Kernel mode hooking, good features getting rotten

Francesco Gadaleta (@frag)

This article should be read with the sole purpose of education. Neither users nor machines must be hurt or damaged. Ethics first. Fun later.

Modern x86 operating systems use protected mode to execute instructions. In protected mode there are 4 different privilege levels, from 0 to 3. They are also referred to as ring0 to ring3, to indicate the level of separation between them.

The highest level (the least privileged) is userland (ring3), where regular applications run. The lowest level (the most privileged) is kernel mode (ring0), where the kernel, the core of the operating system, runs: basically the code that owns the hardware.

Whenever an application needs to call into the kernel, it uses an interrupt to tell the kernel which system call to execute. On Linux x86-32 this is the instruction int $0x80; on Linux x86-64 it is the instruction syscall (strictly a fast system-call instruction rather than a software interrupt, but the effect is the same: a controlled entry into ring0).

When the CPU takes the interrupt, it switches from ring3 to ring0 and enters the kernel's system_call entry point, which dispatches to the requested system call. From this regular and seemingly harmless behaviour, nice and horrible things can be done, if you know what I mean. Here is the code that allows you to hook a kernel system call and, well, free your imagination. Happy hacking!
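The userland half of that transition, as an added example that is not the article's own code: on Linux x86-64 the program loads the system call number into rax, executes the `syscall` instruction, and reads the kernel's return value back from rax. The return value is the raw kernel result (a negative errno on failure), which is what the libc wrappers normally translate for you. The `raw_getpid` and `raw_write` helpers and the fallback to the libc `syscall()` wrapper on other architectures are this example's own choices.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Issue getpid directly with the x86-64 `syscall` instruction.
 * Convention: syscall number in rax, result back in rax; the CPU
 * clobbers rcx and r11 on the ring3 -> ring0 -> ring3 round trip. */
static long raw_getpid(void)
{
#if defined(__x86_64__) && defined(__linux__)
    long ret;
    __asm__ volatile ("syscall"
                      : "=a"(ret)
                      : "a"((long)SYS_getpid)
                      : "rcx", "r11", "memory");
    return ret;
#else
    /* Other architectures: let libc emit that platform's own
     * kernel-entry instruction. */
    return syscall(SYS_getpid);
#endif
}

/* Same mechanism for a call that takes arguments: write(2) expects
 * fd in rdi, buffer in rsi, length in rdx. Returns the number of
 * bytes written, or a negative value on failure (raw -errno on the
 * x86-64 path, -1 with errno set on the libc fallback). */
static long raw_write(int fd, const void *buf, unsigned long len)
{
#if defined(__x86_64__) && defined(__linux__)
    long ret;
    __asm__ volatile ("syscall"
                      : "=a"(ret)
                      : "a"((long)SYS_write), "D"((long)fd), "S"(buf), "d"(len)
                      : "rcx", "r11", "memory");
    return ret;
#else
    return syscall(SYS_write, fd, buf, len);
#endif
}

/* Sanity check: the raw entry and the libc wrapper reach the same
 * kernel entry point, so they must agree. Returns 1 if they do. */
static int raw_matches_libc(void)
{
    return raw_getpid() == (long)getpid();
}

int main(void)
{
    const char msg[] = "hello from ring3\n";
    long n = raw_write(1, msg, sizeof msg - 1);
    printf("raw getpid = %ld, libc getpid = %d, wrote %ld bytes\n",
           raw_getpid(), (int)getpid(), n);
    /* An invalid fd shows the kernel's error convention: a negative
     * return rather than an exception. */
    printf("write to fd -1 returned %ld\n", raw_write(-1, msg, 1));
    return raw_matches_libc() ? 0 : 1;
}
```

Every system call funnels through the same kernel-side entry and dispatch table, which is exactly what a hook modifies; that is why comparing the kernel's system call table against a known-good reference such as System.map, or checking that the entry handler's code has not been patched, is a standard rootkit-detection check on the defensive side.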


Originally published on September 11, 2015.
