Where is int 0x2e interrupt service routine implemented?

Postby paul » Wed Jul 16, 2008 1:49 am

I have been through some lectures about NT Kernel architecture today.
Stuff like http://en.wikipedia.org/wiki/Architecture_of_Windows_NT.

My lecture has taught me that the point of communication between user-mode programs and kernel-mode programs is through interrupt 0x2e (most normally used through NTDLL.DLL).
This is an undocumented interrupt documented at:
http://www.delorie.com/djgpp/doc/rbinter/id/65/42.html

I have found in reactos code the list of the functions accessible through this in:
http://svn.reactos.org/svn/reactos/trun ... iew=markup
which is indeed the same as the functions documented for the interrupt 0x2e:
http://www.delorie.com/djgpp/doc/rbinter/it/86/25.html

But I'd like to know where the interrupt service routine for int 0x2e is implemented.
I would consider this a nice place to study ReactOS. I have browsed quite a bit through
../reactos/ntoskrnl/ex (Executive) or ../reactos/ntoskrnl/ke but I still have not found it.

Any clue to where the ISR is?

BTW some other page describing how int 0x2e is insecure:
http://insecure.org/sploits/NT.syscalls ... ility.html

Some useless detailed description of how int 0x2e is handled by the CPU:
http://www.codeguru.com/Cpp/W-P/system/ ... php/c8035/

Finally some useful information about it:
http://wwwspies.informatik.tu-muenchen. ... e_api.html
http://www.osronline.com/showThread.cfm?link=20626
paul
 
Posts: 33
Joined: Tue Jul 10, 2007 5:58 am

Re: Where is int 0x2e interrupt service routine implemented?

Postby hto » Wed Jul 16, 2008 6:18 am

Hi,

Look at this file, function KiSystemService. KiFastCallEntry is used instead on modern machines which support the sysenter feature.

See also NTDLL functions KiIntSystemCall and KiFastSystemCall.

EDIT:

paul wrote: I have browsed quite a bit through ../reactos/ntoskrnl/ex (Executive) or ../reactos/ntoskrnl/ke but I still have not found it.


Just grep ntoskrnl sources for "2E", this immediately gives you a string

ke/i386/trap.s:51:idt _KiSystemService,  INT_32_DPL3  /* INT 2E: System Call Service Handler  */
hto
 
Posts: 1521
Joined: Sun Oct 01, 2006 3:43 pm

Re: Where is int 0x2e interrupt service routine implemented?

Postby Alex_Ionescu » Wed Jul 16, 2008 7:56 am

Apart from being utterly wrong about how Windows/ReactOS does system calls on any machine newer than a Pentium 166MHz and giving links to outdated (1997), specific bugs in NT 4 (and then saying the whole "interface" is 'insecure'), you called the ONLY link that is of -any- value: "useless". Nice work.
Alex_Ionescu
Developer
 
Posts: 33
Joined: Thu Apr 07, 2005 12:49 am

Re: Where is int 0x2e interrupt service routine implemented?

Postby hto » Wed Jul 16, 2008 9:08 am

Alex, why are you so harsh?..
hto
 
Posts: 1521
Joined: Sun Oct 01, 2006 3:43 pm

Re: Where is int 0x2e interrupt service routine implemented?

Postby Z98 » Wed Jul 16, 2008 6:16 pm

He isn't anywhere near harsh. That's how Alex normally behaves. Just take his statements in stride.
Z98
Release Engineer
 
Posts: 1690
Joined: Tue May 02, 2006 8:16 pm

Re: Where is int 0x2e interrupt service routine implemented?

Postby Haos » Wed Jul 16, 2008 6:23 pm

As Alex used to say, NT on en.wiki is helplessly wrong. Windows Internals FTW.
Haos
Test Team
 
Posts: 2193
Joined: Thu Mar 22, 2007 5:42 am

Re: Where is int 0x2e interrupt service routine implemented?

Postby paul » Wed Jul 16, 2008 7:21 pm

Thanks hto for the 2 files you pointed out to me, this really seems to be what I was looking for.

Searching by myself, I was looking more at how the nci tool was building the SSDT table, which does seem relatively complex; I was expecting a static table rather than a generated one.

Well, for someone trying to understand the Windows implementation, the general gate call mechanism was not what I wanted to know. I was more interested in understanding the Shadow thing there. Indeed the 'insecure' part was old, but I guess ReactOS will be/is as insecure as Windows was by 1997. Having good parameter validation just doesn't seem important for now, but later, when the system is complete enough, I guess we will have to test with some 'garbage' values, like the guy was doing to find bugs.
paul
 
Posts: 33
Joined: Tue Jul 10, 2007 5:58 am

Re: Where is int 0x2e interrupt service routine implemented?

Postby hto » Wed Jul 16, 2008 9:38 pm

paul wrote: Thanks hto for the 2 files you pointed out to me, this really seems to be what I was looking for.


Not at all, but you should learn how to find information by yourself.

paul wrote: Indeed the 'insecure' part was old, but I guess ReactOS will be/is as insecure as Windows was by 1997.


Be careful, Alex was the main ReactOS kernel developer!

paul wrote: Having good parameter validation just doesn't seem important for now, but later, when the system is complete enough, I guess we will have to test with some 'garbage' values, like the guy was doing to find bugs.


You're right in part, there are some known places (and probably also some unknown) where kernel's functions do not use SEH, do not check their parameters.
hto
 
Posts: 1521
Joined: Sun Oct 01, 2006 3:43 pm
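
The parameter checking discussed in the posts above, modelled in user space as an added example that is not part of any post and is not ReactOS code: the dispatcher bounds-checks the caller-supplied service number before indexing its table, and the service probes the caller-supplied buffer range before touching it. All names, the status values and the 4 KiB "user space" are assumptions made for the illustration.

```c
/* Added example: user-space model of system service dispatch.
   All names are hypothetical; this is not ReactOS code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STATUS_SUCCESS           0
#define STATUS_INVALID_SERVICE  (-1)
#define STATUS_ACCESS_VIOLATION (-2)

/* Constructed model: "user" addresses are offsets 0..USER_SIZE-1 into
   user_mem; anything above stands in for kernel address space. */
#define USER_SIZE 4096u
static unsigned char user_mem[USER_SIZE];

/* Overflow-safe probe: [addr, addr+len) must lie entirely in user space.
   A naive "addr + len <= USER_SIZE" wraps for a large len and would pass. */
static int probe_user(uint32_t addr, uint32_t len)
{
    return len <= USER_SIZE && addr <= USER_SIZE - len;
}

typedef int (*service_fn)(const uint32_t *args);

/* Service 0: fill a caller-supplied buffer (args: address, length). */
static int svc_fill(const uint32_t *args)
{
    if (!probe_user(args[0], args[1]))
        return STATUS_ACCESS_VIOLATION;   /* reject before touching memory */
    memset(&user_mem[args[0]], 0xAA, args[1]);
    return STATUS_SUCCESS;
}

static const service_fn service_table[] = { svc_fill };
#define SERVICE_COUNT (sizeof service_table / sizeof service_table[0])

/* Dispatcher: the service number comes from the caller, so it is
   bounds-checked before it indexes the table. */
int model_syscall(uint32_t index, uint32_t a0, uint32_t a1)
{
    uint32_t args[2] = { a0, a1 };
    if (index >= SERVICE_COUNT)
        return STATUS_INVALID_SERVICE;
    return service_table[index](args);
}

int main(void)
{
    printf("valid call:      %d\n", model_syscall(0, 16, 8));
    printf("bad index:       %d\n", model_syscall(0x2e, 16, 8));
    printf("wrapping length: %d\n", model_syscall(0, 4090, 0xFFFFFFFFu));
    return 0;
}
```

Feeding the dispatcher out-of-range indexes, addresses and lengths is the 'garbage' value testing mentioned in the thread; every such call here returns an error status without touching memory.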

Re: Where is int 0x2e interrupt service routine implemented?

Postby Haos » Thu Jul 17, 2008 11:32 am

paul wrote: Indeed the 'insecure' part was old, but I guess ReactOS will be/is as insecure as Windows was by 1997.


ReactOS will be as secure as Windows 2003. That means - REALLY SECURE.
Haos
Test Team
 
Posts: 2193
Joined: Thu Mar 22, 2007 5:42 am

