
So there was a question asked before about this:

What are the differences between syscall and int 0x2E instructions?

and it has two answers; one says that it is just a way to check if we are in a 32-bit or 64-bit Windows!

If this is the actual answer, then why do we need to check if we are in a 32-bit system in a 64-bit app? It won't even start if it's on a 32-bit system, and this check doesn't happen in the 32-bit version of the app.

And if the other answer is true, then I couldn't find anything clear on the relation of this address and "virtualization security". Can anyone elaborate a bit more on this? Why does this check happen?:

test    byte ptr ds:7FFE0308h, 1
jnz     short loc_a
syscall
retn
0xC0000022L
OneAndOnly

1 Answer

During kernel initialization, nt!KiSystemCallSelector is initialized from the LOADER_PARAMETER_BLOCK:

0: kd> dt nt!_LOADER_PARAMETER_BLOCK Extension->VsmConfigured
   +0x0f0 Extension                : 
      +0x074 VsmConfigured            : Pos 8, 1 Bit

If KiSystemCallSelector is set to true,

KUSER_SHARED_DATA->SystemCall is also set to true and int 2E is used; otherwise syscall is used.

IsVsmConfigured = Loader_Param_Block->Extension->_bitfield_116;   // dword at Extension+0x74
if ((IsVsmConfigured & 8) != 0) {                                  // bit 3
  _KiBootDebuggerActive = 1;
  IsVsmConfigured = Loader_Param_Block->Extension->_bitfield_116;
}
if ((IsVsmConfigured >> 8 & 1) != 0) {                             // bit 8 = VsmConfigured
  _KiSystemCallSelector = 1;
}
KiInitializeIdt(lVar7,0);
HalInitializeBios(0xffffffff,Loader_Param_Block);
InbvDriverInitialize(0xffffffff,Loader_Param_Block,0);

Based on Extension->VsmConfigured, kuser->SystemCall is set:

  if (((param_5 == 0) &&
      (local_2a0 = param_1, local_280 = param_3, local_278 = param_2, local_270 = param_2,
      local_268 = param_4, HvlPhase0Initialize(param_6), _KiSystemCallSelector == 1)) &&
     ((HvlEnlightenments & 0x80000) != 0)) {   // selector set AND enlightenment bit 0x80000 set
    _kuser->SystemCall = 1;                    // KUSER_SHARED_DATA+0x308
  }

Windows Details

C:\>wmic os get Caption,OsArchitecture,Version /format:list

Caption=Microsoft Windows 10 Pro
OSArchitecture=64-bit
Version=10.0.17763

Details of the global KiSystemCallSelector and its usage in module ntkrnlmp:

0: kd> x /v /t nt!*ki*sys*sel*
pub global fffff805`4fa23164    0 <NoType> nt!KiSystemCallSelector = <no type information>


0: kd> lm m nt
Browse full module list
start             end                 module name
fffff805`4f016000 fffff805`4fa87000   nt (pdb symbols)   
 \ntkrnlmp.pdb\9A729548AB1A93E90D0A48528CE30B7A1\ntkrnlmp.pdb


0: kd> # *nt!KiSystemCallSelector* fffff805`4f016000 l?(fffff805`4fa87000-fffff805`4f016000)

nt!KiInitializeBootStructures+0x224:
f805`4f5865a4 44892db9cb4900  mov dword ptr [nt!KiSystemCallSelector (f805`4fa23164)],r13d 
nt!KiInitializeKernel+0x5be:
f805`4f587e6e 443935efb24900  cmp dword ptr [nt!KiSystemCallSelector (f805`4fa23164)],r14d
nt!KiInitializeIdt+0x169:
f805`4f58954d 833d109c490001  cmp dword ptr [nt!KiSystemCallSelector (f805`4fa23164)],1

Backward and forward disassembly of the search hits:

0: kd> ub fffff805`4f5865a4
nt!KiInitializeBootStructures+0x206:
f805`4f586586 488b96f0000000  mov rdx,qword ptr [rsi+0F0h] <<<<;LPARMBLOCK->Extension
f805`4f58658d 8b4274          mov eax,dword ptr [rdx+74h] <<<<;LPARMEXT->@#74
f805`4f586590 a808            test al,8
f805`4f586592 740a            je  nt!KiInitializeBootStructures+0x21e (fffff805`4f58659e)
f805`4f586594 44892d81d04900  mov dword ptr [nt!KiBootDebuggerActive (f805`4fa2361c)],r13d
f805`4f58659b 8b4274          mov eax,dword ptr [rdx+74h]
f805`4f58659e 0fbae008        bt  eax,8           <<<< bittesting bit 8 
f805`4f5865a2 7307            jae nt!KiInitializeBootStructures+0x22b (fffff805`4f5865ab)

0: kd> $$ rsi = LOADER_PARAMETER_BLOCK

0: kd> dt nt!_LOADER_PARAMETER_BLOCK -y Exten
   +0x0f0 Extension : Ptr64 _LOADER_PARAMETER_EXTENSION

0: kd> dt nt!_LOADER_PARAMETER_EXTENSION -y vsm
   +0x074 VsmConfigured : Pos 8, 1 Bit

0: kd> $$ r13d = 1

0: kd> u fffff805`4f5865a4
nt!KiInitializeBootStructures+0x224:
;set if vsmConfigured
f805`4f5865a4 44892db9cb4900  mov dword ptr [nt!KiSystemCallSelector (f805`4fa23164)],r13d
f805`4f5865ab 33d2            xor edx,edx
f805`4f5865ad 498bcf          mov rcx,r15
f805`4f5865b0 e82f2e0000      call nt!KiInitializeIdt (fffff805`4f5893e4)
f805`4f5865b5 83cbff          or ebx,0FFFFFFFFh
f805`4f5865b8 488bd6          mov rdx,rsi
f805`4f5865bb 8bcb            mov ecx,ebx

nt!KiSystemStartup calls nt!KiInitializeKernel after nt!KiInitializeBootStructures, where this global is used again:

0: kd> uf /c nt!KiSystemStartup
nt!KiSystemStartup (fffff805`4f57c010)
  nt!KiSystemStartup+0x2d (fffff805`4f57c03d):
    call to nt!KdInitSystem (fffff805`4f92d140)
  nt!KiSystemStartup+0x14b (fffff805`4f57c15b):
    call to nt!KiInitializeBootStructures (fffff805`4f586380)
  nt!KiSystemStartup+0x167 (fffff805`4f57c177):
    call to nt!KdInitSystem (fffff805`4f92d140)
  nt!KiSystemStartup+0x17e (fffff805`4f57c18e):
    call to nt!KiInitializeXSave (fffff805`4f589850)
  nt!KiSystemStartup+0x204 (fffff805`4f57c214):
    call to nt!KiInitializeKernel (fffff805`4f5878b0)
  nt!KiSystemStartup+0x284 (fffff805`4f57c294):
    call to nt!KiIdleLoop (fffff805`4f1cd920)

Disassembly of nt!KiInitializeKernel:

0: kd> u fffff805`4f587e6e
nt!KiInitializeKernel+0x5be:
f805`4f587e6e 443935efb24900  cmp dword ptr [nt!KiSystemCallSelector (f805`4fa23164)],r14d
f805`4f587e75 0f85affaffff    jne nt!KiInitializeKernel+0x7a (f805`4f58792a)
f805`4f587e7b e902660000      jmp nt!KiInitializeKernel+0x6bd2 (fffff805`4f58e482)  <<<<---



0: kd> u fffff805`4f58e482 <<<<----
nt!KiInitializeKernel+0x6bd2:
f805`4f58e482 f70550aefcff00000800 test dword ptr [nt!HvlEnlightenments (f805`4f5592dc)],80000h
f805`4f58e48c 0f849894ffff    je nt!KiInitializeKernel+0x7a (f805`4f58792a)
f805`4f58e492 418bc6          mov eax,r14d
f805`4f58e495 a30803000080f7ffff mov   dword ptr [FFFFF78000000308h],eax  <<<<<------
f805`4f58e49e e98794ffff      jmp nt!KiInitializeKernel+0x7a (f805`4f58792a)

The address FFFFF78000000308h is part of KUSER_SHARED_MAP:

0: kd> dt nt!_KUSER_SHARED_DATA -y SystemCall fffff78000000000
   +0x308 SystemCall : 0  <<<<
   +0x30c SystemCallPad0 : 0
   +0x310 SystemCallPad : [2] 0
blabb
  • Can you explain the relationship between the address in question and the structures you describe? – Igor Skochinsky Sep 06 '19 at 07:19
  • @igorsk a little prod on what you want me to describe would help me put it in words; these are all global variables in ntos and searchable with windbg – blabb Sep 06 '19 at 10:07
  • What does 7FFE0308 map to? What exactly is the assembly checking? You dumped a bunch of structs, but I'm not seeing how it connects to the question. Maybe it's obvious to you, but not everyone is spending every day in windbg – Igor Skochinsky Sep 06 '19 at 11:27
  • @igorsk Edited the post; see if it makes sense now or needs more explanation – blabb Sep 06 '19 at 12:15
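The chain the answer walks through, from the loader-block bit to the stub's `test byte ptr ds:7FFE0308h,1`, as an added C model that is not kernel or ntdll code: the bit positions, the 0x80000 mask and the 0x7FFE0308 address are taken from the dumps above; the struct and function names are made up.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed constants mirroring the answer's dumps (model only, not ntoskrnl code). */
#define LPE_BOOT_DEBUGGER_BIT   (1u << 3)   /* bit 3 of _LOADER_PARAMETER_EXTENSION+0x74 */
#define LPE_VSM_CONFIGURED_BIT  (1u << 8)   /* VsmConfigured : Pos 8, 1 Bit               */
#define HVL_ENL_INT2E_MASK      0x80000u    /* mask tested on nt!HvlEnlightenments        */
#define KUSER_SHARED_SYSTEMCALL 0x7FFE0308u /* user-mode view of KUSER_SHARED_DATA+0x308  */

struct boot_state {
    uint32_t ki_boot_debugger_active;   /* nt!KiBootDebuggerActive */
    uint32_t ki_system_call_selector;   /* nt!KiSystemCallSelector */
    uint32_t kuser_system_call;         /* KUSER_SHARED_DATA.SystemCall */
};

/* Models KiInitializeBootStructures followed by KiInitializeKernel as decompiled above. */
struct boot_state model_boot(uint32_t lpe_dword_0x74, uint32_t hvl_enlightenments)
{
    struct boot_state s = {0, 0, 0};
    if (lpe_dword_0x74 & LPE_BOOT_DEBUGGER_BIT)          /* test al,8 */
        s.ki_boot_debugger_active = 1;
    if (lpe_dword_0x74 & LPE_VSM_CONFIGURED_BIT)         /* bt eax,8  */
        s.ki_system_call_selector = 1;
    /* SystemCall is set only when the selector is 1 AND the enlightenment bit is present. */
    if (s.ki_system_call_selector == 1 && (hvl_enlightenments & HVL_ENL_INT2E_MASK))
        s.kuser_system_call = 1;
    return s;
}

/* The stub from the question: bit 0 set -> jnz to the int 2Eh path, clear -> syscall. */
const char *stub_choice(uint32_t kuser_system_call)
{
    return (kuser_system_call & 1) ? "int 2Eh" : "syscall";
}

#ifdef _WIN32
/* On a live x64 Windows process the same field is readable at its fixed user-mode address. */
uint32_t read_live_system_call(void)
{
    return *(volatile uint32_t *)(uintptr_t)KUSER_SHARED_SYSTEMCALL;
}
#endif

int main(void)
{
    struct boot_state vsm_enl = model_boot(LPE_VSM_CONFIGURED_BIT, HVL_ENL_INT2E_MASK);
    struct boot_state vsm_only = model_boot(LPE_VSM_CONFIGURED_BIT, 0);
    printf("VsmConfigured + enlightenment 0x80000 -> %s\n", stub_choice(vsm_enl.kuser_system_call));
    printf("VsmConfigured only                    -> %s\n", stub_choice(vsm_only.kuser_system_call));
    return 0;
}
```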