alex-ionescu.com - Alex Ionescu’s Blog – Windows Internals, Thoughts on Security, and Reverse Engineering


Previously, in Part 1, we saw how the Windows Driver Foundation (WDF) can significantly simplify the development of drivers, including even “research-type” non-PnP drivers. In this part, we will enter the guts of Hyper-V and talk about how hypercalls work (a term modelled on “syscall”: where a system call is an application-to-OS transition, a hypercall is an OS-to-hypervisor transition).

First, it’s important to learn that there are two kinds of hypercalls that Hyper-V supports, both described in the Top Level Functional Specification (TLFS). The first kind, called regular or slow hypercalls, uses physical addresses of RAM to send and receive input and output parameters, which must be aligned to their natural boundaries. To explain how we can pass such data to Hyper-V, we’ll have to learn about the Windows concept of Memory Descriptor Lists (MDLs), and that will be the topic of this part.