Introduction This is the 7th part of the tutorial Hypervisor From Scratch, and it’s about using the Extended Page Table (EPT) in an already running system. As you might know, paging is an essential part of managing memory on modern operating systems. Hypervisors use an additional paging table; this gives us an excellent opportunity to monitor different aspects of memory (Read-Write-Execute) without modifying the operating systems page-tables. EPT is a hardware mechanism, so it’s fast, but on the other hand,…
Posts published by “Sina Karvandi”
Sven, Are you still so blue under that armor?
Introduction Welcome to the first part of a series of posts about Exploring & Reversing Windows Concepts and Internals. If you reach here then you’re probably a security researcher or a programmer and this post and similar posts can help you understand what’s going on in some parts of Windows when you use objects with different users and credentials and what you can expect from Windows and how it internally works. If you want to follow other parts of this…
Introduction Hi guys, The title of this topic is somehow weird, if you think everything in MSDN is 100% match with what Microsoft implemented in Windows (like what I used to think), you’re definitely wrong, this post shows some proofs and in the last part, I’ll give you a solution to ACCESS_RIGHTS problem. Before starting let’s talk about some backgrounds about “ACCESS_MASK“. Most of the explanations derived from here. Backgrounds The ACCESS_MASK data type is a DWORD value that defines standard, specific, and generic…
Introduction Hello and welcome to the 6th part of the tutorial Hypervisor From Scratch. In this part, I try to give you an idea of how to virtualize an already running system using Hypervisor. Like other parts, this part is really dependent to the previous parts so make sure to read them first. Overview In the 6th part, we’ll see how we can virtualize our currently running system by configuring VMCS, then we use monitoring features to detect execution of…
Have you ever thought how transitions between different rings performed? Well, SYSENTER & SYSCALL used in modern OSs for transitioning between ring 3 to ring 0 but if there are other rings, then what’s Intel solution for entering them? The answer is call gates. The rest of this topic described how to use call gates in modern processors. 80386 and its successors have 4 levels protections which isolate and protect user programs from each other and the operating system. It…