WINDBG II

 

lkd> !cpuinfo

CP  F/M/S Manufacturer  MHz PRCB Signature    MSR 8B Signature Features

0        6,13,6 GenuineIntel  598 0000001700000000  0000001700000000 80033fff

 

The extension  cpuinfo gives us more information about the cpu. The features field 80033fff gives us more details about the cpu we are using. The 11^th bit is called the SEP bit which if 1 tells us whether the cpu supports the sysenter instructions. The cpu may support sysenter but the os must take advantage of this support. In our case the 11 bit is on as the third nibble is f.

 

lkd> rdmsr 174

msr[174] = 00000000`00000008

lkd> rdmsr 175

msr[175] = 00000000`f78b3000

lkd> rdmsr 176

msr[176] = 00000000`804de6f0

 

The rdmsr instruction reads the value of a model specific register. The address 174 is for the code segment value SYSENTER_CS_MSR which in our case is selector 8. When we look at the entry 1 in the GDT this will give us details of the code segment which contains the first function to be called in ring 0 KiFastCallEntry. The address 176 tells us the address of the kiFastCallEntry which is 804de6f0.

 

lkd> u 804de6f0

nt!KiFastCallEntry:

804de6f0 b923000000       mov     ecx,0x23

804de6f5 6a30             push    0x30

 

The u command just confirmed our suspicions.

 

The selector 8 we get by running the command gdt in soft ice. We are told that the type is Code32, the base is 00000000 and the limit is fffffff. The DPL is 0 of this selector 8.