The Import Directory: Part 1
We know that when the operating system loads an executable, it walks the executable's import directory to find the DLLs and functions the executable uses and fills in the Import Address Table (IAT). This is necessary because the OS must map the required DLLs into the executable's address space before any of their functions can be called. To be more precise, IAT is ...
The Export Directory
Simple Example of Export Directory: Let's take a look at a simple example to understand how the export directory is used by executables and libraries. Let's suppose that we're dealing with a .dll library that has 10 exported functions, so NumberOfFunctions=10. It has 5 names ...
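The export-directory layout the teaser describes (an Export Address Table indexed by ordinal minus Base, plus a sorted name table and a parallel table of EAT indexes) is easiest to see by parsing one. The following is an added example, not code from the original article: it builds a constructed, flat image in which RVA equals offset (an assumption that does not hold for a real PE file, where RVAs go through the section table), with NumberOfFunctions=10, NumberOfNames=5 and Base=1, and then resolves exports the way GetProcAddress does, including an unnamed ordinal-only export, an empty EAT slot and a forwarder. All names, RVAs and the image base are hypothetical.

```python
import struct

# IMAGE_EXPORT_DIRECTORY: Characteristics, TimeDateStamp, MajorVersion, MinorVersion,
# Name, Base, NumberOfFunctions, NumberOfNames, AddressOfFunctions, AddressOfNames,
# AddressOfNameOrdinals (40 bytes, little-endian).
EXPORT_DIR_FMT = "<IIHHIIIIIII"

# Constructed sample image. Assumption: a flat buffer where RVA == offset, which is
# NOT true of a real PE file (there you map each RVA through the section table).
EXPORT_DIR_RVA = 0x1000
EXPORT_DIR_SIZE = 0x600      # Size field of the export data directory entry
IMAGE_BASE = 0x10000000      # hypothetical preferred load address


def _read_cstr(image, rva):
    """Read a NUL-terminated ASCII string located at an RVA."""
    end = image.index(b"\0", rva)
    return image[rva:end].decode("ascii")


def build_sample_image():
    """Lay out a synthetic export directory: 10 EAT slots, 5 names, Base=1."""
    img = bytearray(0x2000)
    eat_rva, names_rva, ords_rva, str_rva, fwd_rva, dll_rva = (
        0x1100, 0x1200, 0x1300, 0x1400, 0x1480, 0x1500)
    # Export Address Table, indexed by (ordinal - Base). Slot 7 points INSIDE the
    # export directory, which is how a forwarder is marked; slot 9 is 0 (unused ordinal).
    eat = [0x2010, 0x2020, 0x2030, 0x2040, 0x2050, 0x2060, 0x2070, fwd_rva, 0x2090, 0]
    # Names are stored sorted so the loader can binary-search them; the parallel
    # "ordinal" table actually holds 0-based EAT indexes, not Base-biased ordinals.
    names = [b"Alpha", b"Beta", b"Delta", b"Epsilon", b"Gamma"]
    name_idx = [0, 2, 6, 7, 4]
    name_rvas, cur = [], str_rva
    for n in names:
        name_rvas.append(cur)
        img[cur:cur + len(n) + 1] = n + b"\0"
        cur += len(n) + 1
    img[fwd_rva:fwd_rva + 20] = b"OTHER.dll.Forwarded\0"   # hypothetical forwarder target
    img[dll_rva:dll_rva + 11] = b"SAMPLE.dll\0"
    struct.pack_into(EXPORT_DIR_FMT, img, EXPORT_DIR_RVA,
                     0, 0, 0, 0, dll_rva, 1, len(eat), len(names),
                     eat_rva, names_rva, ords_rva)
    struct.pack_into("<%dI" % len(eat), img, eat_rva, *eat)
    struct.pack_into("<%dI" % len(names), img, names_rva, *name_rvas)
    struct.pack_into("<%dH" % len(names), img, ords_rva, *name_idx)
    return bytes(img)


SAMPLE_IMAGE = build_sample_image()


def parse_exports(image=None, dir_rva=EXPORT_DIR_RVA, dir_size=EXPORT_DIR_SIZE):
    """Return (dll_name, list of export dicts) by walking the three export tables."""
    image = SAMPLE_IMAGE if image is None else image
    (_, _, _, _, name_rva, base, n_funcs, n_names,
     eat_rva, names_rva, ords_rva) = struct.unpack_from(EXPORT_DIR_FMT, image, dir_rva)
    eat = struct.unpack_from("<%dI" % n_funcs, image, eat_rva)
    name_rvas = struct.unpack_from("<%dI" % n_names, image, names_rva)
    name_idx = struct.unpack_from("<%dH" % n_names, image, ords_rva)
    idx_to_name = {i: _read_cstr(image, r) for r, i in zip(name_rvas, name_idx)}
    exports = []
    for idx, rva in enumerate(eat):
        if rva == 0:
            continue                       # hole in the EAT: this ordinal is not exported
        entry = {"ordinal": base + idx, "name": idx_to_name.get(idx),
                 "rva": None, "forwarder": None}
        if dir_rva <= rva < dir_rva + dir_size:
            entry["forwarder"] = _read_cstr(image, rva)   # RVA inside the export dir => forwarder
        else:
            entry["rva"] = rva
        exports.append(entry)
    return _read_cstr(image, name_rva), exports


def resolve(name=None, ordinal=None, image=None):
    """GetProcAddress-style lookup by name, or by ordinal when name is None.
    Returns the VA at IMAGE_BASE, the forwarder string, or None if not exported."""
    _, exports = parse_exports(image)
    for e in exports:
        if (name is not None and e["name"] == name) or \
           (name is None and e["ordinal"] == ordinal):
            return e["forwarder"] if e["forwarder"] else IMAGE_BASE + e["rva"]
    return None


if __name__ == "__main__":
    dll, exports = parse_exports()
    print(dll)
    for e in exports:
        print("ordinal %2d  name %-8s  rva %s  forwarder %s" % (
            e["ordinal"], e["name"], e["rva"] and "%#x" % e["rva"], e["forwarder"]))
```

Two details matter for anyone writing a loader or an export-scanning tool: the EAT can be longer than the number of names (ordinal-only exports and empty slots are both legal), and an EAT entry whose RVA lands inside the export data directory is a forwarder string, not code, so it must be re-resolved in the target DLL rather than called.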
Windows Booting Process
Introduction In the previous tutorial, we've seen how one would go about booting the Linux operating system by using GRUB. We presented the basic overview of the booting process in Linux and we also mentioned that the boot loader must support the file system the root operating system is ...
Linux Booting Process
Introduction In this article, we'll take a closer look at the booting process of the Linux operating system. We've already described the booting process in this article, especially how the system boots if the system partition is encrypted. Let's take a look again at the same picture ...
Windows Kernel Debugging Symbols and Commands
Introduction In this tutorial, we'll introduce a few basic tools that we need to have available when doing kernel debugging on Windows. Besides that, we'll present Windows debuggers that can help us with debugging Windows programs and Windows internals. We'll also take a look at how we ...
The Sysenter Instruction and 0x2e Interrupt
In this article, we'll present a couple of examples where we'll be using the int 0x2e instruction to trap into the kernel and have its interrupt service routine run. We'll also be using the sysenter instruction to do the same. The basic idea is presenting both methods of transferring ...
Protected Mode and the IDT
Introduction The MSDOS system uses the IVT (Interrupt Vector Table) to hold the interrupt vectors that are called whenever some event occurs, such as an interrupt being generated. But modern execution environments, like protected mode, require more complex data structures. Therefore, protected mode uses the IDT, which is almost the same ...
Windows Architecture and User/Kernel Mode
Introduction Each process started on the 32-bit x86 version of Windows uses a flat memory model with a 4 GB virtual address space, 0x00000000 - 0xFFFFFFFF. By default, the lower half, 0x00000000 - 0x7FFFFFFF, is reserved for user-mode code, while the upper half, 0x80000000 - 0xFFFFFFFF, is reserved for the kernel (the /3GB boot option moves this split). The Windows ...
Handling Memory in Protected Mode
Introduction In the past, systems such as MSDOS used real mode, which had no protection against accessing any memory address. Programs were able to access even the system data stored in memory. We can imagine how bad this was when a program did something ...
Translating Virtual to Physical Address on Windows: Physical Addresses
Getting the Physical Address Manually: So far we've established that on Windows a virtual address is the same as the linear address (the segments are flat), so in the rest of the article we can use virtual addresses, because they are identical to linear ones. Let's take a look at the 0x0012ff60 virtual/linear ...
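The manual translation of a linear address such as 0x0012ff60 is a two-level table walk on 32-bit x86 without PAE: bits 31:22 index the page directory, bits 21:12 index the page table, and bits 11:0 are the offset within the 4 KiB page. The following is an added example, not code from the original article, that performs that walk over constructed page-directory and page-table contents; the CR3 value, the table entries and the resulting frame numbers are assumptions for illustration, not values from a real machine. It assumes non-PAE paging: a PAE kernel has a third level (the PDPT) and 8-byte entries, so the bit fields differ. It also handles the two cases a practitioner hits in practice: a 4 MiB large page (PS bit set in the PDE) and a non-present entry, where the CPU would raise a page fault.

```python
# x86 32-bit, non-PAE paging: 4 KiB pages, 4-byte PDEs and PTEs.
# Assumption: all table contents below are constructed for this example.
PAGE_PRESENT = 1 << 0
PAGE_RW      = 1 << 1
PAGE_USER    = 1 << 2
PAGE_ACCESSED = 1 << 5
PAGE_DIRTY   = 1 << 6
PAGE_PS      = 1 << 7      # in a PDE: the entry maps a 4 MiB page directly


class NotMapped(Exception):
    """Raised where the CPU would raise #PF (present bit clear in PDE or PTE)."""


def split_linear(va):
    """Decompose a 32-bit linear address into (PD index, PT index, page offset)."""
    return (va >> 22) & 0x3ff, (va >> 12) & 0x3ff, va & 0xfff


def read_dword(phys_mem, pa):
    # phys_mem models physical RAM as {physical address: dword}; anything
    # not written reads as zero, i.e. a non-present entry.
    return phys_mem.get(pa, 0)


def translate(va, cr3, phys_mem):
    """Walk PD -> PT the way the MMU does and return the physical address."""
    pdi, pti, offset = split_linear(va)
    pde = read_dword(phys_mem, (cr3 & 0xfffff000) + pdi * 4)
    if not pde & PAGE_PRESENT:
        raise NotMapped("PDE[%#x] not present" % pdi)
    if pde & PAGE_PS:
        # 4 MiB page: bits 31:22 of the PDE are the frame, low 22 bits of VA the offset
        return (pde & 0xffc00000) | (va & 0x3fffff)
    pte = read_dword(phys_mem, (pde & 0xfffff000) + pti * 4)
    if not pte & PAGE_PRESENT:
        # On Windows a clear present bit may still be a transition or prototype
        # PTE the memory manager can resolve; the hardware, however, faults here.
        raise NotMapped("PTE[%#x] not present" % pti)
    return (pte & 0xfffff000) | offset


# Constructed state (hypothetical values): CR3 -> page directory at PA 0x39000;
# PDE[0] -> page table at PA 0x3a000; PTE[0x12f] -> frame at PA 0x1c2b000;
# PDE[0x200] (VA 0x80000000) -> 4 MiB kernel page at PA 0.
CR3 = 0x00039000
FLAGS = PAGE_PRESENT | PAGE_RW | PAGE_USER | PAGE_ACCESSED | PAGE_DIRTY
PHYS_MEM = {
    0x39000 + 0x000 * 4: 0x0003a000 | FLAGS,
    0x3a000 + 0x12f * 4: 0x01c2b000 | FLAGS,
    0x39000 + 0x200 * 4: 0x00000000 | PAGE_PRESENT | PAGE_RW | PAGE_PS,
}


if __name__ == "__main__":
    va = 0x0012ff60
    print("PDI=%#x PTI=%#x offset=%#x" % split_linear(va))
    print("VA %#010x -> PA %#010x" % (va, translate(va, CR3, PHYS_MEM)))
```

For 0x0012ff60 the split is PDI 0, PTI 0x12f, offset 0xf60, so the physical address is the PTE's frame with the offset appended; with the constructed PTE above that gives 0x01c2bf60. In WinDbg the same walk is what `!pte` and `!vtop` perform for you, and comparing their output with a manual walk is a quick way to check whether a kernel is running PAE.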