Using NuMega SoftICE

How Windows NT uses GDT to implement "kernel mode" and "user mode"

Programs running in "kernel mode" (e.g. OS kernel and drivers) have more privilege than those running in "user mode" (e.g. OS environment subsystems and application programs). Windows implements this by using Intel x86's built-in "privilege levels".

There are four "privilege levels" in the processor, and they are refered to as "ring 0", "ring 1", "ring 2", and "ring3". Windows uses only "ring 0" and "ring 3" with "ring 0" having more privilege than "ring 3". SoftICE is a debugger which can debug programs in both mode, and it is running in "ring 0".

Global Descriptor Table (GDT) is an in-memory data structure, defined by Intel x86, which contains entries known as "segment descriptors" or just "descriptors". Each "descriptor" describes (defines) attributes of a range of linear memory. Attributes include "memory should be interpreted as 16-bit or 32-bit", "memory is for storing instructions or data", and "which privilege level (ring 0 or ring 3) the memory belongs to". A particular descriptor is indexed by "selector". A selector appears at right-hand side of "XXXX:XXXXXXXX" address format.

SoftICE "GDT" command walks the Global Descriptor Table, showing the content of each descriptor, so you don't have to interpret them. However, understanding GDT and its descriptor is important if you want to understand the Intel x86 architecture and how Windows uses it. The figure below shows you the process of how to interpret a raw memory dump of GDT, and how it relates to SoftICE "GDT" command output.

 

 contact guestbook | control panel 
1998-2000 Tsuyoshi Watanabe. All rights reserved.