viruses access hard disk directly without need of os

Discussions on more advanced topics such as monolithic vs micro-kernels, transactional memory models, and paging vs segmentation should go here. Use this forum to expand and improve the wiki!
wljackhero
Posts: 1
Joined: Fri Jan 13, 2023 3:24 am
Freenode IRC: wljackhero

viruses access hard disk directly without need of os

Post by wljackhero »

Can a virus access the hard disk directly without needing the OS?
Copy all the instructions in device drivers, interrupts, etc. to skip the OS's control.
Or how can an OS stop programs from doing this?
I mean, the OS will not inspect each instruction in a program before starting to execute it, right? So can a program gather all the instructions in a device driver or something like that, and control the hard drive all by itself?

newbie to OS dev, looking for any advice, thanks.
Octocontrabass
Member
Posts: 5218
Joined: Mon Mar 25, 2013 7:01 pm

Re: viruses access hard disk directly without need of os

Post by Octocontrabass »

Modern OSes use the CPU's hardware privilege separation to stop ordinary programs from accessing the hardware. If you try to access hardware in an ordinary program, the CPU will tell the OS that your program is doing something it's not allowed to do, and the OS will stop your program.
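An added example, not code from any poster in this thread, that makes Octocontrabass's point observable on Linux: a user-mode program tries to reach hardware directly (an `in` instruction on x86, and a read from a kernel address on any architecture), and instead of the access completing, the CPU traps to the OS, which delivers the fault to the program as SIGSEGV. The program catches the signal only so it can report what happened; the probe functions and port number 0x80 are this example's own choices, not anything from the thread.

```c
/* Added example: demonstrates CPU privilege separation from user mode on Linux.
 * Each probe installs a fault handler, attempts a privileged access, and
 * reports whether the CPU trapped (SIGSEGV/SIGBUS) instead of completing it. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static sigjmp_buf probe_env;
static volatile sig_atomic_t probe_signal;

static void on_fault(int sig)
{
    probe_signal = sig;
    siglongjmp(probe_env, 1);        /* unwind back into run_probe() */
}

/* Runs one attempt with SIGSEGV/SIGBUS caught; returns 1 if the CPU trapped. */
static int run_probe(void (*attempt)(void))
{
    struct sigaction sa, old_segv, old_bus;
    int trapped;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    probe_signal = 0;
    if (sigsetjmp(probe_env, 1) == 0) {
        attempt();
        trapped = 0;                 /* access completed: no enforcement */
    } else {
        trapped = 1;                 /* OS received the fault and told us */
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return trapped;
}

#if defined(__x86_64__) || defined(__i386__)
static void attempt_port_io(void)
{
    unsigned char v;
    /* Port 0x80 (POST diagnostic port, chosen for this example); IN from
     * user mode needs IOPL or an ioperm bitmap, which we do not have. */
    __asm__ __volatile__("inb %1, %0" : "=a"(v) : "Nd"((unsigned short)0x80));
    (void)v;
}
#endif

static void attempt_kernel_read(void)
{
    /* Top page of the address space: kernel territory, never user-mapped. */
    volatile const unsigned char *p = (volatile const unsigned char *)(uintptr_t)-4096;
    unsigned char c = *p;
    (void)c;
}

/* 1 = CPU trapped, 0 = access completed, -1 = not applicable on this arch */
int try_port_io(void)
{
#if defined(__x86_64__) || defined(__i386__)
    return run_probe(attempt_port_io);
#else
    return -1;
#endif
}

int try_kernel_address(void)
{
    return run_probe(attempt_kernel_read);
}

int main(void)
{
    printf("I/O port read trapped: %d\n", try_port_io());
    printf("kernel address read trapped: %d\n", try_kernel_address());
    return 0;
}
```

Both probes report 1 on a normal Linux system: the instruction never reaches the device or the memory, the CPU raises a fault, and the kernel decides what happens next (here, a catchable signal; by default, termination of the process).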
Member
Posts: 99
Joined: Fri Sep 03, 2021 5:20 pm

Re: viruses access hard disk directly without need of os

Post by BigBuda »

Octocontrabass wrote:Modern OSes use the CPU's hardware privilege separation to stop ordinary programs from accessing the hardware. If you try to access hardware in an ordinary program, the CPU will tell the OS that your program is doing something it's not allowed to do, and the OS will stop your program.

Although some very advanced viruses may be able to jailbreak/do privilege escalation and skip a critical set of OS protections, by exploiting either OS or hardware attack vectors.
Writing a bootloader in under 15 minutes: https://www.youtube.com/watch?v=0E0FKjvTA0M
Member
Posts: 4604
Joined: Sat Mar 31, 2012 3:07 am
Location: Chichester, UK

Re: viruses access hard disk directly without need of os

Post by iansjack »

If you are a newbie to OS development then you have a lot of years of learning before you need to worry too much about virus prevention in your OS. The truth is that until your OS is in widespread use no hacker is going to devote resources towards it.

It's difficult to go into too much detail answering your question as any useful information could be used by malicious actors.
rdos
Member
Posts: 3198
Joined: Wed Oct 01, 2008 1:55 pm

Re: viruses access hard disk directly without need of os

Post by rdos »

I don't think an ordinary virus can do it, but malicious hardware certainly can. Hardware basically can do anything with PCIe bus mastering.
nullplan
Member
Posts: 1644
Joined: Wed Aug 30, 2017 8:24 am

Re: viruses access hard disk directly without need of os

Post by nullplan »

rdos wrote:I don't think an ordinary virus can do it, but malicious hardware certainly can. Hardware basically can do anything with PCIe bus mastering.

That's what IOMMUs are for. But not every PC has those and the ones that do exist are not necessarily easy to use.

BTW, it doesn't even have to be malicious hardware. If an OS can be tricked into submitting bad requests, even perfectly ordinary hardware can read and write arbitrary memory.
Carpe diem!
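An added example, not code from any poster in this thread, of the check nullplan's remark implies: before an OS hands a caller-supplied (address, length) pair to a bus-mastering device, it must confirm the range lies inside the region that device is allowed to touch. The constructed scenario assumes one pinned region `[base, base + region_len)`; the naive version does the obvious `addr + len <= end` comparison, which a huge `len` wraps past, so ordinary hardware would be told to write outside the region. The hardened version compares remaining space instead of sums.

```c
/* Added example: validating a caller-supplied DMA range against the region
 * a device is permitted to access. Region and request values are constructed. */
#include <stdint.h>
#include <stdbool.h>

/* Naive check: addr + len can wrap around 2^64, so an enormous len passes. */
bool dma_request_ok_naive(uint64_t base, uint64_t region_len,
                          uint64_t addr, uint64_t len)
{
    return addr >= base && addr + len <= base + region_len;
}

/* Overflow-safe check: only subtract, and only after the ordering is known. */
bool dma_request_ok(uint64_t base, uint64_t region_len,
                    uint64_t addr, uint64_t len)
{
    if (len == 0)
        return false;                      /* nothing to transfer */
    if (addr < base)
        return false;                      /* starts before the region */
    uint64_t offset = addr - base;         /* cannot underflow now */
    if (offset >= region_len)
        return false;                      /* starts past the end */
    return len <= region_len - offset;     /* fits in the remaining space */
}

/* Submission gate: returns 0 when the descriptor may be queued, -1 otherwise. */
int dma_submit(uint64_t base, uint64_t region_len, uint64_t addr, uint64_t len)
{
    if (!dma_request_ok(base, region_len, addr, len))
        return -1;                         /* refuse: device would leave the region */
    /* ... here the real driver would write the descriptor to the device ring ... */
    return 0;
}
```

The test case worth remembering is a request whose length is close to 2^64: `addr + len` wraps back to a small value inside the region, so the naive check accepts it while the hardened one refuses it.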
jaihsonk
Posts: 24
Joined: Thu Jul 14, 2022 10:46 am
Freenode IRC: json
Location: Canada

Re: viruses access hard disk directly without need of os

Post by jaihsonk »

How does malicious software "trick" the OS? Can I have an example to study? Could that happen, say, on Windows 11 or any other modern mainstream OS?
Member
Posts: 99
Joined: Fri Sep 03, 2021 5:20 pm

Re: viruses access hard disk directly without need of os

Post by BigBuda »

jaihsonk wrote:How does malicious software "trick" the OS? Can I have an example to study? Could that happen, say, on Windows 11 or any other modern mainstream OS?

I don't have specific examples, but if you pay close attention to the major tech news sites like The Register and Slashdot, you'll see that almost weekly (roughly speaking) a new vulnerability pops up in one of the major OSes. Privilege escalation vulnerabilities are typically the ones that allow for that.
Writing a bootloader in under 15 minutes: https://www.youtube.com/watch?v=0E0FKjvTA0M
Member
Posts: 110
Joined: Sun Feb 20, 2011 2:01 pm

Re: viruses access hard disk directly without need of os

Post by bellezzasolo »

Classic attack vectors apply to operating system kernels.

Don't validate the size of a buffer and strcpy() it? Now you've got malicious code in kernel space.

There's a reason a lot of modern OSes use Address Space Layout Randomisation, it makes it much harder to hit a target.

Various levels of rootkit exist - user mode privilege escalation is the most common. That's injection into a process running with a higher user privilege level - so e.g. a webserver running as root. The attack surface is minimised by not running servers as root, and giving them access to only the requisite resources.

Kernel mode rootkits - the attack surface is smaller than an arbitrary number of user processes, as this has to cross the syscall interface. But, if malicious code is run in kernel mode, it can call into drivers directly and bypass OS protections.

Bootkits - Infecting the bootloader. The virus is running before your OS is, and probably has its own drivers.

Hypervisor - The virus is running your OS in a virtual machine.

Firmware - viruses can infect the system firmware, they could even be ACPI routines in a modified DSDT.

There's even a proof of concept for infecting the Intel Management Engine (Ring -3).
Whoever said you can't do OS development on Windows?
https://github.com/ChaiSoft/ChaiOS
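An added example, not code from any poster in this thread or from ChaiOS, of the "don't validate the size and strcpy() it" pattern bellezzasolo describes, next to the form a kernel should use. The scenario is constructed: a syscall-style handler copies a caller-supplied name into a fixed 16-byte kernel buffer. The hardened version treats the caller's memory as untrusted, so it scans for the terminator only within the buffer's capacity (user memory may not be NUL-terminated at all) and refuses anything that would not fit.

```c
/* Added example: unchecked vs bounded copy of a caller-supplied string into
 * a fixed kernel buffer. Buffer size and sample names are constructed. */
#include <errno.h>
#include <string.h>
#include <stdio.h>

#define NAME_MAX_LEN 16

/* Vulnerable: trusts the caller for the length. A name longer than kbuf
 * overwrites whatever follows it on the kernel stack (return address,
 * saved registers), which is how caller-controlled code ends up in ring 0. */
int set_name_unchecked(char *kbuf, const char *user_name)
{
    strcpy(kbuf, user_name);             /* no length check at all */
    return 0;
}

/* Hardened: look for the terminator only inside the capacity, reject input
 * that has none there, then copy exactly the bytes that were validated. */
int set_name_checked(char *kbuf, size_t kbuf_size, const char *user_name)
{
    const char *end = memchr(user_name, '\0', kbuf_size);
    if (end == NULL)
        return -ENAMETOOLONG;            /* too long, or not terminated */
    size_t n = (size_t)(end - user_name);
    memcpy(kbuf, user_name, n + 1);      /* n + 1 <= kbuf_size by construction */
    return 0;
}

int main(void)
{
    char kbuf[NAME_MAX_LEN];
    printf("short name: %d\n", set_name_checked(kbuf, sizeof kbuf, "guest"));
    printf("long name:  %d\n", set_name_checked(kbuf, sizeof kbuf,
                                                "this-name-is-far-too-long"));
    /* set_name_unchecked(kbuf, "this-name-is-far-too-long") would corrupt the stack */
    return 0;
}
```

Real kernels add one more step the example leaves implicit: the caller's pointer must be checked to point at user memory and copied with a fault-tolerant routine, since the address itself may be bogus.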