OpenRCE: Blog

GDT / LDT Windows Kernel Exploitation article

Sat, 16 Jan 2010 19:01:29 -0600

Hi,

A few weeks ago, me and Gynvael had a chance to dive into the Global/Local Descriptor Table management in 32-bit Windows, and how it can be used to accomplish something, in the context of write-what-where ring-0 exploitation.

To sum-up everything we've came across during this research, a "GDT and LDT in Windows kernel vulnerability exploitation" paper was created.

Table of Contents:
1. Abstract
2. The need of a stable exploit path
3. Windows GDT and LDT
4. Creating a Call-Gate entry in LDT
4.1. 4-byte write-what-where exploitation
4.2. 1-byte write-what-where exploitation
4.3. Custom LDT goes User Mode
5. Summary
+ References
+ Attachments

My blog entry: http://j00ru.vexillium.org/?p=290&lang=en
Gynvael blog: http://gynvael.coldwind.pl/?id=274

The article itself: http://vexillium.org/dl.php?call_gate_exploitation.pdf

Have fun!

x86 Kernel Memory Space Visualization

Mon, 04 Jan 2010 16:24:30 -0600

Hello!

Just a quick info: recently I have been playing a little bit with retrieving kernel-mode addresses from the application (ring-3) level. The first result of this small research is a visualization tool called KernelMAP v0.0.1, that aims to gather as much information about the kernel memory layout as possible and present it to the user in somewhat attractive manner.

You can find more information on my blog, HERE.

Some screenshots of the app:

WIN32k.SYS System Call Table

Wed, 11 Nov 2009 11:59:35 -0600

Hi,

I have recently created a pre-alpha version of a Windows graphical syscall table. As for now, it contains more or less the latest Windows versions, however the list is going to be continuously supplemented with new data.

You can read more @ my original blog post: http://j00ru.vexillium.org/?p=257&lang=en

Have fun!

TraceHook v0.0.1 release

Sun, 30 Aug 2009 07:19:09 -0500

I have recently released a small project called TraceHook.
It is supposed to control the CreateProcess/TerminateProcess events and dump the desired processes if marked as malware, from kernel-mode.

There is still really much to do, but still I wanted to share the current piece of code - any comments are very welcome!

You can read more about it on my blog ;>

FPU Tracer v0.0.1 released

Mon, 28 Jan 2008 12:01:33 -0600

Hello,

Now the time has come for another post ;-)
I want to present a tool written by myself, in the original purpose, to help me with solving the HackerChallenge Phase3 - reversing the target executable ;>
But as some people found it a useful program, I decided to fix some known bugs and implement new features.

The main aim of Float Tracer is to monitor the specific process' execution and log the occurences of FPU instructions, showing its dissassembly, address, optionally modified STx value etc.
It can also mark the immediate values you specify, as well as instructions, value ranges of ST0-ST7 registers and so on ;>

As for now, it's a closed-source project. If anyone would be interested in my further development, I'll rewrite most of the code (to make it look like and work better), fix reported bugs, add some new options and generally publish the sources.
What is important - keep in mind it is 0.0.1 version, so I'm sure it must have a number of bugs. In case of you finding one, just mail me ;>

The package can be downloaded from: http://vexillium.org/?sec

Aaaand some screenshots, of course (trace working on Phase1 and Phase3 HC executables ;-))