Skip to content

{ Category Archives } c

Protected Mode Segmentation as a powerful anti-debugging measure

The segmentation functionality has been present on the Intel processors since early stages of the CPU manufacturing. In real-mode, segments were the basis of 16-bit memory management, allowing the operating system or application to specify separate memory areas for different types of information, i.e. code, regular data, stack and so on. When a more complex […]

nt!NtMapUserPhysicalPages and Kernel Stack-Spraying Techniques

Although not the most common vulnerability class, it sometimes happens that a ring-0 module (or the kernel itself) references a local variable or buffer, which wasn’t previously properly initialized. The threat is usually mitigated by compiler warnings / errors, informing about potential security flaws present in the source code – as life shows, it is […]

Windows kernel2user transitions one more time

Hello, Before I start talking (writing?) over the real subject of this short post, I would like to make some interesting announcements. My friend mawekl has recently fired up a project called Security Traps. The website consists of numerous IT-related challenges, ranging from typical JavaScript-hackmes, through Windows software Reverse Code Engineering tasks, up to C/C++ […]

Kernel exploitation – r0 to r3 transitions via KeUserModeCallback

Hey there! I have recently came across (well, not entirely by myself… cheers Nahuel!) a fairly (un)common problem related to performing ring0-to-ring3 transitions, after a successful kernel vulnerability exploitation. As I have managed to come up with a bunch of possible solutions, and even write exemplary code for some of these, today I would like […]

Windows CSRSS Write Up: Inter-process Communication (part 2/3)

A quick beginning note: My friend d0c_s4vage has created a technical blog and posted his first text just a few days ago. The post entry covers a recent, critical libpng vulnerability discovered by this guy; the interesting thing is that, among others, the latest Firefox and Chrome versions were vulnerable. Feel free to take a […]

Blog customization, old PHP advisories

Hey there! Today, I would like to post a less-technical text, discussing two issues I have recently came across, or been busy with; don’t worry though, as CSRSS Write-Up: IPC (part 2/3) is on the way. The first matter is about recent changes applied to the blog appearance and functionality, while the latter regards the […]

“Descriptor tables in kernel exploitation” – a new article

Hi there! Not so long (a few weeks, actually) ago, me together with Gynvael Coldwind had a chance to carry out a research regarding the Global and Local Descriptor Tables being used as a write-what-where target, while exploiting ring-0 vulnerabilities on 32-bit Microsoft Windows NT-family systems. The result of our work is a small article, […]

Unexported SSDT functions finding method

Today, I would like to write about finding the addresses of non-exported kernel functions (syscall handlers) from user mode. The technique I am going to write about is my very own idea, that occured to me during one of my talks regarding Windows x86 kernel exploitation (greetings to suN8Hclf!). Despite this, I cannot guarantee that […]

TraceHook v0.0.2

Since I have recently managed to find some time and come back to TraceHook project development, I decided to mark the result of a-few-hour-long session with the next version number – 0.0.2. Until now, the application has been designed for my own purposes – it was written to handle particular problems and work under certain […]

TraceHook v0.0.1 release

Having some free time, I managed to apply some minor fixed to the TraceHook – I also decided to publish it, by the way. If there will be any bug reports / improvement suggestions, I will be more motivated to return to its development ;)