OpenRCE

About Articles Book Store Distributed RCE Downloads Event Calendar Forums Live Discussion Reference Library RSS Feeds Search Store Users What's New

Customize Theme

Flag: Tornado! Hurricane!

Created: Saturday, January 16 2010 19:01.29 CST

Direct Link, View / Make / Edit Comments

GDT / LDT Windows Kernel Exploitation article

Author:

j00ru

# Views: 819

Hi,

A few weeks ago, me and Gynvael had a chance to dive into the Global/Local Descriptor Table management in 32-bit Windows, and how it can be used to accomplish something, in the context of write-what-where ring-0 exploitation.

To sum-up everything we've came across during this research, a "GDT and LDT in Windows kernel vulnerability exploitation" paper was created.

Table of Contents:
1. Abstract
2. The need of a stable exploit path
3. Windows GDT and LDT
4. Creating a Call-Gate entry in LDT
4.1. 4-byte write-what-where exploitation
4.2. 1-byte write-what-where exploitation
4.3. Custom LDT goes User Mode
5. Summary
+ References
+ Attachments

My blog entry: http://j00ru.vexillium.org/?p=290&lang=en
Gynvael blog: http://gynvael.coldwind.pl/?id=274

The article itself: http://vexillium.org/dl.php?call_gate_exploitation.pdf

Have fun!

Created: Monday, January 4 2010 16:24.30 CST

Modified: Monday, January 4 2010 16:27.29 CST

Direct Link, View / Make / Edit Comments

x86 Kernel Memory Space Visualization

Author:

j00ru

# Views: 1046

Hello!

Just a quick info: recently I have been playing a little bit with retrieving kernel-mode addresses from the application (ring-3) level. The first result of this small research is a visualization tool called KernelMAP v0.0.1, that aims to gather as much information about the kernel memory layout as possible and present it to the user in somewhat attractive manner.

You can find more information on my blog, HERE.

Some screenshots of the app:

Created: Wednesday, November 11 2009 11:59.35 CST

Direct Link, View / Make / Edit Comments

WIN32k.SYS System Call Table

Author:

j00ru

# Views: 1908

Hi,

I have recently created a pre-alpha version of a Windows graphical syscall table. As for now, it contains more or less the latest Windows versions, however the list is going to be continuously supplemented with new data.

You can read more @ my original blog post: http://j00ru.vexillium.org/?p=257&lang=en

Have fun!

Created: Sunday, August 30 2009 07:19.09 CDT

Direct Link, View / Make / Edit Comments

TraceHook v0.0.1 release

Author:

j00ru

# Views: 2337

I have recently released a small project called TraceHook.
It is supposed to control the CreateProcess/TerminateProcess events and dump the desired processes if marked as malware, from kernel-mode.

There is still really much to do, but still I wanted to share the current piece of code - any comments are very welcome!

You can read more about it on my blog ;>

Created: Monday, January 28 2008 12:01.33 CST

Modified: Monday, January 28 2008 12:02.17 CST

Direct Link, View / Make / Edit Comments

FPU Tracer v0.0.1 released

Author:

j00ru

# Views: 4150

Hello,

Now the time has come for another post ;-)
I want to present a tool written by myself, in the original purpose, to help me with solving the HackerChallenge Phase3 - reversing the target executable ;>
But as some people found it a useful program, I decided to fix some known bugs and implement new features.

The main aim of Float Tracer is to monitor the specific process' execution and log the occurences of FPU instructions, showing its dissassembly, address, optionally modified STx value etc.
It can also mark the immediate values you specify, as well as instructions, value ranges of ST0-ST7 registers and so on ;>

As for now, it's a closed-source project. If anyone would be interested in my further development, I'll rewrite most of the code (to make it look like and work better), fix reported bugs, add some new options and generally publish the sources.
What is important - keep in mind it is 0.0.1 version, so I'm sure it must have a number of bugs. In case of you finding one, just mail me ;>

The package can be downloaded from: http://vexillium.org/?sec

Aaaand some screenshots, of course (trace working on Phase1 and Phase3 HC executables ;-))

Archived Entries for j00ru

Subject	# Views	Created On
Virtual Machine detection method cd.	4885	Sunday, January 20 2008
Old new Virtual Machine detection method.	4994	Wednesday, January 16 2008
Hello world	3403	Friday, January 11 2008

Active in Last 5 Minutes
	hugo
	Wannabe

There are 15,871 total registered users.

Recently Created Topics
Career: Technical Pr...	Feb/04
Help needed with: ge...	Feb/04
A question regarding...	Feb/01
Compiler infector an...	Jan/29
Yahoo autoupdater vi...	Jan/27
Solidshield VM Analyse	Jan/27
Tuto about unpacking...	Jan/25
IDA Pro plugins don'...	Jan/20
Bug -- proc_peek_rec...	Jan/17
SYSTEM_INFORMATION_C...	Jan/16

Recent Forum Posts
IDA Pro plugins don'...	Cluster
RECON	hugo
A question regarding...	ronnie2...
A question regarding...	lallous
A question regarding...	detlef
RECON	hugo
Tuto about unpacking...	jumpzero
Yahoo autoupdater vi...	invisghost
Kindle for PC DRM	clarknova
Stack tracing with I...	Hanumaan

Recent Blog Entries
	mjobin	Feb/08
Malware Research Analyst Op...
	lin0xx	Feb/04
User-supplied Array Index E...
	cyphunk	Feb/03
JTAG Enumeration (tool)
	dragula	Jan/29
Reversing compiler infector...
	GynvaelColdwind	Jan/26
The tale of Syndicate Wars ...
More ...

Recent Blog Comments
	cyphunk on:	Feb/03
JTAG Enumeration (tool)
	GynvaelColdwind on:	Feb/03
JTAG Enumeration (tool)
	suirp on:	Feb/02
Administrator account VS. S...
	DelightedZuk on:	Jan/31
GDT / LDT Windows Kernel Ex...
	DelightedZuk on:	Jan/31
Administrator account VS. S...
More ...

Imagery

SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit