As we known, computer process direct work with Kernel (Ring 0) is quite dangerous. More realistic to say is that Real mode, also called real address mode, is an operating mode of all x86-compatible CPUs. Real mode provides no support for memory protection, multitasking, or code privilege levels. Windows 95 executes drivers and process switching in ring 0, while applications, including API DLL such as kernel32.dll and krnl386.exe are executed in ring 3.
We found trick on Windows 10. For instance, you are allow to run 16 bit application on 32 bit (Window 10) operating system. But not allow to run 16 bit application on 64 bit (Windows 10) OS.
Why? A processor limitation of 64 bit OS to execute (non-protected mode) 16-bit code. The 64-bit versions of Windows include 32-bit protected mode runtime libraries, but do not include any 16-bit protected mode runtime libraries. But how’s the mystery allow execute a Dos command prompt on 64-bit (Windows 10)OS? The Dos emulator make the magic.
The kernel of windows 10 is located at top of memory. The 64 bit OS of memory support 3.5GB RAM above, hacker have difficulties to find out the kernel process finger print in memory. Apart from that, the 64 bit operating system Kernel executable not direct reachable! Since it can’t communicate with kernel directly. Therefore a common criteria consensus 64 bits OS is malware proof.
Have you heard the weakness of superman? Kryptonite are able to reduce his power?
The origin story of Superman relates that he was born on the planet Krypton. Kryptonite is a radioactive mineral from Krypton. It was produced during explosion of Krypton. Kryptonite are able to reduce superman power. A similar scenario of 64 bit OS system. Since Kernel executable not reachable. However PAGE TABLE is loaded below 4GB. So it is possible to do the follow concept to unlock windows 10.
Viewing and Editing Registers in WinDbg
Solution: Self-ref entry technique
Reference: In 32 bits, this entry is usually located in the PAGE DIRECTORY, even with PAE enabled.
In 64 bits, this entry is located in the PML4
- CPU CR3 register point to physical address (PA) of PML4
- PML4(entry) point to PA of PDPT
- PDPT(entry) point to PA of PD
- PD(entry) point to PA of PT
- PT contains Page Table Entries
As a result a re-used entry in the four paging levels, which means that this is used by the CPU as PML4 entry, PDPT entry, Page Directory entry and Page Table entry at the same time.
Busy this week, allow for me to complete the remaining part next week, Sorry!