User vs Kernel Mode vs DKOM

Addendum

User vs. Kernel Mode

User Mode and Kernel Mode are the two processor access modes Windows runs code in:

- User Mode: Limited privileges, restricted CPU instructions, access only to the process's own virtual memory.
- Kernel Mode: Full privileges, access to all memory and hardware.

x86 CPUs implement privilege levels (rings); Windows uses two of them:

- Ring 3: User Mode
- Ring 0: Kernel Mode

User-mode processes request kernel operations through system calls, which switch the CPU into kernel mode for the duration of the call and back to user mode on return.

Components of the Windows Kernel

(Diagram: Components of the Windows Kernel. Image source: Microsoft Docs)

Direct Kernel Object Manipulation (DKOM)

DKOM involves modifying kernel objects in memory directly, bypassing the OS mechanisms that normally guard them:

- Kernel objects include: processes, threads, files, devices, network connections.
- Uses: privilege escalation, hiding processes, disabling security features.

User Process-Kernel Driver Communication

User-mode applications send requests to a driver with DeviceIoControl(), passing a control code (IOCTL) and input/output buffers.

The I/O Manager mediates these requests:

IRP: I/O Request Packet

Contains:

- Device object
- Control code (IOCTL)
- Input/output buffers
- Status

Communication Process

  1. DeviceIoControl() called by app.
  2. I/O Manager builds IRP and routes it to driver.
  3. Driver accesses buffers and performs the operation.
  4. Driver completes IRP.
  5. I/O Manager returns result to app.

(Diagram: User process to kernel driver communication through the I/O Manager. Image source: Microsoft Press)

Key Windows Kernel Structures

_LIST_ENTRY

Used for doubly linked lists; kernel structures such as EPROCESS embed a _LIST_ENTRY, and Flink/Blink point at the embedded entry of the neighbouring object rather than at the object's start:

```cpp
// 0x10 bytes (sizeof), src: Vergilius Project
struct _LIST_ENTRY
{
    struct _LIST_ENTRY* Flink;  // 0x0
    struct _LIST_ENTRY* Blink;  // 0x8
};
```
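As an added example (not part of the original notes), a user-mode C model of records chained through an embedded _LIST_ENTRY, together with the cross-view check memory-forensics tools use to find records that DKOM has unlinked from the list: every record in a second view (here a pid table) must also be reachable by walking the list. The proc_t type, the pid table and its pid values are constructed for this example; InitializeListHead, InsertTailList, RemoveEntryList and CONTAINING_RECORD are re-implemented here to match the WDK definitions of the same name rather than taken from a kernel header.

```c
// Added example: user-mode model of a _LIST_ENTRY chain and a cross-view
// check. proc_t, the pid table and pid values are constructed; the list
// helpers mirror the WDK macros of the same name but are redefined here.
#include <stddef.h>
#include <stdio.h>
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;  // 0x0
    struct _LIST_ENTRY *Blink;  // 0x8
} LIST_ENTRY;
// Toy stand-in for EPROCESS: the links are embedded, so Flink/Blink point
// at the LIST_ENTRY field, not at the start of the record.
typedef struct proc { unsigned pid; LIST_ENTRY ActiveProcessLinks; } proc_t;
#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

static void InitializeListHead(LIST_ENTRY *h) { h->Flink = h->Blink = h; }
static void InsertTailList(LIST_ENTRY *h, LIST_ENTRY *e) {
    e->Flink = h; e->Blink = h->Blink;
    h->Blink->Flink = e; h->Blink = e;
}
// The neighbours are re-pointed around e; e itself is left intact in memory.
static void RemoveEntryList(LIST_ENTRY *e) {
    e->Blink->Flink = e->Flink; e->Flink->Blink = e->Blink;
}

// View 1: walk the list. Returns 1 if a record with this pid is reachable.
static int in_list(LIST_ENTRY *head, unsigned pid) {
    for (LIST_ENTRY *e = head->Flink; e != head; e = e->Flink)
        if (CONTAINING_RECORD(e, proc_t, ActiveProcessLinks)->pid == pid) return 1;
    return 0;
}

// View 2 is the pid table. Every table entry must also be reachable through
// the list; any that is not is reported. Returns the number of such entries.
static int cross_view_hidden(LIST_ENTRY *head, proc_t *table, size_t n) {
    int hidden = 0;
    for (size_t i = 0; i < n; i++)
        if (!in_list(head, table[i].pid)) { hidden++; printf("hidden pid %u\n", table[i].pid); }
    return hidden;
}

// Constructed scenario: three records linked, then one unlinked the way a
// DKOM process-hiding modification does. The cross-view check reports it.
int demo(void) {
    static proc_t table[3] = { {4}, {812}, {1337} };
    LIST_ENTRY head; InitializeListHead(&head);
    for (size_t i = 0; i < 3; i++) InsertTailList(&head, &table[i].ActiveProcessLinks);
    RemoveEntryList(&table[2].ActiveProcessLinks);
    return cross_view_hidden(&head, table, 3);  // 1
}
```

The unlinked record is still intact in memory and still reachable from the pid table, which is exactly the discrepancy a list-walk-versus-table comparison exposes.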