OpenRCE

About Articles Book Store Distributed RCE Downloads Event Calendar Forums Live Discussion Reference Library RSS Feeds Search Users What's New

Customize Theme

Flag: Tornado! Hurricane!

Created: Saturday, January 16 2010 19:01.29 CST

Direct Link, View / Make / Edit Comments

GDT / LDT Windows Kernel Exploitation article

Author:

j00ru

# Views: 3838

Hi,

A few weeks ago, me and Gynvael had a chance to dive into the Global/Local Descriptor Table management in 32-bit Windows, and how it can be used to accomplish something, in the context of write-what-where ring-0 exploitation.

To sum-up everything we've came across during this research, a "GDT and LDT in Windows kernel vulnerability exploitation" paper was created.

Table of Contents:
1. Abstract
2. The need of a stable exploit path
3. Windows GDT and LDT
4. Creating a Call-Gate entry in LDT
4.1. 4-byte write-what-where exploitation
4.2. 1-byte write-what-where exploitation
4.3. Custom LDT goes User Mode
5. Summary
+ References
+ Attachments

My blog entry: http://j00ru.vexillium.org/?p=290&lang=en
Gynvael blog: http://gynvael.coldwind.pl/?id=274

The article itself: http://vexillium.org/dl.php?call_gate_exploitation.pdf

Have fun!

Created: Monday, January 4 2010 16:24.30 CST

Modified: Monday, January 4 2010 16:27.29 CST

Direct Link, View / Make / Edit Comments

x86 Kernel Memory Space Visualization

Author:

j00ru

# Views: 3093

Hello!

Just a quick info: recently I have been playing a little bit with retrieving kernel-mode addresses from the application (ring-3) level. The first result of this small research is a visualization tool called KernelMAP v0.0.1, that aims to gather as much information about the kernel memory layout as possible and present it to the user in somewhat attractive manner.

You can find more information on my blog, HERE.

Some screenshots of the app:

Created: Wednesday, November 11 2009 11:59.35 CST

Direct Link, View / Make / Edit Comments

WIN32k.SYS System Call Table

Author:

j00ru

# Views: 4145

Hi,

I have recently created a pre-alpha version of a Windows graphical syscall table. As for now, it contains more or less the latest Windows versions, however the list is going to be continuously supplemented with new data.

You can read more @ my original blog post: http://j00ru.vexillium.org/?p=257&lang=en

Have fun!

Created: Sunday, August 30 2009 07:19.09 CDT

Direct Link, View / Make / Edit Comments

TraceHook v0.0.1 release

Author:

j00ru

# Views: 3939

I have recently released a small project called TraceHook.
It is supposed to control the CreateProcess/TerminateProcess events and dump the desired processes if marked as malware, from kernel-mode.

There is still really much to do, but still I wanted to share the current piece of code - any comments are very welcome!

You can read more about it on my blog ;>

Created: Monday, January 28 2008 12:01.33 CST

Modified: Monday, January 28 2008 12:02.17 CST

Direct Link, View / Make / Edit Comments

FPU Tracer v0.0.1 released

Author:

j00ru

# Views: 5678

Hello,

Now the time has come for another post ;-)
I want to present a tool written by myself, in the original purpose, to help me with solving the HackerChallenge Phase3 - reversing the target executable ;>
But as some people found it a useful program, I decided to fix some known bugs and implement new features.

The main aim of Float Tracer is to monitor the specific process' execution and log the occurences of FPU instructions, showing its dissassembly, address, optionally modified STx value etc.
It can also mark the immediate values you specify, as well as instructions, value ranges of ST0-ST7 registers and so on ;>

As for now, it's a closed-source project. If anyone would be interested in my further development, I'll rewrite most of the code (to make it look like and work better), fix reported bugs, add some new options and generally publish the sources.
What is important - keep in mind it is 0.0.1 version, so I'm sure it must have a number of bugs. In case of you finding one, just mail me ;>

The package can be downloaded from: http://vexillium.org/?sec

Aaaand some screenshots, of course (trace working on Phase1 and Phase3 HC executables ;-))

Archived Entries for j00ru

Subject	# Views	Created On
Virtual Machine detection method cd.	5305	Sunday, January 20 2008
Old new Virtual Machine detection method.	5889	Wednesday, January 16 2008
Hello world	3808	Friday, January 11 2008

There are 28,212 total registered users.

Recently Created Topics
Reverse Engineering ...	Jan/23
Career: DoD Agency I...	Jan/22
"Disappearing&q...	Jan/17
Career: Software Sec...	Jan/11
Where is the call st...	Jan/07
IDA Pro 6.1 Breakpoi...	Jan/01
How to create data s...	Dec/30
can i search all mod...	Dec/23
IDA symbol table exp...	Dec/20
An anti-attach trick	Dec/17

Recent Forum Posts
Reverse Engineering ...	NirIzr
"Disappearing&q...	NirIzr
Reverse Engineering ...	charlie
"Disappearing&q...	charlie
An anti-attach trick	Bass
An anti-attach trick	waleeda...
An anti-attach trick	Bass
An anti-attach trick	waleeda...
An anti-attach trick	Bass
Looking for value in...	NirIzr

Recent Blog Entries
	Ludwig	Feb/04
chi on sale
	Ludwig	Feb/04
Monster In The Vicinity Of ...
	Ludwig	Feb/04
Supra footwear Online
	waleedassar	Jan/31
Yet Another Anti-Debug Trick
	RolfRolles	Jan/22
Finding Bugs in VMs with a ...
More ...

Recent Blog Comments
	waleedassar on:	Feb/01
Yet Another Anti-Debug Trick
	NirIzr on:	Jan/31
Yet Another Anti-Debug Trick
	jackchen on:	Jan/10
nike mercurial vapor iii
	waleedassar on:	Dec/27
A new Anti-Olly trick.
	PeterFerrie on:	Dec/27
A new Anti-Olly trick.
More ...

Imagery

SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit