Phenom Tlb Patch Disable
Alex Ionescu's Blog.

Introduction

A few months ago, as part of looking through the changes in Windows 10 Anniversary Update for the Windows Internals 7th Edition book, I noticed that the kernel began enforcing usage of the CR4.FSGSBASE feature (introduced in Intel Ivy Bridge processors; see Section 4 of the AMD Manuals) in order to allow usage of User Mode Scheduling (UMS). This led me to further analyze how UMS worked before this processor feature was added, something which I knew a little bit about, but not enough to write on.

What I discovered completely changed my understanding of 64-bit Long Mode semantics and challenged many assumptions I was making; pinging a few other experts, it seems they were as equally surprised as I was (even Mateusz "j00ru" Jurczyk wasn't aware). Throughout this blog post, you'll see how x64 processors:

- Still support the usage of a Local Descriptor Table (LDT).
- Still support the usage of Call Gates, using a new descriptor format.
- Still support descriptor-table-based (GDT/LDT) segmentation using the FS/GS segments, ignoring the new MSR-based mechanism that was intended to replace it.

Plus, we'll see how x64 Windows still allows user-mode applications to create an LDT, with specific limitations. At the end of the day, we'll show that j00ru and Gynvael Coldwind's amazing paper on abusing Descriptor Tables is still relevant, even on x64 Windows 10 Anniversary Update. As such, reading that paper should be considered a prerequisite to this post.

Please take into consideration that all these techniques no longer work on Anniversary Update systems or later, nor will they work on Intel Ivy Bridge processors or later, which is why I am presenting them now. Additionally, there is no vulnerability or zero-day presented here, so there is no cause for alarm. This is simply an interesting combination of CPU, System, and OS Internals, which on older systems could have been used as a way to gain code execution in Ring 0, in the presence of an already existing vulnerability.

Some history

After the release of the 6th Edition of the book, which covered Windows 7, it's fair to say that I was pretty burned out. The book incurred heavy.

A brief primer on User Mode Scheduling

UMS efficiently allows user-mode processes to switch between multiple user threads without involving the kernel, an extension and large improvement of the older fiber mechanism. A number of videos on Channel 9 explain how this is done, as does the patent. One of the key issues that arises when trying to switch between threads without involving the kernel is the per-thread segment register that is used on x86 and x64 to locate the TEB. On x86 systems, the FS segment is used, leveraging an entry in the GDT (KGDT_R3_TEB), and on x64 systems the GS segment is used, leveraging the two Model Specific Registers (MSRs) that AMD implemented: MSR_GS_BASE and MSR_KERNEL_GS_SWAP. Because UMS would now need to allow switching the base address of this per-thread register from user mode (as involving a kernel transition would defy the whole point), two problems exist. On x86 systems, each UMS thread would need its own descriptor for the FS segment, carrying that thread's base address. But doing so in the GDT would limit the number of UMS threads available on the system (plus cause performance degradation if multiple processes use UMS), while doing so in the LDT would clash with the existing usage of the LDT in the system, such as NTVDM. On x64 systems, modifying the base address of the GS segment requires modifying the aforementioned MSRs, which is a Ring 0 operation. It is worth bringing up the fact that fibers never solved this problem, instead having all fibers share a single thread and TEB. But the whole point of UMS is to provide true thread isolation.

So, what can Windows do? Well, it turns out that a close reading of the AMD Manuals (Section 4) turns up two statements:

- Segmentation is disabled in 64-bit mode.
- Data segments referenced by the FS and GS segment registers receive special treatment in 64-bit mode. For these segments, the base address field is not ignored, and a non-zero value can be used in virtual address calculations.

I can't begin to count how many times I've heard, seen, and myself repeated the first bullet. But the second bullet, that FS/GS can still be used with a data segment even in 64-bit mode, was a surprise to me. This literally brought back memories of Unreal Mode. Clearly, though, Microsoft was paying attention (did they request this?). As you can probably now guess, UMS leverages this particular feature, which is why it is only available on x64 Windows. As a matter of fact, the kernel creates a Local Descriptor Table as soon as one UMS thread is present in the process. This was my second surprise, as I had no idea LDTs were still something supported when executing native 64-bit code. But they still are, and so setting the Table Indicator (TI) bit (0x4) in a selector causes the processor to read LDTR to recover the LDT base address and dereference the segment indicated by the other (index) bits. Let's see how we can get our own LDT for a process.

Local Descriptor Table on x64

Unlike the x86 NtSetLdtEntries API and the ProcessLdtInformation information class, the x64 Windows kernel does not provide a mechanism for arbitrary user-mode applications to create an LDT. In fact, these APIs all return STATUS_NOT_SUPPORTED. That being said, by calling the user-mode API EnterUmsSchedulingMode, which basically calls NtSetInformationThread with the ThreadUmsInformation class, the kernel will go through the creation of an LDT (KeInitializeProcessLdt). This, in turn, will populate the following fields in KPROCESS:

- LdtFreeSelectorHint, which indicates the first free selector index in the LDT.
- LdtTableLength, which stores the total number of LDT entries (this is hardcoded to 8K entries, since a full-size 64KB LDT is allocated).
- LdtSystemDescriptor, which stores the LDT entry that will be stored in the GDT.
- LdtBaseAddress, which stores a pointer to the LDT of this process.
- LdtProcessLock, which is a FAST_MUTEX used to synchronize changes to the LDT.

Finally, a DPC is sent to all processors which loads the LDT on each of them. This is done by reading the KPROCESS LdtSystemDescriptor and writing it into the GDT at a fixed offset (one offset on Windows 10, a different one on Windows 8.1; bonus round: we'll see why there's a difference a bit later). Then, the LLDT instruction is used, and the selector is stored in the KPRCB LdtSelector field.

At this point, the process has an LDT. The next step is to fill it out. The function now reads the address of the TEB. If the TEB happens to fall within the 32-bit address range (below 4GB), it is set as the base address of a new segment in the LDT, using LdtFreeSelectorHint to choose which selector. In this case, the TebMappedLowVa field in KTHREAD replicates the real TEB address. On the other hand, if the TEB address is above 4GB, Windows 8.1 and earlier will transform the private allocation holding the TEB into a shared mapping (using a prototype PTE) and re-allocate a second copy at the first available top-down address, which would usually be 0xFFFFE000. Then, TebMappedLowVa will hold this re-mapped address below 4GB. Additionally, the VAD, which remains private (and thus will not show up as a truly shared allocation), will be marked as NoChange, and further will have the VadFlags.Teb field set to indicate it is a special allocation. This prevents any changes from being made to this address through calls such as VirtualProtect.

Why this 4GB limitation and re-mapping? How does an LDT help here? Well, it turns out that the AMD64 mov gs, XXX and pop gs instructions:

- Wipe the upper 32 bits of the GS base address shadow register.
- Load the lower 32 bits of the GS base address shadow register with the contents of the descriptor table entry at the given selector.
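As an added illustration (not code from the original post or from Windows), the following C model ties together the selector TI-bit lookup described earlier and the GS-load rule just stated: a legacy data descriptor can only carry a 32-bit base, and a segment-register load replaces the whole 64-bit GS base with that zero-extended value, which is exactly why the kernel must keep (or re-map) the TEB below 4GB. The two-entry tables, the slot choice and the sample TEB addresses are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Selector layout: index in bits 3..15, Table Indicator (TI) in bit 2, RPL in bits 0..1. */
#define SEL_TI 0x4u
static uint16_t make_selector(uint16_t index, bool use_ldt, uint8_t rpl) {
    return (uint16_t)((index << 3) | (use_ldt ? SEL_TI : 0) | (rpl & 3));
}
static bool     selector_uses_ldt(uint16_t sel) { return (sel & SEL_TI) != 0; }
static uint16_t selector_index(uint16_t sel)    { return sel >> 3; }

/* Legacy 8-byte data descriptor: the base field is only 32 bits wide. */
typedef struct {
    uint16_t limit_low, base_low;
    uint8_t  base_mid, access, flags_limit_hi, base_high;
} descriptor_t;

static descriptor_t make_data_descriptor(uint32_t base, uint32_t limit) {
    descriptor_t d = {0};
    d.limit_low = (uint16_t)limit;
    d.base_low  = (uint16_t)base;
    d.base_mid  = (uint8_t)(base >> 16);
    d.access    = 0xF2;                                          /* P=1, DPL=3, S=1, data R/W */
    d.flags_limit_hi = (uint8_t)(((limit >> 16) & 0xF) | 0xC0);  /* G=1, D/B=1 */
    d.base_high = (uint8_t)(base >> 24);
    return d;
}
static uint32_t descriptor_base(const descriptor_t *d) {
    return d->base_low | ((uint32_t)d->base_mid << 16) | ((uint32_t)d->base_high << 24);
}

/* Model of "mov gs, sel" in long mode: pick GDT or LDT by TI, then apply the AMD64
 * rule: the upper 32 bits of the GS base are wiped and the lower 32 bits come from
 * the descriptor, so whatever base was previously written via MSR does not survive. */
static uint64_t gs_base_after_load(uint64_t old_gs_base, uint16_t sel,
                                   const descriptor_t *gdt, const descriptor_t *ldt) {
    (void)old_gs_base;  /* discarded entirely by the load */
    const descriptor_t *table = selector_uses_ldt(sel) ? ldt : gdt;
    return (uint64_t)descriptor_base(&table[selector_index(sel)]);
}

/* Constructed walk-through of the kernel's decision for one TEB address: a TEB above
 * 4GB cannot be expressed by a descriptor at all, so return 0 to mean "must be
 * re-mapped below 4GB first"; otherwise install it in LDT slot 1 (slot 0 is the null
 * descriptor) and report the GS base a load through that selector would yield. */
static uint64_t teb_via_ldt(uint64_t teb, uint64_t old_gs_base) {
    if (teb > 0xFFFFFFFFull) return 0;
    descriptor_t gdt[2] = {{0}}, ldt[2] = {{0}};
    ldt[1] = make_data_descriptor((uint32_t)teb, 0xFFFFF);
    return gs_base_after_load(old_gs_base, make_selector(1, true, 3), gdt, ldt);
}
```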