| echo: | |
|---|---|
| to: | |
| from: | |
| date: | |
| subject: | How do DLLs load and unload ? |

JdBP>> If you don't know what the problem is here, then I suggest that you
JdBP>> read a bit about x86 programming. A return instruction cannot
JdBP>> transfer from a lower privilege ring to a higher privilege ring.
JdBP>> Calling ring 3 from ring 0 necessitates that some magic be
JdBP>> performed when the ring 3 code returns. Usually this involves
JdBP>> some sort of trampoline.

HR> The loader is an process as its own.

That is ungrammatical, but if I understand it correctly you are claiming that the loader is a separate process. That isn't, in fact, true. Which makes a nonsense of the flow diagram that you posted.

The loader executes in the context of the process, and thread, that is loading the module. Ironically, in fact, in the case of DosExecPgm the loader, when it is loading all of the load-time DLLs, executes in the context of the child process, rather than the parent.

If one tries to work out how this happens, one eventually hits the conceptual problem that I'm asking Denis about: how, and more importantly *when*, does the loader call into ring 3 (the InitTerm function) from ring 0 (the loader executing in kernel mode in the context of the thread loading the module), and what are the safeguards that are in place to prevent malicious, or buggy, InitTerm code from deadlocking the kernel ?

JdeBP

--- FleetStreet 1.19 NR
 * Origin: JdeBP's point, using Squish (2:440/4.3)

SOURCE: echomail via fidonet.ozzmosis.com