Intermediate : Medium Nuggets

Special Purpose Processor 32 Bit Registers Modes Instructions

Segmentation Port IO

Interrupts Paging

Debugging x86 Instruction: Instruction: Processor Instruction Instruction CPUID RDTSC Intermediate x86: Small Nuggets Modes Prefixes Format

Repeat (REP), Special Processor Processor Processor Mode: Processor Repeat While Zero Flag is Operand or Purpose Debugger VM Mode: Mode: VMX Mode: Set (REPZ, REPE), Segment Branch Address Register: Detection: Detection: System Enabled LOCK (64 bit & Override Hints Size EFLAGS: RDTSC RDTSC (Virtual 8086 Management Compatibility Mode) (Unreal Mode) Repeat While Zero Flag is Override ID Flag Mode) Mode Not Set (REPNZ, REPNE)

Real & Instructions GOTO: GOTO: Virtual 8086 GOTO: : Privilege x86 Tasks: John's John's Mode David's PUSHFD Rings Concept class class Interrupts: class POPFD nodes nodes Concept nodes

Protected & x86 Tasks: Interrupt Segmentation: Long Mode Task State Debugging: Vector Concept Interrupts: Segment Concept Table (IVT) Concept (TSS)

Interrupt Interrupts: Special Debugging: Virtual Memory & Segmentation: Interrupts: Segmentation: Interrupt Port I/O: Descriptor Faults, Purpose x86 Paging: Segment Interrupt Addressing Masking Concept Table (IDT): Traps, Register: Task Hardware Concept Selectors Frame Concept Aborts Register (TR) Support

Paging: Special Instructions: Per- Per- Special Purpose Physical Paging: Special Purpose Logical Special Purpose Register: Purpose IRET, Special Translation Paging: process process Interrupts: Single Registers: Page Address Physical Size Paging: Registers: Addresses EFLAGS: Register: INT n, Purpose Instructions: Hardware Branch Lookaside Canonical Virtual Physical Interrupt Stepping & Control Registers: Faults Extensions Extensions 64 Bit Segment Registers & Far I/O Privilege Level (IOPL) EFLAGS: INT 3 (0xCC form), Register: LTR, STR Breakpoints Tracing Buffer (TLB) 32 Bit Memory Memory Descriptors Tracing CR0,CR2,CR3,CR4 (PAE) 36 (PSE) 36 Bit (CS,DS,ES,FS,GS,SS) Pointers flags (2 bits) Interrupt INTO, IDTR Separation Sharing Bit (IF) Flag UD2

Instructions Special Special Special I don't : Clear Instructions: FS, GS Purpose Purpose Purpose Malware: know Segmentation: Interrupt Debugging: MOV to/from Instruction: Use of Use of Use of CR3 if Use of CR3 if Special Interrupt Instructions: Instructions: Registers: Register: Register: Shadow anything Global Descriptor Table (GDT) Trap Gate Flag (CLI), Software Task Gate Control INVLPG CR3 CR3 CR4.PCIDE == 0 CR4.PCIDE == 1 Usage by Gate IN, OUT LIDT, SIDT Debug EFLAGS: EFLAGS: Walker about this & Local Descriptor Table (LDT) Set Breakpoints Registers OSes Registers: Trap Flag Resume yet Interrupt DR0-3,6-7 (TF) Flag (RF) Flag (STI)

Page Map Page Directory Level 4 Special Accessing Anti-debug: Page Directories & Pointer Table & (PML4) Segmentation: Purpose Interrupt IBM 8042 VMWare: Anti-Debug: Instructions: Global VM Detection: Manipulating Page Directory Entry Page Directory Table and Segment Registers: Hooking: Keyboard Accessing Self-checking MOV to/from Pages SIDT (Red Pill) Debug (PDE) format Pointer Table PML4 Descriptors GDTR & Concept Controller "backdoor" code Debug Registers Registers Entries (PDPTEs) Entries LDTR (PS2) (PML4E)

Page Directory Interrupt Keystroke Privilege Rings: Interrupt Page Tables & Large Page Directories & Pointer Table & Instructions: Hooking: Logging: Implementation Segmentation: Hooking: Page Table Entry (4MB) Page Directory Entry Page Directory LGDT, SGDT, Change IDT Hook + (CPL, DPL, Call Gates Change 32 (PTE) format Pages (PDE) format Pointer Table LLDT, SLDT Segment Port IO to RPL) Bit Offset Entries (PDPTEs) Selector 8042

Windows' Self-referential Page Tables & Large Page Directories & Large VM Detection: Virtual Addressing Page Table Entry (2MB) Page Directory (1GB) (NoPill/ Convention for finding (PTE) format Pages Entry (PDE) format Pages SnoopyNG) PDEs & PTEs

Page Windows' Self-referential Tables & Large Virtual Addressing XD/NX Bit Page Table (2MB) Convention for finding & Security Entry Pages PDEs & PTEs (PTE) format