Informative Information for the Uninformed
Kernel-mode Payloads on Windows
Dec 12, 2005
bugcheck
skape
chris@bugcheck.org
mmiller@hick.org
Contents
Foreword
Introduction
General Techniques
Finding Ntoskrnl.exe Base Address
IDT Scandown
KPRCB IdleThread Scandown
SYSENTER_EIP_MSR Scandown
Known Portable Base Scandown
Resolving Symbols
Payload Components
Migration
Direct IRQL Adjustment
System Call MSR/IDT Hooking
Thread Notify Routine
Hooking Object Type Initializer Procedures
Hooking KfRaiseIrql
Stagers
System Call Return Address Overwrite
Thread APC
User-mode Function Pointer Hook
SharedUserData SystemCall Hook
Recovery
Thread Spinning
Delaying Thread Execution
Spinning the Calling Thread
Throwing an Exception
Thread Restart
Lock Release
Stages
Conclusion
Bibliography
About this document ...