Vulnerability Development mailing list archives
intercept nt/2k kernel api?
From: Oleg K.Artemjev <olli () rbauto ru>
Date: Tue, 20 Apr 2004 12:50:15 +0400
Hello, folks. I have mostly theoretical questions, please excuse possible mistakes/stupidity, since I'm not using Windows often and I'm not a programmer, just a person who wishes to understand some security-related things. Currently, I'm interested in a brief understanding of NT/2k rootkit builder problems. Say, I'm already running in W2K as a VxD or so. AFAIK this is kernel mode. The questions are as follows:

* Can I, already being in kernel mode, intercept Zw* and Nt* functions?
* Can I write to kernel memory being in kernel mode (executable memory)?
* Can I write to kernel memory belonging to another VxD or the kernel itself (data memory)?
* What problems will I meet doing so? (guess, but donno why - at least it'll be an address to play with for a particular function, but mebbe)
* Does M$ really use the non-executable flag for pages in XP Service Pack 2 for the XP kernel and system applications on new AMD 64-bit CPUs?

I'd be glad to see any good URLs with an overview of answers to the above questions. Feel free to deny a post if it's out of topic for vuln-dev.

--
Bye. Olli.
http://olli.digger.org.ru
Current thread:
- Windows Heap Overflow lavmarco (Apr 16)
- Re: Windows Heap Overflow runix (Apr 18)
- Re: Windows Heap Overflow johnny cyberpunk (Apr 19)
- Re: Windows Heap Overflow Douglas Santos (Apr 19)
- intercept nt/2k kernel api? Oleg K . Artemjev (Apr 20)
- Re: intercept nt/2k kernel api? Nicolas RUFF (lists) (Apr 21)
- Re: Windows Heap Overflow runix (Apr 18)