x86, interrupt, kernel-mode, ntdll

Do Windows NT Native Applications have access to x86 software interrupts (like int 19)?


Let's say I want to write an application or driver that runs in Windows NT Native mode (i.e., uses nothing but NTDLL.DLL functions and runs when ntoskrnl.exe starts).

Would this application have access to x86 interrupts? I.e., could I write code like this:

    __asm
    {
        int 19
    }

And have it return back to the boot menu? Or is that still not allowed even in kernel mode?


Solution

  • No. There are a few things wrong with what you're asking.

    First of all, "Native Applications" (those linked only with NTDLL.dll) are still user mode (Ring 3) applications. They are not in kernel mode (Ring 0) - they have no extra privileges, as far as the CPU / hardware is concerned. They don't run automatically when the kernel starts.

    Secondly, what you're asking about (e.g. int 19h - Bootstrap loader) are 16-bit BIOS calls, not just general x86 interrupts. Since the system is running in Protected Mode, not even the kernel can call these.

    At some point in the boot process, when switching to protected mode, the kernel installs its own Interrupt Vector Table (IVT), which essentially overrides the one that the BIOS provided earlier for BIOS calls. The only entries in this table that are useful to a user-mode process are int 3 for breakpoints, and the one (whose number escapes me) for old-style system calls (on Linux it's int 80h).

    Read:
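
An added example, not part of the original question or answer: a small C model of the checks an x86 CPU applies to a software `int n` in protected mode, showing why ring 3 gets a general-protection fault on a kernel-owned vector and why ring 0 reaches the OS's own handler rather than a BIOS routine. The table contents (handler addresses, selector `0x08`, which vectors are populated) are constructed sample values, and the function names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
enum int_result { INT_DELIVERED, INT_GP_FAULT, INT_NOT_PRESENT };

/* Write one 8-byte protected-mode gate: handler offset, selector, attributes. */
static void make_gate(uint8_t *g, uint32_t off, uint16_t sel, uint8_t attr)
{
    g[0] = off & 0xFF;          g[1] = (off >> 8) & 0xFF;
    g[2] = sel & 0xFF;          g[3] = sel >> 8;
    g[4] = 0;                   g[5] = attr;  /* P<<7 | DPL<<5 | type */
    g[6] = (off >> 16) & 0xFF;  g[7] = off >> 24;
}

/* Constructed sample table; addresses and selector are made up. */
static void build_sample_idt(uint8_t idt[256 * 8])
{
    memset(idt, 0, 256 * 8);                            /* rest unpopulated */
    make_gate(idt + 0x03 * 8, 0xC0101000u, 0x08, 0xEF); /* breakpoint, DPL 3 */
    make_gate(idt + 0x19 * 8, 0xC0103000u, 0x08, 0x8E); /* OS-owned,   DPL 0 */
    make_gate(idt + 0x80 * 8, 0xC0104000u, 0x08, 0xEF); /* syscall,    DPL 3 */
}

/* Checks the CPU applies to a software `int vector` issued at level cpl. */
static enum int_result software_int(const uint8_t *idt, size_t idt_bytes,
                                    uint8_t vector, unsigned cpl)
{
    size_t base = (size_t)vector * 8;
    if (base + 7 >= idt_bytes) return INT_GP_FAULT;    /* past the IDT limit */
    uint8_t attr = idt[base + 5];
    unsigned type = attr & 0x1F;                       /* S bit + gate type */
    int is_gate = (type >= 0x05 && type <= 0x07) || type == 0x0E || type == 0x0F;
    if (!is_gate) return INT_GP_FAULT;                 /* task/int/trap only */
    if (((attr >> 5) & 3u) < cpl) return INT_GP_FAULT; /* gate DPL < CPL */
    if (!(attr & 0x80)) return INT_NOT_PRESENT;        /* P bit clear: #NP */
    return INT_DELIVERED;       /* control goes to the handler the OS set */
}

int main(void)
{
    static const char *name[] = { "delivered", "#GP", "#NP" };
    static const uint8_t vec[] = { 0x03, 0x19, 0x80, 0x21 };
    uint8_t idt[256 * 8];
    build_sample_idt(idt);
    for (size_t i = 0; i < sizeof vec; i++)
        for (unsigned cpl = 0; cpl <= 3; cpl += 3)
            printf("int %02Xh at ring %u: %s\n", vec[i], cpl,
                   name[software_int(idt, sizeof idt, vec[i], cpl)]);
}
```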