[MS Windows segmentation]: User space segmentation howto
Posted: Thu Jun 10, 2010 7:45 am
I'm currently developing a home-built debugging plug-in.
It consists of reading the code segment of a debugged program. Nevertheless, it doesn't work at all.
Obviously, I can't read the targeted segment code. Something is read (no segmentation fault), but I don't know what...
I've observed that user processes use the same descriptor selector, CS = 1B, indicating that the GDT is involved. So there is no need to load the CS value into a data selector register; just the EIP value should be loaded.
So I wrote a test program that, given an address, reads it and tries to disassemble it.
But what a surprise: if I run two instances of this test program at the same time, EIP remains the same.
If I do the same with two releases of my tested program (compiled with different levels of optimization: -g for the first and -O3 for the other), the EIP values differ. Agreed.
Reading its own code works for both of them. Agreed.
But reading the code of the other one gives an unexpected result.
I can't understand that. I feel confused, but it's crazy:
The CS value remains the same, referencing the GDT.
EIP remains the same.
Conclusion:
Could the GDT be switched between processes?
The answer is yes. The GDTR value changes from process to process.
Unthinkable.
What is the benefit, compared to using several segment entries in the GDT or using the LDT?
Does someone know how to access the memory of another process?
Can someone explain the advantage of such memory management in Windows Vista?
Thanks a lot