Chapter 3
01010010, 01101111, 01101111, 01110100, 01101001, 01110100, 01110011, 00100000, 01000011, 01000000
Hardware Briefing
As mentioned in the concluding remarks of the previous chapter, to engineer
a rootkit we must first decide:
■ What part of the system we want the rootkit to interface with.
■ Where the code that manages this interface will reside.
Addressing these issues will involve choosing the Windows execution
mode(s) that our code will use, which in turn will require us to have some
degree of insight into how hardware-level components facilitate these
system-level execution modes. In the landscape of a computer, all roads lead
to the processor. Thus, in this chapter we'll dive into aspects of Intel's 32-bit
processor architecture (i.e., IA-32). This will prepare us for the next chapter
by describing the structural foundation that the IA-32 provides to support the
Windows OS.
Note: As mentioned in this book's preface, I'm focusing on the desktop as a target.
This limits the discussion primarily to 32-bit hardware. Although 64-bit processors are
definitely making inroads as far as client machines are concerned, especially among
the IT-savvy contingent out there, 32-bit desktop models still represent the bulk of this
market segment.
3.1 Physical Memory
The IA-32 processor family accesses each 8-bit byte of physical memory
(e.g., the storage that resides on the motherboard) using a unique physical
address. This address is an integer value that the processor places on its address
lines. The range of possible physical addresses that a processor can specify
on its address lines is known as the physical address space.
A physical address is just an integer value. Physical addresses start at zero
and are incremented by one. The region of memory near address zero is