OpenRCE

About Articles Book Store Distributed RCE Downloads Event Calendar Forums Live Discussion Reference Library RSS Feeds Search Store Users What's New

Customize Theme

Flag: Tornado! Hurricane!

Created: Saturday, January 16 2010 19:01.29 CST

Direct Link, View / Make / Edit Comments

GDT / LDT Windows Kernel Exploitation article

Author:

j00ru

# Views: 1190

Hi,

A few weeks ago, me and Gynvael had a chance to dive into the Global/Local Descriptor Table management in 32-bit Windows, and how it can be used to accomplish something, in the context of write-what-where ring-0 exploitation.

To sum-up everything we've came across during this research, a "GDT and LDT in Windows kernel vulnerability exploitation" paper was created.

Table of Contents:
1. Abstract
2. The need of a stable exploit path
3. Windows GDT and LDT
4. Creating a Call-Gate entry in LDT
4.1. 4-byte write-what-where exploitation
4.2. 1-byte write-what-where exploitation
4.3. Custom LDT goes User Mode
5. Summary
+ References
+ Attachments

My blog entry: http://j00ru.vexillium.org/?p=290&lang=en
Gynvael blog: http://gynvael.coldwind.pl/?id=274

The article itself: http://vexillium.org/dl.php?call_gate_exploitation.pdf

Have fun!

Created: Monday, January 4 2010 16:24.30 CST

Modified: Monday, January 4 2010 16:27.29 CST

Direct Link, View / Make / Edit Comments

x86 Kernel Memory Space Visualization

Author:

j00ru

# Views: 1362

Hello!

Just a quick info: recently I have been playing a little bit with retrieving kernel-mode addresses from the application (ring-3) level. The first result of this small research is a visualization tool called KernelMAP v0.0.1, that aims to gather as much information about the kernel memory layout as possible and present it to the user in somewhat attractive manner.

You can find more information on my blog, HERE.

Some screenshots of the app:

Created: Wednesday, November 11 2009 11:59.35 CST

Direct Link, View / Make / Edit Comments

WIN32k.SYS System Call Table

Author:

j00ru

# Views: 2182

Hi,

I have recently created a pre-alpha version of a Windows graphical syscall table. As for now, it contains more or less the latest Windows versions, however the list is going to be continuously supplemented with new data.

You can read more @ my original blog post: http://j00ru.vexillium.org/?p=257&lang=en

Have fun!

Created: Sunday, August 30 2009 07:19.09 CDT

Direct Link, View / Make / Edit Comments

TraceHook v0.0.1 release

Author:

j00ru

# Views: 2576

I have recently released a small project called TraceHook.
It is supposed to control the CreateProcess/TerminateProcess events and dump the desired processes if marked as malware, from kernel-mode.

There is still really much to do, but still I wanted to share the current piece of code - any comments are very welcome!

You can read more about it on my blog ;>

Created: Monday, January 28 2008 12:01.33 CST

Modified: Monday, January 28 2008 12:02.17 CST

Direct Link, View / Make / Edit Comments

FPU Tracer v0.0.1 released

Author:

j00ru

# Views: 4371

Hello,

Now the time has come for another post ;-)
I want to present a tool written by myself, in the original purpose, to help me with solving the HackerChallenge Phase3 - reversing the target executable ;>
But as some people found it a useful program, I decided to fix some known bugs and implement new features.

The main aim of Float Tracer is to monitor the specific process' execution and log the occurences of FPU instructions, showing its dissassembly, address, optionally modified STx value etc.
It can also mark the immediate values you specify, as well as instructions, value ranges of ST0-ST7 registers and so on ;>

As for now, it's a closed-source project. If anyone would be interested in my further development, I'll rewrite most of the code (to make it look like and work better), fix reported bugs, add some new options and generally publish the sources.
What is important - keep in mind it is 0.0.1 version, so I'm sure it must have a number of bugs. In case of you finding one, just mail me ;>

The package can be downloaded from: http://vexillium.org/?sec

Aaaand some screenshots, of course (trace working on Phase1 and Phase3 HC executables ;-))

Archived Entries for j00ru

Subject	# Views	Created On
Virtual Machine detection method cd.	4916	Sunday, January 20 2008
Old new Virtual Machine detection method.	5042	Wednesday, January 16 2008
Hello world	3426	Friday, January 11 2008

There are 16,591 total registered users.

Recently Created Topics
how to crate a PATC...	Mar/10
wsnpoem audio.dll	Mar/09
suggestions - RE tra...	Mar/09
Requesting Suggestio...	Mar/06
Force enable debug p...	Mar/05
upgrading new image ...	Mar/03
upgrading new image ...	Mar/03
upgrading new image ...	Mar/03
Can some one give me...	Mar/02
Error in generating ...	Feb/28

Recent Forum Posts
wsnpoem audio.dll	zhane
suggestions - RE tra...	Silkut
how to crate a PATC...	Silkut
suggestions - RE tra...	RolfRolles
wsnpoem audio.dll	debbie
Requesting Suggestio...	secursig
Requesting Suggestio...	phn1x
how to get executabl...	RabidCi...
how to get executabl...	RabidCi...
Force enable debug p...	Silkut

Recent Blog Entries
	RolfRolles	Mar/08
Compiler Optimizations for ...
	ReWolf	Mar/04
When memory management goes...
	thesprawler	Feb/20
log1949.txt -- Wondering ho...
	thesprawler	Feb/20
log1949.log -- created on C...
	thesprawler	Feb/17
Trying to reverse the firmw...
More ...

Recent Blog Comments
	Boken on:	Mar/12
Compiler Optimizations for ...
	wildinto on:	Mar/10
Compiler Optimizations for ...
	Orr on:	Mar/10
Compiler Optimizations for ...
	bughoho on:	Mar/09
Compiler Optimizations for ...
	cliffwolf on:	Mar/08
Compiler Optimizations for ...
More ...

Imagery

SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit