BATTLE OF SKM AND IUM
blackhat2015
SECURE MODE CALLS
• Secure Mode Calls are services that SK provides to NTOS
• NTOS uses the SkCallSecureMode routine and passes a special structure that identifies
  • The Operation Code
  • The Service Code
• Three operations are possible
  • Resume Thread [0]
  • Secure Service Call [1]
  • TLB Flush [2]
• This puts the CPU into VTL 1 and executes the handler for VTL which will run in SKM
• VTL 0->1 Switch is done with VMCALL instruction, RCX == 0x11 (RCX is saved into RAX)