CTcpFwd – cross-platform stdin/out to socket forwarding class
Hello,
A few weeks ago, I had the pleasure to take part in a local 24-hour long, programming marathon (greets to my team: Pawel and Wojtek!). Due to the nature of the competition, I was obliged to create a simple class, making it possible to redirect sockets to standard i/o (stdin / stdout), which would greatly facilitate the communication process with the contest server. Because of the fact that we were going to work on different system platforms - both Microsoft Windows and GNU/Linux, the class had to be as cross-platform compatible as it was only possible. And so the CTcpFwd class, presented today, came into existence.
“Descriptor tables in kernel exploitation” – a new article
Hi there!
Not so long (a few weeks, actually) ago, me together with Gynvael Coldwind had a chance to carry out a research regarding the Global and Local Descriptor Tables being used as a write-what-where target, while exploiting ring-0 vulnerabilities on 32-bit Microsoft Windows NT-family systems. The result of our work is a small article, describing the actual steps taken in order to escalate the privileges through GDT/LDT. As usual, exemplary source code snippets are available (attached to the document), so that the reader can check their effectiveness on his own.
x86 Kernel Memory Space Visualization (KernelMAP v0.0.1)
What I would like to write about today is a subject I have been playing with for quite some time – Windows kernel vulnerability exploitation techniques. While digging through various articles and other materials, I appeared to find bunches of interesting facts that are worth being described here. The post presented today aims to describe various ways of obtaining kernel-mode addresses from the user-mode (application) level.
Unexported SSDT functions finding method
Today, I would like to write about finding the addresses of non-exported kernel functions (syscall handlers) from user mode. The technique I am going to write about is my very own idea, that occured to me during one of my talks regarding Windows x86 kernel exploitation (greetings to suN8Hclf!). Despite this, I cannot guarantee that it hasn't been invented and described by some independent authors a few months/years ago. If some of you - the readers - is aware of a similar publication, please let me know (I will surely publish some supplementary material to this post). Let's get to the point...
TraceHook v0.0.2
Since I have recently managed to find some time and come back to TraceHook project development, I decided to mark the result of a-few-hour-long session with the next version number - 0.0.2. Until now, the application has been designed for my own purposes - it was written to handle particular problems and work under certain conditions, although I am slowly trying to implement additional options, that might turn out to be handy for wider public.
The main purpose and used techniques remain the same - it is still all about tracing and dumping process trees marked as malware (for which TraceHook was created in the first place). The engine itself is build with a kernel driver, responsible for handling the current process list in a safe manner,receiving and managing the notify signals, regarding events such as program creation/termination, as well as a majority of other available options.
TraceHook v0.0.1 release
Having some free time, I managed to apply some minor fixed to the TraceHook - I also decided to publish it, by the way. If there will be any bug reports / improvement suggestions, I will be more motivated to return to its development 
Suspending processes in Windows, part 1
I have been recently encountering quite a non-typical problem - playing Starcraft was hard due to the amount of active processes running on my operating system - including a few IDA instances, virtual machines and the most disturbing... Firefox web browser. As we all know, it's not only about the memory being used by Firefox - the main problem is that the application tends to consume large amounts of CPU time (especially when having 150-200 opened tabs at once). When we add a very easily-heating processor, the aforementioned game might really have some problems with effectiveness.
Extending Total Commander with some minor functionality
As a loyal standard Windows shell (explorer.exe) user I often encounter some problems with the number of opened Windows on one desktop. Since my current notebook hardly ever goes down, so does the user's shell. After a few working evenings, I often have difficulty localizing the desired windows. Having something like 40-50 of them, it is usually a hard task to switch between internet browser, IDA, programming IDE, virtual machines, file manager and so on. The worst thing for me turned out to be looking for the TotalCommander window (being used the most frequently). A situation like this was obviously causing much of a time waste and consequently frustration.
Pages
Projects
Recent Posts
- Kernel exploitation – r0 to r3 transitions via KeUserModeCallback
- Windows CSRSS Write Up: Inter-process Communication (part 2/3)
- Blog customization, old PHP advisories
- Windows CSRSS Write Up: Inter-process Communication (part 1/3)
- Windows CSRSS Write Up: the basics (part 1/1)
Recent Comments
- j00ru: @NCR: Mmm… you should know it, already?;D
- NCR: @j00ru: what could it be?
- j00ru: @frank boldewin: thanks mate @NCR: Ahaha, yeah ;D I’ve got something for ya btw.
- NCR: Hey!, you did it!, you wrote it! thanks!
- frank boldewin: excellent writeup dude!