Press "Enter" to skip to content

Posts published in “Kernel Mode”

Why you should not always trust MSDN: Finding Real Access Rights Needed By Handles

Sinaei 0

Introduction Hi guys, The title of this topic is somehow weird, if you think everything in MSDN is 100% match with what Microsoft implemented in Windows (like what I used to think), you’re definitely wrong, this post shows some proofs and in the last part, I’ll give you a solution to ACCESS_RIGHTS problem. Before starting let’s talk about some backgrounds about “ACCESS_MASK“. Most of the explanations derived from here. Backgrounds The ACCESS_MASK data type is a DWORD value that defines standard, specific, and generic…

PacketScript overview: A Lua scripting engine for in-kernel packet processing

Shahriar 0

As I was surfing the net, trying to find a way to prototype network protocols or features in Linux. I stumbled upon PacketScript. PacketScript is the an implementation of the Lua VM inside Linux kernel. Such implementations aren’t new ,luak and lunatik have been existed for some time. However what makes PacketScript different is the ability to mangle network packets with Lua. Not just running Lua code in kernel. as a matter of fact PacketScript uses lunatik underneath as its…

Start linux kernel module development!

Shahriar 1

Hi everyone! In this post I’m going to introduce you to the world of linux kernel module development. I am a newcomer in this field myself but I decided to document everything in this blog as I gradually learn them. To start you need some sort of virtual machine. Of course you can test kernel modules on your own system but it is very risky and you can’t really debug them effectively and must use printk and debug messages to…

Using Intel’s Streaming SIMD Extensions 3 (MONITOR\MWAIT) As A Kernel Debugging Trick

Sinaei 0

  Introduction MONITOR and MWAIT are using when the CPU needs to be stopped executing the instruction and enter an implementation-dependent optimized state until some special event happens. MONITOR sets up an address range used to monitor write-back stores while MWAIT enables a logical processor to enter into an optimized state while waiting for a write-back store to the address range set up by MONITOR instruction.   MWAIT and MONITOR may be executed only at privilege level 0, if you use these…

x64 Inline Assembly in Windows Driver Kit

Sinaei 0

As my testing always interferes with running assembly directly in kernel-level and unfortunately Microsoft no longer supports x64 inline assembly through their compilers and as I always have struggle creating a simple inline assembly project so I decided to create a post to describe how to create a Windows Driver Kit project with Inline assembly to run kernel code directly in a kernel driver. This terms only applies to x64 Windows Kernel Driver, you can use _asm and asm directly in…