We should all understand what IRQL levels are and the differences between Kernel-Mode and User-Mode. The general nature of this bugcheck indicates that a thread has returned to User-Mode from Kernel-Mode at an IRQL level greater than Level 0 or PASSIVE_LEVEL. All User-Mode code runs at IRQL Level 0.
System Service Calls are interrupts, and are handled by the System Service Dispatcher. We can view the IDT, and see which interrupt vector the System Service Dispatcher is stored at.
You could also use rdmsr (read Model Specific Register) with the address of 176 to view the sysenter instruction handler, which is used on modern processors. The IDT is kept more for backwards compatibility with older processors. The sysenter instruction is executed to transition into Kernel-Mode. The sysexit instruction is used to exit Kernel-Mode and return to User-Mode. In some circumstances, such as when the Single Step (or Trap) flag has been enabled, the iretd (Interrupt Return) instruction may be used instead.
In this instance, the flag is disabled and not set:
The Trap flag causes the processor to execute one instruction and then stop. This can cause a crash if used with the sysexit instruction.
Check Volume 3 Chapter 35 in the Intel Developer's Manual for more information about MSRs.
The syscall and sysret instructions are used to call and return from System Calls stored within the System Call Descriptor Table. The System Call Number, which is used to look up the entry in the SSDT and execute the System Call routine, is stored within the eax register. The parameters of the call are copied onto the Kernel Stack of the thread to prevent modification from User-Mode while the call runs.
We can view the SSDT here:
On x86 systems, these structures can be hooked and patched.
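To make the invariant behind this bugcheck concrete, here is a small model of the dispatch path described above, written as an added example rather than code from the original post or from Windows itself: the number in eax indexes a table of services, the arguments are copied onto a kernel stack before the service runs, and the dispatcher checks that IRQL is back at PASSIVE_LEVEL before it would return to User-Mode. Everything here is a stand-in (the `model_raise_irql`/`model_lower_irql` helpers, the two sample services, the `dispatch_status` codes and the argument values are all constructed for the example); a real kernel bugchecks at the point where this model reports DISPATCH_IRQL_GT_ZERO.

```c
#include <stdio.h>
#include <stddef.h>

/* Simulated IRQL levels; User-Mode always runs at PASSIVE_LEVEL (0). */
typedef unsigned char KIRQL;
#define PASSIVE_LEVEL  0
#define APC_LEVEL      1
#define DISPATCH_LEVEL 2

/* Model of the processor's current IRQL (real kernels keep this per CPU). */
static KIRQL current_irql = PASSIVE_LEVEL;

/* Hypothetical stand-ins for KeRaiseIrql / KeLowerIrql. */
static void model_raise_irql(KIRQL new_irql, KIRQL *old_irql) {
    *old_irql = current_irql;
    if (new_irql > current_irql) current_irql = new_irql;
}
static void model_lower_irql(KIRQL old_irql) {
    current_irql = old_irql;
}

/* A system service reads its arguments from the copy on the kernel stack;
   the model passes that copy as an array so the service never touches
   user memory directly. */
typedef long (*SYSTEM_SERVICE)(const long *kernel_stack_args);

/* Well-behaved service: raises IRQL for a critical section and lowers it
   again before returning to the dispatcher. */
static long svc_balanced(const long *args) {
    KIRQL old;
    model_raise_irql(DISPATCH_LEVEL, &old);
    long result = args[0] + args[1];   /* placeholder work at DISPATCH_LEVEL */
    model_lower_irql(old);
    return result;
}

/* Defective service: raises IRQL and never lowers it, which is the
   condition behind the bugcheck discussed in the post. */
static long svc_leaks_irql(const long *args) {
    KIRQL old;
    model_raise_irql(APC_LEVEL, &old);
    return args[0] * 2;                /* returns with IRQL still at APC_LEVEL */
}

/* Model of the SSDT: the system call number in eax indexes this table. */
static const SYSTEM_SERVICE service_table[] = { svc_balanced, svc_leaks_irql };
#define SERVICE_COUNT (sizeof service_table / sizeof service_table[0])

/* Outcome of one dispatched call, as seen by the model dispatcher. */
enum dispatch_status { DISPATCH_OK, DISPATCH_BAD_INDEX, DISPATCH_IRQL_GT_ZERO };

/* Model of the system service dispatcher: bounds-checks the index in eax,
   copies the user arguments to the kernel stack, calls the service, and
   verifies IRQL is back at PASSIVE_LEVEL before "returning to User-Mode". */
static enum dispatch_status dispatch_system_service(unsigned eax,
                                                    const long *user_args,
                                                    size_t nargs,
                                                    long *result) {
    if (eax >= SERVICE_COUNT) return DISPATCH_BAD_INDEX;

    long kernel_stack[8] = {0};        /* arguments copied out of user memory */
    for (size_t i = 0; i < nargs && i < 8; i++) kernel_stack[i] = user_args[i];

    current_irql = PASSIVE_LEVEL;      /* entry from User-Mode is always level 0 */
    *result = service_table[eax](kernel_stack);

    if (current_irql != PASSIVE_LEVEL) {
        /* Reset the model so later calls start clean; a real kernel cannot. */
        KIRQL leaked = current_irql;
        current_irql = PASSIVE_LEVEL;
        fprintf(stderr, "service %u returned at IRQL %u (expected 0)\n", eax, leaked);
        return DISPATCH_IRQL_GT_ZERO;
    }
    return DISPATCH_OK;
}

/* Convenience wrappers with constructed sample arguments (40, 2). */
static int status_of(unsigned eax) {
    long a[2] = {40, 2}, out = 0;
    return (int)dispatch_system_service(eax, a, 2, &out);
}
static long result_of(unsigned eax) {
    long a[2] = {40, 2}, out = 0;
    dispatch_system_service(eax, a, 2, &out);
    return out;
}

int main(void) {
    printf("svc 0 -> status %d, result %ld\n", status_of(0), result_of(0));
    printf("svc 1 -> status %d, result %ld\n", status_of(1), result_of(1));
    printf("svc 9 -> status %d\n", status_of(9));
    return 0;
}
```

Service 0 completes normally, service 1 produces a result but trips the IRQL check (the situation this bugcheck reports), and index 9 is rejected before any lookup, which is the bounds check a dispatcher needs so a bad eax value cannot index past the table.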
I also went and checked the last process, which seems to point to Bitdefender. I've seen Bitdefender directly cause a bugcheck like this before.
Additional Reading:
User-Mode Interactions: Guidelines for Kernel Mode Drivers
Hooking Shadow SSDT on Windows 7