Vulnerability Development mailing list archives
Re: intercept nt/2k kernel api?
From: <auto349979 () hushmail com>
Date: Tue, 20 Apr 2004 11:52:38 -0700
comments inline

On Tue, 20 Apr 2004 01:50:15 -0700 "Oleg K.Artemjev" <olli () rbauto ru> wrote:
> Hello, folks. I've mostly theoretical questions, please excuse possible mistakes/stupidity,
> since I'm not using windows often & I'm not a programmer, just a person who wishes to understand some security-related things. Currently, I'm interested in a brief understanding of nt/2k rootkit builder problems. Say, I'm already running in w2k as a vxd or so. AFAIK this is kernel mode. The questions are as follows:
First note, you probably mean sys as opposed to vxd. These really aren't supposed to be used in the newer releases of Windows.
> *. Can I, already being in kernel mode, intercept Zw* and Nt* functions?
Yes, fairly easily actually. Greg Hoglund has some sample code on rootkit.com (the basic files) that will do exactly this. Most of the time you are going to want to intercept the Zw calls.
> *. Can I write to kernel memory being in kernel mode (executable memory)?
Yes, but it isn't trivial. Device\PhysicalMemory is probably what you are going to want to play with. Even with this, you still have to figure out the physical-virtual mappings to really do what you are asking. There's a phrack article on this: Playing with windows /dev/(k)mem (phrack 59-16)
> *. Can I write to kernel memory belonging to another vxd or kernel itself (data memory)?
> *. What are problems I'll meet to do so? (guess, but donno why - at least it'll be address to play w/ for particular function, but mebbe)
Lots of blue screens ;)
> *. Does M$ really use non-executable flag for pages in XP service pack 2 for XP kernel and system applications on new amd 64bit cpus?
Not sure, if they do it doesn't work ;)
> I'd be glad to see any good urls with an overview of answers on the above questions. Feel free to deny a post if it's out of topic for vuln-dev.
www.rootkit.com & google searches on windows + rootkits
> -- Bye.Olli. http://olli.digger.org.ru