Kernel exploitation – r0 to r3 transitions via KeUserModeCallback
Hey there!
I have recently come across (well, not entirely by myself... cheers Nahuel!) a fairly (un)common problem related to performing ring0-to-ring3 transitions after a successful kernel vulnerability exploitation. As I have managed to come up with a bunch of possible solutions, and even written example code for some of them, today I would like to present my thoughts, together with some brief explanation.
Windows CSRSS Write Up: Inter-process Communication (part 2/3)
A quick note to begin with: my friend d0c_s4vage has created a technical blog and posted his first text just a few days ago. The entry covers a recent, critical libpng vulnerability discovered by him; the interesting thing is that, among others, the latest Firefox and Chrome versions were vulnerable. Feel free to take a minute and read the article here.
Additionally, the video and mp3 recordings of the presentation given by Gynvael and me at the CONFidence 2010 conference are now publicly available on the official website: link (Case study of recent Windows vulnerabilities).
Blog customization, old PHP advisories
Hey there!
Today, I would like to post a less technical text, discussing two issues I have recently come across or been busy with; don't worry though, as CSRSS Write-Up: IPC (part 2/3) is on the way. The first matter concerns recent changes applied to the blog's appearance and functionality, while the latter regards the results of a source-code audit performed by me and my Hispasec colleagues (Gynvael Coldwind and Icewall) something like a year ago (last summer).
“Descriptor tables in kernel exploitation” – a new article
Hi there!
Not so long ago (a few weeks, actually), Gynvael Coldwind and I had a chance to carry out research on the Global and Local Descriptor Tables being used as a write-what-where target while exploiting ring-0 vulnerabilities on 32-bit Microsoft Windows NT-family systems. The result of our work is a small article describing the actual steps taken in order to escalate privileges through the GDT/LDT. As usual, example source code snippets are available (attached to the document), so that readers can check their effectiveness on their own.
Unexported SSDT functions finding method
Today, I would like to write about finding the addresses of non-exported kernel functions (syscall handlers) from user mode. The technique I am going to describe is my very own idea, which occurred to me during one of my talks on Windows x86 kernel exploitation (greetings to suN8Hclf!). Despite this, I cannot guarantee that it hasn't been invented and described by some independent authors a few months or years ago. If any of you readers are aware of a similar publication, please let me know (I will surely publish some supplementary material to this post). Let's get to the point...
TraceHook v0.0.2
Since I have recently managed to find some time and come back to TraceHook project development, I decided to mark the result of a few-hour-long session with the next version number, 0.0.2. Until now, the application has been designed for my own purposes - it was written to handle particular problems and work under certain conditions, although I am slowly trying to implement additional options that might turn out to be handy for a wider public.
The main purpose and the techniques used remain the same - it is still all about tracing and dumping process trees marked as malware (which is what TraceHook was created for in the first place). The engine itself is built around a kernel driver, responsible for maintaining the current process list in a safe manner, receiving and managing the notification signals regarding events such as program creation/termination, as well as the majority of the other available options.
TraceHook v0.0.1 release
Having some free time, I managed to apply some minor fixes to TraceHook - and I also decided to publish it, by the way. If there are any bug reports or improvement suggestions, I will be more motivated to return to its development.
Suspending processes in Windows, part 1
I have recently been encountering a rather atypical problem - playing Starcraft was hard due to the number of active processes running on my operating system, including a few IDA instances, virtual machines and, the most disturbing one, the Firefox web browser. As we all know, it's not only about the memory used by Firefox - the main problem is that the application tends to consume large amounts of CPU time (especially with 150-200 tabs open at once). When we add a processor that heats up very easily, the aforementioned game might really have some performance problems.
Extending Total Commander with some minor functionality
As a loyal user of the standard Windows shell (explorer.exe), I often run into problems with the number of open windows on one desktop. Since my current notebook hardly ever shuts down, neither does the user's shell. After a few working evenings, I often have difficulty locating the desired windows. With something like 40-50 of them, it is usually a hard task to switch between the internet browser, IDA, programming IDE, virtual machines, file manager and so on. The worst thing for me turned out to be looking for the Total Commander window (the one used most frequently). A situation like this was obviously causing a lot of wasted time and, consequently, frustration.