Posts

Showing posts from February, 2018

Dig into IRQL

1. Introduction
-------------------------------------------------------------------------------------------------------------------

Interrupt Request Level (IRQL) is a software concept provided by Windows that manages interrupts and hides their low-level complexity. However, for a kernel enthusiast or security researcher, it is necessary to understand what it hides and how it works. This article provides a simple explanation of IRQL.

2. Exception vs. Trap vs. Interrupt from the processor's perspective
-------------------------------------------------------------------------------------------------------------------

There are many differences between these, but they share one characteristic: they are all delivered through the Interrupt Descriptor Table (IDT). Exceptions and traps are officially documented in the Intel SDM and are fixed in the IDT at interrupt vectors 0 to 20 (include trap,

How does Nested-Virtualization work?

What is Nested virtualization?
-----------------------------------------------------------------------------------------------------

Nowadays, software security is becoming a more important criterion in the industry, and in recent years virtualization has become a popular topic for protecting or attacking software. However, most virtualization frameworks (bluepill-like) do not provide the ability to let a guest virtualize one more layer, which we call "Nested Virtualization", level 2.

Basic Virtual Machine Monitor Architecture
------------------------------------------------------------------------------------------------------

Figure[1]

The host VMM traps any type of event it wants to monitor, such as interrupts, exceptions, and privileged register accesses. One of these events is a VMX instruction: after the VMM is loaded, it can always monitor any of the VMX instructions, which provides a good opportunity for us, as the following chart shows:

Figure[2] VMM Life Cycle