Dig into IRQL

1. Introduction

-------------------------------------------------------------------------------------------------------------------
Interrupt Request Level (IRQL), is a software concept that provided by Windows, which supports an ability that management and hidden the detail of the low-level complexity of interrupt.

However, as a kernel enthusiast, security researcher, it is necessaryfor understanding what it hides?? how does it worsk?


This article are going to provide a simplest explanation for the IRQL.


2. Exception v.s. Trap v.s. Interrupt from processor perspectives

-------------------------------------------------------------------------------------------------------------------
There are so many differences between these stuff, however, they share the only characteristic is that they also are delivered by Interrupt Descriptor Table (IDT).

Exception and Trap is officially document in Intel SDM , which fixed in IDT from interrupt vector from 0 to  20 (include trap, exception.)

Exception is synchronous with instruction stream, and which is as same as interrupt, it will disable IF flag in RFLAG register.

Trap is synchronous event with instruction stream, and it will not disable IF flag in RFLAG register.

Interrupt is asynchronous, which is always fired by the external component, and delivered by LAPIC for each logical process (core)

3. Exception v.s. Trap v.s. Interrupt from kernel perspectives

-------------------------------------------------------------------------------------------------------------------
This is the main point of this article, windows kernel treats interrupt (interrupt vector 32 to 255) different from the exception and trap.

In Windows 7 x64, it always dispatch its interrupt by nt!KiInterruptDispatch, it always manipulate CR8 register before real interrupt dispatching , in Intel 64 Architecture CR8 should be mapped to APIC Task Priority Register (TPR), as shown Figure[1], In older windows, it will call a hal!HalBeginSystemInterrupt and hal!HalEndSystemInterrupt.

Figure[1]

Figure[2] 
As shown in Figure[1] , CR8 register is filled by byte ptr [rsi+5Dh], which is a IRQL stored in interrupt object (see Figure[2]) , initialized by IoConnectInterrupt function. it is significantly important for the interruptibility.

After the instruction, TPR Register is reflected also, and it could be call the interrupt callback with the expected IRQL (it should be same as the device IRQ)

TPR register will be compared when an external interrupt comes, if interrupt comes, and the priority (IRQ) is not greater TPR, it cannot be fired instantly, but pending interrupt state. That's why IRQL can be affect the interruption progress.

Figure[3]


However Exception dispatching is not affect IRQL, when the exception occurred, IRQL will not be change, but the maskable interrupt is still be block.



Comments

Post a Comment

Popular posts from this blog

Android Kernel Development - Kernel compilation and Hello World

Image
Introduction Due to the lack of the material that clearly kick off the  android kernel development , hopefully it will gives the clearer  guide to develop your own android driver and debugging it. p.s. Due to the version differential, this article  is not ensure all of the Android Version , SDK version,  source  code , and   Emulator is compatible , however,  the door of   research is always opened,   just   feel   free   to contact me  and play together :P All the materials   are also  saved   in   the VM  ,   you can just directly leverage  the  existing VM Image for  development or  alternatively, as a research and studying, follow the following guide  to create your own workplace.  Android kernel didn't have dynamically insmod like the other linux, so this tutorial is trying to build a new Android Kernel and make test our kernel driver as well. Material Ubuntu 18.04.2 LTS  Android studio Android ndk-r10 Android SDK Goldfish v3.10 VMWare 15   
Read more

How does Nested-Virtualization works?

Image
What is Nested virtualization? ----------------------------------------------------------------------------------------------------- Nowadays, Software Security is becoming more important criteria in the industry, and in recent years, virtualization as a popular topic for protecting / attacking a software, however, most of the virtualization technology framework (bluepill-liked) is not provide an ability that let a guest virtualize one more layer, we called it "Nested Virtualization", level 2. Basic Virtual Machine Monitor Architecture ------------------------------------------------------------------------------------------------------ Figure[1] Host VMM trap any type of event which wants to monitor, such as, Interrupt, exception, privileged register access, one of this event is VMX instruction, after VMM loaded, VMM can always monitor a any one of the  VMX instructions, which provide a good chance for us. As following chart: Figure[2] VMM Life Cycle
Read more

Understanding ACPI and Device Tree

Image
This blog document and help to understand how ACPI works AML (ACPI Machine Language) AML is compiled binary that written in the ACPI Source Language (ASL) and it is interpreted binary that interpreted by AML interpreter during OS runtime. AML is provided by hardware manufacture and embedded in the firmware, it provides the entire device base hierarchy (all thing that equipped on your motherboard, and cannot be removed.) and function to OS that could interface the dedicated hardware, like PCI-ISA bridge or processor, controlling the power, turn on/off, etc. AML operated by different object type, and defined in definition block in firmware table (DSDT / SSDT) AML object type Scope String   Constant Package Control Method Device   ACPI Object  Naming Convention 1. All object names are 32 bits long. 2. The first byte of a name must be one of 'A' - 'Z', '_'. 3. Each of the remaining bytes of a name must be one of 'A' - 'Z', '0' - '
Read more