
I want to simulate an iret condition on a Linux x86_64 server. I found there are three instructions:

  1. iret: operand size 16
  2. iretd: operand size 32
  3. iretq: operand size 64

I can't tell the difference between them, and which one to use. Thanks for anyone's help!!

I have another question about simulating iret, can you have a look? http://stackoverflow.com/questions/11756274/how-to-simulate-a-iret-on-linux-x86-64

hellolwq
  • They are all the same opcode, 0xcf. IRETQ has the REX.W prefix for 64-bit code. What you do depends on the mode of the processor and the mode of the code that was interrupted. Not easily simulated. – Hans Passant Aug 01 '12 at 10:27

1 Answer

From this link:

IRET returns from an interrupt (hardware or software) by means of popping IP (or EIP), CS, and the flags off the stack and then continuing execution from the new CS:IP.

IRETW pops IP, CS and the flags as 2 bytes each, taking 6 bytes off the stack in total. IRETD pops EIP as 4 bytes, pops a further 4 bytes of which the top two are discarded and the bottom two go into CS, and pops the flags as 4 bytes as well, taking 12 bytes off the stack.

IRET is a shorthand for either IRETW or IRETD, depending on the default BITS setting at the time.

Something very similar also applies to IRETQ.

GJ.
  • IOW, `IRET` will correctly return from an ISR in the current CPU mode in most cases. Special cases may require `IRETW/D/Q`, which will insert the appropriate instruction prefix. – Alexey Frunze Aug 01 '12 at 17:16
  • I have another question about simulating iret, can you have a look? http://stackoverflow.com/questions/11756274/how-to-simulate-a-iret-on-linux-x86-64 – hellolwq Aug 02 '12 at 01:48
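To make the frame sizes in the accepted answer concrete, here is an added C example (not code from the question, the answer, or any linked page). It models only what the three instruction forms pop off the stack, with slot widths of 2, 4 and 8 bytes: IRETW takes 6 bytes (IP, CS, FLAGS), IRETD takes 12 bytes (EIP, a 4-byte slot whose low 16 bits become CS, EFLAGS), and IRETQ takes 40 bytes because in 64-bit mode the CPU always pops SS:RSP after RFLAGS as well (a fact from the Intel SDM, not stated on the page). It does not model privilege checks, RFLAGS masking or mode switching; the `build_frame`, `simulate_iret` and `demo_roundtrip` names and all register values are constructed for this illustration.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fields recovered from a simulated IRET frame. */
typedef struct {
    uint64_t ip;       /* IP / EIP / RIP */
    uint16_t cs;       /* only the low 16 bits of the pushed slot are kept */
    uint64_t flags;    /* FLAGS / EFLAGS / RFLAGS */
    uint64_t sp;       /* RSP, 64-bit frame only */
    uint16_t ss;       /* SS,  64-bit frame only */
    size_t   consumed; /* bytes removed from the stack, 0 on failure */
} iret_frame_t;

/* Read a little-endian slot of `width` bytes at `p`. */
static uint64_t read_slot(const uint8_t *p, size_t width) {
    uint64_t v = 0;
    for (size_t i = 0; i < width; i++)
        v |= (uint64_t)p[i] << (8 * i);
    return v;
}

/* Write `v` as a little-endian slot of `width` bytes at `p`. */
static void write_slot(uint8_t *p, size_t width, uint64_t v) {
    for (size_t i = 0; i < width; i++)
        p[i] = (uint8_t)(v >> (8 * i));
}

/* Lay out a frame the way interrupt entry would push it for the given
   operand size (16, 32 or 64). SS:RSP are only part of the 64-bit frame.
   Returns the number of bytes written. */
size_t build_frame(uint8_t *buf, int opsize, uint64_t ip, uint16_t cs,
                   uint64_t flags, uint64_t sp, uint16_t ss) {
    size_t w = (size_t)opsize / 8;
    write_slot(buf + 0 * w, w, ip);
    write_slot(buf + 1 * w, w, cs);
    write_slot(buf + 2 * w, w, flags);
    if (opsize == 64) {
        write_slot(buf + 3 * w, w, sp);
        write_slot(buf + 4 * w, w, ss);
        return 5 * w;
    }
    return 3 * w;
}

/* Pop an IRETW (16), IRETD (32) or IRETQ (64) frame from `stack`.
   Returns 1 on success, 0 on a bad operand size or a short buffer. */
int simulate_iret(const uint8_t *stack, size_t len, int opsize, iret_frame_t *out) {
    if (opsize != 16 && opsize != 32 && opsize != 64) return 0;
    size_t w = (size_t)opsize / 8;          /* slot width in bytes */
    size_t slots = (opsize == 64) ? 5 : 3;  /* 64-bit mode always pops SS:RSP too */
    if (len < w * slots) return 0;
    memset(out, 0, sizeof *out);
    out->ip    = read_slot(stack + 0 * w, w);
    out->cs    = (uint16_t)read_slot(stack + 1 * w, w); /* upper bytes discarded */
    out->flags = read_slot(stack + 2 * w, w);
    if (opsize == 64) {
        out->sp = read_slot(stack + 3 * w, w);
        out->ss = (uint16_t)read_slot(stack + 4 * w, w);
    }
    out->consumed = w * slots;
    return 1;
}

/* Build a constructed frame for `opsize`, scribble over the unused upper bytes
   of the CS slot, and pop it back. All register values are made up. */
iret_frame_t demo_roundtrip(int opsize) {
    uint8_t buf[64] = {0};
    iret_frame_t f = {0};
    size_t n = build_frame(buf, opsize, 0x401000ULL, 0x0033, 0x246,
                           0x7fffffffe000ULL, 0x002b);
    if (opsize >= 32) buf[opsize / 8 + 2] = 0xAA; /* IRETD/IRETQ must ignore this */
    simulate_iret(buf, n, opsize, &f);
    return f;
}

int main(void) {
    const int sizes[] = {16, 32, 64};
    for (size_t i = 0; i < 3; i++) {
        iret_frame_t f = demo_roundtrip(sizes[i]);
        printf("opsize %2d: pops %2zu bytes, ip=%#" PRIx64 " cs=%#x flags=%#" PRIx64
               " sp=%#" PRIx64 " ss=%#x\n",
               sizes[i], f.consumed, f.ip, f.cs, f.flags, f.sp, f.ss);
    }
    return 0;
}
```

Note that the 16-bit round trip truncates the constructed 0x401000 instruction pointer to 0x1000, because IRETW only pops a 2-byte IP; that is exactly why an ISR entered in one mode cannot blindly return with another form's frame.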