Let's focus now on the way the parameters required by the API are passed from user mode to kernel mode, and finally on how control moves back to user mode again.
The first four parameters are passed in rcx, rdx, r8 and r9; the rest are on the stack. Before calling the corresponding system service, the kernel restores all the register arguments and copies the in-memory arguments from user mode into kernel memory, so that the user cannot modify the actual arguments while the call is in progress.
Once the system call is done, KiSystemCall64 restores the registers from the trap frame and executes the SYSRET instruction, which is finally responsible for switching back to user mode.
Again from the Intel manual, below are the steps the processor performs for the SYSCALL/SYSRET pair; the first group is the entry into kernel mode, and the second group is what it does when it sees the SYSRET instruction:
On SYSCALL (entry to kernel mode):
Target code segment — Reads a non-NULL selector from IA32_STAR[47:32].
Target instruction — Reads a 64-bit canonical address from IA32_LSTAR.
Stack segment — Computed by adding 8 to the value in IA32_STAR[47:32].
System flags — The processor sets RFLAGS to the logical-AND of its current value with the complement of the value in the IA32_FMASK MSR.
When SYSRET transfers control to 64-bit mode user code using REX.W, the processor gets the privilege level 3 target instruction and stack pointer from:
Target code segment — Reads a non-NULL selector from IA32_STAR[63:48] + 16.
Target instruction — Copies the value in RCX into RIP.
Stack segment — IA32_STAR[63:48] + 8.
EFLAGS — Loaded from R11.
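As an added illustration (not code from the original post), here is a small C model of the selector, RIP and RFLAGS computations listed above for both SYSCALL and SYSRET. The MSR contents are constructed values in the layout Windows x64 uses (kernel CS 0x10, user selector base 0x23), the IA32_LSTAR value is a placeholder, and is_canonical models the #GP(0) that the real SYSRET raises while still at CPL 0 when RCX is not canonical.

```c
#include <stdint.h>
#include <stdbool.h>
typedef struct {
    uint16_t cs, ss;
    uint64_t rip, rflags, rcx, r11; /* rcx/r11: saved by SYSCALL for SYSRET */
    bool faulted;                   /* SYSRET would raise #GP(0) */
} cpu_state;

/* 48-bit linear address: bits 63:47 must all equal bit 47. */
static bool is_canonical(uint64_t addr)
{
    uint64_t top = addr >> 47;
    return top == 0 || top == 0x1FFFF;
}

/* SYSCALL: CS = STAR[47:32], SS = CS + 8, RIP = LSTAR, RFLAGS &= ~FMASK;
 * the CPU saves the return RIP in RCX and the old RFLAGS in R11. */
static cpu_state do_syscall(uint64_t star, uint64_t lstar, uint64_t fmask,
                            uint64_t rflags, uint64_t return_rip)
{
    cpu_state s = {0};
    s.cs = (uint16_t)((star >> 32) & 0xFFFF);
    s.ss = (uint16_t)(s.cs + 8);
    s.rip = lstar;
    s.rflags = rflags & ~fmask;
    s.rcx = return_rip;
    s.r11 = rflags;
    return s;
}

/* SYSRET (REX.W): CS = STAR[63:48] + 16, SS = STAR[63:48] + 8, RIP = RCX,
 * RFLAGS = R11.  A non-canonical RCX faults with #GP(0) while still at
 * CPL 0, so the kernel must validate the return address first. */
static cpu_state do_sysret(uint64_t star, uint64_t rcx, uint64_t r11)
{
    cpu_state s = {0};
    uint16_t base = (uint16_t)((star >> 48) & 0xFFFF);
    if (!is_canonical(rcx)) { s.faulted = true; return s; }
    s.cs = (uint16_t)(base + 16);
    s.ss = (uint16_t)(base + 8);
    s.rip = rcx;
    s.rflags = r11;
    return s;
}
/* Constructed MSR values in the layout Windows x64 uses (kernel CS 0x10, user
 * selector base 0x23, FMASK clearing TF/IF/DF/NT); LSTAR is a placeholder. */
#define STAR_EXAMPLE  0x0023001000000000ULL
#define LSTAR_EXAMPLE 0xFFFFF80000123456ULL
#define FMASK_EXAMPLE 0x4700ULL
```

With these values a SYSCALL from user RIP 0x7FF612340000 with RFLAGS 0x246 lands at LSTAR with CS 0x10, SS 0x18 and RFLAGS 0x46, and the matching SYSRET returns to CS 0x33, SS 0x2B with the original RIP and RFLAGS restored from RCX and R11.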
With the background from the previous post, the steps above should be easy to follow. I hope this post is helpful to you. Your comments are welcome.