fake "segment" argument to each of your functions?
Re:Call Gates and Parameters
Hmmm.... that'll need a certain calling convention, along with the call gate not copying the "reserved" segment argument, but it should work. Thanks!
Let's see... stdcall pushes parameters right to left... so:
Direction of expansion: up
Old EIP (always there)
Old CS (or Reserved Parameter)
Parameter 1 (from the left)
Parameter 2 (from the left)
Parameter 3 (from the left)
Old ESP
Old SS
Yup, declaring inter-privilege level procedures stdcall or another push-from-right convention should work.
It's either that or trampolines that check the stack themselves before calling the real procedure locally, but I'd rather not leave such an essential function as assembler trampolines.
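As an added worked example (not code from the thread or from any of its posters), the following C models the scheme the reply above sketches: it encodes a 32-bit call gate descriptor carrying the parameter count X, then builds the callee's entry stack both for a near stdcall call with a dummy "reserved" first argument and for a far call through the gate with a privilege change, and checks that callee code reading argument p at [EBP + 8 + 4p] sees the same values either way. The selector, offset, CS/SS values and the sample arguments are made-up constants, and the example assumes the reading of the scheme in which far callers push only the real arguments and the gate's count equals their number (so old CS fills the reserved slot and nothing is copied twice).

```c
#include <stdint.h>
#include <stdio.h>

/* 32-bit call gate descriptor (Intel SDM vol. 3, system descriptors):
 *   bits  0-15  target offset 15:0          bits 16-31  target code selector
 *   bits 32-36  parameter count (dwords)    bits 37-39  reserved, zero
 *   bits 40-43  type 0xC = 32-bit call gate, bit 44 S=0, bits 45-46 DPL, bit 47 P
 *   bits 48-63  target offset 31:16 */
#define GATE_TYPE_CALL32 0xCu

uint64_t make_call_gate(uint32_t offset, uint16_t selector, unsigned param_count, unsigned dpl)
{
    uint64_t d = 0;
    d |= (uint64_t)(offset & 0xFFFFu);
    d |= (uint64_t)selector << 16;
    d |= (uint64_t)(param_count & 0x1Fu) << 32;   /* only 5 bits: at most 31 dwords copied */
    d |= (uint64_t)GATE_TYPE_CALL32 << 40;        /* bit 44 (S) stays 0: system descriptor */
    d |= (uint64_t)(dpl & 3u) << 45;
    d |= (uint64_t)1u << 47;                      /* present */
    d |= (uint64_t)(offset >> 16) << 48;
    return d;
}

unsigned gate_param_count(uint64_t d) { return (unsigned)((d >> 32) & 0x1Fu); }
uint32_t gate_offset(uint64_t d)      { return (uint32_t)(d & 0xFFFFu) | (uint32_t)(d >> 48) << 16; }
uint16_t gate_selector(uint64_t d)    { return (uint16_t)(d >> 16); }
unsigned gate_dpl(uint64_t d)         { return (unsigned)((d >> 45) & 3u); }
int gate_is_call32(uint64_t d)        { return ((d >> 40) & 0x1Fu) == GATE_TYPE_CALL32 && ((d >> 47) & 1u); }

/* Callee stack at entry, before "push ebp; mov ebp, esp". slot[i] is [ESP + 4*i], so a
 * higher index is a higher address (the "direction of expansion: up" in the post). */
#define MAX_SLOTS 36               /* 2 + 31 copied dwords + old ESP + old SS */
struct frame { uint32_t slot[MAX_SLOTS]; unsigned n; };

#define RESERVED_DUMMY 0u          /* value a near caller pushes for the reserved slot (assumed) */
#define CALLER_JUNK    0xDEADBEEFu /* stands for whatever lies below the arguments on the caller's stack */

/* Near stdcall call to f(reserved, a1, ..., an): the caller pushes an..a1 right to left,
 * then the dummy reserved value, then CALL pushes EIP. */
void near_call_frame(struct frame *f, const uint32_t *args, unsigned nargs, uint32_t eip)
{
    unsigned i = 0;
    f->slot[i++] = eip;
    f->slot[i++] = RESERVED_DUMMY;
    for (unsigned k = 0; k < nargs; k++) f->slot[i++] = args[k];
    f->n = i;
}

/* Far call through the gate with a privilege change: the caller pushes an..a1 only (no
 * reserved slot) and executes CALL FAR. The CPU switches to the inner stack, pushes old
 * SS and ESP, copies exactly X dwords from the top of the outer stack in order, then
 * pushes old CS and EIP. Old CS therefore lands in the reserved slot. */
void far_call_frame(struct frame *f, uint64_t gate, const uint32_t *args, unsigned nargs,
                    uint32_t old_cs, uint32_t eip, uint32_t old_ss, uint32_t old_esp)
{
    unsigned x = gate_param_count(gate), i = 0;
    f->slot[i++] = eip;
    f->slot[i++] = old_cs;
    for (unsigned k = 0; k < x; k++)      /* X dwords are copied whatever the caller pushed */
        f->slot[i++] = (k < nargs) ? args[k] : CALLER_JUNK;
    f->slot[i++] = old_esp;
    f->slot[i++] = old_ss;
    f->n = i;
}

/* What compiled callee code reads for prototype argument p (1-based, after the reserved
 * slot): [ESP + 4*(1+p)] at entry, i.e. [EBP + 8 + 4*p] after the usual prologue. */
uint32_t frame_arg(const struct frame *f, unsigned p) { return f->slot[1 + p]; }
int ebp_offset_of_arg(unsigned p) { return 8 + 4 * (int)p; }

/* 1 if a callee compiled for the near layout reads the same arguments when entered
 * through the gate, 0 otherwise. A gate count below nargs leaves old ESP/SS where the
 * last arguments should be; a count above it copies junk from the outer stack. */
int layouts_match(uint64_t gate, const uint32_t *args, unsigned nargs)
{
    struct frame nf, ff;
    near_call_frame(&nf, args, nargs, 0x00101000u);
    far_call_frame(&ff, gate, args, nargs, 0x1Bu, 0x00101000u, 0x23u, 0xBFFFFF00u);
    if (gate_param_count(gate) != nargs) return 0;
    for (unsigned p = 1; p <= nargs; p++)
        if (frame_arg(&nf, p) != frame_arg(&ff, p)) return 0;
    return 1;
}

int main(void)
{
    const uint32_t args[3] = { 0x11u, 0x22u, 0x33u };   /* constructed sample arguments */
    uint64_t gate = make_call_gate(0x00101000u, 0x08u, 3, 3);  /* DPL 3: callable from ring 3 */
    uint64_t bad  = make_call_gate(0x00101000u, 0x08u, 2, 3);  /* copies one dword too few */
    printf("gate %016llx: X=%u, layouts match=%d\n", (unsigned long long)gate,
           gate_param_count(gate), layouts_match(gate, args, 3));
    printf("gate %016llx: X=%u, layouts match=%d\n", (unsigned long long)bad,
           gate_param_count(bad), layouts_match(bad, args, 3));
    return 0;
}
```

Two things the model makes visible that the callee must keep in mind: the gate copies a fixed X dwords regardless of what the less-privileged caller actually pushed, and old SS:ESP and old CS are the caller's values, so none of the copied slots are validated by the copy itself; a callee entered through a gate still has to range-check any pointer it receives as it would for any other ring transition.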