Reversing : The Hacker's Guide to Reverse Engineering

This is why operating systems use a special mechanism for switching from
user mode to kernel mode. The general idea is that the user-mode code
invokes a special CPU instruction that tells the processor to switch to its
privileged mode (the CPU's terminology for kernel-mode execution) and call a
special dispatch routine. This dispatch routine then calls the specific system
function requested from user mode.
The specific details of how this is implemented have changed after Windows
2000, so I'll just quickly describe both methods. In Windows 2000 and
earlier, the system would invoke interrupt 2E in order to call into the kernel.
The following sequence is a typical Windows 2000 system call.

ntdll!ZwReadFile:
77f8c552 mov eax,0xa1
77f8c557 lea edx,[esp+0x4]
77f8c55b int 2e
77f8c55d ret 0x24

The EAX register is loaded with the service number (we'll get to this in a
minute), and EDX points to the first parameter that the kernel-mode function
receives. When the int 2e instruction is invoked, the processor uses the
interrupt descriptor table (IDT) in order to determine which interrupt handler to call.
The IDT is a processor-owned table that tells the processor which routine to
invoke whenever an interrupt or an exception takes place. The IDT entry for
interrupt number 2E points to an internal NTOSKRNL function called
KiSystemService, which is the kernel service dispatcher. KiSystemService
verifies that the service number and stack pointer are valid and calls into the
specific kernel function requested. The actual call is performed using the
KiServiceTable array, which contains pointers to the various supported
kernel services. KiSystemService simply uses the request number loaded
into EAX as an index into KiServiceTable.
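
The following is an added example, not code from the book: a small user-mode C model of the dispatch path just described. A stub loads the service number into "EAX" and the argument pointer into "EDX", the trap (int 2e or SYSENTER) is modelled as a plain function call, and a table indexed by the service number routes to the handler. The names ki_system_service and ki_service_table imitate the NTOSKRNL names in the text but are this example's own, the table size and the handler body are assumptions, and the user stack contents are constructed. The two checks the text attributes to KiSystemService, a valid service number and a valid argument pointer, are the part worth studying: both run before anything is read through the user-supplied pointer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t ntstatus_t;
typedef ntstatus_t (*service_fn)(const uint32_t *args);

/* Real NTSTATUS codes for the two rejection paths modelled below. */
#define STATUS_SUCCESS                0x00000000u
#define STATUS_INVALID_SYSTEM_SERVICE 0xC000001Cu
#define STATUS_ACCESS_VIOLATION       0xC0000005u

#define ZW_READ_FILE_SERVICE 0xA1u  /* service number from the ZwReadFile stub */
#define SERVICE_TABLE_SIZE   0xA2u  /* assumed: just large enough for that slot */
#define MAX_ARG_DWORDS       16u

/* One slot per service: handler plus argument size. The stub's `ret 0x24`
 * is the user-side view of the same count: 0x24 bytes = nine DWORD args. */
struct service_entry {
    service_fn fn;
    uint32_t   arg_bytes;
};

/* Stand-in for the kernel-side NtReadFile (hypothetical body): it records
 * the Length argument (7th parameter) so a caller can see it arrived. */
static uint32_t last_read_length;

static ntstatus_t svc_read_file(const uint32_t *args)
{
    last_read_length = args[6];
    return STATUS_SUCCESS;
}

/* Sparse table: only slot 0xA1 is populated; NULL slots must be rejected. */
static const struct service_entry ki_service_table[SERVICE_TABLE_SIZE] = {
    [ZW_READ_FILE_SERVICE] = { svc_read_file, 0x24 },
};

/* The dispatcher the int 2e handler lands in. eax = service number,
 * edx = user stack pointer to the first argument. user_lo/user_hi model
 * the user-accessible address range. */
static ntstatus_t ki_system_service(uint32_t eax, const uint32_t *edx,
                                    const uint32_t *user_lo,
                                    const uint32_t *user_hi)
{
    /* Check 1: the service number must index a populated table slot. */
    if (eax >= SERVICE_TABLE_SIZE || ki_service_table[eax].fn == NULL)
        return STATUS_INVALID_SYSTEM_SERVICE;

    size_t nargs = ki_service_table[eax].arg_bytes / sizeof(uint32_t);
    if (nargs > MAX_ARG_DWORDS)
        return STATUS_INVALID_SYSTEM_SERVICE;

    /* Check 2: every argument must lie inside user memory. Done as integer
     * arithmetic so an out-of-range pointer is never dereferenced or
     * compared as a pointer. */
    uintptr_t lo = (uintptr_t)user_lo, hi = (uintptr_t)user_hi, p = (uintptr_t)edx;
    if (p < lo || p > hi || (hi - p) / sizeof(uint32_t) < nargs)
        return STATUS_ACCESS_VIOLATION;

    /* Copy the arguments to a kernel-side buffer; the handler never touches
     * user memory directly. */
    uint32_t kargs[MAX_ARG_DWORDS];
    memcpy(kargs, edx, nargs * sizeof(uint32_t));
    return ki_service_table[eax].fn(kargs);
}

/* Model of ntdll!ZwReadFile: mov eax,0xa1 / lea edx,[esp+4] / trap. */
static ntstatus_t zw_read_file_stub(const uint32_t *user_stack,
                                    const uint32_t *user_lo,
                                    const uint32_t *user_hi)
{
    uint32_t eax = ZW_READ_FILE_SERVICE;
    const uint32_t *edx = user_stack;
    return ki_system_service(eax, edx, user_lo, user_hi); /* int 2e */
}

/* Constructed user stack: the nine NtReadFile arguments in order
 * (FileHandle, Event, ApcRoutine, ApcContext, IoStatusBlock, Buffer,
 * Length, ByteOffset, Key), with Length = 0x1000. */
static uint32_t user_stack[9] = { 4, 0, 0, 0, 0x0012FF00, 0x00400000, 0x1000, 0, 0 };

static ntstatus_t demo_valid_call(void)
{
    return zw_read_file_stub(user_stack, user_stack, user_stack + 9);
}
static ntstatus_t demo_bad_service(void)          /* index past the table */
{
    return ki_system_service(0x200, user_stack, user_stack, user_stack + 9);
}
static ntstatus_t demo_unimplemented_service(void) /* NULL slot */
{
    return ki_system_service(0, user_stack, user_stack, user_stack + 9);
}
static ntstatus_t demo_bad_pointer(void)           /* only 4 of 9 args in range */
{
    return ki_system_service(ZW_READ_FILE_SERVICE, user_stack + 5,
                             user_stack, user_stack + 9);
}
static uint32_t get_last_read_length(void) { return last_read_length; }

int main(void)
{
    printf("valid call:    0x%08X (Length=0x%X)\n",
           (unsigned)demo_valid_call(), (unsigned)get_last_read_length());
    printf("bad service:   0x%08X\n", (unsigned)demo_bad_service());
    printf("unimplemented: 0x%08X\n", (unsigned)demo_unimplemented_service());
    printf("bad pointer:   0x%08X\n", (unsigned)demo_bad_pointer());
    return 0;
}
```

The order of the checks matters: the table index is validated before it is used, and the pointer range is validated before the copy, so a bad EAX or EDX from user mode produces a status code rather than a kernel read through an attacker-controlled pointer.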
More recent versions of the operating system use an optimized version of
the same mechanism. Instead of invoking an interrupt in order to perform the
switch to kernel mode, the system now uses the special SYSENTER instruction
in order to perform the switch. SYSENTER is essentially a high-performance
kernel-mode switch instruction that calls into a predetermined function whose
address is stored in a special model-specific register (MSR) called
SYSENTER_EIP_MSR. Needless to say, the contents of MSRs can only be
accessed from kernel mode. Inside the kernel the new implementation is quite
similar and goes through KiSystemService and KiServiceTable in the
same way it did in Windows 2000 and older systems. The following is a
typical system API in recent versions of Windows such as Windows Server 2003
and Windows XP.

92 Chapter 3
