Mechanism in Intel's x86 architecture for changing the privilege level

This article is about call gates on Intel x86 hardware. For more general information, see Privilege level.

A call gate is a mechanism in Intel's x86 architecture for changing the privilege level of a process when it executes a predefined function call using a CALL FAR instruction.

Overview

Call gates are intended to allow less privileged code to call code with a higher privilege level. This type of mechanism is essential in modern operating systems that employ memory protection since it allows user applications to use kernel functions and system calls in a way that can be controlled by the operating system.

Call gates use a special selector value to reference a descriptor accessed via the Global Descriptor Table or the Local Descriptor Table, which contains the information needed for the call across privilege boundaries. This is similar to the mechanism used for interrupts.

Usage

Assuming a call gate has been set up already by the operating system kernel, code simply does a CALL FAR with the necessary segment selector (the offset field is ignored). The processor will perform a number of checks to make sure the entry is valid and the code was operating at sufficient privilege to use the gate. Assuming all checks pass, a new CS/EIP is loaded from the segment descriptor, and continuation information is pushed onto the stack of the new privilege level (old SS, old ESP, old CS, old EIP, in that order). Parameters may also be copied from the old stack to the new stack if needed. The number of parameters to copy is located in the call gate descriptor.

The kernel may return to the user space program by using a RET FAR instruction which pops the continuation information off the stack and returns to the outer privilege level.

Format of call gate descriptor

    typedef struct _CALL_GATE
    {
        USHORT OffsetLow;            // low 16 bits of the entry point offset
        USHORT Selector;             // code segment selector of the target
        UCHAR  NumberOfArguments:5;  // parameters copied to the new stack
        UCHAR  Reserved:3;
        UCHAR  Type:5;               // 01100 in i386, 00100 in i286
        UCHAR  Dpl:2;                // descriptor privilege level of the gate
        UCHAR  Present:1;
        USHORT OffsetHigh;           // high 16 bits of the entry point offset
    } CALL_GATE, *PCALL_GATE;

Previous use

Multics was the first user of call gates. The Honeywell 6180 had call gates as part of the architecture, but Multics simulated them on the older GE 645.

OS/2 was an early user of Intel call gates to transfer between application code running in ring 3, privileged code running in ring 2, and kernel code in ring 0.

Windows 95 executes drivers and process switching in ring 0, while applications, including API DLLs such as kernel32.dll and krnl386.exe, are executed in ring 3. The driver VWIN32.VXD provides key operating system primitives at ring 0. It allows calling of driver functions from 16-bit applications (MS-DOS and Win16). This address is obtained by calling INT 2Fh, with 1684h in the AX register. To identify which VxD an entry point is being requested for, the BX register is set to the 16-bit VxD ID. Upon return from the INT instruction, the ES:DI registers contain a far pointer that can be called to transfer control to the VxD running at ring 0. The descriptor pointed to by ES is actually a call gate. 32-bit applications, however, when they need to access Windows 95 driver code, call the undocumented VxDCall function in KERNEL32.DLL, which essentially calls INT 30h, which changes ring mode.

Modern use

Modern x86 operating systems are transitioning away from CALL FAR call gates. With the introduction of x86 instructions for system call (SYSENTER/SYSEXIT by Intel and SYSCALL/SYSRET by AMD), a new faster mechanism was introduced for control transfers for x86 programs. As most other architectures do not support call gates, their use was rare even before these new instructions, as software interrupts or traps were preferred for portability, even though call gates are significantly faster than interrupts.

Call gates are more flexible than the SYSENTER/SYSEXIT and SYSCALL/SYSRET instructions since unlike the latter two, call gates allow for changing from an arbitrary privilege level to an arbitrary (albeit higher or equal) privilege level. The fast SYS* instructions only allow control transfers from ring 3 to 0 and vice versa.

Security issues

To preserve system security, the Global Descriptor Table must be held in protected memory; otherwise any program will be able to create its own call gate and use it to raise its privilege level. Call gates have been used in software security exploits, when ways have been found around this protection. One example of this is the e-mail worm Gurong.A, written to exploit the Microsoft Windows operating system, which uses \Device\PhysicalMemory to install a call gate.

See also

Global Descriptor Table
System call

References

Matt Pietrek, Windows 95 System Programming Secrets.
The Intel SYSRET privilege escalation. Xen Project Blog.
Worm:W32/Gurong.A Description. F-Secure Labs.
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.