Vulnerability Development
mailing list archives
Re: intercept nt/2k kernel api?
From: "Nicolas RUFF (lists)" <ruff.lists () edelweb fr>
Date: Tue, 20 Apr 2004 19:09:48 +0200
Say, I'm already running in w2k as a vxd or so. AFAIK this is kernel mode. The questions are as follows:
*. Can I, already being in kernel mode, intercept Zw* and Nt* functions?
*. Can I write to kernel memory while being in kernel mode (executable memory)?
*. Can I write to kernel memory belonging to another vxd or the kernel itself (data memory)?
*. What are the problems I'll meet in doing so? (guess, but dunno why - at least it'll be the address to play w/ for a particular function, but mebbe)
*. Does M$ really use the non-executable flag for pages in XP Service Pack 2 for the XP kernel and system applications on new AMD 64-bit CPUs?
1/ Yes
Basically, NTDLL functions are in charge of setting up parameters and calling the right kernel
service through the following ASM code:
MOV EAX, _syscall_number
INT 0x2E
So if you are already in kernel mode you can receive the call by patching the "syscall table"
(KiSystemServiceTable). I guess "1 Nt* function" = "1 INT 0x2E", but I remember there might be
exceptions.
More info:
http://www.sysinternals.com/ntw2k/info/ntdll.shtml
See strace for Windows:
http://razor.bindview.com/tools/desc/strace_readme.html
2/ Of course
If your code is a ".VXD" or a ".SYS", it runs at "ring 0" privilege level and can use all
descriptors marked as "ring 0"-usable. Everything should be transparent for your application. The
trick is that if your IRQ_LEVEL is high, you should check whether the destination memory page is
physically in memory or has been swapped out, because you might run at a higher level than the swapper
and cause a BSoD "IRQ_NOT_LESS_OR_EQUAL" :-(
3/ Yes
All memory ranging from 0x80000000 to 0xFFFFFFFF is accessible from kernel code.
If you boot with the /3GB switch, kernel memory ranges from 0xC0000000 to 0xFFFFFFFF.
Of course you still cannot write to a segment marked as "read only"! (MOV CS:[_var],XXX will fail)
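Points 1/ and 3/ together give a defender a cheap integrity check: every service reached through INT 0x2E is implemented inside ntoskrnl, and kernel code only lives above 0x80000000 (0xC0000000 with /3GB). The C below is an added example, not code from the post or from any of the linked tools; it classifies a copy of the syscall table against a kernel image range. The image base, image size and table contents are constructed placeholder values, and the address-space boundaries are the ones stated above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Lowest kernel-mode virtual address on 32-bit Windows 2000/XP, as stated in
 * the post: 0x80000000 by default, 0xC0000000 when booted with /3GB. */
static uint32_t kernel_space_start(int three_gb_boot)
{
    return three_gb_boot ? 0xC0000000u : 0x80000000u;
}

/* Where the kernel image itself is mapped. The numbers used below are
 * constructed for the example; a real checker would read them from the
 * loaded-module list of the running kernel. */
typedef struct {
    uint32_t image_base;   /* first byte of the mapped ntoskrnl image */
    uint32_t image_size;   /* size of that mapping in bytes */
    int      three_gb_boot;
} kernel_layout;

typedef enum {
    ENTRY_OK = 0,           /* points into the kernel image: expected */
    ENTRY_REDIRECTED = 1,   /* kernel-space address outside the image */
    ENTRY_USER_POINTER = 2  /* below the kernel boundary: never legitimate */
} entry_verdict;

static int in_kernel_image(const kernel_layout *k, uint32_t addr)
{
    return addr >= k->image_base && (addr - k->image_base) < k->image_size;
}

/* Classify one slot of the syscall table. A slot whose target lies outside
 * the kernel image has been rewritten by some other module; a slot pointing
 * below the kernel boundary cannot be a valid service at all. */
static entry_verdict classify_entry(const kernel_layout *k, uint32_t target)
{
    if (target < kernel_space_start(k->three_gb_boot))
        return ENTRY_USER_POINTER;
    if (in_kernel_image(k, target))
        return ENTRY_OK;
    return ENTRY_REDIRECTED;
}

/* Scan a copy of the table; returns the number of slots that are not OK and
 * writes their indices to 'out' (up to out_cap of them; out may be NULL). */
static size_t scan_service_table(const kernel_layout *k, const uint32_t *table,
                                 size_t count, size_t *out, size_t out_cap)
{
    size_t flagged = 0;
    for (size_t i = 0; i < count; i++) {
        if (classify_entry(k, table[i]) != ENTRY_OK) {
            if (out && flagged < out_cap)
                out[flagged] = i;
            flagged++;
        }
    }
    return flagged;
}

/* Constructed sample: a six-slot table checked against a kernel image mapped
 * at 0x80400000 with size 0x200000 (placeholder values, not from a live box). */
static const kernel_layout sample_layout = { 0x80400000u, 0x00200000u, 0 };
static const uint32_t sample_table[] = {
    0x80450000u,  /* inside the image: OK */
    0x80401234u,  /* inside the image: OK */
    0xF8A12000u,  /* kernel space, but some other driver: redirected */
    0x00401000u,  /* user-mode address: impossible for a real service */
    0x805FFFFFu,  /* last byte of the image: OK */
    0x80600000u,  /* one past the image end: redirected */
};
#define SAMPLE_COUNT (sizeof(sample_table) / sizeof(sample_table[0]))

int main(void)
{
    size_t idx[SAMPLE_COUNT];
    size_t n = scan_service_table(&sample_layout, sample_table,
                                  SAMPLE_COUNT, idx, SAMPLE_COUNT);
    printf("%zu of %zu slots flagged\n", n, (size_t)SAMPLE_COUNT);
    for (size_t i = 0; i < n; i++)
        printf("  slot %zu -> 0x%08X (verdict %d)\n", idx[i],
               sample_table[idx[i]],
               classify_entry(&sample_layout, sample_table[idx[i]]));
    return 0;
}
```

On the constructed table the scan flags three of six slots (indices 2, 3 and 5). The check is deliberately coarse: a legitimate filter driver that replaces a table entry would also be flagged, so the result is a list of slots to inspect, not a verdict on intent.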
4/ Many problems :-)
IRQ_LEVEL is one of the trickiest, but you should also pay attention to the fact that kernel
threads are interruptible; you should consider using asynchronous procedure calls for
computation-intensive threads, etc.
If it was really easy, there would be fewer drivers crashing and fewer BSoDs :-)
5/ Yes
I did not check myself because I do not have such a CPU, but (as for XP SP2 RC1) you can enforce
non-executable user pages globally or on a per-program basis. Time to upgrade to "level 2"
shellcodes :-)
You will find nice code samples in the "Undocumented Windows 2000 Secrets" book.
http://www.orgon.com/w2k_internals/
Regards,
- Nicolas RUFF
-----------------------------------
Security Consultant
EdelWeb (http://www.edelweb.fr/)
Mail : nicolas.ruff () edelweb fr
-----------------------------------