like that used in the Capstone/Fortezza generators, to supplement the existing physical randomness source. In the simple case, one or more linear feedback shift registers (LFSRs) driven from the secret value would serve to supplement the physical source, while consuming an absolute minimum of die real estate. Although the use of SHA-1

276 7 Hardware Encryption Modules

equivalent privileges, since it's extremely difficult to make use of the machine without these privileges. In the unusual case where the user isn't running with these privileges, it's possible to use a variety of tricks to bypass any OS security measures that might be present in order to perform the desired operations. For example, by installing a Windows message hook it's possible to capture messages intended for another process and have them dispatched to your own message handler. Windows then loads the hook handler into the address space of the process that owns the thread for which the message was intended, in effect yanking your code across into the address space of the victim [6]. Even simpler are mechanisms such as using the `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs` key, which specifies a list of DLLs that are automatically loaded and called whenever an application uses the USER32 system library (which is automatically used by all GUI applications and many command-line ones). Every DLL specified in this registry key is loaded into the process' address space by USER32, which then calls the DLL's `DllMain` function to initialise the DLL (and, by extension, trigger whatever other actions the DLL is designed for).

A more sophisticated attack involves persuading the system to run your code in ring 0 (the most privileged security level, usually reserved for the OS kernel) or, alternatively, convincing the OS to allow you to load a selector that provides access to all physical memory (under Windows NT, selectors 8 and 10 provide this capability).
Running user code in ring 0 is possible due to the peculiar way in which the NT kernel loads. The kernel is accessed via the `int 2Eh` call gate, which initially provides about 200 functions via but is then extended to provide more and more functions as successive parts of the OS are loaded. Instead of merely adding new functions to the existing table .
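A defender's check for the `AppInit_DLLs` mechanism described above, as an added example that is not code from the book: it parses the text output of `reg query` for that key and reports which DLLs would be loaded into USER32-linked processes. The sample output and DLL names are constructed, and `LoadAppInit_DLLs` and `RequireSignedAppInit_DLLs` are values from later Windows versions that the text does not mention.

```python
import re

# Constructed sample of `reg query` output for the key named in the text;
# the DLL names and paths are hypothetical.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs    REG_SZ    C:\PROGRA~1\Vendor\hook.dll,helper.dll
    LoadAppInit_DLLs    REG_DWORD    0x1
    RequireSignedAppInit_DLLs    REG_DWORD    0x0
"""

# A value line is: 4 spaces, name, 4 spaces, type, 4 spaces, data (may be empty).
VALUE_LINE = re.compile(r"^ {4}(\S+) {4}(REG_\w+)(?: {4}(.*))?$")


def parse_reg_query(text):
    """Return {value_name: data_string} from `reg query` text output."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line.rstrip())
        if m:
            values[m.group(1)] = (m.group(3) or "").strip()
    return values


def audit_appinit(text):
    """Report which DLLs the key would inject into USER32-linked processes."""
    v = parse_reg_query(text)
    # The DLL list is delimited by spaces or commas.
    dlls = [d for d in re.split(r"[ ,]+", v.get("AppInit_DLLs", "")) if d]
    # Assumption: a missing DWORD means "loading enabled" / "signing not
    # required", the conservative reading for an audit.
    enabled = int(v.get("LoadAppInit_DLLs", "0x1"), 16) != 0
    signed_only = int(v.get("RequireSignedAppInit_DLLs", "0x0"), 16) != 0
    findings = []
    for dll in dlls:
        notes = []
        if not enabled:
            notes.append("inactive: LoadAppInit_DLLs is 0")
        if enabled and not signed_only:
            notes.append("unsigned DLLs accepted")
        if not re.match(r"^[A-Za-z]:\\", dll):
            notes.append("no absolute path")
        findings.append((dll, notes))
    return {"active": enabled and bool(dlls), "findings": findings}


if __name__ == "__main__":
    print(audit_appinit(SAMPLE))
```

On a 64-bit system the same check applies to the copy of the key under `Wow6432Node`, which governs 32-bit processes.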