About
Articles
Book Store
Distributed RCE
Downloads
Event Calendar
Forums
Live Discussion
Reference Library
RSS Feeds
Search
Users
What's New
Customize Theme
bluegrey
blackgreen
metal
simple
Flag:
Tornado!
Hurricane!
Login:
Password:
Remember Me
Register
Blogs
>>
j00ru
's Blog
Created: Saturday, January 16 2010 19:01.29 CST
Printer Friendly ...
GDT / LDT Windows Kernel Exploitation article
Author:
j00ru
# Views:
3845
Hi,
A few weeks ago, me and Gynvael had a chance to dive into the Global/Local Descriptor Table management in 32-bit Windows, and how it can be used to accomplish something, in the context of write-what-where ring-0 exploitation.
To sum-up everything we've came across during this research, a "GDT and LDT in Windows kernel vulnerability exploitation" paper was created.
Table of Contents:
1. Abstract
2. The need of a stable exploit path
3. Windows GDT and LDT
4. Creating a Call-Gate entry in LDT
4.1. 4-byte write-what-where exploitation
4.2. 1-byte write-what-where exploitation
4.3. Custom LDT goes User Mode
5. Summary
+ References
+ Attachments
My blog entry:
http://j00ru.vexillium.org/?p=290&lang=en
Gynvael blog:
http://gynvael.coldwind.pl/?id=274
The article itself:
http://vexillium.org/dl.php?call_gate_exploitation.pdf
Have fun!
Blog Comments
DelightedZuk
Posted: Sunday, January 31 2010 10:15.42 CST
Good read. thanks.
Add New Comment
Comment:
There are
28,220
total registered users.
Recently Created Topics
Reverse Engineering ...
Jan/23
Career: DoD Agency I...
Jan/22
"Disappearing&q...
Jan/17
Career: Software Sec...
Jan/11
Where is the call st...
Jan/07
IDA Pro 6.1 Breakpoi...
Jan/01
How to create data s...
Dec/30
can i search all mod...
Dec/23
IDA symbol table exp...
Dec/20
An anti-attach trick
Dec/17
Recent Forum Posts
Reverse Engineering ...
NirIzr
"Disappearing&q...
NirIzr
Reverse Engineering ...
charlie
"Disappearing&q...
charlie
An anti-attach trick
Bass
An anti-attach trick
waleeda...
An anti-attach trick
Bass
An anti-attach trick
waleeda...
An anti-attach trick
Bass
Looking for value in...
NirIzr
Recent Blog Entries
waleedassar
Feb/06
OllyDbg v1.10 And Hardware ...
waleedassar
Jan/31
Yet Another Anti-Debug Trick
RolfRolles
Jan/22
Finding Bugs in VMs with a ...
waleedassar
Jan/13
An OllyDbg Bug Disables Sof...
waleedassar
Jan/01
Another OllyDbg Anti-Debug ...
More ...
Recent Blog Comments
NirIzr
on:
Feb/05
Yet Another Anti-Debug Trick
trolotou
on:
Feb/05
Doudoune Moncler -Pennies F...
waleedassar
on:
Feb/01
Yet Another Anti-Debug Trick
NirIzr
on:
Jan/31
Yet Another Anti-Debug Trick
jackchen
on:
Jan/10
nike mercurial vapor iii
More ...
Imagery
SoySauce Blueprint
Jun 6, 2008
[+] expand
View Gallery
(11) /
Submit