Nytro

Kernel-mode Payloads on Windows

Kernel-mode Payloads on Windows

bugcheck, chris@bugcheck.org

skape, mmiller@hick.org

This paper discusses the theoretical and practical implementations of kernel-mode payloads on Windows. At the time of this writing, kernel-mode research is generally regarded as the realm of a few, but it is hoped that documents such as this one will encourage a thoughtful progression of the subject matter. To that point, this paper will describe some of the general techniques and algorithms that may be useful when implementing kernel-mode payloads. Furthermore, the anatomy of a kernel-mode payload will be broken down into four distinct units, known as payload components, and explained in detail. In the end, the reader should walk away with a concrete understanding of the way in which kernel-mode payloads operate on Windows.

Contents

1 Foreword
2 Introduction
3 General Techniques
  3.1 Finding Ntoskrnl.exe Base Address
    3.1.1 IDT Scandown
    3.1.2 KPRCB IdleThread Scandown
    3.1.3 SYSENTER EIP MSR Scandown
    3.1.4 Known Portable Base Scandown
  3.2 Resolving Symbols
4 Payload Components
  4.1 Migration
    4.1.1 Direct IRQL Adjustment
    4.1.2 System Call MSR/IDT Hooking
    4.1.3 Thread Notify Routine
    4.1.4 Hooking Object Type Initializer Procedures
    4.1.5 Hooking KfRaiseIrql
  4.2 Stagers
    4.2.1 System Call Return Address Overwrite
    4.2.2 Thread APC
    4.2.3 User-mode Function Pointer Hook
    4.2.4 SharedUserData SystemCall Hook
  4.3 Recovery
    4.3.1 Thread Spinning
    4.3.2 Throwing an Exception
    4.3.3 Thread Restart
    4.3.4 Lock Release
  4.4 Stages
5 Conclusion

Download:

http://www.uninformed.org/?v=3&a=4&t=pdf

Online:

http://www.uninformed.org/?v=3&a=4
