[Info-vax] Malware in kernel mode, was: Re: Android development Was Re: OT: Larry Ellison takes retirement as CEO of Oracle
VAXman- at SendSpamHere.ORG
Fri Sep 26 06:48:37 EDT 2014
In article <m01t5p$r0f$1 at dont-email.me>, Simon Clubley <clubley at remove_me.eisner.decus.org-Earth.UFP> writes:
>On 2014-09-25, JF Mezei <jfmezei.spamnot at vaxination.ca> wrote:
>> On 14-09-25 13:17, Simon Clubley wrote:
>>
>>> It would do this by directly writing to the hardware registers as
>>> the way you access the hardware is the same regardless of operating
>>> system.
>>
>> This assumes that your process has write access to memory locations that
>> are mapped to hardware so that you can talk directly to hardware, or
>> that you are Mr VAXman and run everything in kernel mode all the time.
>>
>
>JF, we are not talking about code running in a process context.
>
>We are talking about a buffer/integer/whatever overflow/other
>vulnerability in some kernel mode component which allows what should
>be data to be executed as code.
>
>As the component is a kernel mode component, that means code it
>wrongly executes will also be running in kernel mode and hence
>has full access to the hardware address space.
>
>BTW, even if the OS hadn't mapped in the full hardware address space,
>it would be trivial for the malware to create its own page tables
>(and reload the page table base address register) to gain that access
>for itself.
>
>Simon.
>
>PS: What is your obsession with Brian all about ? :-)
Maybe it's a hair thing? :)
--
VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)ORG
I speak to machines with the voice of humanity.