Uninformed: Informative Information for the Uninformed

Vol 3» 2006.Jan
Another distinction between kernel-mode vulnerabilities and user-mode vulnerabilities is that it is not safe to simply let the kernel crash. If the kernel crashes, the box will blue screen and the payload that was transmitted may not even get a chance to run. As such, it is necessary to identify ways in which normal execution can be resumed after a kernel-mode vulnerability has been triggered. However, like most things in the kernel, the recovery method that can be used is highly dependent on the vulnerability in question, so it makes sense to have a few possible approaches. Chances are, though, that the methods listed in this document will not be enough to satisfy every situation and in many cases may not even be optimal. For this reason, kernel-mode exploit writers are encouraged to research more specific recovery methods when implementing an exploit. Regardless of these concerns, this section describes the general class of recovery payloads and identifies the scenarios in which each may be most useful.