This post has been edited.
Discussion in this thread has been moved on to how to interpret IOTRn registers in Windows 10. There seems to be read different values from these registers on almost every turn. Is this by design? Is this a Windows 10 feature? Does this occur on a Linux system as well? Difficult to interpret how to check for trapped IO under such conditions. Anyone got any ideas feel free to share.
Kjetil
see:
http://wiki.osdev.org/PCI#Configuration_Mechanism_.231
Just looking at your code - I've spotted multiple overwrites of you're initial parameters,
to the extent that it trashes the registers and no logic flow is evident (apart from the component parameter names required).
Please don't take this the wrong way - but look at assembly fundamentals first (register use) before attempting this.
Hello
I think it help you
http://board.flatassembler.net/topic.php?t=12738
regards,
SHL AX, 16
i don't know where you got that code, but i can tell you it isn't right :biggrin:
That code was horribly wrong. I got it working now anyway.
By the way, what data usually exists in IOTRn registers?
## IOTRn - I/O Trap Register (0-3) ##
IOTR0 value is 0x15FFFFFE63520D8B
IOTR1 value is 0x8B48000371D6E8C0
IOTR2 value is 0xFE62CF0D8B4800FF
IOTR3 value is 0xF936E8F98B48F28B
I know the Intel spec says it's default value is 0x0000000000000000. My reasoning is that the OS must use these registers so it might be correct. Not sure though as there isn't very many sources to this information.
Hi.
As an update it would seem in Windows 10 the IOTRn registers keep changing values.
I would like to know if this is normal behaviour?
iKjetil
Absolutely. In later versions of Window, they made it somewhat more difficult for the rootkits...
Quote from: jj2007 on November 01, 2015, 07:51:51 PM
Absolutely. In later versions of Window, they made it somewhat more difficult for the rootkits...
Do you know what is being done in Windows since the registers change values so dramatically? Is the values stored in those registers any good at all? Is it possible at all to trap IO using IOTRn on Windows 10?
What I am looking for is if checking these registers I am getting any valid information?
Quote from: iKjetil on November 01, 2015, 11:47:13 PMIs it possible at all to trap IO using IOTRn on Windows 10?
Possible, or rather: it depends. What exactly do you want to achieve?
Quote from: jj2007 on November 02, 2015, 12:00:28 AM
Possible, or rather: it depends. What exactly do you want to achieve?
I am trying to confirm or deny IO trap in these registers. When values change so much it is difficult to know how to do this other than analyze the values over time. Do you have any ideas? :)
Kristoffer,
This stuff is really badly documented, so it won't be easy. It gets complicated by the fact that you have posted code that is nonsense (shl ax, 16 does nothing), so you would have to convince the few guys here who will understand your problem that your project is a legit one. Forum policy on this is pretty strict, and rightly so :P
You are aware of the Bassov article, of System Address Map Initialization in x86/x64 Architecture (http://resources.infosecinstitute.com/system-address-map-initialization-x86x64-architecture-part-2-pci-express-based-systems/) and How an I/O port leads to System Management Mode (http://dreamlayers.blogspot.it/2012/10/how-io-port-leads-to-system-management.html)?
Those articles are really good. However they do not shed light on how to interpret changing IOTRn registers. As you said this is really badly documented. Any input at all is helpful right now.