Running Ring3 command from Ring0 in Windows?

[Jun Koi <junkoi2004 () gmail com>]

Hi,

I am looking for a way to execute Ring3 command (for ex, "net user
passwd" to change password of an user) from Ring0 of Windows.

The motivation of this is that I can exploit Windows kernel, and can
execute my code there. So far so good. But I am not content with
executing in Ring0 only, and want to run some code in Ring3, too. The
code can be injected by me, or I just simply run an existent command
tool (like cmd.exe)

Could anybody recommend any technique to achieve this?

(I am on Windows XP, but generic techniques that can also work on
other version of Windows are even more appreciated :-)

Thanks a lot,
J

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------