2

I am trying to read data from a CPU control register using inline assembly. I'm initially targeting x86-64. I'm not that familiar with C or assembly, but I've managed to put together a very simple attempt as follows:

#include <stdio.h>
#include <stdint.h>

int main() {
    uint64_t result;
    asm ("movq %%cr4, %0;"
         : "=r" (result) ::
    );

    printf("result: %llu \n", (unsigned long long)result);

    return 0;
}

This compiles but throws a runtime error in gdb:

Thread 1 received signal SIGILL, Illegal instruction.
main () at main.c:6
6           asm ("movq %%cr4, %0;"

I think the C/assembly is correct as I'm able to pull values from other registers. I presume the error is due to the fact that I'm not running in kernel mode (based on what I've read), but I don't fully understand what that entails, and with my limited understanding of C/assembly I'm not sure I should be playing with kernel mode just yet.

Is there any other way of doing this outside of kernel mode? For example, is this info available via an exposed DLL call somewhere?

I would welcome any comments on the implications of running an app in kernel mode.

SwiftD
  • You're correct, kernel mode is a separate thing from user-space with admin privileges. No idea if Windows exports the value of CR4 through any API, or what it would take to install your app as a "driver". On Linux you'd need a custom kernel module to run your own code in kernel mode. – Peter Cordes Sep 28 '17 at 01:12
  • Are you sure you even need to know [the bits in CR4](https://en.wikipedia.org/wiki/Control_register#CR4)? – Peter Cordes Sep 28 '17 at 01:13
  • Well, I've looked into a lot of other options; until I can look at the flags I'm not 100% sure this will help. Essentially I'm looking for a way to detect if VMX (virtualization) extensions are enabled. I have a solution for everything but Win7 and every other avenue has come up blank. I have a way to confirm if the extensions are available and which ones (Intel / AMD), but this is the only place I can find a flag to say if it's enabled. Another approach might be to try calling an instruction in the extensions... but I bet they only work in kernel mode :) – SwiftD Sep 28 '17 at 01:18
  • I have a more general query here: https://stackoverflow.com/questions/46451787/programmatically-detect-if-hardware-virtualization-is-enabled-on-windows-7 this question was to attempt the more targeted approach – SwiftD Sep 28 '17 at 01:22
  • 1
    I haven't looked into which bit where means what, but is there a CPUID feature bit that's useful? That might tell you if it's available even if not currently in use. Not sure if that's what you want. – Peter Cordes Sep 28 '17 at 01:44
  • 3
    You can test if CR4.VMXE is set by executing the VMXON instruction. It'll cause an undefined instruction fault if it's 0 and a general protection fault if not. However CR4.VMXE doesn't tell you if VMX has been disabled in the BIOS settings, since the BIOS doesn't change CR4. It changes bits in the IA32_FEATURE_CONTROL MSR which afterwards can't be changed again unless the CPU is reset. To see if the VMX has been disabled in this way use the CPUID instruction with EAX set to 1 and see if VMX bit is set in ECX. If it's not set either the CPU doesn't support VMX or the BIOS has disabled it. – Ross Ridge Sep 28 '17 at 01:47
  • Ross it sounds like you may have just solved my puzzle, I think I started with CPUID but didn't realise the info I needed was in there. I will attempt your suggestion tomorrow and report back. Thanks to you and Peter for pointing me in the right direction! If you want to submit as an answer to the linked question I will test and accept - if not I will answer so info is out there. I think I will close this question as misguided if all goes to plan – SwiftD Sep 28 '17 at 02:11
  • @Ross I had a go at this approach and it seems that the VMX bit is set in the CPUID ECX register as long as the processor supports it. It doesn't seem to change if the feature is disabled in the BIOS – SwiftD Sep 28 '17 at 13:59
  • Hmm.. yah, I just tested it and it doesn't seem to affect the VMX bit. I don't think there's any way in user mode of testing whether or not VMX has been disabled in the BIOS other than trying to start a VM that requires it. If you happen to be using VirtualBox then it has an API for checking whether hardware virtualization is supported, otherwise you'd need to use something like BeeOnRope suggested to test the bits in the IA32_FEATURE_CONTROL MSR. – Ross Ridge Sep 28 '17 at 17:02
  • Thanks for confirming. Yeh, I'm going to have a go with WinRing and report back. I am using VirtualBox, but I want to run this check before installing it to confirm it's going to work; the current situation is we install VirtualBox then find out there is a problem and have to uninstall again - that's exactly what I need to fix :) – SwiftD Sep 28 '17 at 17:59

1 Answer

4

Update: This answer is not appropriate for CR registers, per this comment.


What you're looking for is the so-called 'WinRing0.sys' driver, which exposes an API allowing you to read from user-mode all the various interesting MSRs that are only available to kernel (ring 0) code.

This is an open-source component, but most importantly someone has already paid to sign the driver so it can be loaded in Windows (as an individual, it is practically impossible to sign a current Windows driver even if you are willing to pay). You can find the 32-bit and 64-bit (WinRing0x64.sys) binaries here.

More details are available in this answer - the question there is about programming performance counters, but the access needed is the same and WinRing0.sys will work for both use-cases.

BeeOnRope
  • Thanks Bee, I have downloaded WinRing, looks promising - I'll have a go and report back – SwiftD Sep 28 '17 at 15:08
  • 1
    WinRing0 has no API for reading control registers, as well as for writing them. Please note CR != MSR – CodeDemen Sep 05 '18 at 19:17
  • @CodeDemen - oops, good point! I guess WinRing0 is not suitable for this purpose unless you can find an MSR that somehow duplicates or otherwise gives access to the CR you want. – BeeOnRope Sep 05 '18 at 19:18
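
The two checks discussed in Ross Ridge's comments and in the answer above, as an added example that is not code from the thread or from WinRing0: the user-mode CPUID.1:ECX VMX bit, and the interpretation of a raw IA32_FEATURE_CONTROL value once some ring-0 reader has returned it. The MSR number 0x3A and its bit layout are taken from the Intel SDM; the function and enum names are hypothetical, the sample values are constructed, and only Intel VMX is covered.

```c
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>              /* GCC/Clang wrapper around the CPUID instruction */
#endif

/* IA32_FEATURE_CONTROL (MSR 0x3A) bits, per the Intel SDM. */
#define FC_LOCK            (1ull << 0) /* set: MSR is read-only until CPU reset */
#define FC_VMX_OUTSIDE_SMX (1ull << 2) /* set: VMXON permitted outside SMX */

/* Hypothetical names for the four outcomes this example distinguishes. */
enum vmx_state { VMX_UNSUPPORTED, VMX_FW_DISABLED, VMX_UNLOCKED, VMX_ENABLED };

/* CPUID leaf 1, ECX bit 5: the CPU implements VMX. As the comments above
 * found, this bit does not change when firmware disables the feature. */
int cpu_has_vmx(void) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return 0;
    return (ecx >> 5) & 1;
#else
    return 0;                   /* not an x86 build: no CPUID, no VMX */
#endif
}

/* Classify a raw MSR 0x3A value supplied by a ring-0 reader (not read here). */
enum vmx_state classify_vmx(int cpuid_vmx, uint64_t feature_control) {
    if (!cpuid_vmx)
        return VMX_UNSUPPORTED;
    if (!(feature_control & FC_LOCK))
        return VMX_UNLOCKED;    /* VMXON faults until ring 0 sets and locks the MSR */
    if (feature_control & FC_VMX_OUTSIDE_SMX)
        return VMX_ENABLED;
    return VMX_FW_DISABLED;     /* locked with the enable bit clear */
}

int main(void) {
    /* Constructed sample MSR values, not read from hardware. */
    static const uint64_t samples[] = { 0x0, 0x1, 0x4, 0x5 };
    static const char *names[] = { "unsupported", "disabled by firmware",
                                   "unlocked", "enabled" };
    printf("CPUID.1:ECX.VMX = %d\n", cpu_has_vmx());
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("MSR 0x3A = 0x%llx -> %s\n", (unsigned long long)samples[i],
               names[classify_vmx(1, samples[i])]);
    return 0;
}
```
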