When searching the memory dump we analyze one block of it at a time. A block size of, for example, 4096 bytes works well; in any case it should be a multiple of 8 bytes (the size of an IDT Gate Descriptor).

Looping through the block, we look at each 8-byte entry in turn and determine whether it matches a predefined set of requirements. First, it has to have the Present flag set. Second, bits 8-12 must be one of the patterns 00101, 00110, 01110, 00111, or 01111; these are the only valid gate types. Third, if the entry looks like an Interrupt Gate or a Trap Gate, it has to have a non-zero Offset as well as zeroes in bits 5-7. Fourth, the Segment Selector has to be non-zero, but with a zero high byte (which is usually the case). We count all the matches in each block (MATCHES).

If we have a match we determine whether the entry is a possible Task Gate. These are more problematic than the others since they have fewer defined fields, and thus raise more false positives. To counter that problem we use a simple check for repeating entries (TASKREPEAT). Any simple algorithm for counting repeating TSS Segment Selectors will probably do. Counting all of them is not necessary; all we have to do is keep track of the repeat count of one single TSS Segment Selector value, as long as it is one that repeats. In practice there will usually not be more than one value repeating anyway.

Finally we have to keep track of the largest number of entries in a row which match the criteria (INAROW).

To single out the interesting blocks we check the values of MATCHES and INAROW. I have had good results with a MATCHES limit set to 25 and an INAROW limit set to 4 - that is, accept blocks with values at least that high.
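As an added example (my code, not the original post's), the block scan described above in Python: each 8-byte entry is unpacked as two little-endian doublewords, the Present, gate-type, selector and offset checks are applied in the order given, and MATCHES, INAROW and TASKREPEAT are accumulated per block together with the 25/4 accept decision. It assumes that "bits 8-12" and "bits 5-7" refer to the high doubleword of the descriptor; `make_gate` and `SAMPLE` are constructed test data modelled on the listing, not real dump content.

```python
import struct

ENTRY = 8                        # size of one IDT gate descriptor
TASK_GATE = 0b00101              # bits 8-12 of the high dword: S=0, type 0101
VALID_TYPES = {0b00101, 0b00110, 0b00111, 0b01110, 0b01111}   # task, int16, trap16, int32, trap32

def classify_entry(entry):
    low, high = struct.unpack("<II", entry)
    if not (high >> 15) & 1:                     # 1. Present flag
        return None
    gtype = (high >> 8) & 0x1F
    if gtype not in VALID_TYPES:                 # 2. one of the five real gate types
        return None
    selector = low >> 16                         # 4. (TSS) Segment Selector
    if selector == 0 or selector & 0xFF00:       #    non-zero, zero high byte
        return None
    if gtype == TASK_GATE:
        return "task"
    offset = (high & 0xFFFF0000) | (low & 0xFFFF)
    if offset == 0 or (high >> 5) & 0x7:         # 3. non-zero Offset, bits 5-7 clear
        return None
    return "gate"                                # Interrupt or Trap Gate

def scan_block(block, matches_limit=25, inarow_limit=4):
    # MATCHES, INAROW and TASKREPEAT for one block, plus the accept decision.
    matches = inarow = best = 0
    tss_seen = {}
    for i in range(0, len(block) - ENTRY + 1, ENTRY):
        kind = classify_entry(block[i:i + ENTRY])
        if kind is None:
            inarow = 0
            continue
        matches, inarow = matches + 1, inarow + 1
        best = max(best, inarow)
        if kind == "task":
            tss = struct.unpack_from("<H", block, i + 2)[0]
            tss_seen[tss] = tss_seen.get(tss, 0) + 1
    repeat = max(tss_seen.values(), default=0)
    return {"MATCHES": matches, "INAROW": best, "TASKREPEAT": repeat if repeat > 1 else 0,
            "CANDIDATE": matches >= matches_limit and best >= inarow_limit}

def make_gate(offset, selector=8, dpl=0, gtype=0b01110):
    high = (offset & 0xFFFF0000) | (1 << 15) | (dpl << 13) | (gtype << 8)
    return struct.pack("<II", (selector << 16) | (offset & 0xFFFF), high)

# Constructed 4096-byte block modelled on the listing: 30 interrupt gates plus a task gate (TSS 58h) seen twice.
SAMPLE = b"".join([make_gate(0x804df350), make_gate(0x804df4cb), make_gate(0, 0x58, gtype=TASK_GATE),
                   make_gate(0x804df89d, dpl=3)] + [make_gate(0x804e0000 + 0x40 * n) for n in range(26)]
                  + [make_gate(0, 0x58, gtype=TASK_GATE)]).ljust(4096, b"\0")
```

Run `scan_block` over each 4096-byte slice of a dump and keep the slices whose `CANDIDATE` is true; a high `TASKREPEAT` on a non-candidate block is the Task Gate false-positive case the text warns about.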

IDT #1 follows:

00h / Interrupt Gate:
- DPL: 0
- Segment Selector: 8
- Offset: 804df350

01h / Interrupt Gate:
- DPL: 0
- Segment Selector: 8
- Offset: 804df4cb

02h / Task Gate:
- DPL: 0
- TSS Segment Selector: 58

03h / Interrupt Gate:
- DPL: 3
- Segment Selector: 8
- Offset: 804df89d

...

/Arne