Firstly, I'd like to thank everybody who has decided to read my blog. I hope it will inspire others to start their own and share knowledge in the field of reverse engineering and exploitation with everyone. I am always open to suggestions and criticism about my work, so feel free to send me an email or write a comment down below.

With that out of the way, let's start with the first blog post, which is going to be something really simple to start things off and should be easy enough to understand with some basic knowledge of the Windows kernel structure.

Note: This project was developed and tested on Windows 10 x64 version 1903.

Windows, unlike Linux, is a closed source OS, so it is much harder to modify its internal structure. Furthermore, Microsoft heavily discourages it, as it can open up the system to a wide range of security threats. That's why they have introduced various protection mechanisms to the NT kernel, a major one being PatchGuard (PG), Microsoft's implementation of Kernel Patch Protection (KPP). This severely limits the attacker's options when it comes to hooking and modifying system code unless you manage to bypass PG altogether.

But let's start at the beginning. If you want to modify the OS's kernel code, you will need to gain access to kernel/system memory first. The only official way provided by Microsoft is through the Windows loader (NtLoadDriver). Alternatively, you can use exploits like r0ak (demonstrated by Alex Ionescu) or exploit a vulnerable signed driver (capcom.sys, asmmap64.sys, iqvw64e.sys…), none of which is supported by Microsoft in any way. I will not go into detail on this, as hundreds of articles already exist on this topic. Instead, I will focus on retaining kernel access once you have your code already running at CPL 0, and doing it in a pretty stealthy way.

In every OS, the main way of communicating with the kernel code is through system calls. The Windows Native API (NTAPI) exposes thousands of kernel and executive functions. All of these functions are implemented in the Windows kernel and are easily accessible if you have code running in the kernel. Otherwise, the OS also provides access to a lot of these functions to user mode applications, mainly through ntdll.dll and some other libraries.
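From the defender's side, the quickest sanity check against the vulnerable-driver route mentioned above is to list which kernel drivers are actually loaded and whether each one carries a valid signature. The script below is an added example written for this post, not code from the original; it assumes the driver name list taken from the post and the standard `Win32_SystemDriver` class and `Get-AuthenticodeSignature` cmdlet.

```powershell
# Added example: flag running kernel drivers that are either named in the post as
# known-vulnerable or that do not verify as validly signed. Assumes Windows 8.1+
# so that catalog-signed Microsoft drivers report 'Valid'.
$KnownVulnerable = @('capcom.sys', 'asmmap64.sys', 'iqvw64e.sys')   # names from the post

function Resolve-DriverPath {
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName.Trim('"')
    # Normalise the NT-style prefixes the service database stores for drivers
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -match '^System32\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-SuspiciousDriver {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            $file = if ($path) { (Split-Path -Leaf $path).ToLower() } else { $_.Name.ToLower() }
            # A driver whose image file cannot be found on disk is itself worth a look
            $sig = if ($path -and (Test-Path $path)) {
                (Get-AuthenticodeSignature -FilePath $path).Status
            } else { 'FileMissing' }
            [pscustomobject]@{
                Service   = $_.Name
                File      = $file
                Path      = $path
                Signature = $sig
                KnownBad  = ($KnownVulnerable -contains $file)
            }
        } |
        Where-Object { $_.KnownBad -or $_.Signature -ne 'Valid' }
}

Get-SuspiciousDriver | Format-Table -AutoSize
```

A valid signature alone does not clear a driver: the three names above are all validly signed, which is exactly why they are useful for loading through the official NtLoadDriver path; the `KnownBad` column is there to catch that case.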