Kernel exploitation – r0 to r3 transitions via KeUserModeCallback
Hey there!
I have recently came across (well, not entirely by myself... cheers Nahuel!) a fairly (un)common problem related to performing ring0-to-ring3 transitions, after a successful kernel vulnerability exploitation. As I have managed to come up with a bunch of possible solutions, and even write exemplary code for some of these, today I would like to present my thoughts, together with some brief explanation.
Windows CSRSS Write Up: Inter-process Communication (part 2/3)
A quick beginning note: My friend d0c_s4vage has created a technical blog and posted his first text just a few days ago. The post entry covers a recent, critical libpng vulnerability discovered by this guy; the interesting thing is that, among others, the latest Firefox and Chrome versions were vulnerable. Feel free to take a minute and read the article here.
Additionally, the video and mp3 recordings from the presentation performed by me and Gynvael on the CONFidence 2010 conference, are now publicly available on the official website: link (Case study of recent Windows vulnerabilities).
Windows CSRSS Write Up: the basics (part 1/1)
NOTE: The following post entry opens a series of CSRSS-oriented articles, aiming at describing the uncovered CSRSS mechanism internals, present in the Windows OS for more than fifteen years now. Although some great research has already been carried out by a few curious guys (check out the references), no thorough case study is available until now. In this series, I am going to cover both the very basic ideas and their implementations, as well as the recent CSRSS changes applied in modern operating systems (i.e. Windows 7). And so, just have a good read! 
A quick insight into the Driver Signature Enforcement
Hey!
I have recently had some fun playing around with driver signing on Windows x64, and so I like to share some matters that have came into my head Therefore, let me briefly describe some internal mechanisms lying behind well known Driver Signature Enforcement, a significant part of the Code Integrity feature introduced by Microsoft in Windows Vista and Windows 7. Understanding the underlying system behavior would let us think of possible attack vectors against the protection, as well as better apprehend the existing techniques, such as the ones developed by Joanna Rutkowska or Alex Ionescu. Let the fun begin!
Windows CSRSS cross-version API Table
Hello!
It seems like half a year has passed since I published the Win32k.SYS system call table list on the net. During this time (well, it didn't take so long ) I managed to gather enough information to release yet another API list - this time, concerning an user-mode application - CSRSS (Client/Server Runtime SubSystem). As a relatively common research subject, I think a table of this kind can make things easier for lots of people.
“Descriptor tables in kernel exploitation” – a new article
Hi there!
Not so long (a few weeks, actually) ago, me together with Gynvael Coldwind had a chance to carry out a research regarding the Global and Local Descriptor Tables being used as a write-what-where target, while exploiting ring-0 vulnerabilities on 32-bit Microsoft Windows NT-family systems. The result of our work is a small article, describing the actual steps taken in order to escalate the privileges through GDT/LDT. As usual, exemplary source code snippets are available (attached to the document), so that the reader can check their effectiveness on his own.
x86 Kernel Memory Space Visualization (KernelMAP v0.0.1)
What I would like to write about today is a subject I have been playing with for quite some time – Windows kernel vulnerability exploitation techniques. While digging through various articles and other materials, I appeared to find bunches of interesting facts that are worth being described here. The post presented today aims to describe various ways of obtaining kernel-mode addresses from the user-mode (application) level.
Win32k.SYS system call table
Everyone who has ever had some serious contact with how the Windows kernel mechanisms work, was probably in need to access a complete system call number list (together with the handlers' definitions). As one of the most important part of the communication process between user's applications and kernel, SSDT is commonly used for both clearly practical purposes (such as hooking system services in order to modify the OS behavior in certain situations), as well as theoretical research or discussions.
Unexported SSDT functions finding method
Today, I would like to write about finding the addresses of non-exported kernel functions (syscall handlers) from user mode. The technique I am going to write about is my very own idea, that occured to me during one of my talks regarding Windows x86 kernel exploitation (greetings to suN8Hclf!). Despite this, I cannot guarantee that it hasn't been invented and described by some independent authors a few months/years ago. If some of you - the readers - is aware of a similar publication, please let me know (I will surely publish some supplementary material to this post). Let's get to the point...
Controlling Windows process list, part 1
First of all, I would like to point out that my old bootkit presentation related stuff is available since a few weeks now. As the whole event was held in polish language, so are the slides / materials. One way or another, if some of you were interested, just take a look at the Slow kilka o SecDay 2k9 post entry.
In one of my previous posts (check Suspending processes in Windows, part 1), I was trying to discuss the well-known and less popular techniques making it possible to suspend threads or entire processes working under Microsoft Windows OS control. I also announced that a specific way of TaskMgr.exe modification - extending it with the interesting functionality - would be described in the next post. Although, before getting straight to the point (this is - changing the executable binary code), we have to consider some other important matters. Namely, we intend to have the modification applied to every single Task Manager instance running on the system. Right here, we have a few possible paths to go:
Pages
Projects
Recent Posts
- Kernel exploitation – r0 to r3 transitions via KeUserModeCallback
- Windows CSRSS Write Up: Inter-process Communication (part 2/3)
- Blog customization, old PHP advisories
- Windows CSRSS Write Up: Inter-process Communication (part 1/3)
- Windows CSRSS Write Up: the basics (part 1/1)
Recent Comments
- j00ru: @NCR: Mmm… you should know it, already?;D
- NCR: @j00ru: what could it be?
- j00ru: @frank boldewin: thanks mate @NCR: Ahaha, yeah ;D I’ve got something for ya btw.
- NCR: Hey!, you did it!, you wrote it! thanks!
- frank boldewin: excellent writeup dude!