Penetration Testing mailing list archives

Re: Running Ring3 command from Ring0 in Windows?


From: "H D Moore" <sflist () digitaloffense net>
Date: Thu, 04 Jun 2009 23:22:48 -0500

On Thu, 04 Jun 2009 22:29:51 -0500, Jun Koi <junkoi2004 () gmail com> wrote:

It is quite clear: we can inject code from kernel to userspace using
the stager you pointed out. However, the question remains: after
that, how is the shellcode (in userspace) triggered?


The comments explain most of it. Basically, the ring0 code hooks the system call entrypoint to point to its own stub. This entry point is called by every process that calls any system call. The stub then tries to determine whether the calling process is the target (lsass.exe is default). If the target process name matches, we reset the syscall hook and run the code in the target process. This means that one of the target process's threads is randomly hijacked to run our code instead of what it was trying to do (call a system call). The lsass.exe target was chosen because it has many threads and frequently hits the system call entry point; other services work too (spools.exe), but you have to wait for them to execute a system call to get your code injected.

-HD
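The mechanism HD describes leaves a detectable trace: while the hook is in place, the CPU's system call entry register (IA32_SYSENTER_EIP on 32-bit, IA32_LSTAR on x64) no longer points into ntoskrnl.exe. The following check is an added example written for this archive page, not code from HD or from the stager discussed in the thread. Reading an MSR needs ring 0, so a real detector would call __readmsr() from a driver and walk the loaded-module list; here the module table and the MSR values are constructed sample data, and the module names and addresses are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* MSR numbers from the Intel SDM. Reading them is privileged, so the
 * value passed to check_syscall_entry() below must come from a driver. */
#define IA32_SYSENTER_EIP 0x176
#define IA32_LSTAR        0xC0000082

/* One loaded kernel module as a detector would enumerate it. */
typedef struct {
    const char *name;
    uint64_t    base;
    uint64_t    size;
} kmodule_t;

enum entry_state {
    ENTRY_OK = 0,             /* entry points into ntoskrnl: expected  */
    ENTRY_HOOKED_MODULE = 1,  /* entry points into some other driver   */
    ENTRY_HOOKED_UNBACKED = 2 /* entry points where no module is mapped */
};

/* Constructed sample module list (hypothetical names and addresses). */
static const kmodule_t SAMPLE_MODULES[] = {
    { "ntoskrnl.exe", 0xFFFFF80000000000ULL, 0x00600000ULL },
    { "hal.dll",      0xFFFFF80000600000ULL, 0x00080000ULL },
    { "unknown.sys",  0xFFFFF88001000000ULL, 0x00010000ULL },
};
#define SAMPLE_MODULE_COUNT (sizeof SAMPLE_MODULES / sizeof SAMPLE_MODULES[0])

/* Return the module whose image range covers addr, or NULL. */
static const kmodule_t *find_module(const kmodule_t *mods, size_t n, uint64_t addr)
{
    for (size_t i = 0; i < n; i++)
        if (addr >= mods[i].base && addr < mods[i].base + mods[i].size)
            return &mods[i];
    return NULL;
}

/* Classify the current syscall entry address. On an unhooked system it
 * lands inside ntoskrnl.exe; anything else means the entry point has been
 * redirected. *owner receives the covering module name (or NULL). */
enum entry_state check_syscall_entry(uint64_t entry, const kmodule_t *mods,
                                     size_t n, const char **owner)
{
    const kmodule_t *m = find_module(mods, n, entry);
    if (owner)
        *owner = m ? m->name : NULL;
    if (!m)
        return ENTRY_HOOKED_UNBACKED;
    if (strcmp(m->name, "ntoskrnl.exe") == 0)
        return ENTRY_OK;
    return ENTRY_HOOKED_MODULE;
}

/* A transient hook (reset as soon as it fires, as in the thread) can be
 * missed by a single read, so also compare against a boot-time baseline. */
int entry_differs_from_baseline(uint64_t baseline, uint64_t current)
{
    return baseline != current;
}

int main(void)
{
    /* Constructed MSR readings; a driver would supply __readmsr(IA32_LSTAR). */
    const uint64_t readings[] = {
        0xFFFFF80000102F00ULL, /* inside ntoskrnl.exe  */
        0xFFFFF88001000400ULL, /* inside unknown.sys   */
        0xFFFFF88002000000ULL, /* no module covers it  */
    };
    for (size_t i = 0; i < 3; i++) {
        const char *owner = NULL;
        enum entry_state s = check_syscall_entry(readings[i], SAMPLE_MODULES,
                                                 SAMPLE_MODULE_COUNT, &owner);
        printf("entry %#llx -> state %d (%s)\n",
               (unsigned long long)readings[i], (int)s, owner ? owner : "unbacked");
    }
    return 0;
}
```

Because the stub in the thread removes its hook the moment the target process hits it, a one-off read can come back clean; polling the MSR and diffing against the value recorded at boot catches the window in which it was redirected, and a name match alone should not be trusted without also checking the module's image bounds.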
