Uninformed: Informative Information for the Uninformed

Vol 3, January 2006


The stager payload component is designed to set up the execution of a separate payload at either R0 (ring 0, kernel mode) or R3 (ring 3, user mode). This payload component is roughly equivalent to the concept of stagers in user-mode payloads, but instead of reading a payload in off the wire for execution, R0 stagers typically have the staged payload appended to the stager itself, since there is no elegant way to read a second stage from the network without consuming a lot of space in the process. This section describes some of the techniques that can be used to execute a stage at either R0 or R3. Techniques that are theoretical and have no proof-of-concept code are identified as such.

Although most stagers involve reading more code in off the wire, it would also be possible to write an egghunt-style stager that searches the address space for an egg (a known marker) prepended or appended to the code that should be executed[3]. The only requirement is that there be some way to get the second stage somewhere in the address space for a long enough period of time. Under the right conditions this approach to staging can be quite useful, because it reduces the size of the initial payload that has to be transmitted or included as part of the exploitation request.