Attacking the Host via Remote Kernel Debugger (Virtual Machines)
NOTE: This post is closely related to research performed by Alex Ionescu. He is going to present the results of his work at the RECON2010 conference, in his "Debugger-based Target-to-Host Cross-System Attacks" talk. As it turns out, Alex and I have been working on the same subject concurrently; while I have only managed to perform a cursory analysis of the mechanism, Alex has carried out a thorough analysis and has possibly developed a PoC for a real vulnerability.
Besides this, I would like to share some of the ideas and conclusions I came up with over the past few weeks.
TraceHook v0.0.2
Since I recently managed to find some time to come back to TraceHook development, I decided to mark the result of a few-hour-long session with the next version number, 0.0.2. Until now, the application has been designed for my own purposes: it was written to handle particular problems and to work under certain conditions, although I am slowly trying to implement additional options that might turn out to be handy for a wider public.
The main purpose and the techniques used remain the same: it is still all about tracing and dumping process trees marked as malware (which is what TraceHook was created for in the first place). The engine itself is built around a kernel driver, responsible for maintaining the current process list in a safe manner, receiving and handling the notification callbacks for events such as process creation and termination, and implementing the majority of the other available options.
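As an added illustration (my own example, not TraceHook's driver code), the bookkeeping a process-tracing driver has to keep can be modelled in user-mode C: a table of live processes fed by create/terminate events, where the traced flag is copied from the parent at creation time. The pids, event sequence and function names are constructed for the example; on Windows the events would arrive in a callback registered with PsSetCreateProcessNotifyRoutine(Ex), and the table would have to be guarded by a lock because callbacks run in arbitrary process context, which the model leaves out.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* User-mode model of the process table behind "tracing process trees marked
 * as malware". Not TraceHook's code: the driver equivalent would be fed by a
 * PsSetCreateProcessNotifyRoutine(Ex) callback and protected by a lock. */

#define MAX_PROCS 64

typedef struct {
    uint32_t pid;
    uint32_t ppid;
    bool     live;
    bool     traced;   /* in a tree rooted at a marked process */
} proc_entry;

static proc_entry table[MAX_PROCS];

void reset_table(void) { memset(table, 0, sizeof table); }

static proc_entry *find_live(uint32_t pid) {
    for (size_t i = 0; i < MAX_PROCS; i++)
        if (table[i].live && table[i].pid == pid)
            return &table[i];
    return NULL;
}

static proc_entry *alloc_entry(void) {
    for (size_t i = 0; i < MAX_PROCS; i++)
        if (!table[i].live)
            return &table[i];
    return NULL;
}

/* Mark a live process as the root of a malware tree. Unknown pids are
 * rejected so a stale identifier never silently marks nothing. */
bool mark_process(uint32_t pid) {
    proc_entry *p = find_live(pid);
    if (!p) return false;
    p->traced = true;
    return true;
}

/* Create notification. The flag is copied from the parent now rather than
 * resolved through parent links later, so a child stays traced after its
 * parent exits and no link into a freed slot is ever followed.
 * Returns whether the new process is traced. */
bool on_create(uint32_t pid, uint32_t ppid) {
    if (find_live(pid)) return false;            /* duplicate create: ignore */
    proc_entry *e = alloc_entry();
    if (!e) return false;                        /* table full */
    proc_entry *parent = find_live(ppid);
    e->pid = pid;
    e->ppid = ppid;
    e->live = true;
    e->traced = parent ? parent->traced : false; /* unknown parent: untraced */
    return e->traced;
}

/* Terminate notification: free the slot so a reused pid starts clean.
 * Returns true if the exiting process was traced, which is the point at
 * which a tracing tool would dump it. */
bool on_terminate(uint32_t pid) {
    proc_entry *p = find_live(pid);
    if (!p) return false;
    bool was_traced = p->traced;
    memset(p, 0, sizeof *p);
    return was_traced;
}

bool is_traced(uint32_t pid) {
    proc_entry *p = find_live(pid);
    return p && p->traced;
}

int traced_count(void) {
    int n = 0;
    for (size_t i = 0; i < MAX_PROCS; i++)
        if (table[i].live && table[i].traced) n++;
    return n;
}

int main(void) {
    /* Constructed event sequence: pid 4 is marked, its descendants inherit. */
    on_create(4, 1);
    mark_process(4);
    on_create(100, 4);
    on_create(101, 100);
    on_create(200, 1);
    on_terminate(100);
    printf("101 traced after parent exit: %d\n", is_traced(101));
    printf("traced processes: %d\n", traced_count());
    return 0;
}
```

The two details worth copying into a real driver are the ones the model exercises: the flag travels with each entry instead of being derived by walking parent links, so an orphaned descendant of a marked process is still dumped after the root exits, and a terminate event frees the slot, so a later process that reuses the same pid under an untraced parent is not mistaken for part of the tree.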
TraceHook v0.0.1 release
Having some free time, I managed to apply some minor fixes to TraceHook, and I also decided to publish it. If there are any bug reports or improvement suggestions, I will be more motivated to return to its development.