HITB eZine Issue 004 is public!

Traditionally, an IT-security magazine is released during the annual Hack in the Box conference; this year's edition, HITB 2010, was held in Kuala Lumpur, Malaysia (follow HITBSecConf @ Twitter) ;) For the last three issues, I have been contributing to the paper with my Windows-oriented articles. This time, I would like to present a publication called Creating custom console hosts on Windows 7, describing the customization possibilities for console windows that follow from a design-level change introduced in the latest Microsoft operating system – you're encouraged to download, read, and criticize it, as well as share ideas regarding the subject. Have fun.

Additionally, the editors have also included a few particularly interesting articles from past HITB Magazine editions. I am very happy to announce that one of the Reader's Choice papers is my publication – Windows Objects in Kernel Vulnerability Exploitation – originally released in HITB eZine 002. This gives a total of two papers authored by me – if you haven't had the chance to take a look at either of them, feel free to do so. The article (as well as all of the other ones) was given a new, brilliant graphical layout, making the entire issue pleasant to the eye and rich in practical knowledge ;)


Windows kernel to user transitions one more time

Before I start talking (writing?) about the real subject of this short post, I would like to make some interesting announcements.

  1. My friend mawekl has recently fired up a project called Security Traps. The website consists of numerous IT-related challenges, ranging from typical JavaScript hackmes, through Windows software Reverse Code Engineering tasks, up to C/C++ riddles and logical puzzles. If searching for non-trivial solutions to simple problems is what you like, taking a look at the system might prove to be both entertaining and informative – at least, it was for me ;)
    BTW. Try to beat the top 2 players ;D.
  2. a_d_13, the http://kernelmode.info/ forums administrator and author of the RootRepeal anti-rootkit software, has published an interesting tool called MemMAP v0.1.2, just a few minutes ago. The interesting thing about the program is that it was originally inspired by what I released in January this year: the tiny KernelMAP. AD's application greatly enhances my idea of memory visualization by including additional kernel memory areas (kernel stacks and GDI objects), and also makes it possible to observe the contents of user-mode memory. Feel encouraged to take a look at the program and possibly share interesting screenshots of its output ;)

Now, to the point. In the most recent post, I tried to describe the ways of performing ring0-to-ring3 transitions on the Windows platform – in particular, the ways that were known to me at the time of writing the article. After publishing the entry, I had a few interesting conversations, and it was pointed out to me that there is at least one (possibly more) solution whose reliability is no lower than that of the nt!KeUserModeCallback method, which I had claimed to be the best one. In this post, I am going to introduce yet another way of lowering the processor privilege level in a stable manner.
