Nytro

Kernel-mode Payloads on Windows


bugcheck, chris@bugcheck.org

skape, mmiller@hick.org

This paper discusses the theoretical and practical implementations of kernel-mode payloads on Windows. At the time of this writing, kernel-mode research is generally regarded as the realm of a few, but it is hoped that documents such as this one will encourage a thoughtful progression of the subject matter. To that point, this paper will describe some of the general techniques and algorithms that may be useful when implementing kernel-mode payloads. Furthermore, the anatomy of a kernel-mode payload will be broken down into four distinct units, known as payload components, and explained in detail. In the end, the reader should walk away with a concrete understanding of the way in which kernel-mode payloads operate on Windows.

Contents

1 Foreword
2 Introduction
3 General Techniques
  3.1 Finding Ntoskrnl.exe Base Address
    3.1.1 IDT Scandown
    3.1.2 KPRCB IdleThread Scandown
    3.1.3 SYSENTER EIP MSR Scandown
    3.1.4 Known Portable Base Scandown
  3.2 Resolving Symbols
4 Payload Components
  4.1 Migration
    4.1.1 Direct IRQL Adjustment
    4.1.2 System Call MSR/IDT Hooking
    4.1.3 Thread Notify Routine
    4.1.4 Hooking Object Type Initializer Procedures
    4.1.5 Hooking KfRaiseIrql
  4.2 Stagers
    4.2.1 System Call Return Address Overwrite
    4.2.2 Thread APC
    4.2.3 User-mode Function Pointer Hook
    4.2.4 SharedUserData SystemCall Hook
  4.3 Recovery
    4.3.1 Thread Spinning
    4.3.2 Throwing an Exception
    4.3.3 Thread Restart
    4.3.4 Lock Release
  4.4 Stages
5 Conclusion

Download:

http://www.uninformed.org/?v=3&a=4&t=pdf

Online:

http://www.uninformed.org/?v=3&a=4

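The two building blocks that section 3 of the paper lists, a "scandown" to the base of ntoskrnl.exe from any pointer that lands inside it (section 3.1) and export-table symbol resolution (section 3.2), as an added example. This is not the paper's code and not code from the authors; it runs in user mode on any OS against a constructed, page-aligned fake PE image so the walk can be executed and checked offline. The starting pointer is a constructed value standing in for what a real payload would read from the IA32_SYSENTER_EIP MSR, an IDT entry or KPRCB->IdleThread; the ror13 string hash is a common payload choice, not something the page specifies; the export name "PsGetCurrentProcess" and all offsets are assumptions made for the fake image.

```c
/* Added example (not from the paper): scandown to an image base plus
 * export-by-hash resolution, run against a constructed in-memory PE. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE  0x1000
#define IMAGE_SIZE (4 * PAGE_SIZE)

/* Minimal 32-bit PE field layout: just enough for the two walks below. */
#pragma pack(push, 1)
struct dos_hdr    { uint16_t e_magic; uint8_t pad[58]; uint32_t e_lfanew; };
struct nt_hdr32   { uint32_t sig; uint8_t file_hdr[20]; uint16_t opt_magic;
                    uint8_t opt[94]; uint32_t export_rva, export_size; };
struct export_dir { uint32_t chars, stamp; uint16_t maj, min; uint32_t name, base,
                    nfuncs, nnames, funcs, names, ords; };
#pragma pack(pop)

/* Section 3.1: from any address inside the module, align down to a page and
 * walk backwards one page at a time until a page starts with "MZ" whose
 * e_lfanew lands on a "PE\0\0" signature. In the kernel the lower bound
 * would be a sanity limit and every page touched must be mapped; here
 * `lowest` is simply the start of the constructed buffer. */
uint8_t *find_base(uint8_t *inside, uint8_t *lowest)
{
    uint8_t *p = (uint8_t *)((uintptr_t)inside & ~(uintptr_t)(PAGE_SIZE - 1));
    for (;;) {
        struct dos_hdr *d = (struct dos_hdr *)p;
        if (d->e_magic == 0x5A4D &&                          /* 'MZ' */
            d->e_lfanew <= PAGE_SIZE - sizeof(struct nt_hdr32)) {
            struct nt_hdr32 *nt = (struct nt_hdr32 *)(p + d->e_lfanew);
            if (nt->sig == 0x00004550)                       /* 'PE\0\0' */
                return p;
        }
        if (p <= lowest) return NULL;
        p -= PAGE_SIZE;
    }
}

/* Rotate-right-13 hash: payloads carry a 4-byte hash instead of the symbol
 * string. Assumed here as a typical choice, not specified by the paper. */
uint32_t ror13_hash(const char *s)
{
    uint32_t h = 0;
    for (; *s; s++) h = ((h >> 13) | (h << 19)) + (uint8_t)*s;
    return h;
}

/* Section 3.2: walk the export directory's name table, hash each name, and
 * map the matching entry through the ordinal table to its function RVA. */
void *resolve_export(uint8_t *base, uint32_t want)
{
    struct dos_hdr *d = (struct dos_hdr *)base;
    struct nt_hdr32 *nt = (struct nt_hdr32 *)(base + d->e_lfanew);
    if (!nt->export_rva) return NULL;
    struct export_dir *ed = (struct export_dir *)(base + nt->export_rva);
    uint32_t *funcs = (uint32_t *)(base + ed->funcs);
    uint32_t *names = (uint32_t *)(base + ed->names);
    uint16_t *ords  = (uint16_t *)(base + ed->ords);
    for (uint32_t i = 0; i < ed->nnames; i++)
        if (ror13_hash((const char *)(base + names[i])) == want)
            return base + funcs[ords[i]];
    return NULL;
}

/* Constructed fake image: MZ at page 0 with PE headers at +0x80, an export
 * directory at page 1 exporting one name whose code sits at page 2, and
 * page 3 standing in for the code a SYSENTER MSR would point into. */
static uint8_t image[IMAGE_SIZE] __attribute__((aligned(PAGE_SIZE)));

uint8_t *build_image(void)
{
    memset(image, 0, sizeof image);
    struct dos_hdr *d = (struct dos_hdr *)image;
    d->e_magic = 0x5A4D; d->e_lfanew = 0x80;
    struct nt_hdr32 *nt = (struct nt_hdr32 *)(image + 0x80);
    nt->sig = 0x00004550; nt->opt_magic = 0x10B;
    nt->export_rva = PAGE_SIZE; nt->export_size = 0x100;
    struct export_dir *ed = (struct export_dir *)(image + PAGE_SIZE);
    ed->nfuncs = 1; ed->nnames = 1;
    ed->funcs = PAGE_SIZE + 0x40; ed->names = PAGE_SIZE + 0x50; ed->ords = PAGE_SIZE + 0x60;
    ((uint32_t *)(image + ed->funcs))[0] = 2 * PAGE_SIZE;   /* export's code RVA */
    ((uint32_t *)(image + ed->names))[0] = PAGE_SIZE + 0x70; /* name string RVA */
    ((uint16_t *)(image + ed->ords))[0]  = 0;
    strcpy((char *)(image + PAGE_SIZE + 0x70), "PsGetCurrentProcess"); /* assumed name */
    image[2 * PAGE_SIZE] = 0xC3;                             /* ret */
    return image;
}

int main(void)
{
    uint8_t *img = build_image();
    uint8_t *fake_sysenter_eip = img + 3 * PAGE_SIZE + 0x2F0; /* constructed MSR value */
    uint8_t *base = find_base(fake_sysenter_eip, img);
    void *fn = resolve_export(base, ror13_hash("PsGetCurrentProcess"));
    printf("base=%p export=%p (base+%#lx)\n", (void *)base, fn,
           (unsigned long)((uint8_t *)fn - base));
    return 0;
}
```

The page-by-page walk is what makes the technique portable across kernel builds: nothing in it depends on a fixed load address, only on a single live pointer into the image and on the PE headers being readable at the base. On a real target the unmapped-page problem is the main hazard, since a payload that faults while scanning below the image has no handler to catch it.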