~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Ke386CallBios() is not documented. We need it, because VideoPortInt10() which
 is the function we would need only can be called from within video miniport
 drivers starting with Windows 2000. Hence we need some substitution!

 Here are my findings!

 (c) 2004 by -=Assarbad=-
 Published under the GPL
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Using Sven B. Schreibers book [1] and methods I found out how it works.
The prototype looks something like this:

NTSTATUS
Ke386CallBios(
               ULONG Interrupt,
               PCONTEXT ProcessorContext
             );

The interrupt can be only 8bit maximum, but it's nevertheless passed
as ULONG as it seems (found using LiveKD). But doesn't matter anyway
in a 32bit context ;)

The PCONTEXT structure is declared in Sven B. Schreibers book as
("processor context"):

#define SIZE_OF_80387_REGISTERS 80

typedef struct _FLOATING_SAVE_AREA
        {
/*000*/ DWORD ControlWord;
/*004*/ DWORD StatusWord;
/*008*/ DWORD TagWord;
/*00C*/ DWORD ErrorOffset;
/*010*/ DWORD ErrorSelector;
/*014*/ DWORD DataOffset;
/*018*/ DWORD DataSelector;
/*01C*/ BYTE  RegisterArea [SIZE_OF_80387_REGISTERS];
/*06C*/ DWORD Cr0NpxState;
/*070*/ }
        FLOATING_SAVE_AREA,
     * PFLOATING_SAVE_AREA,
    **PPFLOATING_SAVE_AREA;

#define MAXIMUM_SUPPORTED_EXTENSION 512

typedef struct _CONTEXT
        {
/*000*/ DWORD       ContextFlags;
/*004*/ DWORD       Dr0;
/*008*/ DWORD       Dr1;
/*00C*/ DWORD       Dr2;
/*010*/ DWORD       Dr3;
/*014*/ DWORD       Dr6;
/*018*/ DWORD       Dr7;
/*01C*/ FLOATING_SAVE_AREA FloatSave;
/*08C*/ DWORD       SegGs;
/*090*/ DWORD       SegFs;
/*094*/ DWORD       SegEs;
/*098*/ DWORD       SegDs;
/*09C*/ DWORD       Edi;
/*0A0*/ DWORD       Esi;
/*0A4*/ DWORD       Ebx;
/*0A8*/ DWORD       Edx;
/*0AC*/ DWORD       Ecx;
/*0B0*/ DWORD       Eax;
/*0B4*/ DWORD       Ebp;
/*0B8*/ DWORD       Eip;
/*0BC*/ DWORD       SegCs;
/*0C0*/ DWORD       EFlags;
/*0C4*/ DWORD       Esp;
/*0C8*/ DWORD       SegSs;
/*0CC*/ BYTE        ExtendedRegisters [MAXIMUM_SUPPORTED_EXTENSION];
/*2CC*/ }
        CONTEXT,
     * PCONTEXT,
    **PPCONTEXT;

Note, that we are not at all interested in anything except the call
which actually brought me to the conclusion that CONTEXT (PCONTEXT)
is the argument was this one:
---------------------------
mov     eax, 0CCh
mov     [ebp+var_3C], eax
push    eax
push    [ebp+CPUcontext]
push    12CD0h
call    memmove
---------------------------
As you can see, the size of 0CCh can be seen in this call to memmove()!
Only two structures in SBS' book had this offset: KTHREAD and CONTEXT.
CONTEXT was the more logical one ;)

By the way, some Chinese forum site stated the following (offsets and
comments added by me):
---------------------------
typedef struct _tagBIOS_REQ
{
/*000*/ DWORD State; // ContextFlags
/*004*/ BYTE Buffer[0x88]; // Debug registers + FLOATING_SAVE_AREA
/*08C*/ DWORD GS; // SegGs
/*090*/ DWORD FS; // SegFs
/*094*/ DWORD ES; // SegEs
/*098*/ DWORD DS; // SegDs
/*09C*/ DWORD EDI;
/*0A0*/ DWORD ESI;
/*0A4*/ DWORD EBX;
/*0A8*/ DWORD EDX;
/*0AC*/ DWORD ECX;
/*0B0*/ DWORD EAX;
/*0B4*/ DWORD EBP;
/*0B8*/ DWORD EIP;
/*0BC*/ DWORD CS; // SegCs
/*0C0*/ DWORD UnKnown1; // EFlags
/*0C4*/ DWORD ESP;
/*0C8*/ DWORD SS; // SegSs
} BIOS_REQ,*PBIOS_REQ;

NTSTATUS
Ke386CallBios(
               BYTE Func,
               PBIOS_REQ BiosReq
             );
---------------------------

Which essentially proves my (+SBS) findings to be correct ;)



Oliver aka -=Assarbad=- [ERD_SMSS team]

---------------------------
PS: Damn, I am stupid, the WINNT.H from the W2K DDK already contains the
declaration for this structure :-\ ... could have saved some time :-(

typedef struct _FLOATING_SAVE_AREA {
    DWORD   ControlWord;
    DWORD   StatusWord;
    DWORD   TagWord;
    DWORD   ErrorOffset;
    DWORD   ErrorSelector;
    DWORD   DataOffset;
    DWORD   DataSelector;
    BYTE    RegisterArea[SIZE_OF_80387_REGISTERS];
    DWORD   Cr0NpxState;
} FLOATING_SAVE_AREA;

typedef FLOATING_SAVE_AREA *PFLOATING_SAVE_AREA;

//
// Context Frame
//
//  This frame has a several purposes: 1) it is used as an argument to
//  NtContinue, 2) is is used to constuct a call frame for APC delivery,
//  and 3) it is used in the user level thread creation routines.
//
//  The layout of the record conforms to a standard call frame.
//

typedef struct _CONTEXT {

    //
    // The flags values within this flag control the contents of
    // a CONTEXT record.
    //
    // If the context record is used as an input parameter, then
    // for each portion of the context record controlled by a flag
    // whose value is set, it is assumed that that portion of the
    // context record contains valid context. If the context record
    // is being used to modify a threads context, then only that
    // portion of the threads context will be modified.
    //
    // If the context record is used as an IN OUT parameter to capture
    // the context of a thread, then only those portions of the thread's
    // context corresponding to set flags will be returned.
    //
    // The context record is never used as an OUT only parameter.
    //

    DWORD ContextFlags;

    //
    // This section is specified/returned if CONTEXT_DEBUG_REGISTERS is
    // set in ContextFlags.  Note that CONTEXT_DEBUG_REGISTERS is NOT
    // included in CONTEXT_FULL.
    //

    DWORD   Dr0;
    DWORD   Dr1;
    DWORD   Dr2;
    DWORD   Dr3;
    DWORD   Dr6;
    DWORD   Dr7;

    //
    // This section is specified/returned if the
    // ContextFlags word contians the flag CONTEXT_FLOATING_POINT.
    //

    FLOATING_SAVE_AREA FloatSave;

    //
    // This section is specified/returned if the
    // ContextFlags word contians the flag CONTEXT_SEGMENTS.
    //

    DWORD   SegGs;
    DWORD   SegFs;
    DWORD   SegEs;
    DWORD   SegDs;

    //
    // This section is specified/returned if the
    // ContextFlags word contians the flag CONTEXT_INTEGER.
    //

    DWORD   Edi;
    DWORD   Esi;
    DWORD   Ebx;
    DWORD   Edx;
    DWORD   Ecx;
    DWORD   Eax;

    //
    // This section is specified/returned if the
    // ContextFlags word contians the flag CONTEXT_CONTROL.
    //

    DWORD   Ebp;
    DWORD   Eip;
    DWORD   SegCs;              // MUST BE SANITIZED
    DWORD   EFlags;             // MUST BE SANITIZED
    DWORD   Esp;
    DWORD   SegSs;

    //
    // This section is specified/returned if the ContextFlags word
    // contains the flag CONTEXT_EXTENDED_REGISTERS.
    // The format and contexts are processor specific
    //

    BYTE    ExtendedRegisters[MAXIMUM_SUPPORTED_EXTENSION];

} CONTEXT;



typedef CONTEXT *PCONTEXT;
---------------------------

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
References:

[1] "Undocumented Windows 2000 Secrets" by Sven B. Schreiber
    ISBN 0-201-72187-2 @ $39.99

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~