j00ru//vx tech blog Coding, reverse engineering, OS internals covered one more time

5Sep/107

Kernel exploitation – r0 to r3 transitions via KeUserModeCallback

Hey there!

I have recently came across (well, not entirely by myself... cheers Nahuel!) a fairly (un)common problem related to performing ring0-to-ring3 transitions, after a successful kernel vulnerability exploitation. As I have managed to come up with a bunch of possible solutions, and even write exemplary code for some of these, today I would like to present my thoughts, together with some brief explanation.

Filed under: Assembler, C, OS Internals, Programming, Ring0, Ring3, Undocumented API, Windows 7, Windows Vista, Windows XP, hacking, kernel Continue reading
27Jul/104

Windows CSRSS Write Up: Inter-process Communication (part 2/3)

A quick beginning note: My friend d0c_s4vage has created a technical blog and posted his first text just a few days ago. The post entry covers a recent, critical libpng vulnerability discovered by this guy; the interesting thing is that, among others, the latest Firefox and Chrome versions were vulnerable. Feel free to take a minute and read the article here.

Additionally, the video and mp3 recordings from the presentation performed by me and Gynvael on the CONFidence 2010 conference, are now publicly available on the official website: link (Case study of recent Windows vulnerabilities).

Filed under: Assembler, C, CSRSS, Conferences, OS Internals, Programming, Ring3, Undocumented API, Windows 7, Windows Vista, Windows XP, hacking Continue reading
16Jan/103

“Descriptor tables in kernel exploitation” – a new article

Hi there!

Not so long (a few weeks, actually) ago, me together with Gynvael Coldwind had a chance to carry out a research regarding the Global and Local Descriptor Tables being used as a write-what-where target, while exploiting ring-0 vulnerabilities on 32-bit Microsoft Windows NT-family systems. The result of our work is a small article, describing the actual steps taken in order to escalate the privileges through GDT/LDT. As usual, exemplary source code snippets are available (attached to the document), so that the reader can check their effectiveness on his own.

Filed under: Assembler, C, Cpp, OS Internals, Programming, Ring0, Undocumented API, Windows 7, Windows Vista, Windows XP, hacking, kernel, rootkit Continue reading
4Jan/105

x86 Kernel Memory Space Visualization (KernelMAP v0.0.1)

What I would like to write about today is a subject I have been playing with for quite some time – Windows kernel vulnerability exploitation techniques. While digging through various articles and other materials, I appeared to find bunches of interesting facts that are worth being described here. The post presented today aims to describe various ways of obtaining kernel-mode addresses from the user-mode (application) level.

Filed under: Assembler, Cpp, OS Internals, Programming, Ring0, Ring3, Undocumented API, Windows 7, Windows Vista, Windows XP, hacking, kernel Continue reading
   

Pages

Projects

Windows Graphical System Call Table x86

Windows Graphical System Call Table x86-64

Windows CSRSS Api Table

Windows CSRSS Api List

Recent Posts

Recent Comments

  • j00ru: @Ivanlef0u: Hey. As for the first question, well… there is no particular reason for using...
  • Ivanlef0u: Yo, Stupid question but why do you use GetFSBase() for GetThreadSelectorEntry() ? You can use : mov...
  • j00ru: @NCR: Mmm… you should know it, already?;D
  • NCR: @j00ru: what could it be? :P
  • j00ru: @frank boldewin: thanks mate ;) @NCR: Ahaha, yeah ;D I’ve got something for ya btw.

Categories

Blogroll