Uninformed: Informative Information for the Uninformed

Vol 3» 2006.Jan


Abstract: This paper discusses the theoretical and practical implementations of kernel-mode payloads on Windows. At the time of this writing, kernel-mode research is generally regarded as the realm of a few, but it is hoped that documents such as this one will encourage a thoughtful progression of the subject matter. To that point, this paper will describe some of the general techniques and algorithms that may be useful when implementing kernel-mode payloads. Furthermore, the anatomy of a kernel-mode payload will be broken down into four distinct units, known as payload components, and explained in detail. In the end, the reader should walk away with a concrete understanding of the way in which kernel-mode payloads operate on Windows.

Thanks: The authors would like to thank Barnaby Jack and Derek Soeder from eEye for their great paper on ring 0 payloads[2]. Thanks also go out to jt, spoonm, #vax, and everyone at nologin.

Disclaimer: The subject matter discussed in this document is presented in the interest of education. The authors cannot be held responsible for how the information is used. While the authors have tried to be as thorough as possible in their analysis, it is possible that they have made one or more mistakes. If a mistake is observed, please contact one or both of the authors so that it can be corrected.

Notes: In most cases, testing was performed on Windows 2000 SP4 and Windows XP SP0. Compatibility with other operating system versions, such as XP SP2, was inferred by analyzing structure offsets and disassemblies. It is theorized that many of the implementations described in this document are also compatible with Windows 2003 Server SP0/SP1, but due to lack of a functional 2003 installation, testing could not be performed.