Hardware Connection and Mechanism for Access Control (1) :

We will discuss how the Intel x86 family of microprocessors performs access control, which is what protects kernel code (on Windows, the .sys drivers) from user-mode programs.

Software and hardware go together. Without software, hardware would be lifeless silicon; without hardware, software cannot run. Software ultimately controls a computer, but under the hood it is the hardware that executes the software's instructions.

Hardware is the ultimate enforcer of software security. Without hardware support, software would be totally insecure. Many texts cover software development without ever addressing the underlying hardware. This might work for developers of enterprise applications, but it will not work for rootkit developers. As a rootkit developer, you will be faced with reverse-engineering problems, hand-coded assembly language, and highly technical attacks against software tools installed on the system.

Process separation is enforced using "rings" on the Intel x86 hardware.

1- How Rings Work :

Rings in Intel x86 processors

The Intel x86 family of microchips uses a concept called rings for access control. There are four rings, with Ring Zero being the most privileged and Ring Three the least privileged. Internally, each ring is stored as a number, not as anything physical on the chip: the Current Privilege Level (CPL) is a two-bit field (0 to 3) carried in the low bits of the CS segment register, and every segment descriptor and page-table entry carries a privilege attribute that the CPU compares against it on each access.

All kernel code in the Windows OS runs in Ring Zero. Therefore, rootkits running in the kernel are considered to be running in Ring Zero. User-mode programs, those that do not run in the kernel, are sometimes called Ring Three programs. Many operating systems, including Windows and Linux, take advantage of only Rings Zero and Three on Intel x86 microchips; they do not use Rings One and Two. Since Ring Zero is the most privileged and powerful ring on the system, it is a sign of pride for rootkit developers 🦊 to claim that their code runs in Ring Zero.

The CPU is responsible for keeping track of which software code and memory is assigned to each ring, and for enforcing the access restrictions between rings.

Usually, each software program is assigned a ring number, and code in that ring cannot access the code or memory of any ring with a lower number (that is, a more privileged ring).

For example, a Ring Three program cannot access a Ring Zero program. If a Ring Three program attempts to access Ring Zero memory, the CPU raises an exception (a page fault or a general-protection fault) and transfers control to the kernel's handler for it. The kernel does not grant the access; typically it terminates the offending program (on Windows this surfaces as an access-violation exception, on Linux as a SIGSEGV signal).

There are many advantages to having a rootkit execute in Ring Zero. Such a rootkit can manipulate not only the hardware, but also the environment in which all other software operates. This is critical for employing stealth operations on the computer.

2- CPU Tables :

In addition to keeping track of rings, the CPU is responsible for making many other decisions. For example, the CPU must decide what to do when an interrupt is thrown, when a software program crashes, when hardware signals for attention, when user-mode programs try to communicate with kernel-mode programs, and when multi-threaded programs switch threads. Clearly the operating system code must deal with such matters, but the CPU always deals with them first.

For every important event, the CPU must figure out which software routine deals with that event. Since every software routine lives in memory, it makes sense for the CPU to store addresses for important software routines. More specifically, the CPU needs to know where to find the address of an important software routine. The CPU cannot store all of the addresses internally, so it must look up the values. It does this by using tables of addresses. When an event occurs, such as an interrupt, the CPU looks up the event in a table and finds the corresponding address of the software that deals with that event. The only information the CPU needs is the base address (and size) of each table, which it keeps in a dedicated register: GDTR for the GDT, LDTR for the LDT, IDTR for the IDT, and CR3 for the page directory.

There are many important CPU tables :

1- Global Descriptor Table (GDT), which defines memory segments and the privilege level (ring) of each

2- Local Descriptor Table (LDT), a per-task table of segments with the same format as the GDT

3- Page Directory (and page tables), used to map virtual addresses to physical memory and to mark each page as user-accessible or supervisor-only

4- Interrupt Descriptor Table (IDT), used to find interrupt and exception handlers

In addition to these hardware-defined tables, the OS implements tables of its own. These OS-implemented tables are not directly supported by the CPU, so the OS includes special functions and code to manage them.

Important OS-implemented table :

● System Service Dispatch Table (SSDT), used by the Windows kernel to dispatch system calls to the kernel routine that services each one

A rootkit developer can modify or hook these tables in order to provide stealth or to capture data. Note that on 64-bit Windows, Kernel Patch Protection (PatchGuard) periodically checks the IDT, GDT and SSDT and crashes the system with a bug check when it finds them modified, so these classic hooks are far less practical there than on 32-bit Windows.
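Putting the two sections together (rings, and the tables the CPU locates through its registers), here is an added example that is not part of the original article. It assumes Linux on an x86-64 or i386 machine, built with gcc or clang. The program reads its own ring number from the CS register, asks the CPU for the IDT base with the SIDT instruction, and then tries to read that Ring Zero table from Ring Three, catching the SIGSEGV the kernel delivers when the CPU's privilege check fails. The function names (current_privilege_level, idt_base_address, read_faults, run_catching_fault) are this example's own.

```c
/* Added example (not from the original article). Assumes Linux on
 * x86-64 or i386, compiled with gcc or clang. Function names are ours. */
#define _POSIX_C_SOURCE 200809L
#include <inttypes.h>
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* --- Catching a privilege fault from Ring 3 ----------------------------
 * When user code touches supervisor memory, the CPU raises #PF (or #GP),
 * the kernel's handler runs, and the process receives SIGSEGV. We turn
 * that signal into a return value with sigsetjmp/siglongjmp. */
static sigjmp_buf fault_env;

static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* Run fn(arg); return 1 if it raised SIGSEGV or SIGBUS, 0 if it completed. */
int run_catching_fault(void (*fn)(void *), void *arg)
{
    struct sigaction sa, old_segv, old_bus;
    volatile int faulted = 1;           /* volatile: survives siglongjmp */
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    if (sigsetjmp(fault_env, 1) == 0) { /* 1: restore the signal mask on return */
        fn(arg);
        faulted = 0;
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return faulted;
}

static void read_byte(void *p)
{
    unsigned char b = *(volatile unsigned char *)p;  /* the access attempt */
    (void)b;
}

/* 1 if a one-byte read at addr is refused by the CPU, 0 if it succeeds. */
int read_faults(uintptr_t addr) { return run_catching_fault(read_byte, (void *)addr); }

unsigned char probe_byte = 0x41;    /* ordinary Ring 3 data, readable */

/* --- The ring is just a number ----------------------------------------
 * The two low bits of the CS selector are the Current Privilege Level. */
int current_privilege_level(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned short cs;
    __asm__ volatile ("mov %%cs, %0" : "=r"(cs));
    return cs & 3;
#else
    return -1;                          /* not an x86 build */
#endif
}

/* --- The CPU only holds the table's base address ----------------------
 * IDTR is the register the CPU consults to find interrupt handlers. SIDT
 * copies it out and runs from Ring 3 unless UMIP is enabled; recent Linux
 * then emulates it with a dummy kernel-half base, older kernels let it #GP. */
struct idt_register { uint16_t limit; uintptr_t base; } __attribute__((packed));

#if defined(__x86_64__) || defined(__i386__)
static void do_sidt(void *out)
{
    __asm__ volatile ("sidt %0" : "=m"(*(struct idt_register *)out));
}
#endif

/* IDT base as seen from Ring 3, or 0 if SIDT is unavailable or faulted. */
uintptr_t idt_base_address(void)
{
    struct idt_register idtr = { 0, 0 };
#if defined(__x86_64__) || defined(__i386__)
    if (run_catching_fault(do_sidt, &idtr))
        return 0;
#endif
    return idtr.base;
}

int main(void)
{
    uintptr_t idt = idt_base_address();
    printf("ring (CPL) of this process : %d\n", current_privilege_level());
    printf("IDT base reported by SIDT   : 0x%" PRIxPTR "\n", idt);
    printf("reading the IDT from Ring 3 : %s\n",
           read_faults(idt) ? "faulted, the CPU refused the access" : "succeeded");
    printf("reading our own data        : %s\n",
           read_faults((uintptr_t)&probe_byte) ? "faulted" : "succeeded");
    return 0;
}
```

Compile with `gcc -Wall ring_demo.c -o ring_demo` and run it as a normal user: the ring reported is 3, the IDT base is a kernel-half address, the read of it faults, and the read of the program's own data succeeds. Ring Three can learn where a Ring Zero table lives, but only Ring Zero code (a driver, or a rootkit) can read or hook it; if the CPU has UMIP enabled and the kernel does not emulate SIDT, even the lookup faults, which idt_base_address handles by returning 0.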

Conclusion :

I am covering the basic concepts first, and then we will proceed to writing the code. Learn the C language and wait for me.

A rootkit developer should understand the access control techniques in the CPU and in memory. Here we have discussed microprocessor access control; another time we will discuss the different techniques in memory.

What cannot last forever has no value 🦊🌼 🌻