
Me And Osland!!! - Programming - Nairaland


Me And Osland!!! by olioxx(m): 10:58am On Dec 03, 2021
Preliminary: This thread is a twin to the other thread where I explored the dark corners of the internet. You can find it here: https://www.nairaland.com/6820385/me-dark-corner
I won't go into practical details in this thread, just the theoretical.

Materials I will be using: Intel Manual, Microsoft Documentation, An online class, Google Chrome

Why I am doing this: I believe that the best way to learn / study well is to teach what you know in the simplest way, and also spaced repetition.
I am also a big fan of low-level stuff.

Let's jump right in!!!!!!
Re: Me And Osland!!! by olioxx(m): 11:00am On Dec 03, 2021
Dec 3, 2021: Downloaded materials to study OS internals.
Trusted the process even if I don't know where it will take me.

Later in the day, I might write a short summary of what I've learnt today. Time for breakfast and study. See you soon

So in the coming days I'll learn more on the Intel Architecture and its relations with the Windows OS.

Re: Me And Osland!!! by olioxx(m): 8:11pm On Dec 03, 2021
CPUID is an assembly instruction closely related to the Intel Architecture.
So in essence CPUID is kinda a mechanism to find out if the CPU/processor supports features like 64-bit mode, hardware virtualization, Hyper-Threading, thermal monitor, amongst other features. When I checked page 2843 (Volume 3) in the Intel Manual, that is also index 1.3.6, CPUID takes input from values stored in the EAX register. (Note that I am using the Intel manual dated May 2020.)
The hardware/processor knows if CPUID is supported by checking the ID flag in the EFLAGS register; the ID flag is located at bit 21 of the EFLAGS register.
It is possible to read and write the EFLAGS register by using 2 assembly instructions, which are PUSHFQ and POPFQ.
When there is 0x0 in the EAX register before CPUID is executed, the correct string output from EDX, ECX, EBX should be "Genuine Intel", which shows that an Intel processor is running on the system. Checking the CPUID info on Wikipedia shows this information, the link is here: https://en.m.wikipedia.org/wiki/CPUID
When the input to EAX before CPUID is executed is 0x7, then it starts getting interesting (according to the Intel Manual): bit 2 in the EBX register will notify us if the system supports Software Guard Extensions to provide some level of security; the 7th bit will notify us if the system supports Supervisor Mode Execution Prevention, and SMEP makes sure that kernel mode software is not run in user mode; the 20th bit will notify us if the system supports Supervisor Mode Access Prevention, and SMAP will forcefully stop the kernel from accessing data from user space. This is used a lot in rootkits, but armed with this info, that bit can be monitored. Based on VM settings the Hypervisor can intercept the CPUID configuration, part of the reason why using a raw processor is necessary to monitor CPUID related information.

Next I learned about the different processor modes in Intel.
Starting with Real Address Mode. Generally, RAM (Real Address Mode) is not the best security-wise; DOS used RAM. The real reason why RAM sucks is that there are privilege rings, so a typical malware can infect both the kernel and user space. When a processor is reset it reverts back to RAM.
Next is System Management Mode. SMM is triggered by the System Management Interrupt; SMM makes sure there is added protection.
SMM is dubbed the most privileged execution mode; security is of paramount importance.
Next is Protected Mode. This is one of the most common modes of execution; checking page 72 (Volume 1) provides more information. A lot of systems use/operate in Protected Mode; PM provides support for privilege rings, which RAM lacks.
AMD originally named x86-64 Long Mode (by the way, I think that the Finite State Machine from AMD is more presentable than that of Intel). What I am trying to convey is that the graphical representation of the execution modes from AMD feels more presentable and logical.
After Protected Mode comes Long Mode; now Long Mode has 2 operating mechanisms/modes, which are compatibility mode and x64 mode. Compatibility mode allows for backward compatibility, that is why it is possible to run 32-bit programs on a 64-bit machine. AMD also shows the bits to tweak to traverse through the various modes. AMD rocks on this one!!!!
Next I learned about MSRs or Model Specific Registers, and I must say that the MSR is a hoooge topic; Intel dedicated an entire volume to MSRs, and I must still say that knowledge of MSRs and MSR mapping is really fantastic.
Let's ride on.
So CPUID allows software (particularly the Operating System) to know what features are supported by a given processor, but how do the features get enabled? The answer is MSRs. For example, on a particular processor the Bluetooth feature is available; how then can we enable Bluetooth through the OS? Once again, MSRs. One common convention with Architectural MSRs is the fact that "IA32_" is very common; what this means is that this MSR is generic to all processors. I knew this after some asking around lol. During class today, we did a little experiment. Before I detail the experiment, there are 2 very important assembly instructions related to MSRs: these are RDMSR (Read MSR), which reads the MSR specified in ECX into EDX:EAX (imul comes to mind here), and WRMSR (Write MSR). Now to the experiment.
Step 1: Open to page 4532 in Volume 4 of the Intel Manual.
Step 2: I am actually seeing a hex value (C000_00B0). This is the IA32_EFER MSR.
Step 3: Looking at the bit 8 field, notice that it signifies that IA32e mode is enabled; that means that the bit 8 field is what enables 64-bit mode. Notice the e, which means extended.
Step 4: Looking at the bit 10 field, this notifies us if 64-bit mode is active.

Now looking at the comment column, that pseudo code is basically showing us: IF CPUID 80000001 returns true (1) for bit 20 or 29. What does this mean? Let's check Volume 3, that is Table 3-8, for the initial EAX value of 80000001 and then check EDX for bit 20 or 29; notice that bit 20 didn't give a desirable output but bit 29 reads "Intel Architecture 64 available of 1".
So this lets us know that 64-bit is available on this particular processor.
Now linking it all up: first, CPUID allowed us to know if 64-bit mode is available on this processor, but we can only enable 64-bit mode via an MSR.
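As an added example (my own code, not from the post or the Intel manual), here is the CPUID part of the experiment in C: the feature bits the post walks through (leaf 0 vendor string, leaf 7 EBX bits 2/7/20 for SGX/SMEP/SMAP, leaf 0x80000001 EDX bit 29 for Intel 64) decoded by small functions, plus a decoder for the IA32_EFER bits 8 and 10. The live query uses GCC/Clang's <cpuid.h> macros; RDMSR needs ring 0, so the EFER decoder is fed a constructed value.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* Leaf 0: the vendor string is spread over EBX, EDX, ECX, in that order. */
int vendor_is_genuine_intel(uint32_t ebx, uint32_t edx, uint32_t ecx) {
    char s[13];
    memcpy(s, &ebx, 4); memcpy(s + 4, &edx, 4); memcpy(s + 8, &ecx, 4);
    s[12] = '\0';
    return strcmp(s, "GenuineIntel") == 0;
}

/* Leaf 7, subleaf 0, EBX: bit 2 = SGX, bit 7 = SMEP, bit 20 = SMAP. */
int leaf7_has_sgx(uint32_t ebx)  { return (ebx >> 2) & 1u; }
int leaf7_has_smep(uint32_t ebx) { return (ebx >> 7) & 1u; }
int leaf7_has_smap(uint32_t ebx) { return (ebx >> 20) & 1u; }

/* Leaf 0x80000001, EDX bit 29: Intel 64 (long mode) is available. */
int ext1_has_long_mode(uint32_t edx) { return (edx >> 29) & 1u; }

/* IA32_EFER: bit 8 (LME) = IA-32e mode enabled, bit 10 (LMA) = IA-32e mode active.
 * RDMSR only works in ring 0, so main() feeds the decoder a constructed value. */
int efer_lme(uint64_t efer) { return (int)((efer >> 8) & 1u); }
int efer_lma(uint64_t efer) { return (int)((efer >> 10) & 1u); }

int main(void) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned int a, b, c, d;
    __cpuid(0, a, b, c, d);               /* EAX=0: vendor string + max basic leaf */
    printf("GenuineIntel: %d (max basic leaf %u)\n", vendor_is_genuine_intel(b, d, c), a);
    if (a >= 7) {
        __cpuid_count(7, 0, a, b, c, d);  /* EAX=7, ECX=0: structured feature flags */
        printf("SGX=%d SMEP=%d SMAP=%d\n", leaf7_has_sgx(b), leaf7_has_smep(b), leaf7_has_smap(b));
    }
    __cpuid(0x80000001u, a, b, c, d);     /* extended leaf: long-mode availability */
    printf("Intel 64 available: %d\n", ext1_has_long_mode(d));
#else
    puts("CPUID is x86-only; skipping the live query.");
#endif
    uint64_t sample_efer = (1u << 8) | (1u << 10);  /* constructed: LME and LMA set */
    printf("EFER: LME=%d LMA=%d\n", efer_lme(sample_efer), efer_lma(sample_efer));
    return 0;
}
```

Inside a VM the leaf 7 bits reflect what the hypervisor chooses to expose, which is the point the post makes about checking on a raw processor.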
Re: Me And Osland!!! by olioxx(m): 9:59pm On Dec 03, 2021
So today I learned about CPUID, the execution modes available in Intel, and MSRs.
Re: Me And Osland!!! by olioxx(m): 9:12pm On Dec 04, 2021
Dec 4, 2021: Learned about the various Privilege Rings in Intel, Segmentation, and Interrupts.
Re: Me And Osland!!! by olioxx(m): 9:17pm On Dec 04, 2021
The concept of Privilege Rings was originally introduced by Multics in the year 1960; Multics was the first OS to hardware-enforce privilege rings. Later on Intel copied, or should I say Intel later added, that feature (i.e. hardware-enforced privilege rings). In Intel processors, there are 4 privilege rings, which are ring 0, ring 1, ring 2, ring 3.
Ring 0: This is the most privileged ring. Makes me remember the Alina malware. The OS kernel works in this ring.
Ring 1 & 2: These are the second most privileged rings; the OS services work in these rings.
Ring 3: This is the least privileged ring. User mode applications work here.
But there is a little thing to remember with privilege rings, and that is!!!
In the real world of OS development, the entire OS runs in ring 0 and user mode applications run in ring 3, so therefore we can infer that there are only 2 rings involved, ring 0 and ring 3. This explains why OS security is hard to achieve; when I analyzed the Alina malware, it was very common to see user space code calling the ntdll API or the kernel32.dll API.
This means that a skilled malware author can attempt to affect or compromise the kernel even using user space code.
Guys please always update your OS to the latest version.
Segmentation
Segmentation is a very important topic, especially with memory management. Now I am going to detour a little bit. From my prior experience with C coding, I would like to talk about segmentation faults. A segmentation fault simply refers to "trying to access and/or modify memory you shouldn't". This is very common, especially with allocating memory, reallocating memory or not remembering to free up used memory.
Turning to page 2786 of the Intel Manual (dated May 2020), we are presented with everything to know about Segmentation. On page 2871 a detailed summary is provided.
Segmentation provides a mechanism for dividing the processor's addressable memory space into smaller protected address spaces called segments. Segments can hold code, data structures, data, and the stack for a program. Segmentation is a very interesting topic and I believe that the Intel manual really explains the topic well enough.
Now we've gotten to Interrupt and Exception land.....
Interrupts and exceptions are events that indicate that a condition exists somewhere in the system; you can begin to think about the System Management Interrupt I mentioned earlier. So once an interrupt or exception is detected, the currently running state is suspended and then the processor jumps to handle the interrupt or exception. The processor receives interrupts from 2 main sources: external (hardware) or internal (software).
Exceptions indicate error conditions, while interrupts are more likely related to hardware events. For example, when you press a key on the keyboard, the interrupt can trigger the processor to handle the key pressed. After an interrupt has been handled, the Interrupt Flag is cleared to eliminate recursive interrupts.
The interrupt and/or exception handlers are tasked with saving the bulk of the previous running state, since the hardware/processor saves little state.
Re: Me And Osland!!! by olioxx(m): 9:17pm On Dec 05, 2021
Dec 5, 2021: Other things occupying my time, no time for study today. By tomorrow I'll try to upload what I've learned.
Re: Me And Osland!!! by olioxx(m): 9:14pm On Dec 06, 2021
Dec 6, 2021: Learned about System Calls

The major reason why system calls are necessary is simply to provide a mechanism for interaction between kernel and user mode. Prior to x86-64, CALL GATEs and Interrupts were used to achieve system calls. A stable API, also known as the System Call Interface, is what exposes useful functions from the kernel to user mode.
To elaborate better, let me use this very simple example.
In the kernel there is a function called NtWriteFile(); in user mode there is a provision for the function WriteFile(). Now the kernel provides this function to user mode because it knows user mode will need this functionality. So the System Call Interface exposes this function to ensure 2-way communication between kernel and user mode.
The SCI available to x86-32 processors (Intel) is the assembly instruction pair SYSENTER/SYSEXIT.
SYSENTER: This SCI (System Call Interface) transitions from user mode to kernel.
SYSEXIT: This SCI moves back to user mode.
The SCI available to x86-64 processors is the assembly instruction pair SYSCALL/SYSRET, and they work similarly to the 32-bit version, just the name changed.

Re: Me And Osland!!! by olioxx(m): 8:56pm On Dec 14, 2021
Dec 14, 2021: Taking a deep delve into Segmentation.
Segment Registers in Intel
There are six Segment Registers in Intel namely:
CS - Code Segment
SS - Stack Segment
DS - Data Segment
ES
FS
GS - The above 3 are extra data segment registers
Each of these Segment Registers contains a 16-bit Segment Selector.
Segment Selectors
There is more to the fact that the six segment registers contain segment selectors.
In every segment selector (16 bits), there is a visible part and a hidden part, so this means that every 16-bit selector has 2 parts.
Details of the Segment Selector parts
* Hidden part: This part contains a cache of information from the lookup table (more on this in a moment); as a user you cannot directly access the hidden part.
* Visible part: The visible part is what can be changed to point to a different entry in the lookup table.
Segment Selectors in action
I am going to provide a technical analogy of how segment selectors work on Intel processors (32-bit or 64-bit).
First, an important note: in 64-bit Intel processors (according to the Manual), the CS, SS, DS, ES registers in the hidden part all have a hardcoded base of 0 and a hardcoded limit of 2^64 - 1, but the other segment registers have the liberty to set the base to whatever is gotten from the lookup table.
Now to the analogy.
Register CS (visible part) has a Table Indicator of 0; this means it will point to a table called the Global Descriptor Table. When the index is 3, then it will select a data structure at the 3rd index in the GDT. Information from the table access is then stored in the hidden part of the CS register.
Register FS (visible part) has a Table Indicator of 1; this means it will point to the Local Descriptor Table. When the index is 1, then it will select a data structure at the 1st index in the LDT. Information from the table access will go to the hidden part of the FS register.

Note that the above is just an analogy (sample); in real life it may point at a different index, and the Table Indicators might change.
Segmentation Review
The Intel manual says that a processor's addressable memory space can also be called the linear address space.
To locate a byte in a particular segment, a logical address or far pointer must be provided.
What is this Logical Address?
Logical Address = Segment Selector + Offset
What this means is that on a 32-bit Intel processor a logical address is 47 bits in size.
While on a 64-bit Intel processor a logical address is 79 bits in size.
So in layman's English a logical address is telling the Intel processor, "I want this segment and offset".
In an orderly chain, the Logical Address translates to a Linear Address; as a result of Paging, the Linear Address translates into a Virtual Address, and the VA translates into a Physical Address (RAM).
How does this translation occur?
1. The Segment Selector does a table lookup (whether GDT or LDT).
2. Each table has a description of each segment.
3. The description is what is used to locate where the base of a segment is, and then the offset is added to the base of the segment.
4. Once step 3 is completed, a linear address is obtained.
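
As an added example (my own code, not from the post), here is the 4-step logical-to-linear translation above as a small C model: a selector is split into index / TI / RPL, the matching constructed GDT or LDT entry supplies a base and limit, and base + offset is the linear address. The two selectors used in main() are chosen to match the post's analogy (GDT index 3 for CS, LDT index 1 for FS); the tables and their bases are constructed values, and the limit check shows where a bad offset would fault.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* A 16-bit selector: bits 15..3 = index, bit 2 = TI (0 GDT, 1 LDT), bits 1..0 = RPL. */
typedef struct { uint16_t index; uint8_t ti; uint8_t rpl; } selector_t;

selector_t decode_selector(uint16_t sel) {
    selector_t s = { (uint16_t)(sel >> 3), (uint8_t)((sel >> 2) & 1u), (uint8_t)(sel & 3u) };
    return s;
}

/* Only the descriptor fields translation needs; a real descriptor packs more (type, DPL, ...). */
typedef struct { uint32_t base; uint32_t limit; int present; } descriptor_t;

/* Constructed toy tables. GDT entry 3 and LDT entry 1 are the entries the post's analogy uses. */
static const descriptor_t gdt[4] = {
    {0, 0, 0},                  /* entry 0: the null descriptor, never usable */
    {0, 0xFFFFFFFFu, 1},        /* entry 1: flat code-style segment */
    {0, 0xFFFFFFFFu, 1},        /* entry 2: flat data-style segment */
    {0x10000000u, 0x0FFFu, 1},  /* entry 3: small 4 KiB segment with a non-zero base */
};
static const descriptor_t ldt[2] = { {0, 0, 0}, {0x20000000u, 0x00FFu, 1} };

/* Logical selector:offset -> linear address, or -1 where the processor would raise #GP:
 * index past the table, descriptor not present, or offset beyond the segment limit. */
int64_t logical_to_linear(uint16_t sel, uint32_t offset) {
    selector_t s = decode_selector(sel);
    const descriptor_t *tab = s.ti ? ldt : gdt;
    size_t n = s.ti ? sizeof ldt / sizeof ldt[0] : sizeof gdt / sizeof gdt[0];
    if (s.index >= n || !tab[s.index].present) return -1;
    if (offset > tab[s.index].limit) return -1;
    return (int64_t)tab[s.index].base + offset;
}

int main(void) {
    /* 0x1B = index 3, TI 0 (GDT), RPL 3: the CS case from the analogy. */
    printf("CS=0x1B offset 0x100  -> linear 0x%llx\n", (long long)logical_to_linear(0x1B, 0x100));
    /* 0x0F = index 1, TI 1 (LDT), RPL 3: the FS case. */
    printf("FS=0x0F offset 0x10   -> linear 0x%llx\n", (long long)logical_to_linear(0x0F, 0x10));
    /* Offset past the 4 KiB limit of GDT entry 3: translation is refused (-1). */
    printf("CS=0x1B offset 0x2000 -> %lld\n", (long long)logical_to_linear(0x1B, 0x2000));
    return 0;
}
```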

Re: Me And Osland!!! by olioxx(m): 8:35pm On Dec 15, 2021
Dec 15, 2021: Crafting my write-up on Paging and the CMOS concept. Tomorrow I'll drop the write-ups.
Re: Me And Osland!!! by olioxx(m): 8:28pm On Dec 16, 2021
Dec 16, 2021: Paging and CMOS

Before I go deep into Paging, it is noteworthy that virtual addresses are addresses that take paging into account. When paging is enabled, virtual addresses get translated to physical addresses. We can then infer that once paging is enabled on a processor, linear addresses become virtual addresses, which then get translated to physical addresses.
Why the term paging?
It is termed paging because physical memory is divided into fixed-size parts called pages.
Effects of Paging
1. As a result of paging, memory access becomes virtual, in that there is no one-to-one correspondence between linear addresses and physical addresses, e.g. a high linear address may map to a low physical address and vice versa.
2. As a result of paging, redundant memory can or may be removed from RAM and transferred to, say, the Hard Drive or Solid State Drive, and that's why there is the saying that "the RAM is paged out to disk". When a new process is fired up and there is limited memory, the OS can pull the memory back into RAM.
Benefits of Paging
Paging allows the OS to behave as if it has more RAM than is present, and this allows redundant memory to be paged out and retrieved once needed. You can then run multiple processes on your machine without much issue.
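
As an added example (my own code, not from the post), here is a simplified page-table model in C showing the two effects above: the virtual page number indexes a constructed table, so a high virtual page can land in a low physical frame, and a page that is "paged out to disk" shows up as a not-present entry that the OS would have to pull back in before the access can succeed. The real x86 walk goes through four levels of tables; this toy uses one flat table so the mapping stays easy to read.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12                  /* 4 KiB pages */
#define PAGE_SIZE  (1u << PAGE_SHIFT)
#define NUM_PAGES  8                   /* toy virtual space: 8 pages = 32 KiB */

/* One page-table entry. A real x86 entry packs these into one 64-bit word together
 * with permission bits; this toy keeps a single flat table instead of 4 levels. */
typedef struct { int present; uint32_t frame; int on_disk; } pte_t;

/* Constructed table. Not one-to-one: virtual page 7 (highest) lives in physical
 * frame 1 (low); virtual page 2 is paged out to disk; page 4 is not mapped at all. */
static const pte_t page_table[NUM_PAGES] = {
    {1, 5, 0}, {1, 9, 0}, {0, 0, 1}, {1, 3, 0}, {0, 0, 0}, {1, 2, 0}, {1, 8, 0}, {1, 1, 0},
};

enum { FAULT_PAGED_OUT = -1, FAULT_UNMAPPED = -2, FAULT_OUT_OF_RANGE = -3 };

/* Virtual -> physical. A negative return is a page fault the OS must handle: pull the
 * page back from disk (FAULT_PAGED_OUT) or treat the access as invalid (FAULT_UNMAPPED). */
int64_t translate(uint32_t vaddr) {
    uint32_t vpn = vaddr >> PAGE_SHIFT, offset = vaddr & (PAGE_SIZE - 1);
    if (vpn >= NUM_PAGES) return FAULT_OUT_OF_RANGE;
    if (!page_table[vpn].present)
        return page_table[vpn].on_disk ? FAULT_PAGED_OUT : FAULT_UNMAPPED;
    return (int64_t)((page_table[vpn].frame << PAGE_SHIFT) | offset);
}

int main(void) {
    const uint32_t probes[] = { 0x0010, 0x7ABC, 0x2000, 0x4123, 0x8000 };  /* constructed */
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int64_t p = translate(probes[i]);
        if (p >= 0) printf("virtual 0x%05X -> physical 0x%05llX\n", probes[i], (long long)p);
        else        printf("virtual 0x%05X -> page fault (%lld)\n", probes[i], (long long)p);
    }
    return 0;
}
```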
