Kernel-mode Payloads on Windows
bugcheck (chris@bugcheck.org)
skape (mmiller@hick.org)
1. Foreword
2. Introduction
3. General Techniques
3.1 Finding Ntoskrnl.exe Base Address
3.1.1 IDT Scandown
3.1.2 KPRCB IdleThread Scandown
3.1.3 SYSENTER EIP MSR Scandown
3.1.4 Known Portable Base Scandown
3.2 Resolving Symbols
4. Payload Components
4.1 Migration
4.1.1 Direct IRQL Adjustment
4.1.2 System Call MSR/IDT Hooking
4.1.3 Thread Notify Routine
4.1.4 Hooking Object Type Initializer Procedures
4.1.5 Hooking KfRaiseIrql
4.2 Stagers
4.2.1 System Call Return Address Overwrite
4.2.2 Thread APC
4.2.3 User-mode Function Pointer Hook
4.2.4 SharedUserData SystemCall Hook
4.3 Recovery
4.3.1 Thread Spinning
4.3.2 Throwing an Exception
4.3.3 Thread Restart
4.3.4 Lock Release
4.4 Stages
5. Conclusion