[Info-vax] Malware in kernel mode, was: Re: Android development Was Re: OT: Larry Ellison takes retirement as CEO of Oracle

Simon Clubley clubley at remove_me.eisner.decus.org-Earth.UFP
Thu Sep 25 16:15:53 EDT 2014


On 2014-09-25, JF Mezei <jfmezei.spamnot at vaxination.ca> wrote:
> On 14-09-25 13:17, Simon Clubley wrote:
>
>> It would do this by directly writing to the hardware registers as
>> the way you access the hardware is the same regardless of operating
>> system.
>
> This assumes that your process has write access to memory locations that
> are mapped to hardware so that you can talk directly to hardware, or
> that you are Mr VAXman and run everything in kernel mode all the time.
>

JF, we are not talking about code running in a process context.

We are talking about a buffer/integer/whatever overflow/other
vulnerability in some kernel mode component which allows what should
be data to be executed as code.

As the component is a kernel mode component, that means code it
wrongly executes will also be running in kernel mode and hence
has full access to the hardware address space.

BTW, even if the OS hadn't mapped in the full hardware address space,
it would be trivial for the malware to create its own page tables
(and reload the page table base address register) to gain that access
for itself.

Simon.

PS: What is your obsession with Brian all about ? :-)

-- 
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
(Email address unavailable until approximately the middle of October)
Microsoft: Bringing you 1980s technology to a 21st century world