Vulnerability Development mailing list archives

Re: intercept nt/2k kernel api?


From: <auto349979 () hushmail com>
Date: Tue, 20 Apr 2004 11:52:38 -0700


comments inline

On Tue, 20 Apr 2004 01:50:15 -0700 "Oleg K.Artemjev" <olli () rbauto ru>
wrote:
> Hello, folks.
>
> I've mostly theoretical questions, please excuse possible mistakes/stupidity,
> since I'm not using windows often & I'm not a programmer, just a person who
> wishes to understand some security-related things. Currently, I'm interested
> in a brief understanding of nt/2k rootkit builder problems.
>
> Say, I'm already running in w2k as a vxd or so. AFAIK this is kernel
> mode. The questions are as follows:

First note, you probably mean sys as opposed to vxd.  These really aren't
supposed to be used in the newer releases of Windows.

> *. Can I, already being in kernel mode, intercept Zw* and Nt* functions?

Yes, fairly easily actually.  Greg Hoglund has some sample code on rootkit.com
(the basic files) that will do exactly this.  Most of the time you are
going to want to intercept the Zw calls.

> *. Can I write to kernel memory being in kernel mode (executable
> memory)?

Yes, but it isn't trivial.  \Device\PhysicalMemory is probably what you
are going to want to play with.  Even with this, you still have to figure
out the physical-virtual mappings to really do what you are asking.  There's
a Phrack article on this: Playing with windows /dev/(k)mem (Phrack 59-16).

> *. Can I write to kernel memory belonging to another vxd or kernel
> itself (data memory)?
> *. What are the problems I'll meet doing so? (guess, but donno why -
> at least it'll be address to play w/ for particular function, but mebbe)

Lots of blue screens ;)

> *. Does M$ really use non-executable flag for pages in XP service
> pack 2 for XP kernel and system applications on new amd 64bit cpus?

Not sure, if they do it doesn't work ;)

> I'd be glad to see any good urls with overview of answers on above
> questions. Feel free to deny a post if it's out of topic for vuln-dev.

www.rootkit.com & google searches on windows + rootkits

> --
> Bye.Olli.                      http://olli.digger.org.ru








