In IA-32 assembly language, can IDTR, GDTR or LDTR be modified or 'loaded' without the LIDT, LGDT and LLDT instructions?

In IA-32 assembly language, can IDTR, GDTR or LDTR be modified/'loaded' without the LIDT, LGDT and LLDT instructions?

Also, is there a complete list of instructions that can be used to modify other registers? I need to know which instructions could be used to modify CR3, and which instructions could be used to modify ECX.

I am new to IA-32 assembly. I am aware of MOV, ADD, SUB, etc., however it would need to be a complete list and I believe there are probably a whole lot of instructions which could potentially be used to modify these registers.

Thanks! :)

Edit: The reason I want to know is because I am considering whether monitoring an instruction trace (using hardware debugging) of executed instructions is a feasible method of detecting - in an external 'integrity monitoring' machine - any malicious rootkits which alter the addresses in these registers to perform what is known as an Address Translation Redirection Attack (ATRA). Therefore, I am trying to determine whether it is possible to determine a complete list of potential malicious instruction sequences modifying each of these registers.

Best How To :

The IDTR, GDTR or LDTR can be modified by:

LIDT, LGDT and LLDT instructions
entering system management mode, modifying the values in the "state save" area, then leaving system management mode to cause the modified values to be loaded
using hardware virtualisation extensions, where host is able to modify the virtual IDTR, GDTR or LDTR used by guest

Note that this list does not include keeping the IDTR, GDTR or LDTR the same and modifying the data they point to (the IDT, GDT or LDT).

CR3 can be changed by:

mov cr3 instruction
hardware task switch
code running in system management mode
hardware virtualisation extensions (host modifies guest)

ECX can be changed by:

a few hundred different instructions (too many to list)
hardware task switch
code running in system management mode
hardware virtualisation extensions (host modifies guest)

Note that hardware task switching is almost never used and is also no longer supported in long mode; and system management mode is normally completely unusable for software (including software running at CPL=0) and it's only really possible for the system's firmware to use it.

Reserve bytes in stack: x86 Assembly (64 bit)

assembly,x86-64,cpu-registers

Is "$32" means 32 bytes ?($number means constant ?) If yes then how are we allocating 32 bytes on 64 bit register? These 32 bytes are not allocated on 64 bit register. They are allocated on the stack. By lowering the stackpointer (which is in %rsp) the address range...

What does DX + 2 mean in mov ah,9 int 21h?

assembly

When a string is captured from keyboard with int 21h, ah=0Ah, the string has next structure: As you can see, the first two bytes are control, the characters entered by user start at the third byte (byte 2). The last char is chr(13) (ENTER key). To display this captured string...

x86 jmp asterisk %eax

assembly,x86,jmp

jmp *%eax is AT&T syntax for jmp eax, which is one form of jmp r/m32. It will jump to the address contained in register eax: Jump near, absolute indirect, address given in r/m32. Another form of the same type of jump instruction is jmp *(%eax) which corresponds to jmp [eax]...

Visual Studios building and debugging .cpp file without main()

c++,assembly,visual-studio-2013

Your code does have a main function, which is required for it to work. As you said the debugger returned a 'missing executable' error, I'm assuming you didn't compile the code, or if so, got some errors which can be found in the output and error windows. If you're working...

How is a file loaded in the FAT file system?

filesystems,fat32,assembly

There is no simple answer, so I won't delve into it here. You have to peek into the FAT (File Allocation Table) structures on the disk: https://en.wikipedia.org/wiki/Design_of_the_FAT_file_system More, Reference: https://en.wikipedia.org/wiki/File_Allocation_Table...

assembly function with C segfault

c,assembly,x86,sse,fpu

You have forgotten to cleanup the stack. In the prologue you have: pushl %eax pushl %ecx pushl %edx pushl %ebp movl %esp, %ebp You obviously need to undo that before you ret, such as: movl %ebp, %esp popl %ebp popl %edx popl %ecx popl %eax ret PS: I have already...

Declaring Variables in the .data Versus on the Stack - ASM

assembly

Variables created in the .data section are directly accessable from every procedure. LOCAL variables are only present in the specific procedure and getting popped from the stack as soon as the procedure ends. What do you mean exactly with "end up with a random value"?

(Lower level of C++) When using “cout” on a piece of data, were does it go to before being displayed on screen?

c++,cout,cpu-registers

The lower level stuff of C++ is platform dependent. For example, reading a character from the keyboard. Some platforms don't have keyboards. Some platforms send messages when a character arrives, others wait (poll the input port). Let's talk one level down from the high level language. For cin, the underlying...

ASM : Trouble using int21h on real machine

assembly,x86,bootloader

You can't use MS-DOS services (INT 21h) in a bootloader. MS-DOS is an operating system, like Linux or Windows. Just like how you can't use Linux services before Linux has loaded, you can't use MS-DOS services before it has loaded. In a bootloader you're restricted to using BIOS services (or...

NASM assembled bootloader memory issue

assembly,nasm,bootloader

The immediate problem is that your prints destroys bx (because it sets bl and bh) so your printmem loop which requires bx to be preserved blows up. However, it also destroys al so your input loop won't be storing the correct value in memory to start with, either. Furthermore, while...

NASM: Makefile for library

assembly,makefile,nasm

The following appears to work fine for me: NAME = libfts.a SRC_ASM = file1.s \ file2.s \ file3.s \ OBJ_ASM = $(SRC_ASM:.s=.o) FLAGS = -Wall -Werror -Wextra NASM = nasm AR = ar RANLIB = ranlib ASM_FLAGS = -f macho64 all : $(NAME) $(NAME): $(OBJ_ASM) $(AR) rc $(NAME) $(OBJ_ASM) $(RANLIB)...

DB ASM variable in Inline ASM C++

c++,assembly,inline-assembly,ms-dos,borland-c++

The type int can only hold a 16-bit signed integer and the number you tried to assign to filename is way outside its range. As int variables are two bytes long, they're not all that useful for storing file names. Instead you should store the name in an array of...

ARM assembly cannot use immediate values and ADDS/ADCS together

gcc,assembly,arm,instructions

Somewhat ironically, by using UAL syntax to solve the first problem you've now hit pretty much the same thing, but the other way round and with a rather more cryptic symptom. The only Thumb encodings for (non-flag-setting) mov with an immediate operand are 32-bit ones, however Cortex-M0 doesn't support those,...

Range of Addresses for a Conditional Branch Instruction in MIPS

assembly,mips

Conditional branches are I type instructions, they have 16 bit immediate field. If the condition is met, PC is updated as PC += immediate << 2. PC is the address of the conditional jump. The immediate is a two complement value (to jump back eventually), so the range is from...

Asm x86 segmentation fault in reading from file

assembly,x86,segmentation-fault,mmap

The value in R8 at the time your program crashes is the file descriptor returned by the open syscall. Its value is probably 3 which isn't a valid address. You'll need to stores these values in a range of memory you've properly allocated. You can create a buffer in your...

Range of immediate values in ARMv8 A64 assembly

gcc,assembly,arm64

Unlike A32's "flexible second operand", there is no common immediate format in A64. For immediate-operand data-processing instructions (ignoring the boring and straightforward ones like shifts), Arithmetic instructions (add{s}, sub{s}, cmp, cmn) take a 12-bit unsigned immediate with an optional 12-bit left shift. Move instructions (movz, movn, movk) take a 16-bit...

Open Watcom Inline assembly SEG and OFFSET operators

c,assembly,memory-address,watcom

I don't think there's any way to convince the OpenWatcom compiler to emit a group based segment relocation. Part of the problem is that there's no way to declare or define the group so that you can refer to it in the inline assembly. However, it appears the OpenWatcom linker...

subl causing Floating point exception

assembly,x86

The subl $16, %esp is a red herring. The actual issue is in print_int: movl value(%ebp), %eax jge .L1 # if value >= 0 movl doesn't set flags. You are missing a test %eax, %eax or equivalent before the jge. Learn to use a debugger. It would have pointed you...

How is shellcode generated from C? - With code example

python,c,gcc,assembly,shellcode

The problem with creating shellcode from C programs is not that you cannot control the assembly generated, nor something related with the code generation. The problem with creating shellcode from C programs is symbols resolution or relocation, call it whatever you like. You approach, for what I have understand, is...

Understanding NASM Macro

assembly,macros,ffmpeg,nasm

The DEFINE_ARGS macro defines a number single line macros the are meant to be used to refer to the arguments of the function that the cglobal macro introduces. So for example, if foo is given as the name of the first argument then DEFINE_ARGS creates the following defines: %xdefine fooq...

Equivalent to asm volatile in Gfortran?

assembly,gfortran

No, there isn't. The easiest way around it is to have a C function with the asm, and then call that C function with ISO_C_BINDING.

MASM console window creation troubles (maybe my stack frame??)

winapi,assembly,stack,x86-64,masm

mov dword ptr [rsp + 20h], 0 is wrong. The last parameter has the type LPOVERLAPPED, which is here a 64-bit pointer. Change the line to mov qword ptr [rsp + 20h], 0 Also, lea rcx, handle is wrong. WriteFile expects a value, not an address (pointer). Change it to...

GCC emits vastly different code using “-march=native” on similar architectures

c,gcc,assembly,sse,avx

AVX is disabled because the entire AMD Bulldozer family does not handle 256-bit AVX instructions efficiently. Internally, the execution units are only 128-bit wide. So 256-bit operations are split up thereby providing no benefit over 128-bit. To add insult to injury, on Piledriver, there's a bug in the 256-bit store...

Why can't I use compiler intrinsics in an asm block?

delphi,assembly

You cannot use compiler intrinsics because they are processed by the Delphi compiler rather than the assembler. Intrinsics are resolved by the Pascal compiler processing and parsing Pascal expressions, and then emitting code. That's the job of a compiler rather than an assembler. At least, that's my mental model. In...

Counter not working after jumps - assembly language

loops,assembly,counter,increment

The fault is caused because the mouse interrupt 33h function AX=0003h returns the mouse position in CX and DX. This overwrites your "counter" in register CX. It is always a dangerous game to keep values in registers throughout a program. Better to have a memory variable location. You could also...

NASM: copying a pointer from a register to a buffer in .data

linux,assembly,nasm,x86-64

The problem is, you don't have debug info for the ptr type, so gdb treats it as integer. You can examine its real contents using: (gdb) x/a &ptr 0x600124 <ptr>: 0x7fffffffe950 (gdb) p/a $rsp $3 = 0x7fffffffe950 Of course I have a different value for rsp than you, but you...

nasm: jump when input is NULL

c,assembly,nasm,libc

Your first instruction is the problem: cmp rdi, 0. You're comparing the string pointer, passed to my_puts, to the value 0 to determine if you should print "(null)" rather than comparing the first byte of the string to 0. I'm supposing if you pass a 0 pointer, that would be...

How to find illegal instructions in a program?

c++,c,assembly,gdb,benchmarking

Your hex dump is just a bunch of function names so it doesn't tell us much. And you didn't mention an operating system either... I'll assume if you can run gdb on it, you can use GNU binutils too. For a start you can try objdump -h myprog. It will...

How can I access the individual elements of an array in a loop?

assembly,mips

To access any individual element of array, you can use it as: la $t3, array # put address of array into $t3 If array is a byte array, like: array: .byte 'H','E','L','L','O' to access the ith element: lb $a0, i($t3) # this load the byte at address that is (i+$t3)...

Why Masm32 only give 1 to 100 result for add and subtraction operation and beyond that I got wrong answer?

assembly,masm32

All of these operations in your code are incorrect: mov[num1 + eax-3], 0 StdIn returns the number of characters read, excluding the NUL terminator. So if you entered 100, eax will be 3, so you'll set the very first byte to 0, thereby making num1 an empty string. Even worse,...

How does this instruction look in memory?

assembly,x86

IA32 processors have a default code size, in 16 bit code segments (or in real mode) is (guess) 16 bit. In 32 bit and 64 bit code segments it is 32 bit. Instructions like mov eax, 3ch are actually something like mov A, 3ch where A is the A register...

Print a number in NASM - building an x86 Bootsector

assembly,nasm

Here's an example from a course that I teach. This is a raw bootsector that you can compile directly as an object file and use as a bootable floppy or USB image in something like Qemu, VirtualBox, VMWare, Bochs or a real machine. This makes use of the real mode...

Wrong answer from DIV assembly

assembly,x86

div di divides the 32 bit quantity dx:ax by di. We don't know what value your bx has, but presumably it produces dx=1 (due to the adc dx, dx). So the division is going to be 0x10003 / 3 = 0x5556 remainder 1, and that's exactly what you see. PS:...

MinGW's ld cannot perform PE operations on non PE output file

gcc,assembly,mingw,nasm,osdev

Old MinGW versions had the problem that "ld" was not able to create non-PE files at all. Maybe current versions have the same problem. The work-around was creating a PE file with "ld" and then to transform the PE file to binary, HEX or S19 using "objcopy"....

LC3 assembly-how to count string length

string,assembly,lc3

To define a string you can use the .STRINGZ directive, which also places the terminating zero after it. You should use BRNZP because the assembler apparently doesn't like BRZNP. Other than that, your code works fine.

Perform integer division using multiplication

assembly,optimization,bit-manipulation,division,multiplication

That method is called, "Division by Invariant Multiplication". The constants that you're seeing are actually approximates of the reciprocal. So rather than computing: N / D = Q you do something like this instead: N * (1/D) = Q where 1/D is a reciprocal that can be precomputed. Fundamentally, reciprocals...

LC3 assembly-unable to print the right character

assembly,encryption,lc3

Looking at your code I was able to find the infinite loop. PROG1 ADD R1,R1,#0 BRZ IMPOSSIBLE AND R2,R2,#0 ADD R2,R2,#1 NOT R4,R1 ADD R4,R4,#1 REP1 ADD R3,R0,R4 ; subtracts #27 from x5000 until negative BRN FIN1 ADD R0,R3,#0 BRNZP REP1 ; infinite loop IMPOSSIBLE AND R2,R2,#0 BRNZP FIN1 FIN1...

How to represent mips instruction as it's hex representation

assembly,mips

Opcode: 0000 11 Remaining 26 bits: Bits 2-27 of the address of label Explanation: The machine language equivalent that you know so far is: 0000 11xx xxxx xxxx xxxx xxxx xxxx xxxx x represents not-known-at-this-point. To find 32-bit Machine Language representation of jal func, first thing you'd need is the...

How to jump to an address saved in a register in intel assembly? [duplicate]

assembly,jmp

There simply is no such form of je. What you can do is put a relative conditional jump based on the opposite condition, followed by an unconditional register-indirect jump: jne skip jmp eax skip: You could make a macro out of this to save you from writing the same thing...

Print string using INT 0x10 in bootsector

assembly,x86,fasm

The lodsb instruction loads the byte pointed to by the DS and SI registers but you haven't loaded either with a valid value. Since this a bootloader you also need to use the ORG directive, otherwise the assembler won't know where you code, and therefor welcome, gets loaded into memory....

Is this an overflow, or maybe more keyboard data?

assembly,nasm,bootloader

The problem is that INT 16h AH=00h returns a ASCII character code in AL and an scan code in AH. The mov [qbuf], ax instruction stores both in the buffer, but INT 10h AH=0Eh only prints ASCII characters. It ends up interpreting the scan code you stored in the buffer...

Encode in machine code an Assembly MIPS instruction

assembly,mips

In MIPS, during beq the offset to add to program counter is calculated as: signextend immediate value offset = (immediate value) << 2 New PC is calculated as: pc += offset Here, in your code, you want to move pc back 12 bytes or 3 instruction if $8 == $0....

How do I check assembly output of Java code?

java,assembly

Java uses bytecode. The most similar would be javap, per the linked Oracle documentation, the javap command disassembles one or more class files. Its output depends on the options used. package com.stackoverflow; class Main { public static void main(String[] args) { System.out.println("Hello, World!"); } } If I compile that to...

Error: Junk at EOL, first unrecognised character is '('

assembly,gas,quake

The assembly file is meant to be run through the C preprocessor before being sent to the assembler. This should result in the C macro being properly expanded, assuming that the macro been defined in the one of the other files that are included by the #include lines. To have...

MASM SEG operator

assembly,masm

In MASM the label MY_VAR translates to the offset part of the address of MY_VAR relative to the segment it was declared in (if you use it like mov ax, MY_VAR) or relative the to segment you have assumed for the segment register you are using to access it (if...

puts implementation in assembly with nasm x86-64

assembly,nasm,x86-64,puts

Two problems. One, the call strlen is allowed to clobber some registers which include rdi and you need that later. So, surround the call strlen with push rdi and pop rdi to save and restore it. Second, you do not initialize rdi in the print_newline block. You need to set...

Macro to push arguments onto stack

visual-c++,assembly,macros

If you are still interested in tricking the Visual C++ compiler you can try this code #define pushargs(...) for (unsigned int _esp; ;) _esp = varcount(), _esp =(_esp-varcount(__VA_ARGS__))>>2, pushargs_c(_esp, __VA_ARGS__ ); unsigned int __declspec(naked) __forceinline varcount(...) { __asm mov eax, esp; __asm ret; } unsigned int __declspec(naked) __forceinline pushargs_c(unsigned int...

Make the input wait for mouse or keyboard - Assembly Language

assembly,input,keyboard,mouse,simultaneous

Thanks for your advice knm241. The above program now works fine thanks to you. The only problem that occurred was that the keyboard buffer was not clearing and thus the program would get stuck in a loop. I fixed that by clearing the buffer and now everything works. I used...

storing array from user and accessing it

arrays,assembly,input,user,mips

Some mistake I found is: In GETLIST: sw $v0,0($a2) #store in array add $a0,$a0,4 #next number <= instead write 'add $a2,$a2,4' if you want don't want to overwrite it. Also the problem in printing list is that you are adding $a2 to store the number in the array. But, you...