Michael Hale Ligh

  • Andrii Pastushenko quoted 6 months ago
    kernel mode is implemented in ring 0 (most privileged) and user mode in ring 3 (least privileged). When the processor is executing in kernel mode, the code has unrestricted access to the underlying hardware, including privileged instructions, and to kernel and process memory regions (except on newer systems with SMEP, which prevents ring 0 execution of user pages).
  • Andrii Pastushenko quoted 6 months ago
    most operating systems define a set of stable APIs that map to one or more system calls (for example, the APIs provided by ntdll.dll and kernel32.dll on Windows)
  • Andrii Pastushenko quoted 6 months ago
    user application requests a service from the operating system’s kernel using a system call
  • Andrii Pastushenko quoted 6 months ago
    When a program executes, a new process is created and associated with its own set of attributes, including a unique process ID and address space. The process address space becomes a container for the application’s code, shared libraries, dynamic data, and runtime stack. A process also possesses at least a single thread of execution. A process provides the execution environment, resources, and context for threads to run.
  • Andrii Pastushenko quoted 6 months ago
    A thread is often characterized by a thread ID, CPU register set, and execution stack(s), which help define a thread’s execution context. Despite their unique execution contexts, a process’s threads share the same code, data, address space, and operating system resources. A process with multiple threads can appear to be simultaneously performing multiple tasks.
  • Andrii Pastushenko quoted 6 months ago
    Switching execution of one thread to another is called a context switch
  • Andrii Pastushenko quoted 6 months ago
    Examples of operating system resources that are typically tracked include processes, threads, files, network sockets, synchronization objects, and regions of shared memory.
  • Andrii Pastushenko quoted 6 months ago
    By leveraging knowledge of how the program uses the data, the characteristics of how the data is stored in memory, and the conventions of the programming language, you can often recognize an abstract data-type pattern that will help give clues as to how the data can be processed.
  • Andrii Pastushenko quoted 6 months ago
    An example of a Windows bitmap of in-use network ports
  • Andrii Pastushenko quoted 6 months ago
    when analyzing the physical address space of a system that leverages paged virtual memory, you could encounter a string that crosses a page boundary to a page that is no longer memory resident, which would require special processing or heuristics to determine the actual size of the string
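The last two highlights (a bitmap of in-use ports, and a string that crosses into a page that is no longer resident) are the kind of abstract data-type pattern the earlier highlight talks about. The following is an added example written for this page, not code from the book or from any tool it describes. It assumes a 4 KiB page size, assumes the port bitmap is read LSB-first within each byte (bit i marks port i, as an RTL_BITMAP reads on a little-endian machine), and the sample pages and bitmap are constructed here for illustration. The string scanner treats the physical address space as a sparse map of resident pages and flags a string whose end or start is unknown because the neighbouring page is missing, instead of silently reporting a wrong length.

```python
"""Added example (not from the book): string scanning over a sparse physical
address space with page-residency tracking, plus decoding a port bitmap.
PAGE_SIZE, the bitmap bit order and all sample data are assumptions."""
from typing import Dict, List, Tuple

PAGE_SIZE = 4096  # assumed page size


def decode_port_bitmap(bitmap: bytes, max_port: int = 65535) -> List[int]:
    """Return the port numbers whose bit is set.

    Assumption: bit i (LSB-first within each byte) marks port i as in use.
    """
    ports = []
    for byte_index, value in enumerate(bitmap):
        if value == 0:
            continue  # skip empty bytes quickly
        for bit in range(8):
            if value & (1 << bit):
                port = byte_index * 8 + bit
                if port <= max_port:
                    ports.append(port)
    return ports


def _printable(b: int) -> bool:
    return 0x20 <= b < 0x7F


def extract_strings(pages: Dict[int, bytes], min_len: int = 4
                    ) -> List[Tuple[int, str, bool, bool]]:
    """Find ASCII strings in a sparse physical address space.

    `pages` maps a physical page number to its PAGE_SIZE bytes; pages that
    are absent are not resident. Returns (physical_address, string,
    truncated_start, truncated_end) tuples. truncated_start: the run begins
    at offset 0 of a page whose predecessor is missing, so it may have
    started earlier. truncated_end: the run reaches the end of a page whose
    successor is missing, so its real length is unknown.
    """
    results = []
    carry = b""  # run that reached the end of the previous page
    carry_addr, carry_trunc_start, prev_pfn = 0, False, None

    def emit(addr, run, t_start, t_end):
        if len(run) >= min_len:
            results.append((addr, run.decode("ascii"), t_start, t_end))

    for pfn in sorted(pages):
        data = pages[pfn]
        contiguous = prev_pfn is not None and pfn == prev_pfn + 1
        if carry and not (contiguous and data and _printable(data[0])):
            # The carried run does not continue here: either the next page
            # is missing (length unknown) or it starts with a non-printable.
            emit(carry_addr, carry, carry_trunc_start, not contiguous)
            carry = b""
        i = 0
        while i < len(data):
            if not _printable(data[i]):
                i += 1
                continue
            start = i
            while i < len(data) and _printable(data[i]):
                i += 1
            run = data[start:i]
            if start == 0 and carry:
                # Continuation of a run that crossed the page boundary.
                addr, run, t_start = carry_addr, carry + run, carry_trunc_start
                carry = b""
            else:
                addr = pfn * PAGE_SIZE + start
                t_start = start == 0 and (pfn - 1) not in pages
            if i == len(data):
                # Reached the page end: defer until the next page is known.
                carry, carry_addr, carry_trunc_start = run, addr, t_start
            else:
                emit(addr, run, t_start, False)
        prev_pfn = pfn

    if carry:  # last resident page ended mid-run; nothing follows it
        emit(carry_addr, carry, carry_trunc_start, True)
    return results


def sample_pages() -> Dict[int, bytes]:
    """Constructed sample: pages 0x10, 0x12, 0x13 resident; 0x11 is not."""
    p10, p12, p13 = bytearray(PAGE_SIZE), bytearray(PAGE_SIZE), bytearray(PAGE_SIZE)
    p10[4090:4096] = b"C:\\Win"      # runs into non-resident page 0x11
    p12[0:13] = b"dows\\System32"    # may be the tail of an earlier string
    p12[4091:4096] = b"ntdll"        # continues into resident page 0x13
    p13[0:4] = b".dll"
    p13[100:112] = b"kernel32.dll"
    p13[200:202] = b"ab"             # below min_len, dropped
    return {0x10: bytes(p10), 0x12: bytes(p12), 0x13: bytes(p13)}


def sample_port_bitmap() -> bytes:
    """Constructed 65536-bit bitmap with ports 80, 443 and 3389 marked in use."""
    bm = bytearray(8192)
    for port in (80, 443, 3389):
        bm[port // 8] |= 1 << (port % 8)
    return bytes(bm)


if __name__ == "__main__":
    print(decode_port_bitmap(sample_port_bitmap()))
    for addr, text, t_start, t_end in extract_strings(sample_pages()):
        print(hex(addr), repr(text), "start?" if t_start else "", "end?" if t_end else "")
```

Run as a script and the scanner reports `C:\Win` at 0x10ffa with its end unknown, `dows\System32` at 0x12000 with its start unknown, and `ntdll.dll` reassembled across the 0x12/0x13 boundary as a complete string; a real tool would carry those flags into its output rather than trusting the visible run length.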