Flag: Tornado! Hurricane!

Blogs >> j00ru's Blog

Created: Saturday, January 16 2010 19:01.29 CST  
Printer Friendly ...
GDT / LDT Windows Kernel Exploitation article
Author: j00ru # Views: 2422

Hi,

A few weeks ago, me and Gynvael had a chance to dive into the Global/Local Descriptor Table management in 32-bit Windows, and how it can be used to accomplish something, in the context of write-what-where ring-0 exploitation.

To sum-up everything we've came across during this research, a "GDT and LDT in Windows kernel vulnerability exploitation" paper was created.

Table of Contents:
1. Abstract
2. The need of a stable exploit path
3. Windows GDT and LDT
4. Creating a Call-Gate entry in LDT
4.1. 4-byte write-what-where exploitation
4.2. 1-byte write-what-where exploitation
4.3. Custom LDT goes User Mode
5. Summary
+ References
+ Attachments

My blog entry: http://j00ru.vexillium.org/?p=290&lang=en
Gynvael blog:  http://gynvael.coldwind.pl/?id=274

The article itself: http://vexillium.org/dl.php?call_gate_exploitation.pdf

Have fun!


Blog Comments
DelightedZuk Posted: Sunday, January 31 2010 10:15.42 CST
Good read. thanks.



Add New Comment
Comment:









Active in Last 5 Minutes
excavationfondations
bigines

There are 21,678 total registered users.


Recently Created Topics
PyEmu error when cal...
Sep/02
Restore Themida/Winl...
Sep/02
Anti-olly technique
Aug/30
RAR Password
Aug/29
Heap protection on W...
Aug/23
Why Inline asm in C+...
Aug/20
Bypassing OllyAdvance
Aug/17
Error in logic for g...
Aug/17
Has anyone seen this...
Aug/17
ARM Executable - Pat...
Aug/16


Recent Forum Posts
reverse engineering ...
raiden56
pydbg, memory breakp...
Researc...
RAR Password
Ineedhelp
RAR Password
cod
Heap protection on W...
voila
Heap protection on W...
j00ru
Heap protection on W...
voila
Heap protection on W...
j00ru
Heap protection on W...
psylocn
Why Inline asm in C+...
ronnie2...


Recent Blog Entries
meshmesh
Sep/01
Is it legal??

waleedassar
Aug/30
Anti-olly technique

QvasiModo
Aug/24
WinAppDbg 1.4 is out!

artemblagodarenko
Aug/18
Dataflow-0.2.0 released. Ne...

grzonu
Aug/17
Bypassing OllyAdvanced

More ...


Recent Blog Comments
tosanjay on:
Sep/02
PyEmu 0.0.2

GynvaelColdwind on:
Sep/01
Is it legal??

PeterFerrie on:
Aug/31
Anti-olly technique

dennis on:
Aug/26
Dr. Gadget IDAPython plugin

halsten on:
Aug/19
Dataflow-0.2.0 released. Ne...

More ...


Imagery
SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit