[protection mode] segment descriptor
2022-06-30 01:51:00 【One bite of an orange】
Segment descriptor
If there are mistakes in the text, please correct me.
1. Segment selector
First, let's look at how a segment selector is composed.
The figure is taken from the Intel three-volume white paper, Vol. 3A 3-7.
index: an index into the GDT, and what the GDT stores is the segment descriptor we want to look at (the LDT is not used here). How to use the index to look up the GDT is shown at the end.
The original text says: this is an index into the GDT or LDT (the base address of the GDT is stored in the GDTR register, the base address of the LDT in the LDTR register).
TI (table indicator) flag: as shown in the figure, when TI == 0 the segment descriptor is looked up in the GDT; when TI == 1 it is looked up in the LDT (on Windows, TI is always 0).
RPL (requested privilege level): the requested privilege level, explained together with DPL below.
How is a segment selector split into its fields?
Example 1: 0x0023 = 0000 0000 0010 0011 B; split it as 0000 0000 0010 0 | 0 | 11, so index = 100 B = 4, TI = 0, RPL = 11 B = 3
Example 2: 0x0008 = 0000 0000 0000 1000 B; index = 1, TI = 0, RPL = 0
Example 3: 0x002B = 0000 0000 0010 1011 B; index = 5, TI = 0, RPL = 3
2. Segment descriptor
The figure is taken from the Intel three-volume white paper, Vol. 3A 3-10.
The hidden part of a segment register holds the fields read from the descriptor:
Segment register {
    WORD selector;
    WORD attribute;
    DWORD base;
    DWORD limit;
}
- Base Address: 32 bits in total, stored directly in the Base field of the segment register
- Segment Limit: bits 16 - 19 + bits 0 - 15, so it can express 0x0 - 0xFFFFF (20 bits in total; how the 20-bit Segment Limit fills the 32-bit Limit depends on the G bit, see below)
- P (segment-present): whether this descriptor is valid; P == 1 valid, P == 0 invalid
- G (granularity): used to fill the 32-bit Limit. When G == 1, Limit = (Segment Limit << 0xC) + 0xFFF; when G == 0, Limit = 0x0 + Segment Limit. How to fill the hidden part of the segment register is shown at the end.
For example:
- G = 1, Segment Limit = 0x12345
  Limit = (Segment Limit << 0xC) + 0xFFF = (0x12345 << 0xC) + 0xFFF = 0x12345FFF
- G = 0, Segment Limit = 0x12345
  Limit = 0x00000000 + Segment Limit = 0x00000000 + 0x12345 = 0x00012345
- type: its meaning depends on S, below
- S (descriptor type): whether this is a system segment descriptor
  - When S == 1, this is a code segment or data segment descriptor
    - When bit 11 == 0, it is a data segment descriptor
      - (bit 8) A == 0: not yet accessed; A == 1: accessed
      - (bit 9) W == 0: not writable; W == 1: writable
      - (bit 10) E == 0: expand up; E == 1: expand down
    - When bit 11 == 1, it is a code segment descriptor
      - (bit 8) A: same as above
      - (bit 9) R == 0: not readable; R == 1: readable
      - (bit 10) E == 0: conforming code segment; E == 1: non-conforming code segment
  - When S == 0, this is a system segment descriptor
The figure is taken from the Intel white paper, Vol. 3A 3-12 (I didn't use that one; it is the one in my book, but the picture is not very intuitive, so I prefer the one above).
- D/B bit
  - Effect on the CS segment
    - D/B == 0: default 16-bit addressing
    - D/B == 1: default 32-bit addressing
  - Effect on the SS segment
    - D/B == 0: implicit stack accesses use the 32-bit stack pointer register ESP
    - D/B == 1: implicit stack accesses use the 16-bit stack pointer register SP
  - Effect on expand-down data segments
    - D/B == 0: the expand-down range is the 0 - 4G space excluding Limit
    - D/B == 1: the expand-down range is the 0 - 64K space excluding Limit
- DPL (descriptor privilege level): the privilege level required to access this segment
Note: CPL (current privilege level) is the current privilege level (the low 2 bits of the CS register are the CPL; for example, if CS currently holds 0x1B = 0001 1011 B, then CPL = 3).
mov ax, 0x000B // 0000 0000 0000 1011, RPL = 3
mov ds, ax     // the segment descriptor that ax points to has DPL = 0
The larger the value, the lower the privilege. Windows uses ring 0 and ring 3: ring 0 is the system layer, ring 3 the user layer.
The instruction executes normally if and only if CPL <= DPL && RPL <= DPL; in other words, low privilege cannot access high privilege.
AVL: available and reserved bit (simply put, a reserved bit, usually set to 0).
The white paper says: "Bit 20 of the second doubleword of the segment descriptor is available for use by system software."
L: used by the 64-bit extension. In compatibility mode (32-bit programs) it is 0; when L is 1, D must be 0 (if interested, see the white paper Vol. 3A 3-13).
Notes:
Using the segment selector index
- Start the virtual machine and debug it with windbg
- Once at the desktop, click the Break button to pause execution
- Enter the command dq gdtr L20, where dq displays memory starting at the address in gdtr, 20 entries of 8 bytes each
Similarly, we can type r gdtr to check the value in the gdtr register; this value points to the GDT, so dq 0x8003f000 also shows the GDT (alongside dq, the dd and db commands query by dword and by byte).
- We take the segment selector 0x2B as a demonstration: 0x2B = 00101 0 11 B, so index = 5, and we look at the 8 bytes at subscript 5 of the GDT.
Looking up the GDT to fill the segment register
Using index = 5 from above, the descriptor found is 80008b04`200020ab. Then, reading it against the table, fill in (the bytes in brackets are the ones taken):
attribute: 80 [008b] 04`200020ab, so attribute = 008b
base: [80] 008b [04`2000] 20ab, so base = 80042000
limit: 80 0[0] 8b04`2000 [20ab], so limit = 000 020ab (G = 0)
index = 2: 00cf9300`0000ffff
attribute: cf93, base: 00000000, limit: fffff fff (G = 1)
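As an added example (not code from the original post), here is a small C decoder that splits a selector into index/TI/RPL, unpacks an 8-byte GDT entry into the hidden part of the segment register using the G rule above, and applies the CPL <= DPL && RPL <= DPL rule when loading a data segment. The function and type names, the use of the low 2 bits of CS as CPL, and the GDT snapshot passed in are assumptions; the two descriptor values are the ones read with dq gdtr above.

```c
#include <stdint.h>

/* A 16-bit selector: index (bits 15..3), TI (bit 2), RPL (bits 1..0). */
typedef struct { uint16_t index; uint8_t ti; uint8_t rpl; } selector_t;

/* Hidden part of a segment register, in the layout the text uses. */
typedef struct {
    uint16_t attribute;           /* descriptor bits 55..40 */
    uint32_t base;
    uint32_t limit;               /* 32-bit limit after the G fix-up */
    uint8_t  g, p, dpl, s, type;
} segreg_t;

selector_t parse_selector(uint16_t sel) {
    selector_t r = { (uint16_t)(sel >> 3), (uint8_t)((sel >> 2) & 1), (uint8_t)(sel & 3) };
    return r;
}

/* Decode one 8-byte GDT entry exactly as "dq gdtr" prints it. */
segreg_t parse_descriptor(uint64_t d) {
    segreg_t r;
    uint32_t seg_limit = (uint32_t)(d & 0xFFFF)             /* limit bits 15..0  */
                       | (uint32_t)((d >> 48) & 0xF) << 16; /* limit bits 19..16 */
    r.base = (uint32_t)((d >> 16) & 0xFFFFFF)               /* base bits 23..0   */
           | (uint32_t)((d >> 56) & 0xFF) << 24;            /* base bits 31..24  */
    r.attribute = (uint16_t)((d >> 40) & 0xFFFF);
    r.type = (uint8_t)((d >> 40) & 0xF);
    r.s    = (uint8_t)((d >> 44) & 1);
    r.dpl  = (uint8_t)((d >> 45) & 3);
    r.p    = (uint8_t)((d >> 47) & 1);
    r.g    = (uint8_t)((d >> 55) & 1);
    /* G == 1: shift the 20-bit Segment Limit by 0xC and fill the low bits with 0xFFF. */
    r.limit = r.g ? (seg_limit << 12) | 0xFFF : seg_limit;
    return r;
}

/* Emulate loading a data segment register from a GDT snapshot (constructed by the
   caller): the selector must stay inside the table, the descriptor must be present
   (P == 1) and be a code/data descriptor (S == 1), and the text's rule
   CPL <= DPL && RPL <= DPL must hold. Returns 1 and fills *out on success, else 0. */
int load_data_segment(const uint64_t *gdt, unsigned entries, uint16_t cs, uint16_t sel, segreg_t *out) {
    selector_t s = parse_selector(sel);
    uint8_t cpl = cs & 3;                                /* CPL = low 2 bits of CS */
    if (s.ti != 0 || s.index >= entries) return 0;       /* no LDT here, as on Windows */
    *out = parse_descriptor(gdt[s.index]);
    if (!out->p || !out->s || cpl > out->dpl || s.rpl > out->dpl) return 0;
    return 1;
}
```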
Expand up and expand down
[Figure from the courseware, reproduced here: expand-up segment on the left, expand-down segment on the right]
- The left side of the figure is expand up: only the red part, the range within Limit, is accessible
- The right side of the figure is expand down: again only the red part is accessible, which means the addresses within Limit cannot be accessed while all other addresses can; it is equivalent to the inverse of the Limit range being valid
Conforming and non-conforming code segments
- Conforming code segments: a lower privilege level can directly access a higher-level code segment, for example ring 3 directly accessing a conforming code segment in ring 0; but a higher privilege level is not allowed to access a lower one
  Condition: CPL >= DPL
- Non-conforming code segments: must be at the same privilege level to access
  Condition: CPL == DPL && RPL <= DPL
Implicit stack access
When push, pop, call and similar operations are used, registers are modified. For example, push eax is equivalent to sub esp, 4 followed by mov [esp], eax, where esp is not written explicitly.