Penetration Testing mailing list archives

Re: Running Ring3 command from Ring0 in Windows?


From: Jeffrey Walton <noloader () gmail com>
Date: Wed, 3 Jun 2009 22:50:56 -0400

Hi Jun,

OSR or microsoft.public.win32.programmer.kernel might generate more responses.

NtCreateProcess and the native Ps* functions should be of interest.
Unfortunately, my knowledge of the way software components interact is
based more on a standard Windows model. For example, a driver and a
user-land program communicating through standard IPC such as sockets,
completion ports, memory sections and signaling with events, etc.

Perhaps Hoglund or McGraw have written something interesting on
rootkits that may pique your interest.

Jeff

On 6/3/09, Jun Koi <junkoi2004 () gmail com> wrote:
> Hi,
>
> I am looking for a way to execute a Ring3 command (for example, "net user
> passwd" to change the password of a user) from Ring0 of Windows.
>
> The motivation for this is that I can exploit the Windows kernel, and can
> execute my code there. So far so good. But I am not content with
> executing in Ring0 only, and want to run some code in Ring3, too. The
> code can be injected by me, or I just simply run an existing command
> tool (like cmd.exe).
>
> Could anybody recommend any technique to achieve this?
>
> (I am on Windows XP, but generic techniques that can also work on
> other versions of Windows are even more appreciated :-)
>
> Thanks a lot,
> J

