The Control Registers


Aside from the system tables, a few special registers control important features of the CPU. These registers may be used by rootkits.

Control Register Zero (CR0)

The control register contains bits that control how the processor behaves. A popular method for disabling memory-access protection in the kernel involves modifying a control register known as CR0.

The control register was first introduced in the lowly '286 processor and was previously called the machine status word. It was renamed Control Register Zero (CR0) with the release of the '386 family of processors. It wasn't until the '486 series of processors that the write protect (WP) bit was added to CR0. The WP bit controls whether the processor will allow writes to memory pages marked as read-only. Setting WP to zero disables memory protection. This is very important for kernel rootkits that are intended to write to OS data structures.

The following code shows how to disable and re-enable memory protection using the CR0 trick.

       // UN-protect memory
       __asm
       {
             push eax
             mov  eax, CR0
             and  eax, 0FFFEFFFFh       ; clear the WP bit (bit 16)
             mov  CR0, eax
             pop  eax
       }

       // do something

       // RE-protect memory
       __asm
       {
             push eax
             mov  eax, CR0
             or   eax, NOT 0FFFEFFFFh   ; set the WP bit (bit 16) again
             mov  CR0, eax
             pop  eax
       }
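A defender's check for the condition this section describes, added here as an example and not taken from the book: it decodes per-CPU CR0 values, flags any processor that has paging on but WP clear, and reuses the two masks from the listing above. The `cpu N cr0=HEX` line format, the sample values and the function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define CR0_PE (1u << 0)    /* protected mode enabled */
#define CR0_WP (1u << 16)   /* write protect */
#define CR0_PG (1u << 31)   /* paging enabled */
/* The two masks used by the listing above. */
#define CLEAR_WP_MASK 0xFFFEFFFFu        /* and eax, 0FFFEFFFFh     */
#define SET_WP_MASK   (~CLEAR_WP_MASK)   /* or  eax, NOT 0FFFEFFFFh */

/* Returns 1 when protected mode and paging are on but WP is clear. */
int wp_disabled(uint32_t cr0)
{
    const uint32_t need = CR0_PE | CR0_PG;
    return (cr0 & need) == need && (cr0 & CR0_WP) == 0;
}

/* Parses "cpu N cr0=HEX" lines (constructed format, N <= 31). CR0 is
 * per-processor, so every CPU is checked. Sets bit N of *flagged for each
 * CPU with WP clear; returns the line count, or -1 on a malformed line. */
int audit_dump(const char *dump, uint32_t *flagged)
{
    unsigned cpu, cr0;
    int used, lines = 0;
    *flagged = 0;
    while (*dump) {
        if (sscanf(dump, " cpu %u cr0=%x%n", &cpu, &cr0, &used) != 2 || cpu > 31)
            return -1;
        if (wp_disabled((uint32_t)cr0))
            *flagged |= 1u << cpu;
        dump += used;
        while (*dump == '\n' || *dump == ' ')
            dump++;
        lines++;
    }
    return lines;
}

/* Constructed sample: CPU 1 has bit 16 cleared. */
static const char SAMPLE[] =
    "cpu 0 cr0=80050033\n"
    "cpu 1 cr0=80040033\n"
    "cpu 2 cr0=80050033\n";

int main(void)
{
    uint32_t flagged;
    int n = audit_dump(SAMPLE, &flagged);
    printf("%d CPUs read, WP-clear bitmap: 0x%x\n", n, (unsigned)flagged);
    return 0;
}
```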

Other Control Registers

There are four more control registers, and they handle other functions for the processor. CR1 remains unused or undocumented. CR2 is used when the processor is in protected mode; it stores the last address that caused a page fault. CR3 stores the address of the page directory. CR4 was not implemented until the Pentium series of processors (and later versions of the '486); it handles matters such as when the virtual 8086 mode is enabled (that is, when running an old DOS program on Windows NT). If this mode is enabled, the processor will trap privileged instructions such as CLI, STI, and INT. For the most part, these additional registers are not useful for rootkits.

The EFlags Register

The EFlags register is also important. For one thing, it handles the trap flag. When this flag is set, the processor will single-step. A rootkit can use a feature such as single-stepping to detect whether a debugger is running or to hide from virus-scanner software. You can disable interrupts by clearing the interrupt flag. Also, the I/O Privilege Level can be used to modify the ring-based protection system used by most Intel-based operating systems.

    Rootkits: Subverting the Windows Kernel
    ISBN: 0321294319
    EAN: 2147483647
    Year: 2006
    Pages: 111
