
Posts published in “Kernel Mode”

A first look at some aspects of Intel’s "Vanderpool" initiative

Sinaei 4

A few hours ago, I was working on Intel VT-x, which enables hardware support for virtualization. Then I saw the following slides, which gave me lots of information about hypervisor instructions, the VMM, the Virtual Machine Control Structure (VMCS) and other practical information. I don’t actually know who the author is, but I should give my thanks to him/her for gathering these slides. I think it is well worth reading; it can be downloaded here.

Fooling Windows about its internal CPU

Sinaei 0

In this post, I’m gonna show you how you can fool Windows about its internal structure and sometimes give it wrong information about its internal capabilities or internal information, which can bring you a lot of fun. (At least for me!) But don’t do that; it can actually hurt your system. This post is about how to change the CPU capacity measurement of Windows and see its result in user-mode programs. There is a good article here which gives you lots…

Exploring from User-Mode to Kernel-Mode

Sinaei 0

There were times when I wanted to trace instructions from user mode and continue tracing them into kernel mode to reverse Windows’s internal implementation with my own supplied parameters from user mode, but there was a big problem, and that was: how to access user mode when you are in a kernel debugger, or vice versa. Even though I knew about changing the debugger context to a specific process, there were other problems which made reversing the kernel in this case impossible.…

Change User-Mode application’s virtual address through Kernel Debugging

Sinaei 1

Well, it’s a somewhat odd topic, but sometimes it could be really helpful in some situations. So what are the situations? Imagine sometimes you need to access Windows stuff that isn’t available from user-mode debuggers like OllyDbg or through user-mode debugging (e.g. memory after 0x7fffffff). In my experience I have seen some conditions where protectors make a sophisticated check for finding any debugger in memory and then change their approach to stop the reverser from reversing the rest of the code. In…

How to get every detail about SSDT , GDT , IDT in a blink of an eye

Sinaei 0

A few days ago I was looking for something to show me the SSDT and GDT (which is really important in malware analysis because most rootkits are interested in hooking and changing this stuff).

• SSDT (System Service Descriptor Table)
• GDT (Global Descriptor Table)
• IDT (Interrupt Descriptor Table)

They’re really important tables in OSes; for example, the SSDT is something like the IAT (Import Address Table) in user-mode applications, which holds pointers to the exported functions of all…