相信大家都不陌生call指令了,但除了常見的段內調用(CS當前指向的段)外,還有其他幾種不同的調用,手冊上說明是有4種,在第 2A 卷: 指令集參考(A-L)中的CALL—Call Procedure
其中我們要說的另一種就是Far Call(段間調用),Far Call也分爲兩種類型,一種是特權級別相同的段間調用,一種是特權級別不同的段間調用
我們先來看看段內調用和段間調用的區別,在手冊中第 1 卷: 基本架構的6.31中
共同點是都會改變Stack和EIP,不同點是Far Call還會改變CS並且會把調用前的CS壓入棧中,在返回的時候也不同,Far Call會將棧頂返回地址pop到eip中,然後再將段選擇子pop到cs中,返回時候具體區別在第 2B 卷: 指令集參考(M-Z)中的RET—Return from Procedure
還有一種就是特權級別不同之間的Far Call和return,這個解釋在手冊中的第 1 卷: 基本架構 6.3.6 CALL and RET Operation Between Privilege Levels
這裏改變的值有eip cs ss esp,壓入堆棧的東西也不同,保存了切換前代碼段的堆棧位置,因爲特權級別的不同發生了堆棧的切換,但切換esp和ss的值從哪來,這裏有說明
- Temporarily saves (internally) the current contents of the SS, ESP, CS, and EIP registers.
- Loads the segment selector and stack pointer for the new stack (that is, the stack for the privilege level being
called) from the TSS into the SS and ESP registers and switches to the new stack.- Pushes the temporarily saved SS and ESP values for the calling procedure’s stack onto the new stack.
這裏要注意的一點是如果在Far Calls in Protected Mode下(第 2A 卷: 指令集參考(A-L)CALL—Call Procedure),那麼
大概意思就是會通過提供的段選擇子來進行對段描述符的訪問
這裏提出瞭如果是不同權限間的代碼段調用,使用調用門是首選的辦法,使用調用門會進行權限的提升,後面還說了
When executing an inter-privilege-level far call, the code segment for the procedure being called must be accessed through a call gate. The segment selector specified by the target operand identifies the call gate. Here again, the target operand can specify the call gate segment selector either directly with a pointer (ptr16:16 or ptr16:32) or indirectly with a memory location (m16:16 or m16:32). The processor obtains the segment selector for the new code segment and the new instruction pointer (offset) from the call gate descriptor. (The offset from the target operand is ignored when a call gate is used.) On inter-privilege-level calls, the processor switches to the stack for the privilege level of the called procedure. The segment selector for the new stack segment is specified in the TSS for the currently running task. The branch to the new code segment occurs after the stack switch. (Note that when using a call gate to perform a far call to a segment at the same privilege level, no stack switch occurs.) On the new stack, the processor pushes the segment selector and stack pointer for the calling procedure’s stack, an (optional) set of parameters from the calling procedures stack, and the segment selector and instruction pointer for the calling procedure’s code segment. (A value in the call gate descriptor determines how many parameters to copy to the new stack.) Finally, the processor branches to the address of the procedure being called within the new code segment.
大概理解一下就是在執行特權級之間的遠距離調用時,必須通過調用門訪問被調用過程的代碼段。目標操作數指定的段選擇子標識了調用門。處理器從調用門描述符中獲取新代碼段的段選擇子和新指令指針(偏移量).(使用調用門時,與目標操作數的偏移將被忽略。)
舉個例子,call cs:eip這裏這條指令
在執行特權級之間的遠距離調用時,必須通過調用門,而cs指向的段描述符必須是一個調用門,而我們cpu最終執行代碼的位置並不是由後面接的操作數eip決定的,而是通過cs中指向的調用門中獲取新代碼段的段選擇子和新指令指針(偏移量),也就是在使用調用門時候後面的eip是被忽略的
如果是同級別的話
A far call to the same privilege level in protected mode is very similar to one carried out in real-address or virtual-8086 mode. The target operand specifies an absolute far address either directly with a pointer (ptr16:16 or ptr16:32) or indirectly with a memory location (m16:16 or m16:32). The operandsize attribute determines the size of the offset (16 or 32 bits) in the far address. The new code segment selector and its descriptor are loaded into CS register, and the offset from the instruction is loaded into the EIP register
大概意思就是 目標操作數可以直接使用指針(ptr16:16或ptr16:32)或間接使用內存位置(m16:16或m16:32)指定絕對遠程地址。
新的代碼段選擇器及其描述符被加載到CS寄存器中,指令的偏移量被加載到EIP寄存器中。也就說是後面的EIP是有效的
總結一下:
1.跨段調用時,一旦有權限切換,就會切換堆棧
2.CS的權限一旦改變,SS的權限也要跟隨改變,CS和SS的權限等級必須一致
3.JMP FAR 只能跳轉到同級非一致代碼段,但CALL FAR 可以通過調用們進行提權,提升CPL權限
4.切換棧時候ESP和SS從哪來,參見TSS段
5.執行特權級之間的遠距離調用時call cs:eip中的Eip是被忽略的,如果是同級別權限eip則是有效的