OpenRCE

About Articles Book Store Distributed RCE Downloads Event Calendar Forums Live Discussion Reference Library RSS Feeds Search Store Users What's New

Customize Theme

Flag: Tornado! Hurricane!

Created: Saturday, January 16 2010 19:01.29 CST

Direct Link, View / Make / Edit Comments

GDT / LDT Windows Kernel Exploitation article

Author:

j00ru

# Views: 2421

Hi,

A few weeks ago, me and Gynvael had a chance to dive into the Global/Local Descriptor Table management in 32-bit Windows, and how it can be used to accomplish something, in the context of write-what-where ring-0 exploitation.

To sum-up everything we've came across during this research, a "GDT and LDT in Windows kernel vulnerability exploitation" paper was created.

Table of Contents:
1. Abstract
2. The need of a stable exploit path
3. Windows GDT and LDT
4. Creating a Call-Gate entry in LDT
4.1. 4-byte write-what-where exploitation
4.2. 1-byte write-what-where exploitation
4.3. Custom LDT goes User Mode
5. Summary
+ References
+ Attachments

My blog entry: http://j00ru.vexillium.org/?p=290&lang=en
Gynvael blog: http://gynvael.coldwind.pl/?id=274

The article itself: http://vexillium.org/dl.php?call_gate_exploitation.pdf

Have fun!

Created: Monday, January 4 2010 16:24.30 CST

Modified: Monday, January 4 2010 16:27.29 CST

Direct Link, View / Make / Edit Comments

x86 Kernel Memory Space Visualization

Author:

j00ru

# Views: 2301

Hello!

Just a quick info: recently I have been playing a little bit with retrieving kernel-mode addresses from the application (ring-3) level. The first result of this small research is a visualization tool called KernelMAP v0.0.1, that aims to gather as much information about the kernel memory layout as possible and present it to the user in somewhat attractive manner.

You can find more information on my blog, HERE.

Some screenshots of the app:

Created: Wednesday, November 11 2009 11:59.35 CST

Direct Link, View / Make / Edit Comments

WIN32k.SYS System Call Table

Author:

j00ru

# Views: 3029

Hi,

I have recently created a pre-alpha version of a Windows graphical syscall table. As for now, it contains more or less the latest Windows versions, however the list is going to be continuously supplemented with new data.

You can read more @ my original blog post: http://j00ru.vexillium.org/?p=257&lang=en

Have fun!

Created: Sunday, August 30 2009 07:19.09 CDT

Direct Link, View / Make / Edit Comments

TraceHook v0.0.1 release

Author:

j00ru

# Views: 3184

I have recently released a small project called TraceHook.
It is supposed to control the CreateProcess/TerminateProcess events and dump the desired processes if marked as malware, from kernel-mode.

There is still really much to do, but still I wanted to share the current piece of code - any comments are very welcome!

You can read more about it on my blog ;>

Created: Monday, January 28 2008 12:01.33 CST

Modified: Monday, January 28 2008 12:02.17 CST

Direct Link, View / Make / Edit Comments

FPU Tracer v0.0.1 released

Author:

j00ru

# Views: 4963

Hello,

Now the time has come for another post ;-)
I want to present a tool written by myself, in the original purpose, to help me with solving the HackerChallenge Phase3 - reversing the target executable ;>
But as some people found it a useful program, I decided to fix some known bugs and implement new features.

The main aim of Float Tracer is to monitor the specific process' execution and log the occurences of FPU instructions, showing its dissassembly, address, optionally modified STx value etc.
It can also mark the immediate values you specify, as well as instructions, value ranges of ST0-ST7 registers and so on ;>

As for now, it's a closed-source project. If anyone would be interested in my further development, I'll rewrite most of the code (to make it look like and work better), fix reported bugs, add some new options and generally publish the sources.
What is important - keep in mind it is 0.0.1 version, so I'm sure it must have a number of bugs. In case of you finding one, just mail me ;>

The package can be downloaded from: http://vexillium.org/?sec

Aaaand some screenshots, of course (trace working on Phase1 and Phase3 HC executables ;-))

Archived Entries for j00ru

Subject	# Views	Created On
Virtual Machine detection method cd.	5017	Sunday, January 20 2008
Old new Virtual Machine detection method.	5227	Wednesday, January 16 2008
Hello world	3551	Friday, January 11 2008

Active in Last 5 Minutes
	timtoady

There are 21,677 total registered users.

Recently Created Topics
PyEmu error when cal...	Sep/02
Restore Themida/Winl...	Sep/02
Anti-olly technique	Aug/30
RAR Password	Aug/29
Heap protection on W...	Aug/23
Why Inline asm in C+...	Aug/20
Bypassing OllyAdvance	Aug/17
Error in logic for g...	Aug/17
Has anyone seen this...	Aug/17
ARM Executable - Pat...	Aug/16

Recent Forum Posts
reverse engineering ...	raiden56
pydbg, memory breakp...	Researc...
RAR Password	Ineedhelp
RAR Password	cod
Heap protection on W...	voila
Heap protection on W...	j00ru
Heap protection on W...	voila
Heap protection on W...	j00ru
Heap protection on W...	psylocn
Why Inline asm in C+...	ronnie2...

Recent Blog Entries
	meshmesh	Sep/01
Is it legal??
	waleedassar	Aug/30
Anti-olly technique
	QvasiModo	Aug/24
WinAppDbg 1.4 is out!
	artemblagodarenko	Aug/18
Dataflow-0.2.0 released. Ne...
	grzonu	Aug/17
Bypassing OllyAdvanced
More ...

Recent Blog Comments
	tosanjay on:	Sep/02
PyEmu 0.0.2
	GynvaelColdwind on:	Sep/01
Is it legal??
	PeterFerrie on:	Aug/31
Anti-olly technique
	dennis on:	Aug/26
Dr. Gadget IDAPython plugin
	halsten on:	Aug/19
Dataflow-0.2.0 released. Ne...
More ...

Imagery

SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit