flat assembler
Message board for the users of flat assembler.

Index > Linux > QUESTION, Binary .bin as -SHARED- Library some how ??

duanebonas6822 08 Oct 2025, 13:14
I'm running user code (format ELF64 executable). I'm looking at the best ways to do remote process injection with PTRACE and vm_read-type syscalls. I'm now looking into the CR0 - CR8 registers; I know these are not really designed to work with user-space code. So if I can only change CR0 from BIOS .bin org-type code, and I am already execed into the remote machine with my bash prompt open on the target side with a PTY to my child: does anybody know the best way to be able to alter the CR0 register on the remote machine? I was thinking that if I can attach a .bin binary, like you attach shared libraries to user code, I could somehow change the permissions this way. Does anybody know if this would be possible? Any ideas would do. I'm moving away from trying to do this with LKMs and just using assembly code.

Another quick question: my executable is root SUID, right? I can execve into any virtual machine, so my bash is then running as my machine on the target, so I then issue standard commands like:

$ python3 -c 'import pty; pty.spawn("/bin/bash")'
$ Ctrl-Z
$
$ stty raw -echo
$ fg
$
$ reset
$ export SHELL=bash
$ export TERM=xterm-256color

So once I issue these and have gone to background/foreground via my PTY child.

I have (root) access on the remote system???

Surely it can't be as easy as this to get a remote shell as root on any system in the world. It also works on my gcloud/AWS server, so it obviously is... Has anyone ever got remote access to anything this easily, lol? I'm not complaining, like; I could just load or download my .bin file via HTTPS or anything from this prompt anyway, but I'm thinking it's maybe a problem with my gcloud or KVM machines, I dunno.

Anyway, any info on the first question (the CR0 question) would be appreciated. Cheers

_________________
d.bonas
revolution 09 Oct 2025, 01:13
To make changes to CR0 the code needs to be running in ring 0. Running as root isn't enough; it requires a kernel mode driver to get code into ring 0.

"root" is still user code (it runs in ring 3), just with more permissions. "root" code can install a kernel mode driver and then use the kernel mode driver to change CR0.
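The ring distinction revolution describes can be checked directly on a Linux x86-64 box. The program below is an added example for this thread, not code from the original posts or from the flat assembler project: it tries to execute MOV from CR0 in ordinary user code and reports whether the CPU allowed it. Because MOV from a control register is privileged (CPL 0 only), the attempt raises #GP, which the kernel delivers to the process as SIGSEGV; a signal handler catches that and jumps back so the outcome can be returned as a value. The function name `cr0_readable_from_ring3` is this example's own.

```c
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the thread): probe whether ring-3 code may read CR0.
 * On x86-64, MOV from CRn is permitted only at CPL 0. At CPL 3 it raises #GP,
 * which Linux reports to the process as SIGSEGV. We catch that signal and
 * siglongjmp back to the probe so the result can be returned, not crashed on. */

static sigjmp_buf cr0_probe_env;

static void cr0_probe_handler(int sig)
{
    (void)sig;
    /* Restore the signal mask saved by sigsetjmp(..., 1) and resume there. */
    siglongjmp(cr0_probe_env, 1);
}

/* Returns 1 if CR0 was read without faulting (which only happens in ring 0),
 * 0 if the read faulted or the build target is not x86-64. */
int cr0_readable_from_ring3(void)
{
#if defined(__x86_64__)
    struct sigaction sa, old;
    volatile int readable = 0;   /* volatile: survives the siglongjmp */

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = cr0_probe_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    if (sigaction(SIGSEGV, &sa, &old) != 0)
        return 0;

    if (sigsetjmp(cr0_probe_env, 1) == 0) {
        /* Privileged instruction: faults at CPL 3 regardless of UID. */
        __asm__ volatile("mov %%cr0, %%rax" : : : "rax", "memory");
        readable = 1;            /* only reached if the CPU allowed the read */
    }

    sigaction(SIGSEGV, &old, NULL);   /* put the previous handler back */
    return readable;
#else
    /* CR0 is an x86 concept; on other targets there is nothing to probe. */
    return 0;
#endif
}

int main(void)
{
    if (cr0_readable_from_ring3())
        printf("CR0 read succeeded: this code is running in ring 0\n");
    else
        printf("CR0 read faulted (#GP -> SIGSEGV): ring 3, as expected\n");
    return 0;
}
```

Run it as an ordinary user and again under sudo: the result is the same, because the CPU checks the current privilege level, not the process UID. That is the whole point of revolution's reply: a SUID-root binary, a reverse shell, or a PTY trick changes what the kernel lets the process ask for, but none of them move the process out of ring 3.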
duanebonas6822 09 Oct 2025, 11:36
Yeah, I know that about root, but format ELF64 executable is user code. What I read is that ring 0 code is mainly run from BIOS code like .bin, which is a completely different binary from my user code. The main info I need is: is it possible to somehow statically link a .bin file to my user code, like shared libraries work? Then I would be able to change or access the ring 0 syscalls at least. I've tried from user code; most of the time the calls don't work. I mean, I could only try to do it with gdb and alter the stack, but I wanted a different way. Or I wanted to know if I could somehow dynamically link a .bin file with the org setting, like with LD_PRELOAD or dlopen. I don't know.
duanebonas6822 09 Oct 2025, 11:53
Anyway, if I execve into a remote machine and bash fg/bg can switch between my executable and escape the shell and access the remote system, how exactly does that work with my binary, which is a copy of my machine with the same kernel version as my machine? Will the memory MMU be completely different from my executable, as it's executed on a different machine but it's still a copy of my computer? I was completely not thinking about that. So, like, won't the ring 0 be a completely different system from my computer even though it's a reverse shell? The underlying memory mappings should be completely different. Do you know what I mean?? Quite an important question.
duanebonas6822 09 Oct 2025, 12:19
Another thing: that's why I was trying to create an LKM or kernel driver in FASM before, so I could load it dynamically, but I tried the old code from kernel 2.6 and it doesn't work any more in newer kernels; even though it's a REL file format, I think it needs to be built with KBUILD and it always fails on the object file. So that's why I'm looking into trying to load a .bin file after my user code has run. This hacking stuff is complicated. Basically I wanted a way to run Linux kernel commands from assembly as well; that would be a huge advantage, as the only other way is with EBGP or LKMs, which I would have to learn C for, and I CBA with that. Do you have any suggestions? I'm trying to do process injection, but the hardest part is changing writable memory locations to RWX, as to inject you need writable memory. So I need a stable way to change to ring 0 after I've execved into a target. There must be a way to write a Linux driver in FASM, but I've searched and it says FASM needs a patch, and the posts were from long ago. I'm going to look more into .bin files now; it's just that all my libc calls and main tools are in format ELF64 executable. Do you know what I'm trying to accomplish, lol?
duanebonas6822 09 Oct 2025, 12:24
OK, SO IS THIS POSSIBLE, AND HOW???

"root" code can install a kernel mode driver and then use the kernel mode driver to change CR0

In FASM, though, not a kernel driver in C.
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.
