Informative Information for the Uninformed
Next: System Call Return Address
Up: Payload Components
Previous: Hooking KfRaiseIrql
  Contents
Stagers

The stager payload component is designed to set up the execution of a separate payload either at R0 or R3. This payload component is pretty much equivalent to the concept of stagers in user-mode payloads, but instead of reading in a payload off the wire for execution, R0 stagers typically have the staged payload tacked on to the stager already, since there is no elegant method of reading in a second stage from the network without consuming a lot of space in the process. This section will describe some of the techniques that can be used to execute a stage at either R0 or R3. The techniques that are theoretical and do not have proof of concept code will be described as such.
Although most stagers involve reading more code in off the wire, it
could also be possible to write an egghunt style stager
that searches the address space for an egg that is prepended or
appended to the code that should be executed[3]. The
only requirement would be that there be some way to get the second
stage somewhere in the address space for a long enough period of
time. Given the right conditions, this approach for staging can be
quite useful because it reduces the size of the initial payload that
has to be transmitted or included as part of the exploitation
request.
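From the defender's side, the property that makes an egghunt stager small (a fixed marker placed in front of the stage) is also what makes the staged code easy to spot in a memory image. The following is an added example, not code from the paper: it scans a constructed memory image for egghunt-style markers and carves out the bytes that follow each one. It assumes the marker convention of a short tag repeated back-to-back (the convention used by the egghunt paper cited as [3]); the tag value, the image contents and the helper names are all constructed for this example.

```python
"""Locate egghunt-style markers in a memory image (forensic/detection view).

Assumed convention (not stated on this page): the stage is preceded by a
short tag that appears `repeats` times back-to-back. Anything that follows
the marker, up to a run of zero bytes, is reported as the candidate stage.
"""
import re
from typing import List, Tuple


def find_egg_markers(image: bytes, tag: bytes, repeats: int = 2) -> List[Tuple[int, int]]:
    """Return (marker_offset, stage_offset) for each non-overlapping marker.

    A tag repeated more than `repeats` times still yields one hit per full
    marker, so "w00tw00tw00t" with repeats=2 reports a single marker at 0.
    """
    if not tag or repeats < 1:
        raise ValueError("tag must be non-empty and repeats >= 1")
    pattern = re.compile(re.escape(tag) * repeats)
    return [(m.start(), m.end()) for m in pattern.finditer(image)]


def extract_stage(image: bytes, start: int, max_len: int = 4096, zero_run: int = 8) -> bytes:
    """Carve the bytes following a marker.

    Stops at the first run of `zero_run` NUL bytes (treated as unused
    memory), at `max_len`, or at the end of the image, so a marker near the
    end of a dump yields a short (truncated) stage rather than an error.
    """
    end = min(len(image), start + max_len)
    run = 0
    for i in range(start, end):
        if image[i] == 0:
            run += 1
            if run == zero_run:
                return image[start:i - zero_run + 1]
        else:
            run = 0
    return image[start:end]


def scan_image(image: bytes, tag: bytes, repeats: int = 2) -> List[dict]:
    """Combine marker search and carving into one report per hit."""
    report = []
    for marker_off, stage_off in find_egg_markers(image, tag, repeats):
        stage = extract_stage(image, stage_off)
        report.append({
            "marker_offset": marker_off,
            "stage_offset": stage_off,
            "stage_len": len(stage),
            "stage_preview": stage[:8].hex(),
        })
    return report


# Constructed memory image: padding, a marker followed by a 17-byte stage
# (16 NOPs and an INT3), more padding, then a second marker with only three
# bytes left after it (simulating a stage cut off at the end of the capture).
SAMPLE_TAG = b"w00t"
SAMPLE_IMAGE = (
    b"\x00" * 64
    + SAMPLE_TAG * 2 + b"\x90" * 16 + b"\xcc"
    + b"\x00" * 32
    + SAMPLE_TAG * 2 + b"ABC"
)

if __name__ == "__main__":
    for hit in scan_image(SAMPLE_IMAGE, SAMPLE_TAG):
        print(hit)
```

A marker match on its own is only a lead: any data that happens to contain a repeated tag (padding, string tables) will also hit, so a hit should be confirmed by checking that the carved bytes are executable or disassemble sensibly before treating it as a staged payload.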