In the book Rootkits: Subverting the Windows Kernel, Chapter 5: Runtime Patching, pages 120-125 (Greg Hoglund, James Butler, 2006),
he says that
JMP FAR 0x08:0xAAAAAAAA will jump to 0xAAAAAAAA
but Wiki says
0x08:0xAAAAAAAA = (0x08 * 0x10) + 0xAAAAAAAA
Which is true?
In protected mode, the selector values (the segment part of the address in your example) do not use the “shift by 4” calculation. Instead, the value is used as an index into the Local or Global descriptor table, and the base address from the table is used.
The linked code seems to be made for Windows. Windows uses a simple, flat memory model, where most selectors map the whole 4GB address space with the base of 0. That’s why the selector 8 will map to 0 and the jump will (try to) go to the address 0xAAAAAAAA.
I’m not sure what the point of using a far jump is; I think a normal jump (without reloading the selector) would work just as well.
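The two translations compared above, as an added example that is not part of the original answer or of the book: the real-mode shift-by-4 formula next to a protected-mode lookup that decodes the selector and reads the base from a descriptor table. The GDT contents and all function names are constructed for illustration, and the limit and privilege checks the CPU performs are left out.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Real mode: the segment value is shifted left by 4 and added to a 16-bit offset. */
uint32_t real_mode_linear(uint16_t seg, uint16_t off) {
    return ((uint32_t)seg << 4) + off;
}

/* The 32-bit base is split across bits 16-39 and 56-63 of an 8-byte descriptor. */
uint32_t descriptor_base(uint64_t d) {
    return (uint32_t)((d >> 16) & 0xFFFFFF) | ((uint32_t)((d >> 56) & 0xFF) << 24);
}

/* Constructed sample GDT (assumption, not dumped from a real system). */
const uint64_t sample_gdt[] = {
    0x0000000000000000ULL, /* index 0: mandatory null descriptor      */
    0x00CF9A000000FFFFULL, /* index 1: flat code, base 0, 4 GB limit  */
    0x00CF92000000FFFFULL, /* index 2: flat data, base 0, 4 GB limit  */
    0x00CF9A100000FFFFULL, /* index 3: code with base 0x00100000      */
};

/* Protected mode: selector = index (bits 3-15) | TI (bit 2) | RPL (bits 0-1).
 * Returns 0 and stores the linear address, or -1 if the selector is unusable.
 * Limit and privilege checks done by the CPU are not modelled here. */
int protected_mode_linear(const uint64_t *gdt, size_t entries,
                          uint16_t sel, uint32_t off, uint32_t *linear) {
    size_t index = sel >> 3;
    if (sel & 0x4) return -1;                       /* TI=1 selects the LDT */
    if (index == 0 || index >= entries) return -1;  /* null or out of range */
    if (!((gdt[index] >> 47) & 1)) return -1;       /* present bit is clear */
    *linear = descriptor_base(gdt[index]) + off;
    return 0;
}

int main(void) {
    uint32_t lin = 0;
    printf("real mode 0x0008:0xAAAA -> 0x%08X\n", (unsigned)real_mode_linear(0x08, 0xAAAA));
    if (protected_mode_linear(sample_gdt, 4, 0x08, 0xAAAAAAAAu, &lin) == 0)
        printf("prot mode 0x08:0xAAAAAAAA -> 0x%08X\n", (unsigned)lin);
    if (protected_mode_linear(sample_gdt, 4, 0x18, 0xAAAAAAAAu, &lin) == 0)
        printf("prot mode 0x18:0xAAAAAAAA -> 0x%08X\n", (unsigned)lin);
    return 0;
}
```

Selector 0x08 decodes to index 1 with TI=0 and RPL=0, so with a base-0 descriptor the linear address equals the offset; the constructed index-3 entry shows the same offset landing elsewhere once the base is non-zero.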