Skip to content

{ Category Archives } windows xp

Kernel double-fetch race condition exploitation on x86 – further thoughts

(Collaborative post by Mateusz “j00ru” Jurczyk and Gynvael Coldwind) It was six weeks ago when we first introduced our effort to locate and eliminate the so-called double fetch (e.g. time-of-check-to-time-of-use during user-land memory access) vulnerabilities in operating system kernels through CPU-level operating system instrumentation, a project code-named “Bochspwn” as a reference to the x86 emulator used (bochs: The Open [...]

2013 06 17 exploitation
hacking
kernel
os internals
ring0
ring3
undocumented api
windows 7
windows vista Comments (0)

CONFidence 2013 and the x86 quirks

Another week, another conference. Just a few days ago, Gynvael and I  had the pleasure to attend and present at the CONFidence 2013 infosec conference traditionally held in Cracow, Poland. The event requires no further introduction – it has been simply the best Polish conference in the security area since it first started, and this [...]

2013 06 02 assemmbler
conferences
exploitation
hacking
kernel
os internals
programming
ring0
ring3
undocumented api
windows 7
windows vista Comments (0)

NoSuchCon’13 and crashing Windows with two instructions

The first edition of the NoSuchCon security conference held in Paris ended just a few days ago. Before anything else, I would like to thank all of the organizers (proudly listed at nosuchcon.org) for making the event such a blast! Both the location, venue and speaker line-up were amazing, with lots of free beer and [...]

2013 05 21 assemmbler
c
conferences
exploitation
hacking
kernel
os internals
papers
programming
ring0
undocumented api
windows 7
windows vista Comments (7)

SyScan 2013, Bochspwn paper and slides

(Collaborative post by Mateusz “j00ru” Jurczyk and Gynvael Coldwind) A few days ago we (Gynvael and I) gave a talk during the SyScan’13 conference in the fine city of Singapore, and as promised (though with a slight delay), today we are publishing both the slide deck and a white paper discussing memory access pattern analysis [...]

2013 05 02 conferences
exploitation
hacking
kernel
os internals
papers
ring0
ring3
undocumented api
windows 7
windows vista Comments (7)

A story of win32k!cCapString, or unicode strings gone bad

In the most recent blog post (“Fun facts: Windows kernel and guard pages”), we have learned how the code coverage of kernel routines referencing user-mode memory can be determined by taking advantage of the fact that kernel-mode code triggers guard page exceptions in the same way as user-mode does. Today, I will present how the [...]

2013 04 16 c
c++
exploitation
hacking
kernel
os internals
programming
ring0
windows 7
windows vista Comments (0)

Fun facts: Windows kernel and guard pages

It has been a while since I last posted here, so I guess it’s high time to get back to work and share some more interesting Windows kernel internals goodies. Before we get to that, however, let’s start with a few announcements. First of all, there is a number of great infosec conferences coming up [...]

2013 04 12 c
conferences
exploitation
hacking
kernel
os internals
papers
ring0
windows 7
windows vista Comments (4)

CVE-2012-2553: Windows Kernel VDM use-after-free in win32k.sys

Microsoft addressed several Windows kernel vulnerabilities in the MS12-075 security bulletin released in November this year, some of them residing in every version of the win32k.sys driver shipped with the NT family line systems. Apart from the obviously extremely interesting remote web browser => ring-0 arbitrary code execution issue, there have also been two other [...]

2012 12 18 exploitation
hacking
kernel
os internals
ring0
undocumented api
windows 7
windows vista Comments (4)

ZeroNights slides, Hack In The Box Magazine #9 and other news

First of all, it has been reported to me that the system call list for Microsoft Windows Vista SP0 available at http://j00ru.vexillium.org/ntapi was wrong, containing syscall numbers for beta2 version of the system instead of the actual RTM Service Pack 0. The issue has already been resolved – apologies for any confusion this might have [...]

2012 12 01 conferences
exploitation
hacking
kernel
os internals
papers
ring0
undocumented api
windows 7
windows vista Comments (1)

Crawling MSDN for fun and profit

Regardless of whether you are a Windows exploitation guru, a professional win32 application developer or someone whose curiosity occasionally tells him to dig up the MSDN library looking for interesting quirks or undocumented functionality, the following examples of MSDN article excerptions are very likely to look familiar to you: Simply put, the operating system operates on an [...]

2012 11 16 hacking
kernel
os internals
ring0
ring3
undocumented api
windows 7
windows vista Comments (2)

Defeating Windows Driver Signature Enforcement #1: default drivers

One of the obvious things about the Windows operating system for anyone actively working on its kernel security is that the Driver Signature Enforcement (DSE in short) is not effective and can be bypassed with relative ease by any determined individual. From a historical perspective, the “feature” was introduced in the 64-bit build of Windows [...]

2012 11 03 c
exploitation
hacking
kernel
os internals
programming
ring0
undocumented api
windows 7
windows vista Comments (8)