IRQLs Close Encounters of the Rootkit Kind

IRQL Overview

Present since the early stages of Windows NT, an Interrupt Request Level (IRQL) defines the current hardware priority at which a CPU runs at any given time. On a multi-processor architecture, each CPU can hold a different and independent IRQL value, which is stored inside the CR8 register. We should keep this in mind as we are going to build our lab examples on a quad-core system.

Every hardware interrupt is mapped to a specific request level as depicted below.

IRQL Values

  x86                                  x64/ARM
  31  High                             15  High/Profile
  30  Power Fail                       14  Inter-Processor Interrupt
  29  Inter-Processor Interrupt        13  Clock
  28  Clock                            12  Synch
  27  Profile/Synch                     .  Device[n]
   .  Device[n]                         .
   .                                    .  Device[1]
   5  CMCI                              2  Dispatch/DPC
   .                                    1  APC
   .  Device[1]                         0  Passive/Low
   2  Dispatch/DPC
   1  APC
   0  Passive/Low

A CPU is interrupted from completing its current task only when it receives an interrupt whose level is above its current IRQL. The interrupt is handled in the context of the currently running thread: the CPU state is saved and the Interrupt Service Routine (ISR) mapped to the incoming interrupt is executed. Each interrupt routine is recorded in the Interrupt Descriptor Table (IDT), whose address is held in the idtr register. From the debugger, the IDT can be
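The masking rule above (an interrupt only preempts the CPU when its level is above the current IRQL, and each CPU keeps its own level) is easier to see in a small simulation. The following C program is an added example, not code from the original post or from Windows: it models four CPUs with a per-CPU level standing in for CR8, a table of one handler per level standing in for the IDT, and raise/lower routines with the same contract as the kernel's (raise returns the previous level, lower restores it and drains whatever was masked meanwhile). All names and the scenario are the example's own.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of IRQL masking on an x64-style machine. It is not
 * Windows kernel code; the level values mirror the x64 column above. */
enum { IRQL_PASSIVE = 0, IRQL_APC = 1, IRQL_DISPATCH = 2,
       IRQL_CLOCK = 13, IRQL_IPI = 14, IRQL_HIGH = 15, NUM_LEVELS = 16 };
#define NUM_CPUS 4
#define LOG_MAX  64

typedef void (*isr_t)(int cpu, int level);

struct cpu_state {
    int  irql;                 /* per-CPU level: what CR8 holds on x64 */
    bool pending[NUM_LEVELS];  /* interrupts masked until irql drops below them */
    int  serviced;             /* ISRs that have run on this CPU */
};

static struct cpu_state cpus[NUM_CPUS];
static isr_t idt[NUM_LEVELS];  /* one handler per level in this model */
static struct { int cpu, level; } service_log[LOG_MAX];
static int log_len;

static void deliver_pending(int cpu);

/* Stand-in ISR: records which CPU serviced which level, in order. */
static void default_isr(int cpu, int level) {
    if (log_len < LOG_MAX) { service_log[log_len].cpu = cpu;
                             service_log[log_len].level = level; log_len++; }
    cpus[cpu].serviced++;
}

/* Raise the CPU's level and return the previous one (KeRaiseIrql contract).
 * The real kernel bug-checks on a lowering "raise"; the model just ignores it. */
int raise_irql(int cpu, int new_irql) {
    int old = cpus[cpu].irql;
    if (new_irql > old) cpus[cpu].irql = new_irql;
    return old;
}

/* Restore the previous level, then run anything masked while it was raised. */
void lower_irql(int cpu, int old_irql) {
    cpus[cpu].irql = old_irql;
    deliver_pending(cpu);
}

/* An interrupt at 'level' arrives on 'cpu'. It preempts the running code only
 * when level is above the CPU's current IRQL; otherwise it stays pending.
 * Returns true when it was serviced immediately. */
bool interrupt(int cpu, int level) {
    struct cpu_state *c = &cpus[cpu];
    if (level <= c->irql) { c->pending[level] = true; return false; }
    int saved = raise_irql(cpu, level);   /* run the ISR at its own level */
    idt[level](cpu, level);
    lower_irql(cpu, saved);               /* nested interrupts unwind here */
    return true;
}

/* Drain pending interrupts highest level first, as the hardware priority does. */
static void deliver_pending(int cpu) {
    struct cpu_state *c = &cpus[cpu];
    for (int lvl = NUM_LEVELS - 1; lvl > c->irql; lvl--) {
        if (c->pending[lvl]) { c->pending[lvl] = false; interrupt(cpu, lvl); }
    }
}

static void init_model(void) {
    memset(cpus, 0, sizeof cpus);
    log_len = 0;
    for (int i = 0; i < NUM_LEVELS; i++) idt[i] = default_isr;
}

/* Scenario: CPU 0 is running a DPC at DISPATCH level. An APC-level interrupt
 * is masked, a clock interrupt preempts it, CPU 1 (at PASSIVE) takes its own
 * APC at once, and CPU 0's APC runs only when its IRQL returns to PASSIVE.
 * Returns the number of ISRs serviced in total. */
int run_scenario(void) {
    init_model();
    int old = raise_irql(0, IRQL_DISPATCH);
    interrupt(0, IRQL_APC);     /* masked: 1 <= 2 */
    interrupt(0, IRQL_CLOCK);   /* delivered: 13 > 2 */
    interrupt(1, IRQL_APC);     /* CPU 1 is independent, delivered: 1 > 0 */
    lower_irql(0, old);         /* CPU 0's pending APC is delivered here */
    return log_len;
}

int cpu_irql(int cpu)        { return cpus[cpu].irql; }
int cpu_serviced(int cpu)    { return cpus[cpu].serviced; }
int serviced_cpu(int i)      { return service_log[i].cpu; }
int serviced_level(int i)    { return service_log[i].level; }

int main(void) {
    int n = run_scenario();
    for (int i = 0; i < n; i++)
        printf("cpu %d serviced IRQL %d\n", service_log[i].cpu, service_log[i].level);
    return 0;
}
```

The service order the scenario produces is clock on CPU 0, APC on CPU 1, then APC on CPU 0: the clock interrupt preempts the DPC because 13 is above 2, CPU 1's independent level lets its APC run at once, and CPU 0's APC only runs after the lower to PASSIVE. This is the same reason code at DISPATCH level must not touch pageable memory or wait on anything: the interrupts that would let that work complete are masked until the level drops.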
