Chapter 3/ Hardware Briefing
Real mode implements the 16-bit execution environment of the old Intel
8086/88 processors. Like a proud parent (driven primarily for the sake of
backwards compatibility), Intel has required the IA-32 processor to speak the
native dialect of its ancestors. When an IA-32 machine powers up, it does
so in real mode. This explains why you can still boot IA-32 machines with a
DOS boot disk.
Protected mode implements the execution environment needed to run contemporary
system software like Windows 7. After the machine boots into
real mode, the operating system will set up the necessary bookkeeping data
structures and then go through a series of elaborate dance steps to switch the
processor to protected mode so that all the bells and whistles that the hardware
offers can be leveraged.
System management mode (SMM) is used to execute special code embedded
in the firmware (e.g., think emergency shutdown, power management, system
security, etc.). This mode of processor operation first appeared in the 80386
SL back in 1990. Leveraging SMM to implement a rootkit has been publicly
discussed.¹
The two modes that we're interested in for the time being (real mode and
protected mode) happen to be instances of the segmented memory model.
One offers segmentation without protection, and the other offers a variety of
memory protection facilities. SMM is an advanced topic that I'll look into
later on in the book.
Real Mode
As stated earlier, real mode is an instance of the segmented memory model.
Real mode uses a 20-bit address space. This reflects the fact that real mode
was the native operating mode of the 8086/88 processors, which had only 20
address lines to access physical memory.
In real mode, the logical address of a byte in memory consists of a 16-bit segment
selector and a 16-bit effective address. The selector stores the base address
of a 64-KB memory segment (see Figure 3.4). The effective address is
an offset into this segment that specifies the byte to be accessed. The effective
address is added to the selector to form the physical address of the byte.
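The translation just described, as an added example in C (not code from the book). It assumes the 8086/88 behavior in which the 16-bit selector is shifted left four bits before the offset is added and the sum wraps at 20 bits, and it goes one step further to show that many selector:offset pairs alias the same byte; the function names and sample pointers are illustrative.

```c
#include <stdint.h>
#include <stdio.h>

#define ADDR_MASK_20 0xFFFFFu  /* 20 address lines -> 1 MB physical space */

struct far_ptr { uint16_t seg, off; };

/* segment:offset -> physical address on an 8086/88.
 * The 16-bit selector is shifted left 4 bits (x16) to form a 20-bit base,
 * the 16-bit offset is added, and any carry out of bit 19 is dropped. */
uint32_t rm_phys(uint16_t seg, uint16_t off)
{
    return (((uint32_t)seg << 4) + off) & ADDR_MASK_20;
}

/* Canonical form of a far pointer: same byte, offset reduced to 0..15. */
struct far_ptr rm_normalize(uint16_t seg, uint16_t off)
{
    uint32_t p = rm_phys(seg, off);
    struct far_ptr n = { (uint16_t)(p >> 4), (uint16_t)(p & 0xF) };
    return n;
}

/* Number of distinct segment:offset pairs that reach one physical byte. */
unsigned rm_alias_count(uint32_t phys)
{
    unsigned n = 0;
    for (uint32_t seg = 0; seg <= 0xFFFF; seg++) {
        uint32_t off = (phys - (seg << 4)) & ADDR_MASK_20;
        if (off <= 0xFFFF)
            n++;
    }
    return n;
}

int main(void)
{
    /* Constructed sample pointers, not taken from the book. */
    struct far_ptr n = rm_normalize(0x0000, 0x7C00);
    printf("07C0:0000 -> %05X\n", (unsigned)rm_phys(0x07C0, 0x0000));
    printf("0000:7C00 -> %05X\n", (unsigned)rm_phys(0x0000, 0x7C00));
    printf("FFFF:0010 -> %05X (wraps)\n", (unsigned)rm_phys(0xFFFF, 0x0010));
    printf("normalized 0000:7C00 = %04X:%04X\n", (unsigned)n.seg, (unsigned)n.off);
    printf("aliases of 07C00 = %u\n", rm_alias_count(0x7C00));
    return 0;
}
```

Because so many pairs alias one byte, real-mode pointers are compared reliably only by physical address or in normalized form, not selector by selector.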
1. BSDaemon, coideloko, D0nAnd0n, "System Management Mode Hacks," Phrack, Volume 12,
Issue 65.