by c12
3252 days ago
I was wondering this myself until I read the pdf:

> For effective results, the injector should be able to identify instructions in more privileged rings, even if it cannot actually execute those instructions.

> This approach allows the injector to detect even privileged instructions: whereas a non-existing instruction will throw a #UD exception, a privileged instruction will throw a #GP exception if the executing process does not have the necessary permissions for the instruction. By observing the type of exception thrown, the injector can differentiate between instructions that don’t exist, versus those that exist but are restricted to more privileged rings. Thus, even from ring 3, the injector can effectively explore the instruction space of ring 0, the hypervisor, and system management mode.
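The #UD-versus-#GP distinction the quoted passage describes, as an added C example that is not part of the comment and is not code from the paper or its tool: a ring-3 harness copies a candidate byte sequence into an executable page, runs it, and maps the resulting Linux signal back to the CPU exception class. It assumes x86-64 Linux, where the kernel delivers #UD as SIGILL and a user-mode #GP as SIGSEGV with `si_code == SI_KERNEL`; SIGSEGV with SEGV_MAPERR/SEGV_ACCERR instead comes from a page fault and is kept separate, a caveat the quoted text does not spell out. The three probes (nop, ud2, hlt) are constructed inputs chosen because their behaviour at CPL 3 is architecturally defined.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Outcome of running one candidate byte sequence from ring 3. */
enum verdict {
    V_EXECUTED = 0,    /* ran through to our trailing ret: defined and allowed at CPL 3 */
    V_NOT_EXIST = 1,   /* #UD -> SIGILL: the CPU does not decode this opcode */
    V_PRIVILEGED = 2,  /* #GP -> SIGSEGV with SI_KERNEL: decodes, but refused at CPL 3 */
    V_MEMFAULT = 3,    /* #PF -> SIGSEGV with SEGV_MAPERR/ACCERR: a memory issue, not a ring issue */
    V_OTHER = 4,       /* setup failure or an unexpected signal */
    V_UNSUPPORTED = 5  /* not x86-64 Linux (assumed platform for this example) */
};

static sigjmp_buf recover;
static volatile sig_atomic_t last_signal;
static volatile sig_atomic_t last_code;

/* Record which signal fired and why, then unwind out of the faulting instruction. */
static void on_fault(int sig, siginfo_t *info, void *ctx) {
    (void)ctx;
    last_signal = sig;
    last_code = info->si_code;
    siglongjmp(recover, 1);
}

static int install_handlers(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_fault;
    sa.sa_flags = SA_SIGINFO | SA_NODEFER;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGILL, &sa, NULL) != 0) return -1;
    if (sigaction(SIGSEGV, &sa, NULL) != 0) return -1;
    return 0;
}

/* Copy the bytes into an executable page, append a ret, call into it, and
   translate the resulting signal (if any) back into the exception class. */
enum verdict classify(const unsigned char *bytes, size_t len) {
#if !(defined(__x86_64__) && defined(__linux__))
    (void)bytes; (void)len;
    return V_UNSUPPORTED;
#else
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0 || len + 1 > (size_t)page || install_handlers() < 0) return V_OTHER;
    unsigned char *buf = mmap(NULL, (size_t)page, PROT_READ | PROT_WRITE | PROT_EXEC,
                              MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED) return V_OTHER;
    memcpy(buf, bytes, len);
    buf[len] = 0xC3;          /* ret: reached only if the candidate executes cleanly */

    enum verdict v;
    last_signal = 0;
    last_code = 0;
    if (sigsetjmp(recover, 1) == 0) {
        ((void (*)(void))buf)();   /* jump into the candidate bytes */
        v = V_EXECUTED;
    } else if (last_signal == SIGILL) {
        v = V_NOT_EXIST;
    } else if (last_signal == SIGSEGV) {
        v = (last_code == SI_KERNEL) ? V_PRIVILEGED : V_MEMFAULT;
    } else {
        v = V_OTHER;
    }
    munmap(buf, (size_t)page);
    return v;
#endif
}

/* Constructed probes (not from the page): nop executes, ud2 is the
   architecturally defined #UD opcode, hlt is a ring-0 instruction that #GPs at CPL 3. */
enum verdict probe_nop(void) { static const unsigned char b[] = {0x90};       return classify(b, sizeof b); }
enum verdict probe_ud2(void) { static const unsigned char b[] = {0x0F, 0x0B}; return classify(b, sizeof b); }
enum verdict probe_hlt(void) { static const unsigned char b[] = {0xF4};       return classify(b, sizeof b); }

int main(void) {
    printf("nop -> %d (expected %d: executed)\n",            probe_nop(), V_EXECUTED);
    printf("ud2 -> %d (expected %d: #UD, does not exist)\n", probe_ud2(), V_NOT_EXIST);
    printf("hlt -> %d (expected %d: #GP, privileged)\n",    probe_hlt(), V_PRIVILEGED);
    return 0;
}
```

Checking `si_code` is what keeps the two SIGSEGV sources apart: a candidate that decodes to a memory operand through a bad pointer also arrives as SIGSEGV, and treating every SIGSEGV as "privileged" would misclassify it. A full-scale tool would also have to handle length ambiguity and trailing bytes, which this single-instruction harness sidesteps by placing one candidate before the `ret`.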