“Descriptor tables in kernel exploitation” – a new article

Not so long (a few weeks, actually) ago, me together with Gynvael Coldwind had a chance to carry out a research regarding the Global and Local Descriptor Tables being used as a write-what-where target, while exploiting ring-0 vulnerabilities on 32-bit Microsoft Windows NT-family systems. The result of our work is a small article, describing the actual steps taken in order to escalate the privileges through GDT/LDT. As usual, example source code snippets are available (attached to the document), so that the reader can check their effectiveness on their own.

I would like to say thank you to Unavowed and Agnieszka Zerka for their comments and help in the process of assembling this publication.

A complete package, including a PDF file “GDT and LDT in Windows kernel vulnerability exploitation” (with the source.zip file enclosed to the paper) can be downloaded from here (682 kB).

Read more“Descriptor tables in kernel exploitation” – a new article

x86 Kernel Memory Space Visualization (KernelMAP v0.0.1)

What I would like to write about today is a subject I have been playing with for quite some time – Windows kernel vulnerability exploitation techniques. While digging through various articles and other materials, I appeared to find bunches of interesting facts that are worth being described here. The post presented today aims to describe various ways of obtaining kernel-mode addresses from the user-mode (application) level.

One could ask, what would we want to retrieve any internal system addresses for. Well, it is indeed a very good question – as for me, the kernel addresses become most useful in the vulnerability exploitation process. Since a majority of bugs found in device drivers belong, directly (pointer validation) or indirectly (pool buffer overflow), to the write-what-where condition family, one must know the exact address to be overwritten before performing the operation. This basically means that the more information about kernel memory layout we can gather, the more stable and effective attacks can be conducted.

The idea I am writing about is not new, for sure. A great part of kernel exploits programmers has already used such techniques in their source code. However, I haven’t ever found any publication that would thoroughly describe every possible vector of obtaining somewhat “sensitive” kernel data (addresses) from within user-mode. Hence, I would like to present a short introduction of each method I could think of – a longer article will presumably be released within a few days. Huh, let’s get to the point, already!

Read morex86 Kernel Memory Space Visualization (KernelMAP v0.0.1)

Win32k.SYS system call table

Everyone who has ever had some serious contact with how the Windows kernel mechanisms work, was probably in need to access a complete system call number list (together with the handlers’ definitions). As one of the most important part of the communication process between user’s applications and kernel, SSDT is commonly used for both clearly practical purposes (such as hooking  system services in order to modify the OS behavior in certain situations), as well as theoretical research or discussions.

Considering the above facts, the popularity of a (mostly) full  system call list created by the Metasploit Project shouldn’t be a surprise. Their list covers most of the modern Windows NT-family systems, from Windows NT4, up to Windows Vista SP0. What is more, apart from the syscall numbers corresponding to certain kernel functions, the table also provides complete definitions of these functions.

What should be noted is that the described table contains information about only a part of all system calls – the ones exported by the kernel executable (ntoskrnl.exe). The graphical syscalls – exported by an external module called win32k.sys – have not been taken into account, at all. During my research on how some of the Windows user interface functions work,  a need to access information about system calls IDs greater than 0x1000 (values of this kind are used to communicate with the graphical part of the kernel) appeared. Since I failed to find a list, that could be compared with what Metasploit presents, I decided to create one on my own!

The current version of the Windows Graphical System Call List can be found under the following address: https://j00ru.vexillium.org/syscalls/win32k/32/.

Read moreWin32k.SYS system call table

Unexported SSDT functions finding method

Today, I would like to write about finding the addresses of non-exported kernel functions (syscall handlers) from user mode. The technique I am going to write about is my very own idea, that occured to me during one of my talks regarding Windows x86 kernel exploitation (greetings to suN8Hclf!). Despite this, I cannot guarantee that it hasn’t been invented and described by some independent authors a few months/years ago. If some of you – the readers – is aware of a similar publication, please let me know (I will surely publish some supplementary material to this post). Let’s get to the point…

The subject of practical vulnerability exploitation of the system kernel or one of its modules is simply too wide to entirely talk it over here. The technical aspects of making use of such vulnerabilities have already been described by a number of researchers, and the results of their work can be found, inter alia, there:

Read moreUnexported SSDT functions finding method

Controlling Windows process list

In one of my previous posts (check Suspending processes in Windows), I was trying to discuss the well-known and less popular techniques making it possible to suspend threads or entire processes working under Microsoft Windows OS control. I also announced that a specific way of TaskMgr.exe modification – extending it with the interesting functionality – would be described in the next post. Although, before getting straight to the point (this is – changing the executable binary code), we have to consider some  other important matters. Namely, we intend to have the modification applied to every single Task Manager instance running on the system. Right here, we have a few possible paths to go:

  • Perform a one-time TaskMgr.exe system file alteration on hard disk.
  • Create an additional executable file, called the loader – associated with the Task Manager and launched as its debugger.
  • Leave the hard disk contents unchanged – modify only the virtual memory of all active processes, meeting some specific requirements (in our case – executable image path).

Each option presented above has it’s own set of drawbacks. When it comes to physical HDD modification, we start playing with system file data, which should be always considered dangerous and unwanted behavior. What is more, since Windows keeps many backup copies of core system applications, we would have to get rid of or modify all the existing Task Manager backups. In general, I find the method a little bit too messy to use in practice. If you would like to read more about this subjects, Windows File Protection and Windows Resource Protection should be a good place to start.

Read moreControlling Windows process list

TraceHook v0.0.2

Since I have recently managed to find some time and come back to TraceHook project development, I decided to mark the result of a-few-hour-long session with the next version number – 0.0.2. Until now, the application has been designed for my own purposes – it was written to handle particular problems and work under certain conditions, although I am slowly trying to implement additional options, that might turn out to be handy for wider public.

The main purpose and used techniques remain the same – it is still all about tracing and dumping process trees marked as malware (for which TraceHook was created in the first place). The engine itself is build with a kernel driver, responsible for handling the current process list in a safe manner,receiving and managing the notify signals, regarding events such as program creation/termination, as well as a majority of other available options.

The new version has been mainly enhanced with a new dump file format – Windows MiniDump. As opposed to a full raw memory dump, performed entirely in kernel-mode, the minidump file is written to from user-mode. Moving the dumping function to user area makes it possible to extend the project with more, safe functions implementing new file formats, depending on the user’s needs.

A complete package (EXE + sources): TraceHook_v0.0.2.zip (50 kB)

Read moreTraceHook v0.0.2

TraceHook v0.0.1 release

Having some free time, I managed to apply some minor fixed to the TraceHook – I also decided to publish it, by the way. If there will be any bug reports / improvement suggestions, I will be more motivated to return to its development ;)

TraceHook is a tiny application keeping track over processes and dumping them when necessary. It’s main objective is to handle various types of malware samples, launched inside a virtual environment (pure malware analysis purposes). Once you choose the executable to run, TraceHook creates the process and adds its PID to the “Controlled Processes’ List”. Every single child-process created by one of these already present in our list, is also being controlled. After all the manual steps are performed (triggering the malware’s core functionality) on the virtual machine, the application dumps the memory context of all the processes inside our controlled list, to separate files inside the hardcoded C:\dump path.

The engine itself is a kernel module (device driver), having a callback routine registered using the documented PspCreateProcessNotifyRoutine API. It works in the context of all processes, thus doesn’t need to inject any additional user-mode code anywhere.

A complete package (EXE + sources): TraceHook_v0.0.1.zip (40kB)

Read moreTraceHook v0.0.1 release

Suspending processes in Windows

I have been recently encountering quite a non-typical problem – playing Starcraft was hard due to the amount of active processes running on my operating system – including a few IDA instances, virtual machines and the most disturbing… Firefox web browser. As we all know, it’s not only about the memory being used by Firefox – the main problem is that the application tends to consume large amounts of CPU time (especially when having 150-200 opened tabs at once). When we add a very easily-heating processor, the aforementioned game might really have some problems with effectiveness.

The most intuitive solution to that problem seemed to be simply killing the firefox.exe process (no matter if it means closing it the right way or just terminating it) – the rest was no longer a problem, since it is possible to pause the Virtual Machine execution etc. The real problem appeared after the game, when I wanted to start working with the web browser – loading 150 sites back is always time-consuming, no matter how fast your connection is. When such a situation began taking place a number of times a day, I became pretty frustrated.

Read moreSuspending processes in Windows

The incoming SecDay conference

I have a pleasure to inform the blog readers about the incoming event I am taking part in – the polish SecDay conference (regarding security in a general meaning)! ;)

My presentation’s subject is the practical approach to, so called, bootkit creation. To make things clear, bootkit consists of a number of code blocks present on some kind of bootable media, being able to take complete control over the attacked machine, by simply performing some run-time memory modifications at the time of OS startup process.  To be exact, I will try to show how easy pwning a machine is, provided the potential attacker has physical access to the target. The steps taken by our bootable code to achieve specific goals (hacking the user authorization mechanism etc) will be described in detail.

The event will is going to be held in polish, but I expect my presentation stuff to be released in both PL and EN versions ;)

Blog management changes

Welcome to the blog on my own hosting!

I have recently decided to add multi-language support to the blog, which obviously required the WordPress system to be moved to my own hosting (the one provided by wordpress.com lacks many important features, like the possibility to install plugins (which turned out to be very useful, by the way)). What is more, some other handy plugins have been installed as well, including code highlighting, modified theme and a few other, not visible to the user himself.

Right from now, every new post is supposed to be available in the polish language version first. However, I will do my best to translate them as soon as possible. Hope you will like the new features!