Windows kernel and software security

This blog document and help to understand how ACPI works AML (ACPI Machine Language) AML is compiled binary that written in the ACPI Source Language (ASL) and it is interpreted binary that interpreted by AML interpreter during OS runtime. AML is provided by hardware manufacture and embedded in the firmware, it provides the entire device base hierarchy (all thing that equipped on your motherboard, and cannot be removed.) and function to OS that could interface the dedicated hardware, like PCI-ISA bridge or processor, controlling the power, turn on/off, etc. AML operated by different object type, and defined in definition block in firmware table (DSDT / SSDT) AML object type Scope String   Constant Package Control Method Device   ACPI Object  Naming Convention 1. All object names are 32 bits long. 2. The first byte of a name must be one of 'A' - 'Z', '_'. 3. Each of the remaining bytes of a name must be one of 'A' - 'Z', '0' - '

Introduction Have you ever thought how device memory mapping work internally? This article is going to explain peripheral devices internal since I've been asked couple of time to explain how peripheral devices works and are communicated with processors, for example, LPC controller, SCSI controller, LAN controller. Physical Memory partitioning by Host Bridge / NorthBridge As we all known, There's two way to communicate between processor to PCI devices(in PCI speaking master-slave) , I/O port access or Memory mapped access. For memory mapped access, for the same address, for example - 0xA1000, how hardware distinguish that's for devices, and isn't for system memory access? The secret is hidden by host bridge memory partitioning. In Host bridge / North Bridge, there's memory controller, and graphic controller and the root complex logic that connects to SouthBridge / PCH by Direct Media Interface (DMI) , to handle all device communication from processor. As f

Introduction - This blogpost is going to summarized my recent research and idea between PCI Device, MMIO, SSE instruction set. Recently, I have a research topic that require to access and copy the device memory (BAR memory). For my previous knowledge , BAR memory is actually as same as the physical memory, but somehow it is mapped to the devices. However, I changed my thought after I met a problem when coping device memory by kernel optimized memcpy. I used memcpy for memory-mapped space, it all return 0xFF, however, it works great I copy it by normal pointer, it stimulate me to dig inside, what's happening. PCI Device A device that meet PCI specification, in PCI device spec, there's one great point that enable you could easier communicate with the device, it called Mapped Memory I/O, MMIO.  PCI device has it's own device memory and register inside the hardware, for the register is always responsible for communication from external device , like the device driv

Introduction Due to the lack of the material that clearly kick off the  android kernel development , hopefully it will gives the clearer  guide to develop your own android driver and debugging it. p.s. Due to the version differential, this article  is not ensure all of the Android Version , SDK version,  source  code , and   Emulator is compatible , however,  the door of   research is always opened,   just   feel   free   to contact me  and play together :P All the materials   are also  saved   in   the VM  ,   you can just directly leverage  the  existing VM Image for  development or  alternatively, as a research and studying, follow the following guide  to create your own workplace.  Android kernel didn't have dynamically insmod like the other linux, so this tutorial is trying to build a new Android Kernel and make test our kernel driver as well. Material Ubuntu 18.04.2 LTS  Android studio Android ndk-r10 Android SDK Goldfish v3.10 VMWare 15   

Introduction To be short... This article is going to try how could we let our EFI file get loaded under Windows 10 with disabled secure boot. Content 0. Install a VM as UEFI base VM. 1. Turn off your secure boot as following: Figure[1] 2. Mounting your GPT partition to the system by mount <drive_name> /s, so EFI partition that is visible to us. Figure[2] 3. We could place our .EFI driver / application here now (these action could be implemented programmatically, simply file coping after mounting, here is showing the concept.) 4. Configure the boot setting by SetFirmwareEnvironment API which is exported by Windows.  a) The pararmeter and GUID will be specified by UEFI spec, depend on your UEFI version.  b) For example, we need to change the BOOT#### or DRIVER#### Variable, the parameter is EFI_LOAD_OPTION as following definition: Figure[3] 5. The path of the OPTION will set as followed Figure[4] 6.  After reboot, the drive

Introduction Recently, our security research on leverage a Performance Monitor Unit as a technique for monitoring a function call and control-flow integrity. We leverage a following perf event , and we faced an interesting problem ,  Figure[1] The one of the following event is almost always get counted by Performance Counter. BR_MISP_EXEC.TAKEN_INDIRECT_NEAR_CALL The interesting question is that why such instruction is always get mispredicted ?  There are couples of things we need to clarify and dive into.... Indirect Branch jmp rax ; Indirect jmp call  rax ; Indirect call Branch Target Buffer BTB is a table that in a processor internal, for optimising the processor performance during it's making a branch decision (yes/no), and it is indexed by current RIP (instruction pointer) and the value is branch target address ,  BTB's structure as following figure Figure[2] Branch Predictor Branch predictor leverages BTB and perform as

1. Introduction ------------------------------------------------------------------------------------------------------------------- Interrupt Request Level (IRQL), is a software concept that provided by Windows, which supports an ability that management and hidden the detail of the low-level complexity of interrupt. However, as a kernel enthusiast, security researcher, it is necessaryfor understanding what it hides?? how does it worsk? This article are going to provide a simplest explanation for the IRQL. 2. Exception v.s. Trap v.s. Interrupt from processor perspectives ------------------------------------------------------------------------------------------------------------------- There are so many differences between these stuff, however, they share the only characteristic is that they also are delivered by Interrupt Descriptor Table (IDT). Exception and Trap is officially document in Intel SDM , which fixed in IDT from interrupt vector from 0 to  20 (include trap,