Re: intercept nt/2k kernel api?

From: Roland Postle (
Date: 04/21/04

    Date: Wed, 21 Apr 2004 17:42:20 +0100

    On Tue, 20 Apr 2004 11:52:38 -0700, wrote:

    >>*. Can I write to kernel memory being in kernel mode (executable
    >Yes, but it isn't trivial. Device\\PhysicalMemory is probably what you
    >are going to want to play with. Even with this, you still have to figure
    >out the physical-virtual mappings to really do what you are asking. There's
    >a phrack article on this: Playing with windows /dev/(k)mem (phrack 59-

    Afaik there's no reason to get into physical memory. Everything you
    want should be mapped in the address space of your device driver. The
    tricky part might be finding it because you can't rely on symbols being
    available on the target machine as is usual with Linux. If it's
    something hardware related (like you want to patch the IDT to intercept
    all calls from user mode as soon as they happen) you can find the
    structures with the right instruction (e.g. SIDT). If it's something
    more kernel related, Windows has certain structures at predictable
    places (the FS register points to a lot of useful stuff). For patching
    replacement system calls it's relatively easy to find the system call
    table. And from that table you could also find the executable code for
    the calls and modify that directly. For patching other drivers (that
    get loaded at random places) there are kernel calls to help you track
    them down.

    If you're doing any complicated write involving more than a single 32
    bit value you need to make sure nothing will steal control while things
    are in an inconsistent state. That's easy enough by disabling hardware
    interrupts, and it might be necessary to make sure the memory you're
    working with is paged in at the time (there are some kernel calls to do
    this), depending on what you're doing.

    Device\\PhysicalMemory, incidentally, could be used to install a
    rootkit from user mode (assuming you have appropriate permissions of
    course) but it seems to me more complicated than just going into kernel
    mode yourself where you have more direct control.

    >>*. Can I write to kernel memory belonging to another vxd or kernel
    >>itself (data memory)?

    Same issues. There's no reason for blue screens if the code is well
    thought out and well tested, as any rootkit would be.

    >> *. Does M$ really use non-executable flag for pages in XP service pack 2 for XP kernel and system applications on new amd 64bit cpus?

    No idea, but you could turn it off easily enough if you were already in
    kernel mode.

    - Blazde
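A defender-side check in the spirit of the IDT discussion above, added here as example code (not from the original post or its author): it decodes 32-bit x86 IDT gate descriptors and flags present handlers whose address falls outside an assumed kernel image range, which is how integrity checkers spot a patched IDT. The image bounds, the code selector value and the three sample gates are constructed; on a live system the table base would come from SIDT and the bounds from the loaded-module list.

```c
/* Added example: flag present 32-bit IDT gates whose handler lies outside the kernel image. Constructed data. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* One 8-byte gate descriptor as stored in the 32-bit IDT. */
typedef struct {
    uint16_t offset_lo;  /* handler address bits 0..15 */
    uint16_t selector;   /* kernel code segment selector */
    uint8_t  zero;       /* reserved */
    uint8_t  type_attr;  /* P(bit 7) | DPL(bits 6..5) | 0 | gate type */
    uint16_t offset_hi;  /* handler address bits 16..31 */
} idt_gate32;

/* Encode a gate; used here only to build the constructed sample table. */
static idt_gate32 make_gate(uint32_t handler, uint8_t type_attr)
{
    idt_gate32 g = { (uint16_t)handler, 0x08, 0, type_attr, (uint16_t)(handler >> 16) };
    return g;
}
/* Scan `count` raw gates; return how many present gates have a handler outside
 * [img_base, img_base + img_size). If first != NULL it gets that vector or -1. */
int count_suspicious_gates(const uint8_t *idt, size_t count,
                           uint32_t img_base, uint32_t img_size, int *first)
{
    int bad = 0;
    if (first) *first = -1;
    for (size_t i = 0; i < count; i++) {
        idt_gate32 g;
        memcpy(&g, idt + i * sizeof g, sizeof g);   /* copy: no alignment assumptions */
        if (!(g.type_attr & 0x80))                  /* present bit clear: unused vector */
            continue;
        uint32_t h = ((uint32_t)g.offset_hi << 16) | g.offset_lo;
        if (h < img_base || h - img_base >= img_size) {
            if (first && *first < 0) *first = (int)i;
            bad++;
        }
    }
    return bad;
}

/* Constructed table: vector 2's handler (0xF8A01000) lies outside the assumed
 * image range [0x80400000, 0x80600000), so the scan flags exactly one vector. */
int demo_scan(int *first)
{
    idt_gate32 t[3] = { make_gate(0x80401234, 0x8E), make_gate(0, 0),
                        make_gate(0xF8A01000, 0x8E) };
    return count_suspicious_gates((const uint8_t *)t, 3, 0x80400000u, 0x200000u, first);
}
int demo_first_bad_vector(void) { int f; demo_scan(&f); return f; }
```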
