Uninformed: Informative Information for the Uninformed

Vol 3» 2006.Jan



System Call Return Address Overwrite

A potentially useful way to stage code to R3 would be to hook the system call MSR (on x86 the MSR that holds the sysenter entry point, IA32_SYSENTER_EIP) and then alter the return address on the R3 stack so that it points to the stage that is to be executed. This would mean that whenever a system call occurred, the return path would bounce through the stage and then into the actual return address. This is an interesting vantage point for stages because it could give them the ability to filter data that is passed back to actual processes. This could potentially make it possible for an attacker to install a very simple memory-resident root-kit as a result of taking advantage of a vulnerability. This approach is purely theoretical, but it is thought that it could be made to work without very much overhead.

The basic implementation for such a stager would be to first copy the staged payload to a globally accessible location, such as SharedUserData. Once copied, the next step would be to hook the processor MSR for the system call instruction. When called, the hook routine would alter the return address on the user-mode stack (the slot that the ntdll system call stub returns through) to point to the stage's global address, and it would also have to save the actual return address somewhere the stage can find it so that the stage can restore execution to it after it has completed. Once the return address has been redirected, the actual system call can be issued. When the system call returns, it would execute the stage. The stage, once completed, would then restore registers, such as eax (which holds the system call's status), and transfer control to the actual return address.
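The bookkeeping the hook and the stage have to agree on, as an added user-mode model of the technique that is not code from the original article. Nothing below touches an MSR or a real stack: the user-mode stack is a small array of function pointers, the "return address" is a function pointer, the kernel's result is passed in as a parameter, and the thread id parameter stands in for what a real stage would read from the TEB. The filtered status code and the names `syscall_entry_hook`, `stage`, `run_syscall` and `run_interleaved` are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* A 'return address' on the modelled user-mode stack. The real stage
   receives the thread context implicitly; here it is passed explicitly. */
typedef void (*ret_target_t)(int tid, uint32_t eax);

#define MAX_THREADS 4
#define STACK_SLOTS 4

/* Where the hook stashes the real return address so the stage can
   restore it. One slot per thread: a single global slot would be
   overwritten if another thread entered the kernel before the first
   thread's stage had run on the way back out. */
static ret_target_t saved_ret[MAX_THREADS];

/* What each caller eventually received in eax, and how often the stage
   ran on each thread (inspectable by a test). */
static uint32_t delivered_eax[MAX_THREADS];
static int stage_hits[MAX_THREADS];

/* Constructed illustration of result filtering (hypothetical policy):
   the stage rewrites one status code before the caller sees it. */
#define FILTERED_STATUS  0xC0000022u   /* STATUS_ACCESS_DENIED */
#define REWRITTEN_STATUS 0x00000000u   /* STATUS_SUCCESS */

/* The code that issued the system call on thread 0 and on thread 1. */
static void caller_a(int tid, uint32_t eax) { (void)tid; delivered_eax[0] = eax; }
static void caller_b(int tid, uint32_t eax) { (void)tid; delivered_eax[1] = eax; }

/* The stage sitting at a globally mapped address. It runs on the return
   path, may filter the status in eax, then continues to the actual
   return address with eax intact (or rewritten). */
static void stage(int tid, uint32_t eax)
{
    ret_target_t real_ret = saved_ret[tid];
    stage_hits[tid]++;
    if (eax == FILTERED_STATUS)
        eax = REWRITTEN_STATUS;
    real_ret(tid, eax);          /* jmp to the saved return address */
}

/* The routine installed through the system call MSR. user_stack[0] is the
   slot the ntdll stub will 'ret' through once the call completes. */
static void syscall_entry_hook(int tid, ret_target_t *user_stack)
{
    saved_ret[tid] = user_stack[0];
    user_stack[0] = stage;
}

/* The kernel finishes the real system call, places the status in eax,
   and the user-mode stub returns through whatever sits at [esp]. */
static void syscall_return(int tid, ret_target_t *user_stack, uint32_t eax)
{
    user_stack[0](tid, eax);
}

/* One complete system call on thread 0: entry hook, return, stage,
   caller. Returns what the caller received in eax. */
static uint32_t run_syscall(uint32_t kernel_result)
{
    ret_target_t user_stack[STACK_SLOTS] = { caller_a };
    syscall_entry_hook(0, user_stack);
    syscall_return(0, user_stack, kernel_result);
    return delivered_eax[0];
}

/* Two threads enter the kernel before either returns. Returns 1 if each
   caller still received its own result; with a single shared save slot
   thread 0 would instead be sent to thread 1's return address. */
static int run_interleaved(void)
{
    ret_target_t stack0[STACK_SLOTS] = { caller_a };
    ret_target_t stack1[STACK_SLOTS] = { caller_b };
    delivered_eax[0] = delivered_eax[1] = 0xFFFFFFFFu;
    syscall_entry_hook(0, stack0);
    syscall_entry_hook(1, stack1);
    syscall_return(0, stack0, 0x11);
    syscall_return(1, stack1, 0x22);
    return delivered_eax[0] == 0x11 && delivered_eax[1] == 0x22;
}

int main(void)
{
    printf("plain result:    0x%08x\n", run_syscall(0x1234));
    printf("filtered result: 0x%08x\n", run_syscall(FILTERED_STATUS));
    printf("interleaved ok:  %d\n", run_interleaved());
    return 0;
}
```

The model makes two points that the prose leaves implicit: the hook has to stash the real return address somewhere that is keyed by the thread (in the real thing the stage can only find it through thread-local state, not a global), and the stage must hand eax through untouched unless it is deliberately filtering, since eax is the NTSTATUS the caller is about to test.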

This approach would be very transparent and, if the per-thread bookkeeping is handled correctly, should be reliable: the saved return address must be kept per thread rather than in a single global, since several threads can be inside the kernel at once, and on a multiprocessor system the MSR is per processor, so the hook has to be installed on every CPU. The added benefit of being able to filter system call results makes it very interesting from a memory-resident rootkit perspective.

