Vulnerability Development mailing list archives
intercept nt/2k kernel api?
From: Oleg K.Artemjev <olli () rbauto ru>
Date: Tue, 20 Apr 2004 12:50:15 +0400
Hello, folks.
I've mostly teoretical questions, please excuse possbile mistakes/stupidity, since I'm not
using windows oftenly & I'm not a programmer, just a person who wish to understand some
security-related things, currently, I'm interested in brief understanding of nt/2k
rootkit builder problems.
Say, I'm already running in w2k as a vxd or so. AFAIK this is kernel mode. The questions are as follows:
*. Can I already being in kernel mode intercept Zw* and Nt* functions?
*. Can I write to kernel memory being in kernel mode (executable memory)?
*. Can I write to kernel memory belonging to another vxd or kernel itself (data memory)?
*. What are problems I'll meet to do so? (guess, but donno why - at least it'll be address to play w/
for particular function, but mebbe)
*. Does M$ really use non-executable flag for pages in XP service pack 2 for XP kernel and system applications on
new amd 64bit cpus?
I'd be glad to see any good urls with overview of answers on above questions. Feel free to deny a post if it's out of
topic for vuln-dev.
--
Bye.Olli. http://olli.digger.org.ru
Current thread:
- Windows Heap Overflow lavmarco (Apr 16)
- Re: Windows Heap Overflow runix (Apr 18)
- Re: Windows Heap Overflow johnny cyberpunk (Apr 19)
- <Possible follow-ups>
- Re: Windows Heap Overflow Douglas Santos (Apr 19)
- intercept nt/2k kernel api? Oleg K . Artemjev (Apr 20)
- Re: intercept nt/2k kernel api? Nicolas RUFF (lists) (Apr 21)
- intercept nt/2k kernel api? Oleg K . Artemjev (Apr 20)
- Re: Windows Heap Overflow runix (Apr 18)