IDT系列:(二)中断处理过程,使用bochs调试IDT中的中断服务程序
一、中斷處理的過程
?
根據Intel 64 and IA-32 Architectures Software Developer’s Manual 的介紹,在中斷或異常產生是,CPU會將當前執行的指令(或下一條指令)在內存中的地址,也就是EIP的值,放入棧中,同時還會放入CS段寄存器和eflags標志寄存器的值等。
根據當前的優先級不同(ring0或ring3,也就是執行與用戶態還是內核態)會有較大的不同。如果異常或中斷發生時,系統正執行在內核態,那么CPU不會切換棧,直接將EFLAGS、CS、EIP和Error Code壓入棧中,如果正執行在非內核態,那么先切換到內核,切換到內核棧,然后依次壓入SS、ESP(用戶態線程的)、EFLAGS、CS、EIP和Error Code。(上述過程CPU自行完成,操作系統只需要把ISR放到正確的位置等待調用。)然后通過IDT找到對應的ISR 開始執行。
ISR完成處理后通過IRET(IRETD)指令返回到被中斷的程序中繼續執行即可。
?
?
二、安裝配置Bochs和XP Guest系統
?
在上一篇文章中,說了為什么不能使用WinDbg調試ISR。
?
好在我們還有bochs這個帶調試功能的軟件虛擬機。bochs的調試功能比起WinDbg這個專業調試器來,功能弱了十萬八千里。但是,由于bochs是一個軟件實現的CPU(對Guest系統來說相當于硬件),比WinDbg要低一個層次,在一些特殊的情況下bochs就能出奇制勝了。bochs是CPU,是一切的主宰,不需要你guest系統給我提供任何支持。
?
安裝好bochs以后,可以在bochs中安裝windows xp。bochs運行所依賴的一切硬件的配置都是依賴于bxrc配置文件。把安裝目錄下的bochsrc.bxrc復制一份,雙擊打開。在下圖的對話框里可以編輯配置文件。
如果安裝xp需要將CPU的主頻調高一些(我用的50000000)memory調得合適一些,比如512Mb。在這之前還需要使用安裝目錄下的bximage.exe創建一個growing的硬盤文件,比如c.img。growing的方式可以避免以后guest系統硬盤不夠用。
?
?
然后配置“Disk & Boot”選項,掛載上c.img
?
?然后配置光盤。需要一個windows xp安裝光盤的iso文件,也可以映射到物理光驅。
?
?然后配置有cdrom啟動。
?
調試過程最好log下來,便于后面分析。在“logfile”選項中配置調試的日志文件。
?
?
然后save,start就可以開始運行bochs了。
安裝過程需要比較漫長的時間,畢竟軟件CPU的性能和物理CPU不在一個數量級上。打個球,洗個澡,再吃個飯的時間應該差不多了。
安裝好以后注意備份一下,在bochs里安裝xp可是一個宏大的系統工程了。然后再把boot選項設置為從disk啟動。
安裝好以后,就可以使用bochs調試器bochsdbg.exe加載配置文件運行了。在“Bochs Start Menu”里面load然后start。
bochsdbg會停在f000:fff0處(這個時候CPU還沒有切換到保護模式)是bios的起始處。
運行命令c(continue)可以繼續系統運行。不久windows系統啟動。在console里Ctrl-C可以中斷運行輸入各種調試命令。
?
操作虛擬機的鼠標需要點擊按鈕,釋放時Ctrl+鼠標第三鍵(滾輪)
?
?
三、使用bochs調試觀察中斷過程
?
先介紹幾個調試指令(不是全部,只是在本文中用的的,其他的可以參考help或Bochs的文檔)
r 查看通用寄存器
sreg 參看段寄存器(idtr被歸到這里了)
creg 參看系統寄存器(cr0等)
x 參看內存(線性地址)
xp 參看內存(物理地址)
pb 通過物理地址下執行斷點
lb 通過線性地址下執行斷點
setpmem 修改物理內存(Bochs只支持通過物理地址修改內存,不過可以通過info tab參看整個分頁表,手工轉換一下,而且單步跟蹤時Bochs也會同時打印指令對應的物理地址和線性地址)
help 幫助
info idt 參看idt信息
?
Crtl-C中斷下XP系統的執行,就可以在Console中輸入調試命令。
?
1、靜態參看IDT信息
<bochs:5> sreg
es:0x0023, dh=0x00cff300, dl=0x0000ffff, valid=7
?Data segment, base=0x00000000, limit=0xffffffff, Read/Write, Accessed
cs:0x0008, dh=0x00cf9b00, dl=0x0000ffff, valid=1
?Code segment, base=0x00000000, limit=0xffffffff, Execute/Read, Accessed, 32-bit
ss:0x0010, dh=0x00cf9300, dl=0x0000ffff, valid=7
?Data segment, base=0x00000000, limit=0xffffffff, Read/Write, Accessed
ds:0x0023, dh=0x00cff300, dl=0x0000ffff, valid=7
?Data segment, base=0x00000000, limit=0xffffffff, Read/Write, Accessed
fs:0x0030, dh=0xffc093df, dl=0xf0000001, valid=7
?Data segment, base=0xffdff000, limit=0x00001fff, Read/Write, Accessed
gs:0x0000, dh=0x00001000, dl=0x00000000, valid=0
ldtr:0x0000, dh=0x00008200, dl=0x0000ffff, valid=0
tr:0x0028, dh=0x80008b04, dl=0x200020ab, valid=1
gdtr:base=0x000000008003f000, limit=0x3ff
idtr:base=0x000000008003f400, limit=0x7ff
<bochs:6> x /100w 0x8003f400
[bochs]:
0x000000008003f400 <bogus+?????? 0>:?0x0008f19c?0x80538e00?0x0008f314?0x80538e00
0x000000008003f410 <bogus+????? 16>:?0x0058113e?0x00008500?0x0008f6e4?0x8053ee00
0x000000008003f420 <bogus+????? 32>:?0x0008f864?0x8053ee00?0x0008f9c0?0x80538e00
0x000000008003f430 <bogus+????? 48>:?0x0008fb34?0x80538e00?0x0008019c?0x80548e00
0x000000008003f440 <bogus+????? 64>:?0x00501198?0x00008500?0x000805c0?0x80548e00
0x000000008003f450 <bogus+????? 80>:?0x000806e0?0x80548e00?0x00080820?0x80548e00
0x000000008003f460 <bogus+????? 96>:?0x00080a7c?0x80548e00?0x00080d60?0x80548e00
0x000000008003f470 <bogus+???? 112>:?0x00081450?0x80548e00?0x00081780?0x80548e00
0x000000008003f480 <bogus+???? 128>:?0x000818a0?0x80548e00?0x000819d8?0x80548e00
0x000000008003f490 <bogus+???? 144>:?0x00a01780?0x80548500?0x00081b40?0x80548e00
0x000000008003f4a0 <bogus+???? 160>:?0x00081780?0x80548e00?0x00081780?0x80548e00
... ...
<bochs:3> info idt
Interrupt Descriptor Table (base=0x000000008003f400, limit=2047):
IDT[0x00]=32-Bit Interrupt Gate target=0x0008:0x8053f19c, DPL=0
IDT[0x01]=32-Bit Interrupt Gate target=0x0008:0x8053f314, DPL=0
IDT[0x02]=Task Gate target=0x0058:0x0000113e, DPL=0
IDT[0x03]=32-Bit Interrupt Gate target=0x0008:0x8053f6e4, DPL=3
IDT[0x04]=32-Bit Interrupt Gate target=0x0008:0x8053f864, DPL=3
IDT[0x05]=32-Bit Interrupt Gate target=0x0008:0x8053f9c0, DPL=0
IDT[0x06]=32-Bit Interrupt Gate target=0x0008:0x8053fb34, DPL=0
... ...
<bochs:4> info idt 3
Interrupt Descriptor Table (base=0x000000008003f400, limit=2047):
IDT[0x03]=32-Bit Interrupt Gate target=0x0008:0x8053f6e4, DPL=3
<bochs:8> u 0x8053f6e4 0x8053f6ff
8053f6e4: (??????????????????? ): push 0x00000000?????????? ; 6a00
8053f6e6: (??????????????????? ): mov word ptr ss:[esp+2], 0x0000 ; 66c74424020000
8053f6ed: (??????????????????? ): push ebp????????????????? ; 55
8053f6ee: (??????????????????? ): push ebx????????????????? ; 53
8053f6ef: (??????????????????? ): push esi????????????????? ; 56
8053f6f0: (??????????????????? ): push edi????????????????? ; 57
8053f6f1: (??????????????????? ): push fs?????????????????? ; 0fa0
8053f6f3: (??????????????????? ): mov ebx, 0x00000030?????? ; bb30000000
8053f6f8: (??????????????????? ): mov fs, bx??????????????? ; 668ee3
8053f6fb: (??????????????????? ): mov ebx, dword ptr fs:0x0 ; 648b1d00000000
?
2、ring0 內核態的INT 3中斷
進入Console后單步一次,看一下目前運行在什么地方。
<bochs:3> s
Next at t=5931168643
(0) [0x04f0833f] 0008:00000000bf80533f (unk. ctxt): pop edi?????????????????? ; 5f
?
線性地址bf80533f大于80000000應是在內核。
?
反匯編看一下指令
?
<bochs:5> u 0xbf80533f 0xbf805350
bf80533f: (??????????????????? ): pop edi?????????????????? ; 5f
bf805340: (??????????????????? ): pop esi?????????????????? ; 5e
bf805341: (??????????????????? ): leave???????????????????? ; c9
bf805342: (??????????????????? ): ret 0x0004??????????????? ; c20400
bf805345: (??????????????????? ): nop?????????????????????? ; 90
... ...
?
看一下bf805342對應物理內存中的數據。(s指令時知道 (0) [0x04f0833f] 0008:00000000bf80533f 的內存映射關系)。
?
<bochs:8> xp /20b 0x04f08342
[bochs]:
0x0000000004f08342 <bogus+?????? 0>:?0xc2?0x04?0x00?0x90?0x90?0x90?0x90?0x90
0x0000000004f0834a <bogus+?????? 8>:?0x8b?0xff?0x55?0x8b?0xec?0x83?0xec?0x10
0x0000000004f08352 <bogus+????? 16>:?0x56?0x8b?0xf1?0x8b
?
將 bf805342: ret 0x0004 修改為int 3
?
<bochs:9> setpmem 0x04f08342 1 0xcc
?
看一下修改的結果
?
<bochs:11> u 0xbf80533f 0xbf805350
bf80533f: (??????????????????? ): pop edi?????????????????? ; 5f
bf805340: (??????????????????? ): pop esi?????????????????? ; 5e
bf805341: (??????????????????? ): leave???????????????????? ; c9
bf805342: (??????????????????? ): int3????????????????????? ; cc
bf805343: (??????????????????? ): add al, 0x00????????????? ; 0400
... ...
?
中斷之前的棧
<bochs:15> x /100w rsp
[bochs]:
0x00000000f78807b8 <bogus+?????? 0>:?0xf7880808?0xe13b1008?0x00000000?0x00000000
0x00000000f78807c8 <bogus+????? 16>:?0x00000001?0x00000001?0xf7880818?0xbf808ae6
0x00000000f78807d8 <bogus+????? 32>:?0xf78807f8?0xe13b1008?0x81f187d8?0x00000001
0x00000000f78807e8 <bogus+????? 48>:?0x00000000?0x00000000?0x00000001?0x00000001
0x00000000f78807f8 <bogus+????? 64>:?0x00000000?0x00000000?0x00000001?0x00000001
0x00000000f7880808 <bogus+????? 80>:?0x820c92a8?0xe13b1008?0x00000001?0xe183c918
0x00000000f7880818 <bogus+????? 96>:?0xf788084c?0xbf80d31c?0x81f187d8?0xe13b1008
0x00000000f7880828 <bogus+???? 112>:?0x8052890c?0x820c92a8?0xe13b1008?0x00000001
0x00000000f7880838 <bogus+???? 128>:?0xf7880894?0xf7880864?0xe18c5008?0x00000000
... ...
單步到執行到int 3
<bochs:20> s
Next at t=5931168646
(0) [0x04f08342] 0008:00000000bf805342 (unk. ctxt): int3????????????????????? ; cc
?
int 3 之前寄存器和棧的情況。
?
<bochs:21> r
rax: 0x00000000:f78807c0 rcx: 0x00000000:00000001
rdx: 0x00000000:00000001 rbx: 0x00000000:e18c5008
rsp: 0x00000000:f78807d4 rbp: 0x00000000:f7880818
rsi: 0x00000000:e13b1008 rdi: 0x00000000:f7880808
r8 : 0x00000000:00000000 r9 : 0x00000000:00000000
r10: 0x00000000:00000000 r11: 0x00000000:00000000
r12: 0x00000000:00000000 r13: 0x00000000:00000000
r14: 0x00000000:00000000 r15: 0x00000000:00000000
rip: 0x00000000:bf805342
eflags 0x00000286: id vip vif ac vm rf nt IOPL=0 of df IF tf SF zf af PF cf
<bochs:22> x /100w rsp
[bochs]:
0x00000000f78807d4 <bogus+?????? 0>:?0xbf808ae6?0xf78807f8?0xe13b1008?0x81f187d8
0x00000000f78807e4 <bogus+????? 16>:?0x00000001?0x00000000?0x00000000?0x00000001
0x00000000f78807f4 <bogus+????? 32>:?0x00000001?0x00000000?0x00000000?0x00000001
0x00000000f7880804 <bogus+????? 48>:?0x00000001?0x820c92a8?0xe13b1008?0x00000001
0x00000000f7880814 <bogus+????? 64>:?0xe183c918?0xf788084c?0xbf80d31c?0x81f187d8
0x00000000f7880824 <bogus+????? 80>:?0xe13b1008?0x8052890c?0x820c92a8?0xe13b1008
0x00000000f7880834 <bogus+????? 96>:?0x00000001?0xf7880894?0xf7880864?0xe18c5008
0x00000000f7880844 <bogus+???? 112>:?0x00000000?0x00000000?0xf788086c?0xbf81f825
0x00000000f7880854 <bogus+???? 128>:?0xe13b1008?0x00000001?0x00000000?0x00000000
0x00000000f7880864 <bogus+???? 144>:?0x0006f2e4?0xbf80cf90?0xf7880888?0xbf80d003
執行int 3,程序跳轉到了 ISR 3 8053f6e4
<bochs:23> s
Next at t=5931168647
(0) [0x0053f6e4] 0008:000000008053f6e4 (unk. ctxt): push 0x00000000?????????? ; 6a00
?
寄存器和棧變化了:
<bochs:24> r
rax: 0x00000000:f78807c0 rcx: 0x00000000:00000001
rdx: 0x00000000:00000001 rbx: 0x00000000:e18c5008
rsp: 0x00000000:f78807c8 rbp: 0x00000000:f7880818
rsi: 0x00000000:e13b1008 rdi: 0x00000000:f7880808
r8 : 0x00000000:00000000 r9 : 0x00000000:00000000
r10: 0x00000000:00000000 r11: 0x00000000:00000000
r12: 0x00000000:00000000 r13: 0x00000000:00000000
r14: 0x00000000:00000000 r15: 0x00000000:00000000
rip: 0x00000000:8053f6e4
eflags 0x00000086: id vip vif ac vm rf nt IOPL=0 of df if tf SF zf af PF cf
<bochs:25> x /100w rsp
[bochs]:
0x00000000f78807c8 <bogus+?????? 0>:?0xbf805343?0x00000008?0x00000286?0xbf808ae6
0x00000000f78807d8 <bogus+????? 16>:?0xf78807f8?0xe13b1008?0x81f187d8?0x00000001
0x00000000f78807e8 <bogus+????? 32>:?0x00000000?0x00000000?0x00000001?0x00000001
0x00000000f78807f8 <bogus+????? 48>:?0x00000000?0x00000000?0x00000001?0x00000001
0x00000000f7880808 <bogus+????? 64>:?0x820c92a8?0xe13b1008?0x00000001?0xe183c918
0x00000000f7880818 <bogus+????? 80>:?0xf788084c?0xbf80d31c?0x81f187d8?0xe13b1008
... ...
?
?
CPU 在執行int 3時入棧的內容為 0xbf805343?0x00000008?0x00000286 共三個dword 其中 0xbf805343是產生異常的指令的下一條指令(3號中斷是Trap類型),0x00000008是CS寄存器的值,0x00000286是eflags寄存器的值。
由于int 3指令也是在ring0執行的,在這個異常過程中沒有優先級的切換,所以沒有切換棧,入棧的內容只有三個。
繼續執行可以調試觀察ISR過程
<bochs:26> trace on
Tracing enabled for CPU0
<bochs:27> s 100
(0).[5931168647] [0x0053f6e4] 0008:000000008053f6e4 (unk. ctxt): push 0x00000000?????????? ; 6a00
(0).[5931168648] [0x0053f6e6] 0008:000000008053f6e6 (unk. ctxt): mov word ptr ss:[esp+2], 0x0000 ; 66c74424020000
(0).[5931168649] [0x0053f6ed] 0008:000000008053f6ed (unk. ctxt): push ebp????????????????? ; 55
(0).[5931168650] [0x0053f6ee] 0008:000000008053f6ee (unk. ctxt): push ebx????????????????? ; 53
(0).[5931168651] [0x0053f6ef] 0008:000000008053f6ef (unk. ctxt): push esi????????????????? ; 56
(0).[5931168652] [0x0053f6f0] 0008:000000008053f6f0 (unk. ctxt): push edi????????????????? ; 57
(0).[5931168653] [0x0053f6f1] 0008:000000008053f6f1 (unk. ctxt): push fs?????????????????? ; 0fa0
(0).[5931168654] [0x0053f6f3] 0008:000000008053f6f3 (unk. ctxt): mov ebx, 0x00000030?????? ; bb30000000
(0).[5931168655] [0x0053f6f8] 0008:000000008053f6f8 (unk. ctxt): mov fs, bx??????????????? ; 668ee3
(0).[5931168656] [0x0053f6fb] 0008:000000008053f6fb (unk. ctxt): mov ebx, dword ptr fs:0x0 ; 648b1d00000000
(0).[5931168657] [0x0053f702] 0008:000000008053f702 (unk. ctxt): push ebx????????????????? ; 53
(0).[5931168658] [0x0053f703] 0008:000000008053f703 (unk. ctxt): sub esp, 0x00000004?????? ; 83ec04
... ...
略。
?
3、ring3 用戶態下的INT 3中斷。
?
下面我們可以在ring 3 狀態下產生中斷,看看優先級變化時的異常處理。
重啟bochs,啟動XP Ctrl-C嘗試停在ring 3(如果不是Ring 3 多嘗試幾次,CPU還是有很大比例的時間運行在ring 3態的)
如果暫停時eip線性地址小于0x80000000就是在ring 3態下
在ring 3態下的程序重復上述過程,觀察int 3前后的變化。
?
<bochs:9> r
rax: 0x00000000:1e7a18d1 rcx: 0x00000000:4d532745
rdx: 0x00000000:13f91976 rbx: 0x00000000:25dc3f3b
rsp: 0x00000000:0063efc8 rbp: 0x00000000:ffffffe0
rsi: 0x00000000:0009f7e0 rdi: 0x00000000:0009f870
r8 : 0x00000000:00000000 r9 : 0x00000000:00000000
r10: 0x00000000:00000000 r11: 0x00000000:00000000
r12: 0x00000000:00000000 r13: 0x00000000:00000000
r14: 0x00000000:00000000 r15: 0x00000000:00000000
rip: 0x00000000:68021d3b
eflags 0x00000202: id vip vif ac vm rf nt IOPL=0 of df IF tf sf zf af pf cf
<bochs:10> x /100w rsp
[bochs]:
0x000000000063efc8 <bogus+?????? 0>:?0x0063efd8?0x00000020?0x0009f7e0?0x0009f7f0
0x000000000063efd8 <bogus+????? 16>:?0x0063f004?0x6802145f?0x0009f7f0?0x25dc3f3b
0x000000000063efe8 <bogus+????? 32>:?0x0009f760?0x00000020?0x0000003b?0x0009f7e0
0x000000000063eff8 <bogus+????? 48>:?0x000a5ef8?0x0009f760?0x0009f6e0?0x0063f05c
0x000000000063f008 <bogus+????? 64>:?0x6802192d?0x0009f660?0x0009f7e0?0x000a5ef8
0x000000000063f018 <bogus+????? 80>:?0x000a4f04?0x000a500c?0x00000021?0x00000020
0x000000000063f028 <bogus+????? 96>:?0x0009f660?0x0009f6e0?0x0009f760?0x0009f7e0
0x000000000063f038 <bogus+???? 112>:?0x00000010?0x00000006?0x00000000?0x000001c5
0x000000000063f048 <bogus+???? 128>:?0x000001c5?0x00000020?0x000a5ff8?0x00000080
... ...
<bochs:12> sreg
es:0x0023, dh=0x00cff300, dl=0x0000ffff, valid=1
?Data segment, base=0x00000000, limit=0xffffffff, Read/Write, Accessed
cs:0x001b, dh=0x00cffb00, dl=0x0000ffff, valid=1
?Code segment, base=0x00000000, limit=0xffffffff, Execute/Read, Accessed, 32-bit
ss:0x0023, dh=0x00cff300, dl=0x0000ffff, valid=7
?Data segment, base=0x00000000, limit=0xffffffff, Read/Write, Accessed
ds:0x0023, dh=0x00cff300, dl=0x0000ffff, valid=7
?Data segment, base=0x00000000, limit=0xffffffff, Read/Write, Accessed
fs:0x003b, dh=0x7f40f3fd, dl=0xe0000fff, valid=1
?Data segment, base=0x7ffde000, limit=0x00000fff, Read/Write, Accessed
gs:0x0000, dh=0x00001000, dl=0x00000000, valid=0
ldtr:0x0000, dh=0x00008200, dl=0x0000ffff, valid=0
tr:0x0028, dh=0x80008b04, dl=0x200020ab, valid=1
gdtr:base=0x000000008003f000, limit=0x3ff
idtr:base=0x000000008003f400, limit=0x7ff
<bochs:26> s
Next at t=2257012356
(0) [0x05488d4a] 001b:0000000068021d4a (unk. ctxt): int3????????????????????? ; cc
<bochs:27> s
Next at t=2257012357
(0) [0x0053f6e4] 0008:000000008053f6e4 (unk. ctxt): push 0x00000000?????????? ; 6a00
<bochs:28> r
rax: 0x00000000:3edb3b9d rcx: 0x00000000:13f91977
rdx: 0x00000000:13f91977 rbx: 0x00000000:25dc3f3b
rsp: 0x00000000:f8149dcc?rbp: 0x00000000:ffffffe0
rsi: 0x00000000:0009f7e0 rdi: 0x00000000:0009f870
r8 : 0x00000000:00000000 r9 : 0x00000000:00000000
r10: 0x00000000:00000000 r11: 0x00000000:00000000
r12: 0x00000000:00000000 r13: 0x00000000:00000000
r14: 0x00000000:00000000 r15: 0x00000000:00000000
rip: 0x00000000:8053f6e4
eflags 0x00000006: id vip vif ac vm rf nt IOPL=0 of df if tf sf zf af PF cf
<bochs:30> x /100w rsp
[bochs]:
0x00000000f8149dcc <bogus+?????? 0>:?0x68021d4b?0x0000001b?0x00000206?0x0063efc8
0x00000000f8149ddc <bogus+????? 16>:?0x00000023?0x00000000?0x00000000?0x00000000
0x00000000f8149dec <bogus+????? 32>:?0x00000000?0x0000027f?0x00000000?0x00000000
0x00000000f8149dfc <bogus+????? 48>:?0x00000000?0x00000000?0x00000000?0x00001f80
0x00000000f8149e0c <bogus+????? 64>:?0x0000ffff?0x00000000?0x00000000?0x00000000
0x00000000f8149e1c <bogus+????? 80>:?0x00000000?0x00000000?0x8a885d04?0x00000048
0x00000000f8149e2c <bogus+????? 96>:?0x00000000?0x77db612a?0x00000002?0x00006148
0x00000000f8149e3c <bogus+???? 112>:?0x00000000?0x00000000?0x00000000?0x00006134
... ...
?
在int 3前后的寄存器和棧都存在變化,首先不是同一棧,int 3之前是用戶棧,int 3之后,切換到了系統棧。esp的值由0063efc8變為了f8149dcc,由于CONTEXT的切換,寄存器的值都發生了變化。
在int 3的內核棧中 0x68021d4b?0x0000001b?0x00000206?0x0063efc8?0x00000023 五個值是新壓入的,分別是:
(1)0x68021d4b 產生異常的EIP的后一條指令
(2)0x0000001b CS
(3)0x00000206 EFLAGS
(4)0x0063efc8 ESP
(5)0x00000023 SS
與文檔中描述相同。
?
4、TF標志和中斷處理
?
調試器的單步跟蹤(比如WinDbg的t命令)一般是通過CPU的TF標志實現的。如果TF標志被置位,那么在每執行一條指令后即產生一個int 1中斷。
?
<bochs:3> r
rax: 0x00000000:00a18f6a rcx: 0x00000000:ffdffc70
rdx: 0x00000000:00000000 rbx: 0x00000000:ffdffc70
rsp: 0x00000000:8054ac34 rbp: 0x00000000:8054ac50
rsi: 0x00000000:ffdffc50 rdi: 0x00000000:821e7b68
r8 : 0x00000000:00000000 r9 : 0x00000000:00000000
r10: 0x00000000:00000000 r11: 0x00000000:00000000
r12: 0x00000000:00000000 r13: 0x00000000:00000000
r14: 0x00000000:00000000 r15: 0x00000000:00000000
rip: 0x00000000:f871d162
eflags 0x00000246: id vip vif ac vm rf nt IOPL=0 of df IF tf sf ZF af PF cf
?
eflags的第八位是TF標志位,也就是將eflag and 0x100即可將TF置位
?
<bochs:38> setpmem 0x006d1d35 4 0x00034668
<bochs:39> setpmem 0x006d1d39 2 0x6600
<bochs:40> setpmem 0x006d1d3b 1 0x9d
<bochs:41> u rip rip+20
806d1d35: (??????????????????? ): push 0x00000346?????????? ; 6846030000
806d1d3a: (??????????????????? ): popf????????????????????? ; 669d
806d1d3c: (??????????????????? ): mov ebp, esp????????????? ; 8bec
806d1d3e: (??????????????????? ): mov dword ptr ss:[esp+68], eax ; 89442444
806d1d42: (??????????????????? ): mov dword ptr ss:[esp+64], ecx ; 894c2440
806d1d46: (??????????????????? ): mov dword ptr ss:[esp+60], edx ; 8954243c
?
由于bochsdbg不支持設置eflag基礎器的值,只能設置通用寄存器的值,這就通過修改代碼將eflags置位。
單步運行:
<bochs:43> s
Next at t=36941382598
(0) [0x006d1d3a] 0008:00000000806d1d3a (unk. ctxt): popf????????????????????? ; 669d
<bochs:44> s
Next at t=36941382599
(0) [0x006d1d3c] 0008:00000000806d1d3c (unk. ctxt): mov ebp, esp????????????? ; 8bec
<bochs:46> s
Next at t=36941382600
(0) [0x006d1d3e] 0008:00000000806d1d3e (unk. ctxt): mov dword ptr ss:[esp+68], eax ; 89442444
TF置位是成功了的:
<bochs:47> r
rax: 0x00000000:00a18f6a rcx: 0x00000000:ffdffc70
rdx: 0x00000000:00000000 rbx: 0x00000000:ffdffc70
rsp: 0x00000000:8054ac22 rbp: 0x00000000:8054ac22
rsi: 0x00000000:ffdffc50 rdi: 0x00000000:821e7b68
r8 : 0x00000000:00000000 r9 : 0x00000000:00000000
r10: 0x00000000:00000000 r11: 0x00000000:00000000
r12: 0x00000000:00000000 r13: 0x00000000:00000000
r14: 0x00000000:00000000 r15: 0x00000000:00000000
rip: 0x00000000:806d1d3e
eflags 0x00000346: id vip vif ac vm rf nt IOPL=0 of df IF TF sf ZF af PF cf
<bochs:48> s
Next at t=36941382601
(0) [0x0053f314] 0008:000000008053f314 (unk. ctxt): push 0x00000000?????????? ; 6a00
?
已經進入ISR 1
(這里不知為是么置位了TF后單步了兩條指令才跳入ISR 1,是bochs的實現原理問題?存疑在此。)
?
<bochs:49> info idt
Interrupt Descriptor Table (base=0x000000008003f400, limit=2047):
IDT[0x00]=32-Bit Interrupt Gate target=0x0008:0x8053f19c, DPL=0
IDT[0x01]=32-Bit Interrupt Gate target=0x0008:0x8053f314, DPL=0
... ...
總結
以上是生活随笔為你收集整理的IDT系列:(二)中断处理过程,使用bochs调试IDT中的中断服务程序的全部內容,希望文章能夠幫你解決所遇到的問題。
