A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #10071  by _Lynn
 Fri Dec 02, 2011 8:40 am
On Windows 7 x64, during a system service dispatch from a user thread, is there an IDT entry for this operation (opcodes 0x0f05)? Or does it just go directly to the relative address in the global system service table?


edit -

After doing some more research, I'm just looking for the starting point, literally right after the syscall operation. I know if I were using an x86 machine I would be interested in vector 2e, but I am a little confused about x64.

thanks gents :D
 #10079  by _Lynn
 Fri Dec 02, 2011 10:45 pm
OK, so I've realized it just starts at KiFastSystemCall; however, with W7 x64 the WinDbg command rdmsr 176 (where the pointer should be for this function) is null. Any ideas?

i.e.

kd> RDMSR 176
[msr] 176 00000000'00000000

Thanks!
 #10089  by EP_X0FF
 Sat Dec 03, 2011 10:21 am
x64 Windows uses MSR LSTAR (Long System Target-Address Register). During boot, the x64 kernel initializes this MSR to KiSystemCall64. See the AMD manual http://www.weblearn.hs-bremen.de/risse/ ... 6amd64.pdf, page 62. Previously it was somewhere on the AMD site, but now it has moved somewhere else.

So in kd type rdmsr 0xC0000082

Next, KiSystemCall64 performs thread checking and conversion into a GUI thread if needed (well, you can read this from the disassembly yourself), etc. etc., and executes the requested service.

Then, if you look at the Zw services exported by the kernel, you will find that they are actually stubs calling KiServiceInternal. As in the case of x86, such a routine sets the previous mode to KernelMode and transfers control into the middle of KiSystemCall64, to KiSystemServiceStart.
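One way to automate the check EP_X0FF describes, as an added example and not code from the thread: a small WinDbg JavaScript extension (load with .scriptload, run with .scriptrun) that issues rdmsr 0xC0000082, reads the ntoskrnl image range from lm m nt, and reports whether LSTAR still points inside nt. Since the kernel initializes LSTAR to KiSystemCall64, a value outside the nt image means something has redirected the x64 syscall entry point. The host.* calls are the JsProvider APIs as I know them and are assumed to be available in a kernel-mode session; the two rdmsr output layouts and the lm layout handled by the parsers are assumptions too, and the sample lines in the comments are constructed.

```javascript
"use strict";
// Added example (not from the thread): check that MSR_LSTAR (0xC0000082) still
// points into ntoskrnl, i.e. at KiSystemCall64's image, from inside WinDbg.
// Assumed JsProvider APIs: host.namespace.Debugger.Utility.Control.ExecuteCommand
// (returns an iterable of output lines) and host.diagnostics.debugLog.

const MSR_LSTAR = "c0000082";

// Normalise "fffff800`03e8e1c0", "fffff800'03e8e1c0" or "fffff80003e8e1c0" to a
// 16-digit lowercase hex string. Equal-length hex strings compare correctly as
// unsigned numbers, so no BigInt is needed (kernel addresses exceed 2^53).
function normHex(s) {
    return s.replace(/[`']/g, "").toLowerCase().padStart(16, "0");
}

// Parse one rdmsr output line. Handles the older layout seen in the thread,
// "[msr] c0000082 fffff800'03e8e1c0", and the newer
// "msr[c0000082] = fffff800`03e8e1c0" (both constructed here as assumptions).
// Returns null for lines that carry no 64-bit value.
function parseRdmsr(line) {
    const m = /([0-9a-f]{8}[`']?[0-9a-f]{8})\s*$/i.exec(line);
    return m ? normHex(m[1]) : null;
}

// Parse "lm m nt" output lines into the kernel image range {start, end}, or
// null when no "start end nt" row is present.
function parseLm(lines) {
    const re = /^\s*([0-9a-f]{8}[`']?[0-9a-f]{8})\s+([0-9a-f]{8}[`']?[0-9a-f]{8})\s+nt\b/i;
    for (const line of lines) {
        const m = re.exec(line);
        if (m) return { start: normHex(m[1]), end: normHex(m[2]) };
    }
    return null;
}

// [start, end) containment on normalised hex strings.
function inRange(addr, start, end) {
    return addr >= start && addr < end;
}

// Verdict for a LSTAR value: "unset" (all zero, like the rdmsr 176 read in the
// thread), "ok" (inside the nt image), or "hooked" (anywhere else).
function checkLstar(lstar, nt) {
    if (/^0+$/.test(lstar)) return "unset";
    return inRange(lstar, nt.start, nt.end) ? "ok" : "hooked";
}

// Entry point WinDbg calls on .scriptrun: run both commands and report.
function invokeScript() {
    const ctl = host.namespace.Debugger.Utility.Control;
    const log = host.diagnostics.debugLog;
    let lstar = null;
    for (const line of ctl.ExecuteCommand("rdmsr 0x" + MSR_LSTAR)) {
        lstar = parseRdmsr(line);
        if (lstar !== null) break;
    }
    const nt = parseLm(ctl.ExecuteCommand("lm m nt"));
    if (lstar === null || nt === null) {
        log("could not parse rdmsr or lm output\n");
        return;
    }
    log("MSR_LSTAR = " + lstar + "  nt = " + nt.start + "-" + nt.end +
        "  verdict: " + checkLstar(lstar, nt) + "\n");
}
```

The parsing and comparison helpers are pure, so they can be exercised outside WinDbg; only invokeScript touches the debugger. Comparing zero-padded hex strings instead of numbers is deliberate: it avoids precision loss on 64-bit kernel addresses and works on JS engines without BigInt. A "hooked" verdict is only a starting point; follow the LSTAR value with u or ln to see which module owns it.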
 #10113  by _Lynn
 Sat Dec 03, 2011 10:27 pm
Thank you EP_X0FF. Spent a lot of time looking for this over the past week; can't believe I didn't think to look there. Just paged through Windows Internals 5th edition and the Intel manuals, but the best I could come up with was index 176.

thanks much for the help ^.^