Penetration Testing mailing list archives
Re: Running Ring3 command from Ring0 in Windows?
From: "H D Moore" <sflist () digitaloffense net>
Date: Thu, 04 Jun 2009 23:22:48 -0500
On Thu, 04 Jun 2009 22:29:51 -0500, Jun Koi <junkoi2004 () gmail com> wrote:
It is quite clear: we can inject code from kernel to userspace using the stager you pointed out. However, the question remains: after that, how is the shellcode (in userspace) triggered?
The comments explain most of it. Basically, the ring0 code hooks the system call entrypoint to point to its own stub. This entry point is called by every process that calls any system call. The stub then tries to determine whether the calling process is the target (lsass.exe is default). If the target process name matches, we reset the syscall hook and run the code in the target process. This means that one of the target process's threads is randomly hijacked to run our code instead of what it was trying to do (call a system call). The lsass.exe target was chosen because it has many threads and frequently hits the system call entry point; other services work too (spools.exe), but you have to wait for them to execute a system call to get your code injected.
-HD
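The mechanism HD describes (redirecting the CPU's system call entry point to a stub, then restoring it once the stub has fired) is exactly what a kernel integrity scanner looks for from the defender's side. The following is an added example, not code from this thread or from the stager under discussion: it models the check in Python over constructed data. The module ranges, MSR values and snapshots are made up; the MSR numbers (IA32_LSTAR for x64 syscall, IA32_SYSENTER_EIP for x86 sysenter) are the real ones a scanner would read with rdmsr. Because the hook resets itself after use, a single read can miss it, so the example also diffs two reads taken over time.

```python
"""
Model of a syscall-entry-point integrity check (constructed example).

A scanner reads the system call entry registers and verifies that each one
points inside the kernel image (ntoskrnl) rather than into another driver
or unbacked memory. Since the hook described in the thread removes itself
once it has run its payload, two snapshots are compared as well so that a
transient rehook is noticed when a read lands while it is active.
All addresses and module ranges below are invented for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class KernelModule:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


# Constructed loaded-module list: the kernel image plus two drivers.
MODULES = [
    KernelModule("ntoskrnl.exe", 0xFFFFF80001800000, 0x5E0000),
    KernelModule("hal.dll",      0xFFFFF80001DE0000, 0x4B000),
    KernelModule("ndis.sys",     0xFFFFF88001000000, 0xF0000),
]

# Entry-point registers a scanner reads via rdmsr (real MSR numbers).
SYSCALL_ENTRY_MSRS = {
    0xC0000082: "IA32_LSTAR",        # x64 'syscall' entry
    0x176:      "IA32_SYSENTER_EIP", # x86 'sysenter' entry
}


def resolve(addr, modules):
    """Name of the module whose image range covers addr, or None."""
    for m in modules:
        if m.contains(addr):
            return m.name
    return None


def check_entry_points(msr_values, modules, kernel_image="ntoskrnl.exe"):
    """Return (register, value, owner) findings for every entry-point MSR
    that does not resolve into the kernel image; [] when all look sane."""
    findings = []
    for msr, value in msr_values.items():
        name = SYSCALL_ENTRY_MSRS.get(msr, hex(msr))
        owner = resolve(value, modules)
        if owner != kernel_image:
            findings.append((name, value, owner or "unbacked/unknown memory"))
    return findings


def diff_snapshots(earlier, later):
    """Registers whose value changed between two reads. A hook that installs
    itself and then resets shows up here only if one read catches it live,
    which is why such checks must run often (or trap MSR writes)."""
    return {SYSCALL_ENTRY_MSRS.get(m, hex(m)): (earlier[m], later.get(m))
            for m in earlier if later.get(m) != earlier[m]}


# Constructed snapshots: a clean read, then one taken while a hook is live.
CLEAN = {0xC0000082: 0xFFFFF80001A1C2C0, 0x176: 0xFFFFF80001A1C000}
HOOKED = {0xC0000082: 0xFFFFF8800A123000, 0x176: 0xFFFFF80001A1C000}

if __name__ == "__main__":
    print("clean :", check_entry_points(CLEAN, MODULES))
    print("hooked:", check_entry_points(HOOKED, MODULES))
    print("diff  :", diff_snapshots(CLEAN, HOOKED))
```

The owner field matters in practice: an entry point that resolves into a named third-party driver is a different investigation from one that resolves into memory no module claims, which is the case a stager running out of freshly allocated kernel memory produces.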
Current thread:
- Running Ring3 command from Ring0 in Windows? Jun Koi (Jun 03)
- Re: Running Ring3 command from Ring0 in Windows? Jeffrey Walton (Jun 03)
- Re: Running Ring3 command from Ring0 in Windows? H D Moore (Jun 04)
- Re: Running Ring3 command from Ring0 in Windows? Jun Koi (Jun 08)
- Re: Running Ring3 command from Ring0 in Windows? H D Moore (Jun 08)
- Re: Running Ring3 command from Ring0 in Windows? Jun Koi (Jun 08)