GDT / LDT Windows Kernel Exploitation article
Hi,

A few weeks ago, Gynvael and I had a chance to dive into Global/Local Descriptor Table management in 32-bit Windows, and how it can be used to accomplish something in the context of write-what-where ring-0 exploitation. To sum up everything we came across during this research, a "GDT and LDT in Windows kernel vulnerability exploitation" paper was created.

Table of Contents:

1. Abstract
2. The need of a stable exploit path
3. Windows GDT and LDT
4. Creating a Call-Gate entry in LDT
4.1. 4-byte write-what-where exploitation
4.2. 1-byte write-what-where exploitation
4.3. Custom LDT goes User Mode
5. Summary
+ References
+ Attachments

My blog entry: http://j00ru.vexillium.org/?p=290&lang=en
Gynvael's blog: http://gynvael.coldwind.pl/?id=274
The article itself: http://vexillium.org/dl.php?call_gate_exploitation.pdf

Have fun!