Informative Information for the Uninformed
Vol 3 » 2006.Jan
Contents

Foreword
Introduction
General Techniques
    Finding Ntoskrnl.exe Base Address
        IDT Scandown
        KPRCB IdleThread Scandown
        SYSENTER_EIP_MSR Scandown
        Known Portable Base Scandown
    Resolving Symbols
Payload Components
    Migration
        Direct IRQL Adjustment
        System Call MSR/IDT Hooking
        Thread Notify Routine
        Hooking Object Type Initializer Procedures
        Hooking KfRaiseIrql
    Stagers
        System Call Return Address Overwrite
        Thread APC
        User-mode Function Pointer Hook
        SharedUserData SystemCall Hook
    Recovery
        Thread Spinning
        Throwing an Exception
        Thread Restart
        Lock Release
    Stages
Conclusion
Bibliography
About this document ...