Programming | j00ru//vx tech blog

5Sep/107

Kernel exploitation – r0 to r3 transitions via KeUserModeCallback

Hey there!

I have recently came across (well, not entirely by myself... cheers Nahuel!) a fairly (un)common problem related to performing ring0-to-ring3 transitions, after a successful kernel vulnerability exploitation. As I have managed to come up with a bunch of possible solutions, and even write exemplary code for some of these, today I would like to present my thoughts, together with some brief explanation.

Filed under: Assembler, C, OS Internals, Programming, Ring0, Ring3, Undocumented API, Windows 7, Windows Vista, Windows XP, hacking, kernel Continue reading

27Jul/104

Windows CSRSS Write Up: Inter-process Communication (part 2/3)

A quick beginning note: My friend d0c_s4vage has created a technical blog and posted his first text just a few days ago. The post entry covers a recent, critical libpng vulnerability discovered by this guy; the interesting thing is that, among others, the latest Firefox and Chrome versions were vulnerable. Feel free to take a minute and read the article here.

Additionally, the video and mp3 recordings from the presentation performed by me and Gynvael on the CONFidence 2010 conference, are now publicly available on the official website: link (Case study of recent Windows vulnerabilities).

Filed under: Assembler, C, CSRSS, Conferences, OS Internals, Programming, Ring3, Undocumented API, Windows 7, Windows Vista, Windows XP, hacking Continue reading

19Jul/101

Blog customization, old PHP advisories

Hey there!
Today, I would like to post a less-technical text, discussing two issues I have recently came across, or been busy with; don't worry though, as CSRSS Write-Up: IPC (part 2/3) is on the way. The first matter is about recent changes applied to the blog appearance and functionality, while the latter regards the results of a source-code audit performed by me and my Hispasec colleagues (Gynvael Coldwind and Icewall) something like a year ago (last summer ).

Filed under: C, Other, Programming, blog, hacking Continue reading

19Apr/103

CTcpFwd – cross-platform stdin/out to socket forwarding class

Hello,

A few weeks ago, I had the pleasure to take part in a local 24-hour long, programming marathon (greets to my team: Pawel and Wojtek!). Due to the nature of the competition, I was obliged to create a simple class, making it possible to redirect sockets to standard i/o (stdin / stdout), which would greatly facilitate the communication process with the contest server. Because of the fact that we were going to work on different system platforms - both Microsoft Windows and GNU/Linux, the class had to be as cross-platform compatible as it was only possible. And so the CTcpFwd class, presented today, came into existence.

Filed under: Cpp, OS Internals, Programming, Ring3, Undocumented API, Windows XP Continue reading

16Jan/103

“Descriptor tables in kernel exploitation” – a new article

Hi there!

Not so long (a few weeks, actually) ago, me together with Gynvael Coldwind had a chance to carry out a research regarding the Global and Local Descriptor Tables being used as a write-what-where target, while exploiting ring-0 vulnerabilities on 32-bit Microsoft Windows NT-family systems. The result of our work is a small article, describing the actual steps taken in order to escalate the privileges through GDT/LDT. As usual, exemplary source code snippets are available (attached to the document), so that the reader can check their effectiveness on his own.

Filed under: Assembler, C, Cpp, OS Internals, Programming, Ring0, Undocumented API, Windows 7, Windows Vista, Windows XP, hacking, kernel, rootkit Continue reading

4Jan/105

x86 Kernel Memory Space Visualization (KernelMAP v0.0.1)

What I would like to write about today is a subject I have been playing with for quite some time – Windows kernel vulnerability exploitation techniques. While digging through various articles and other materials, I appeared to find bunches of interesting facts that are worth being described here. The post presented today aims to describe various ways of obtaining kernel-mode addresses from the user-mode (application) level.

Filed under: Assembler, Cpp, OS Internals, Programming, Ring0, Ring3, Undocumented API, Windows 7, Windows Vista, Windows XP, hacking, kernel Continue reading

2Nov/091

Unexported SSDT functions finding method

Today, I would like to write about finding the addresses of non-exported kernel functions (syscall handlers) from user mode. The technique I am going to write about is my very own idea, that occured to me during one of my talks regarding Windows x86 kernel exploitation (greetings to suN8Hclf!). Despite this, I cannot guarantee that it hasn't been invented and described by some independent authors a few months/years ago. If some of you - the readers - is aware of a similar publication, please let me know (I will surely publish some supplementary material to this post). Let's get to the point...

Filed under: C, Cpp, OS Internals, Programming, Ring0, Ring3, Windows 7, Windows Vista, Windows XP, kernel Continue reading

8Oct/091

Controlling Windows process list, part 1

First of all, I would like to point out that my old bootkit presentation related stuff is available since a few weeks now. As the whole event was held in polish language, so are the slides / materials. One way or another, if some of you were interested, just take a look at the Slow kilka o SecDay 2k9 post entry.

In one of my previous posts (check Suspending processes in Windows, part 1), I was trying to discuss the well-known and less popular techniques making it possible to suspend threads or entire processes working under Microsoft Windows OS control. I also announced that a specific way of TaskMgr.exe modification - extending it with the interesting functionality - would be described in the next post. Although, before getting straight to the point (this is - changing the executable binary code), we have to consider some other important matters. Namely, we intend to have the modification applied to every single Task Manager instance running on the system. Right here, we have a few possible paths to go:

Filed under: CSRSS, OS Internals, Programming, Ring3, Undocumented API, Windows 7, Windows Vista, Windows XP, kernel Continue reading

3Oct/092

TraceHook v0.0.2

Since I have recently managed to find some time and come back to TraceHook project development, I decided to mark the result of a-few-hour-long session with the next version number - 0.0.2. Until now, the application has been designed for my own purposes - it was written to handle particular problems and work under certain conditions, although I am slowly trying to implement additional options, that might turn out to be handy for wider public.

The main purpose and used techniques remain the same - it is still all about tracing and dumping process trees marked as malware (for which TraceHook was created in the first place). The engine itself is build with a kernel driver, responsible for handling the current process list in a safe manner,receiving and managing the notify signals, regarding events such as program creation/termination, as well as a majority of other available options.

Filed under: C, Cpp, Ring0, Ring3, kernel, malware Continue reading

30Aug/098

TraceHook v0.0.1 release

Having some free time, I managed to apply some minor fixed to the TraceHook - I also decided to publish it, by the way. If there will be any bug reports / improvement suggestions, I will be more motivated to return to its development