executing from ring 1

Is it possible to load a driver in ring-1 and execute?

Any pointers to implementation would help enormously…

It is not possible to directly access code/data on pages with PTE.U == 0 from code executing with PTE.U == 1 without help from a hypervisor or a modification to the page fault handler.

So the short answer is - no.
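The U/S check that the answer above refers to as PTE.U, shown as an added example that is not part of the original thread: a toy 4-level x86-64 page walk over constructed tables. The names `check_access`, `sample_access` and `phys` are hypothetical, and R/W, NX, SMEP and SMAP are deliberately ignored.

```c
#include <stdint.h>
#include <stddef.h>

#define PTE_P     (1ull << 0)  /* present */
#define PTE_US    (1ull << 2)  /* 1 = user-accessible, 0 = supervisor only */
#define PTE_PS    (1ull << 7)  /* large page: the walk ends at this level */
#define ADDR_MASK 0x000ffffffffff000ull
#define NTABLES   4

/* Constructed "physical memory": table i sits at physical address i * 4096. */
static uint64_t phys[NTABLES][512];

enum walk_result { WALK_OK, WALK_NOT_PRESENT, WALK_PROTECTION };

/* Walk PML4 -> PDPT -> PD -> PT for va and apply the U/S check for cpl. */
enum walk_result check_access(uint64_t cr3, uint64_t va, int cpl)
{
    uint64_t table = cr3 & ADDR_MASK;
    int user_ok = 1;
    for (int level = 3; level >= 0; level--) {
        if ((table >> 12) >= NTABLES) return WALK_NOT_PRESENT; /* outside sample */
        uint64_t e = phys[table >> 12][(va >> (12 + 9 * level)) & 0x1ff];
        if (!(e & PTE_P)) return WALK_NOT_PRESENT;
        user_ok &= (e & PTE_US) != 0;      /* U/S must be set at every level */
        if ((level == 1 || level == 2) && (e & PTE_PS)) break;
        table = e & ADDR_MASK;
    }
    /* Only CPL 3 is a user-mode access; rings 0, 1 and 2 are all supervisor. */
    return (cpl == 3 && !user_ok) ? WALK_PROTECTION : WALK_OK;
}

/* Build the constructed mapping and query it (cr3 = 0, i.e. table 0 is PML4). */
enum walk_result sample_access(uint64_t va, int cpl)
{
    phys[0][0] = (1ull << 12) | PTE_P | PTE_US;  /* PML4[0] -> PDPT (table 1) */
    phys[1][0] = (2ull << 12) | PTE_P | PTE_US;  /* PDPT[0] -> PD   (table 2) */
    phys[2][0] = (3ull << 12) | PTE_P | PTE_US;  /* PD[0]   -> PT, user */
    phys[2][1] = (3ull << 12) | PTE_P;           /* PD[1]   -> same PT, supervisor */
    phys[3][0] = 0x100000 | PTE_P;               /* PT[0]: supervisor page */
    phys[3][1] = 0x101000 | PTE_P | PTE_US;      /* PT[1]: user page */
    return check_access(0, va, cpl);
}
```

As far as paging is concerned, a ring 1 access is checked exactly like a ring 0 access; only ring 3 is refused a page whose U/S bit is clear at any level of the walk.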

Incorrect question. Anything is possible. After all, all we’re dealing with here is hardware, software, time and money. Setting these variables correctly, you could run anything you want in Ring 1. Of course it’s “possible.”

If your question is “In Windows, is there any code that runs in Ring 1 today”

or

“Does Windows support running code in Ring 1 today”

or

“In Windows today, would there be a reasonable way for me to load code into Ring 1 and execute it from a kernel-mode driver”

The answers would be No.

Peter
OSR
@OSRDrivers

VirtualBox can execute some guest OS code in ring 1. It’s called Raw-mode Context (or ring compression).

From documentation:
Raw-mode Context (RC) - This is the special VMM context where we execute the guest code directly on the CPU. Kernel code is patched and executed in ring-1 instead of ring-0 (ring compression). Ring-3 code executes unmodified. Only VMMs use ring-1, so we don’t need to worry about that (it’s guarded against in the scheduler (EM)). We can in theory run ring-2 there, but since practically only OS/2 uses ring-2, it is of little importance. The macro IN_RC indicates that we’re compiling something for RC.

You can see source here:
https://www.virtualbox.org/changeset/45276/vbox

Possibly it is some OS-specific code, but https://www.virtualbox.org/manual/ch10.html doesn’t point to any operating system. I hope it runs on Windows too.