OpenRCE

📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.

About Articles Book Store Distributed RCE Downloads Event Calendar Forums Live Discussion Reference Library RSS Feeds Search Users What's New

Customize Theme

Flag: Tornado! Hurricane!

Topic created on: September 21, 2006 04:41 CDT by weiss .

Has anyone here ever used WinDbg kernel debugger to modify the SSDT in order to restore the original entries from ntoskrnl.exe?

i was wondering if it would be possible to write a script or using its extensions for such operation??

i just want to be able to do this manually on a system using a debugger, if possible.

anonymouse		September 21, 2006 09:20.59 CDT
yep sure windbg has a builtin .chkimg it can restore the hooks back to original shadow table entries if you have set up correct symbols paths it can downlaod the right ntoskrnl.exe for your system from ms symbol servers and use it as base for checking also it can spit what was changed including the bytes thats changed etc etc pretty usefull give it a spin check help file for various switches and its uses you can also crank a script to do that with .for_each ()

AlexIonescu		September 21, 2006 21:49.01 CDT
Hi, I Think WinDBG's simple expression parser should be able to do it. The syntax is horrible and I've never really gotten the full hang of it (I just use the helpfile). You can also simply code a WinDBG extension DLL. This is a DLL that will work in WinDBG like a plugin, so you can write !fixup. Alternatively, you can use the Debugging COM Objects through the SDK to write your own standalone tool that does this. The Samples directory in the SDK shows ample examples on how to do this. Best regards, Alex Ionescu

weiss		September 25, 2006 13:33.12 CDT
thanks for response, i'll check these things out. AlexIonescu:reading your paper on subverting windows 2k3 sp1 kernel.not finished yet, so far, very good work!.

Note: Registration is required to post to the forums.

There are 31,328 total registered users.

Recently Created Topics
[help] Unpacking VMP...	Mar/12
Reverse Engineering ...	Jul/06
let 'IDAPython' impo...	Sep/24
set 'IDAPython' as t...	Sep/24
GuessType return une...	Sep/20
About retrieving the...	Sep/07
How to find specific...	Aug/15
How to get data depe...	Jul/07
Identify RVA data in...	May/06
Question about memor...	Dec/12

Recent Forum Posts
Finding the procedur...	rolEYder
Question about debbu...	rolEYder
Identify RVA data in...	sohlow
let 'IDAPython' impo...	sohlow
How to find specific...	hackgreti
Problem with ollydbg	sh3dow
How can I write olly...	sh3dow
New LoadMAP plugin v...	mefisto...
Intel pin in loaded ...	djnemo
OOP_RE tool available?	Bl4ckm4n

Recent Blog Entries
	halsten	Mar/14
Breaking IonCUBE VM
	oleavr	Oct/24
Anatomy of a code tracer
	hasherezade	Sep/24
IAT Patcher - new tool for ...
	oleavr	Aug/27
CryptoShark: code tracer ba...
	oleavr	Jun/25
Build a debugger in 5 minutes
More ...

Recent Blog Comments
	nieo on:	Mar/22
IAT Patcher - new tool for ...
	djnemo on:	Nov/17
Kernel debugger vs user mod...
	acel on:	Nov/14
Kernel debugger vs user mod...
	pedram on:	Dec/21
frida.github.io: scriptable...
	capadleman on:	Jun/19
Using NtCreateThreadEx for ...
More ...

Imagery

SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit