Using WinDbg to analyze the IDT (1)

1. Basics of the IDT
In WinDbg we can dump the IDT with:
lkd> !idt -a

Dumping IDT:

00: 80542550 nt!KiTrap00
01: 805426cc nt!KiTrap01
02: Task Selector = 0x0058
03: 80542ae0 nt!KiTrap03
04: 80542c60 nt!KiTrap04
05: 80542dc0 nt!KiTrap05
06: 80542f34 nt!KiTrap06
07: 805435ac nt!KiTrap07
08: Task Selector = 0x0050
09: 805439b0 nt!KiTrap09
0a: 80543ad0 nt!KiTrap0A
0b: 80543c10 nt!KiTrap0B
0c: 80543e70 nt!KiTrap0C
0d: 8054415c nt!KiTrap0D
0e: 80544858 nt!KiTrap0E
0f: 80544b90 nt!KiTrap0F
10: 80544cb0 nt!KiTrap10
11: 80544dec nt!KiTrap11
12: Task Selector = 0x00A0
13: 80544f54 nt!KiTrap13
14: 80544b90 nt!KiTrap0F
15: 80544b90 nt!KiTrap0F
16: 80544b90 nt!KiTrap0F
17: 80544b90 nt!KiTrap0F
18: 80544b90 nt!KiTrap0F
19: 80544b90 nt!KiTrap0F
1a: 80544b90 nt!KiTrap0F
1b: 80544b90 nt!KiTrap0F
1c: 80544b90 nt!KiTrap0F
1d: 80544b90 nt!KiTrap0F
1e: 80544b90 nt!KiTrap0F
1f: 806e510c
20: 00000000
21: 00000000
22: 00000000
23: 00000000
24: 00000000
25: 00000000
26: 00000000
27: 00000000
28: 00000000
29: 00000000
2a: 80541d7e nt!KiGetTickCount
2b: 80541e80 nt!KiCallbackReturn
2c: 80542030 nt!KiSetLowWaitHighThread
2d: bacbcdc4
2e: 80541801 nt!KiSystemService
2f: 80544b90 nt!KiTrap0F
30: 80540ec0 nt!KiUnexpectedInterrupt0
31: 80540eca nt!KiUnexpectedInterrupt1
32: 80540ed4 nt!KiUnexpectedInterrupt2
33: 80540ede nt!KiUnexpectedInterrupt3
34: 80540ee8 nt!KiUnexpectedInterrupt4
35: 80540ef2 nt!KiUnexpectedInterrupt5
36: 80540efc nt!KiUnexpectedInterrupt6
37: 806e4864
38: 80540f10 nt!KiUnexpectedInterrupt8
39: 80540f1a nt!KiUnexpectedInterrupt9
3a: 80540f24 nt!KiUnexpectedInterrupt10
3b: 80540f2e nt!KiUnexpectedInterrupt11
3c: 80540f38 nt!KiUnexpectedInterrupt12
3d: 806e5e2c
3e: 80540f4c nt!KiUnexpectedInterrupt14
3f: 80540f56 nt!KiUnexpectedInterrupt15
40: 80540f60 nt!KiUnexpectedInterrupt16
41: 806e5c88
42: 80540f74 nt!KiUnexpectedInterrupt18
43: 80540f7e nt!KiUnexpectedInterrupt19
44: 80540f88 nt!KiUnexpectedInterrupt20
45: 80540f92 nt!KiUnexpectedInterrupt21
46: 80540f9c nt!KiUnexpectedInterrupt22
47: 80540fa6 nt!KiUnexpectedInterrupt23
48: 80540fb0 nt!KiUnexpectedInterrupt24
49: 80540fba nt!KiUnexpectedInterrupt25
4a: 80540fc4 nt!KiUnexpectedInterrupt26
4b: 80540fce nt!KiUnexpectedInterrupt27
4c: 80540fd8 nt!KiUnexpectedInterrupt28
4d: 80540fe2 nt!KiUnexpectedInterrupt29
4e: 80540fec nt!KiUnexpectedInterrupt30
4f: 80540ff6 nt!KiUnexpectedInterrupt31
50: 806e493c
51: 8054100a nt!KiUnexpectedInterrupt33
52: 80541014 nt!KiUnexpectedInterrupt34
53: 8054101e nt!KiUnexpectedInterrupt35
54: 80541028 nt!KiUnexpectedInterrupt36
55: 80541032 nt!KiUnexpectedInterrupt37
56: 8054103c nt!KiUnexpectedInterrupt38
57: 80541046 nt!KiUnexpectedInterrupt39
58: 80541050 nt!KiUnexpectedInterrupt40
59: 8054105a nt!KiUnexpectedInterrupt41
5a: 80541064 nt!KiUnexpectedInterrupt42
5b: 8054106e nt!KiUnexpectedInterrupt43
5c: 80541078 nt!KiUnexpectedInterrupt44
5d: 80541082 nt!KiUnexpectedInterrupt45
5e: 8054108c nt!KiUnexpectedInterrupt46
5f: 80541096 nt!KiUnexpectedInterrupt47
60: 805410a0 nt!KiUnexpectedInterrupt48
61: 805410aa nt!KiUnexpectedInterrupt49
62: 805410b4 nt!KiUnexpectedInterrupt50
63: 8a0004ec b9f3dbca (KINTERRUPT 8a0004b0)
          b9f00bd8 (KINTERRUPT 89f84bb0)
64: 805410c8 nt!KiUnexpectedInterrupt52
65: 805410d2 nt!KiUnexpectedInterrupt53
66: 805410dc nt!KiUnexpectedInterrupt54
67: 805410e6 nt!KiUnexpectedInterrupt55
68: 805410f0 nt!KiUnexpectedInterrupt56
69: 805410fa nt!KiUnexpectedInterrupt57
6a: 80541104 nt!KiUnexpectedInterrupt58
6b: 8054110e nt!KiUnexpectedInterrupt59
6c: 80541118 nt!KiUnexpectedInterrupt60
6d: 80541122 nt!KiUnexpectedInterrupt61
6e: 8054112c nt!KiUnexpectedInterrupt62
6f: 80541136 nt!KiUnexpectedInterrupt63
70: 80541140 nt!KiUnexpectedInterrupt64
71: 8054114a nt!KiUnexpectedInterrupt65
72: 80541154 nt!KiUnexpectedInterrupt66
73: 8a157b1c ba517e80 (KINTERRUPT 8a157ae0)
          b9f00bd8 (KINTERRUPT 8a007bb0)
          b9c75b78 (KINTERRUPT 89f86bb0)
74: 80541168 nt!KiUnexpectedInterrupt68
75: 80541172 nt!KiUnexpectedInterrupt69
76: 8054117c nt!KiUnexpectedInterrupt70
77: 80541186 nt!KiUnexpectedInterrupt71
78: 80541190 nt!KiUnexpectedInterrupt72
79: 8054119a nt!KiUnexpectedInterrupt73
7a: 805411a4 nt!KiUnexpectedInterrupt74
7b: 805411ae nt!KiUnexpectedInterrupt75
7c: 805411b8 nt!KiUnexpectedInterrupt76
7d: 805411c2 nt!KiUnexpectedInterrupt77
7e: 805411cc nt!KiUnexpectedInterrupt78
7f: 805411d6 nt!KiUnexpectedInterrupt79
80: 805411e0 nt!KiUnexpectedInterrupt80
81: 805411ea nt!KiUnexpectedInterrupt81
82: 805411f4 nt!KiUnexpectedInterrupt82
83: 8a5c79ec ba6d8da8 (KINTERRUPT 8a5c79b0)
          b9f3dbca (KINTERRUPT 89f87bb0)
84: 80541208 nt!KiUnexpectedInterrupt84
85: 80541212 nt!KiUnexpectedInterrupt85
86: 8054121c nt!KiUnexpectedInterrupt86
87: 80541226 nt!KiUnexpectedInterrupt87
88: 80541230 nt!KiUnexpectedInterrupt88
89: 8054123a nt!KiUnexpectedInterrupt89
8a: 80541244 nt!KiUnexpectedInterrupt90
8b: 8054124e nt!KiUnexpectedInterrupt91
8c: 80541258 nt!KiUnexpectedInterrupt92
8d: 80541262 nt!KiUnexpectedInterrupt93
8e: 8054126c nt!KiUnexpectedInterrupt94
8f: 80541276 nt!KiUnexpectedInterrupt95
90: 80541280 nt!KiUnexpectedInterrupt96
91: 8054128a nt!KiUnexpectedInterrupt97
92: 89d42bec baa88a30 (KINTERRUPT 89d42bb0)
93: 89fffbec baa98495 (KINTERRUPT 89fffbb0)
94: 805412a8 nt!KiUnexpectedInterrupt100
95: 805412b2 nt!KiUnexpectedInterrupt101
96: 805412bc nt!KiUnexpectedInterrupt102
97: 805412c6 nt!KiUnexpectedInterrupt103
98: 805412d0 nt!KiUnexpectedInterrupt104
99: 805412da nt!KiUnexpectedInterrupt105
9a: 805412e4 nt!KiUnexpectedInterrupt106
9b: 805412ee nt!KiUnexpectedInterrupt107
9c: 805412f8 nt!KiUnexpectedInterrupt108
9d: 80541302 nt!KiUnexpectedInterrupt109
9e: 8054130c nt!KiUnexpectedInterrupt110
9f: 80541316 nt!KiUnexpectedInterrupt111
a0: 80541320 nt!KiUnexpectedInterrupt112
a1: 8054132a nt!KiUnexpectedInterrupt113
a2: 80541334 nt!KiUnexpectedInterrupt114
a3: 89f9684c baa9fd80 (KINTERRUPT 89f96810)
a4: 80541348 nt!KiUnexpectedInterrupt116
a5: 80541352 nt!KiUnexpectedInterrupt117
a6: 8054135c nt!KiUnexpectedInterrupt118
a7: 80541366 nt!KiUnexpectedInterrupt119
a8: 80541370 nt!KiUnexpectedInterrupt120
a9: 8054137a nt!KiUnexpectedInterrupt121
aa: 80541384 nt!KiUnexpectedInterrupt122
ab: 8054138e nt!KiUnexpectedInterrupt123
ac: 80541398 nt!KiUnexpectedInterrupt124
ad: 805413a2 nt!KiUnexpectedInterrupt125
ae: 805413ac nt!KiUnexpectedInterrupt126
af: 805413b6 nt!KiUnexpectedInterrupt127
b0: 805413c0 nt!KiUnexpectedInterrupt128
b1: 8a54b3e4 ba78431e (KINTERRUPT 8a54b3a8)
b2: 89d423fc baa88a30 (KINTERRUPT 89d423c0)
b3: 805413de nt!KiUnexpectedInterrupt131
b4: 805413e8 nt!KiUnexpectedInterrupt132
b5: 805413f2 nt!KiUnexpectedInterrupt133
b6: 805413fc nt!KiUnexpectedInterrupt134
b7: 80541406 nt!KiUnexpectedInterrupt135
b8: 80541410 nt!KiUnexpectedInterrupt136
b9: 8054141a nt!KiUnexpectedInterrupt137
ba: 80541424 nt!KiUnexpectedInterrupt138
bb: 8054142e nt!KiUnexpectedInterrupt139
bc: 80541438 nt!KiUnexpectedInterrupt140
bd: 80541442 nt!KiUnexpectedInterrupt141
be: 8054144c nt!KiUnexpectedInterrupt142
bf: 80541456 nt!KiUnexpectedInterrupt143
c0: 80541460 nt!KiUnexpectedInterrupt144
c1: 806e4ac0
c2: 80541474 nt!KiUnexpectedInterrupt146
c3: 8054147e nt!KiUnexpectedInterrupt147
c4: 80541488 nt!KiUnexpectedInterrupt148
c5: 80541492 nt!KiUnexpectedInterrupt149
c6: 8054149c nt!KiUnexpectedInterrupt150
c7: 805414a6 nt!KiUnexpectedInterrupt151
c8: 805414b0 nt!KiUnexpectedInterrupt152
c9: 805414ba nt!KiUnexpectedInterrupt153
ca: 805414c4 nt!KiUnexpectedInterrupt154
cb: 805414ce nt!KiUnexpectedInterrupt155
cc: 805414d8 nt!KiUnexpectedInterrupt156
cd: 805414e2 nt!KiUnexpectedInterrupt157
ce: 805414ec nt!KiUnexpectedInterrupt158
cf: 805414f6 nt!KiUnexpectedInterrupt159
d0: 80541500 nt!KiUnexpectedInterrupt160
d1: 806e3e54
d2: 80541514 nt!KiUnexpectedInterrupt162
d3: 8054151e nt!KiUnexpectedInterrupt163
d4: 80541528 nt!KiUnexpectedInterrupt164
d5: 80541532 nt!KiUnexpectedInterrupt165
d6: 8054153c nt!KiUnexpectedInterrupt166
d7: 80541546 nt!KiUnexpectedInterrupt167
d8: 80541550 nt!KiUnexpectedInterrupt168
d9: 8054155a nt!KiUnexpectedInterrupt169
da: 80541564 nt!KiUnexpectedInterrupt170
db: 8054156e nt!KiUnexpectedInterrupt171
dc: 80541578 nt!KiUnexpectedInterrupt172
dd: 80541582 nt!KiUnexpectedInterrupt173
de: 8054158c nt!KiUnexpectedInterrupt174
df: 80541596 nt!KiUnexpectedInterrupt175
e0: 805415a0 nt!KiUnexpectedInterrupt176
e1: 806e5048
e2: 805415b4 nt!KiUnexpectedInterrupt178
e3: 806e4dac
e4: 805415c8 nt!KiUnexpectedInterrupt180
e5: 805415d2 nt!KiUnexpectedInterrupt181
e6: 805415dc nt!KiUnexpectedInterrupt182
e7: 805415e6 nt!KiUnexpectedInterrupt183
e8: 805415f0 nt!KiUnexpectedInterrupt184
e9: 805415fa nt!KiUnexpectedInterrupt185
ea: 80541604 nt!KiUnexpectedInterrupt186
eb: 8054160e nt!KiUnexpectedInterrupt187
ec: 80541618 nt!KiUnexpectedInterrupt188
ed: 80541622 nt!KiUnexpectedInterrupt189
ee: 80541629 nt!KiUnexpectedInterrupt190
ef: 80541630 nt!KiUnexpectedInterrupt191
f0: 80541637 nt!KiUnexpectedInterrupt192
f1: 8054163e nt!KiUnexpectedInterrupt193
f2: 80541645 nt!KiUnexpectedInterrupt194
f3: 8054164c nt!KiUnexpectedInterrupt195
f4: 80541653 nt!KiUnexpectedInterrupt196
f5: 8054165a nt!KiUnexpectedInterrupt197
f6: 80541661 nt!KiUnexpectedInterrupt198
f7: 80541668 nt!KiUnexpectedInterrupt199
f8: 8054166f nt!KiUnexpectedInterrupt200
f9: 80541676 nt!KiUnexpectedInterrupt201
fa: 8054167d nt!KiUnexpectedInterrupt202
fb: 80541684 nt!KiUnexpectedInterrupt203
fc: 8054168b nt!KiUnexpectedInterrupt204
fd: 806e55a8
fe: 806e5748
ff: 805416a0 nt!KiUnexpectedInterrupt207

 

This listing is produced by WinDbg's own parsing. How would we get the same information by reading the memory behind the IDT ourselves?
Before we look at that memory we need to know the IDTR register. It is 48 bits wide and holds the IDT base address and the IDT limit.
Here is its layout:

 

IDTR register structure
47                              16 15              0
+---------------------------------+-----------------+
|        IDT Base Address         |    IDT Limit    |
|    (HiIDTBase | LowIDTBase)     |                 |
+---------------------------------+-----------------+

 

We can read IDTR with the SIDT instruction. From the base address in IDTR we reach the IDT itself, which has 0x100 entries. These entries
are called descriptors, and we can draw their layout as well.
There are 3 different kinds of descriptor: Interrupt Gate, Trap Gate and Task Gate.
Here is the Interrupt Gate:

 

Interrupt Gate (high dword)
31                 16 15 14  13 12 11    8 7           0
+--------------------+--+------+--+-------+-------------+
|   Offset 31..16    |P | CPL  |fl| type  |             |
+--------------------+--+------+--+-------+-------------+

Interrupt Gate (low dword)
31                 16 15                 0
+--------------------+-------------------+
|  Segment Selector  |   Offset 15..0    |
+--------------------+-------------------+

 


On my computer, reading IDTR with the SIDT instruction gives:

IDT Base Address: 0x8003f400
IDT Limit: 0x7ff

 

 

Memory in 0x8003f400:
8003f400 50 25 08 00 00 8e 54 80 cc 26 08 00 00 8e 54 80  P%....T..&....T.
8003f410 2e 11 58 00 00 85 00 00 e0 2a 08 00 00 ee 54 80  ..X......*....T.
8003f420 60 2c 08 00 00 ee 54 80 c0 2d 08 00 00 8e 54 80  `,....T..-....T.
8003f430 34 2f 08 00 00 8e 54 80 ac 35 08 00 00 8e 54 80  4/....T..5....T.
8003f440 88 11 50 00 00 85 00 00 b0 39 08 00 00 8e 54 80  ..P......9....T.
8003f450 d0 3a 08 00 00 8e 54 80 10 3c 08 00 00 8e 54 80  .:....T..<....T.
8003f460 70 3e 08 00 00 8e 54 80 5c 41 08 00 00 8e 54 80  p>....T.\A....T.
8003f470 58 48 08 00 00 8e 54 80 90 4b 08 00 00 8e 54 80  XH....T..K....T.
[...]

8003f480 b0 4c 08 00 00 8e 54 80 ec 4d 08 00 00 8e 54 80  .L....T..M....T.
8003f490 90 4b a0 00 00 85 54 80 54 4f 08 00 00 8e 54 80  .K....T.TO....T.
8003f4a0 90 4b 08 00 00 8e 54 80 90 4b 08 00 00 8e 54 80  .K....T..K....T.
8003f4b0 90 4b 08 00 00 8e 54 80 90 4b 08 00 00 8e 54 80  .K....T..K....T.
8003f4c0 90 4b 08 00 00 8e 54 80 90 4b 08 00 00 8e 54 80  .K....T..K....T.
8003f4d0 90 4b 08 00 00 8e 54 80 90 4b 08 00 00 8e 54 80  .K....T..K....T.
8003f4e0 90 4b 08 00 00 8e 54 80 90 4b 08 00 00 8e 54 80  .K....T..K....T.
8003f4f0 90 4b 08 00 00 8e 54 80 0c 51 08 00 00 8e 6e 80  .K....T..Q....n.
[...]
8003f500 00 00 08 00 00 00 00 00 00 00 08 00 00 00 00 00  ................
8003f510 00 00 08 00 00 00 00 00 00 00 08 00 00 00 00 00  ................
8003f520 00 00 08 00 00 00 00 00 00 00 08 00 00 00 00 00  ................
8003f530 00 00 08 00 00 00 00 00 00 00 08 00 00 00 00 00  ................
8003f540 00 00 08 00 00 00 00 00 00 00 08 00 00 00 00 00  ................
8003f550 7e 1d 08 00 00 ee 54 80 80 1e 08 00 00 ee 54 80  ~.....T.......T.
8003f560 30 20 08 00 00 ee 54 80 c4 cd 08 00 00 ee cb ba  0 ....T.........
8003f570 01 18 08 00 00 ee 54 80 90 4b 08 00 00 8e 54 80  ......T..K....T.
[...]

 

For example, the descriptor for int 0 is the first 8 bytes of the table:
8003f400 : 50 25 08 00 00 8e 54 80

 

High dword: bytes 00 8e 54 80, read little-endian = 0x80548e00
31                 16 15 14  13 12 11    8 7           0
+--------------------+--+------+--+-------+-------------+
|   Offset 31..16    |P | CPL  |fl| type  |             |
|      0x8054        |1 |  00  |0 | 1110  |  0000 0000  |
+--------------------+--+------+--+-------+-------------+

Low dword: bytes 50 25 08 00, read little-endian = 0x00082550
31                 16 15                 0
+--------------------+-------------------+
|  Segment Selector  |   Offset 15..0    |
|      0x0008        |      0x2550       |
+--------------------+-------------------+

 

Bits 8 to 12 give the descriptor type. int 0 is an interrupt, and type 0xE stands for an Interrupt Gate.
Indeed, WinDbg reported
int 00: 80542550 nt!KiTrap00, so the KiTrapXX series of functions are interrupt handlers.

 

There are other kinds as well. If we look at int 0x2,
8003f410: 2e 11 58 00 00 85 00 00
the descriptor type is 0x5 and the Interrupt Service Routine (ISR) offset is 0x0000112e, but 0x112e is not a valid address.
So how do we find the ISR of int 0x2? The gate descriptor also carries a field called the Segment Selector.
To get the ISR we use that selector to look up the GDT, so the real ISR address is the GDT descriptor's base plus the offset from the IDT.
(A GDT descriptor has the same general shape as an IDT descriptor.)
int 0: the Segment Selector is 0x8.
In the GDT:
Sel   Type    Base      Limit     DPL  Attributes
0008  Code32  00000000  FFFFFFFF  0    RE

So int 0's ISR = 80542550 + 0.

int 2: the Segment Selector is 0x58.
In the GDT:
Sel    Type   Base      Limit     DPL  Attributes
00058  TSS32  80872368  00000068  0    P
This segment's type is TSS32, so int 2 is a Task Gate.
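As an added example (my own code, not from the original post), the following C program decodes the two raw 8-byte entries quoted above (int 0 at 8003f400 and int 2 at 8003f410) into selector, offset, P, privilege and type fields, names the gate type, and shows why the offset is only meaningful for interrupt and trap gates. The names decode_gate, gate_handler and gate_type_name are mine.

```c
#include <stdint.h>
#include <stdio.h>
/* 4-bit gate type field, bits 11..8 of the high dword (32-bit protected mode). */
enum { GATE_TASK = 0x5, GATE_INT32 = 0xE, GATE_TRAP32 = 0xF };
typedef struct {
    uint16_t selector;  /* low dword bits 31..16: code segment (or TSS) selector */
    uint32_t offset;    /* high dword bits 31..16 joined with low dword bits 15..0 */
    unsigned type;      /* high dword bits 11..8 */
    unsigned dpl;       /* high dword bits 14..13: privilege level (labelled CPL in the post) */
    unsigned present;   /* high dword bit 15 */
} gate_t;
/* Decode one 8-byte little-endian IDT entry, in the byte order windbg shows. */
gate_t decode_gate(const uint8_t e[8])
{
    uint32_t lo = e[0] | e[1] << 8 | e[2] << 16 | (uint32_t)e[3] << 24;
    uint32_t hi = e[4] | e[5] << 8 | e[6] << 16 | (uint32_t)e[7] << 24;
    gate_t g;
    g.selector = (uint16_t)(lo >> 16);
    g.offset   = (hi & 0xFFFF0000u) | (lo & 0xFFFFu);
    g.type     = (hi >> 8) & 0xF;
    g.dpl      = (hi >> 13) & 0x3;
    g.present  = (hi >> 15) & 0x1;
    return g;
}
/* Interrupt/trap gate: handler = base of the selector's segment + offset (base 0 for
 * the flat selector 0x0008). Task gate: offset is unused, selector names a TSS -> 0. */
uint32_t gate_handler(const gate_t *g, uint32_t seg_base)
{
    return g->type == GATE_TASK ? 0 : seg_base + g->offset;
}
const char *gate_type_name(unsigned type)
{
    switch (type) {
    case GATE_TASK:   return "Task Gate (selector -> TSS in GDT)";
    case GATE_INT32:  return "32-bit Interrupt Gate";
    case GATE_TRAP32: return "32-bit Trap Gate";
    default:          return "other";
    }
}
int main(void)
{
    /* Bytes copied from the dump in the post: int 0 at 8003f400, int 2 at 8003f410. */
    const uint8_t ents[2][8] = { {0x50,0x25,0x08,0x00,0x00,0x8e,0x54,0x80},
                                 {0x2e,0x11,0x58,0x00,0x00,0x85,0x00,0x00} };
    for (int i = 0; i < 2; i++) {
        gate_t g = decode_gate(ents[i]);
        printf("int %d: sel=%04x off=%08x P=%u DPL=%u type=%x -> %s\n", i * 2,
               g.selector, g.offset, g.present, g.dpl, g.type, gate_type_name(g.type));
    }
}
```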

In the IDT most descriptors are Interrupt Gates. Next, we will use WinDbg to trace the interrupt handling procedure.

posted on 2009-04-28 12:54 by adward