Vulnerability Development mailing list archives
Re: intercept nt/2k kernel api?
From: "Nicolas RUFF (lists)" <ruff.lists () edelweb fr>
Date: Tue, 20 Apr 2004 19:09:48 +0200
Say, I'm already running in w2k as a vxd or so. AFAIK this is kernel mode. The questions are as follows:

* Can I, already being in kernel mode, intercept Zw* and Nt* functions?
* Can I write to kernel memory, being in kernel mode (executable memory)?
* Can I write to kernel memory belonging to another vxd or the kernel itself (data memory)?
* What problems will I meet doing so? (guess, but don't know why - at least it'll be the address to play with for a particular function, but maybe)
* Does M$ really use the non-executable flag for pages in XP Service Pack 2 for the XP kernel and system applications on new AMD 64-bit CPUs?
1/ Yes

Basically, NTDLL functions are in charge of setting up parameters and calling the right kernel service through the following ASM code:

    MOV EAX, _syscall_number
    INT 0x2E

So if you are already in kernel mode you can receive the call by patching the "syscall table" (KiSystemServiceTable). I guess "1 Nt* function" = "1 INT 0x2E", but I remember there might be exceptions.

More info: http://www.sysinternals.com/ntw2k/info/ntdll.shtml
See strace for Windows: http://razor.bindview.com/tools/desc/strace_readme.html

2/ Of course

If your code is a ".VXD" or a ".SYS", it runs at "ring 0" privilege level and can use all descriptors marked as "ring 0"-usable. Everything should be transparent for your application. The trick is that if your IRQ_LEVEL is high, you should check whether the destination memory page is physically in memory or has been swapped out, because you might run at a higher level than the swapper and cause a BSoD "IRQ_NOT_LESS_OR_EQUAL" :-(

3/ Yes

All memory ranging from 0x80000000 to 0xFFFFFFFF is accessible from kernel code. If you boot with the /3GB switch, kernel memory ranges from 0xC0000000 to 0xFFFFFFFF. Of course you still cannot write to a segment marked as "read only"! (MOV CS:[_var],XXX will fail)

4/ Many problems :-)

IRQ_LEVEL is one of the most tricky, but you should also pay attention to the fact that kernel threads are interruptible; you should consider using asynchronous procedure calls for computation-intensive threads, etc.

If it was really easy, there would be fewer drivers crashing and fewer BSoDs :-)

5/ Yes

I did not check myself because I do not have such a CPU, but (as of XP SP2 RC1) you can enforce non-executable user pages globally or on a per-program basis. Time to upgrade to "level 2" shellcodes :-)

You will find nice code samples in the "Undocumented Windows 2000 Secrets" book.
http://www.orgon.com/w2k_internals/

Regards,
- Nicolas RUFF
-----------------------------------
Security Consultant
EdelWeb (http://www.edelweb.fr/)
Mail : nicolas.ruff () edelweb fr
-----------------------------------
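Editor's note: the following is an added example, not code from the original post or from either correspondent. It is a user-mode C simulation of the "patch the syscall table" technique described in answer 1/: the system service table is modelled as an array of function pointers indexed by the number ntdll loads into EAX before INT 0x2E, a dispatcher stands in for KiSystemService, and a hook is installed by saving the original entry and replacing it with a wrapper that records the call and then passes through to the original. Every name beginning with `sim_`, the service number 0x64 and the table size are hypothetical; nothing here touches a real kernel, and the write-protection and IRQL issues raised in answers 2/ and 3/ are only noted in comments.

```c
/* Added example (not from the original mailing-list post): user-mode
 * simulation of hooking an entry in the NT system service table.
 * All "sim_" names, the service number and the table size are hypothetical. */
#include <stdio.h>
#include <string.h>

#define SIM_SYSCALL_OPEN_FILE  0x64   /* hypothetical service number */
#define SIM_SYSCALL_COUNT      0x100  /* hypothetical table size */
#define SIM_LOG_ENTRIES        8

/* Every service takes one opaque argument, standing in for the Nt* stack frame. */
typedef long (*sim_service_fn)(const char *arg);

/* Simulated service descriptor: base pointer of the table plus entry count. */
struct sim_service_table {
    sim_service_fn *base;
    unsigned count;
};

static sim_service_fn sim_table_storage[SIM_SYSCALL_COUNT];
static struct sim_service_table sim_ssdt = { sim_table_storage, SIM_SYSCALL_COUNT };

/* Simulated original kernel service: returns the path length as a fake status. */
static long sim_nt_open_file(const char *path)
{
    return (long)strlen(path);
}

/* Stand-in for KiSystemService: dispatch on the number that was in EAX. */
static long sim_dispatch(unsigned number, const char *arg)
{
    if (number >= sim_ssdt.count || sim_ssdt.base[number] == NULL)
        return -1;   /* stand-in for STATUS_INVALID_SYSTEM_SERVICE */
    return sim_ssdt.base[number](arg);
}

/* Hook state: the saved original entry and a log of intercepted calls. */
static sim_service_fn sim_orig_open_file;
static char sim_log[SIM_LOG_ENTRIES][64];
static unsigned sim_log_count;

/* Replacement service: log the argument, then call the saved original so the
 * caller still gets the real result (a transparent pass-through hook). */
static long sim_hook_open_file(const char *path)
{
    if (sim_log_count < SIM_LOG_ENTRIES)
        snprintf(sim_log[sim_log_count++], sizeof sim_log[0], "NtOpenFile(%s)", path);
    return sim_orig_open_file(path);
}

/* Install the hook: save the original pointer, overwrite the table slot.
 * On a real NT kernel the table page is read-only even from ring 0, so a
 * driver must first make it writable (for example by clearing CR0.WP or
 * remapping the page through an MDL); that step is not modelled here.
 * Returns 1 if installed, 0 if already installed. */
static int sim_hook_install(void)
{
    if (sim_orig_open_file != NULL)
        return 0;
    sim_orig_open_file = sim_ssdt.base[SIM_SYSCALL_OPEN_FILE];
    sim_ssdt.base[SIM_SYSCALL_OPEN_FILE] = sim_hook_open_file;
    return 1;
}

/* Remove the hook by restoring the saved entry (what a driver does on unload). */
static void sim_hook_remove(void)
{
    if (sim_orig_open_file == NULL)
        return;
    sim_ssdt.base[SIM_SYSCALL_OPEN_FILE] = sim_orig_open_file;
    sim_orig_open_file = NULL;
}

/* Populate the simulated table with the one service and clear the log. */
static void sim_init_table(void)
{
    memset(sim_table_storage, 0, sizeof sim_table_storage);
    sim_table_storage[SIM_SYSCALL_OPEN_FILE] = sim_nt_open_file;
    sim_log_count = 0;
}

int main(void)
{
    sim_init_table();
    sim_hook_install();
    sim_dispatch(SIM_SYSCALL_OPEN_FILE, "C:\\boot.ini");   /* constructed input */
    sim_hook_remove();
    for (unsigned i = 0; i < sim_log_count; i++)
        printf("intercepted: %s\n", sim_log[i]);
    return 0;
}
```

The pattern to take away is the save/replace/restore discipline: the wrapper must hold the original pointer so it can forward the call, and the entry must be put back on unload, or every later caller of that service number lands in code that no longer exists.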
Current thread:
- Windows Heap Overflow lavmarco (Apr 16)
- Re: Windows Heap Overflow runix (Apr 18)
- Re: Windows Heap Overflow johnny cyberpunk (Apr 19)
- <Possible follow-ups>
- Re: Windows Heap Overflow Douglas Santos (Apr 19)
- intercept nt/2k kernel api? Oleg K . Artemjev (Apr 20)
- Re: intercept nt/2k kernel api? Nicolas RUFF (lists) (Apr 21)
- intercept nt/2k kernel api? Oleg K . Artemjev (Apr 20)
- Re: Windows Heap Overflow runix (Apr 18)