Uninformed: Informative Information for the Uninformed

Vol 3» 2006.Jan


This document has illustrated some of the general techniques that can be used when implementing kernel-mode payloads. Examples have been provided for techniques that can be used to locate the base address of nt, and an example routine has been provided to illustrate symbol resolution. To make kernel-mode payloads easier to grasp, their anatomy has been broken down into four distinct units that have been referred to as payload components. These four payload components can be combined to form a logical kernel-mode payload.

The purpose of the migration payload component is to transition the processor to a safe IRQL so that the rest of the payload can be executed. In some cases, it's also necessary to make use of a stager payload component in order to move the payload to another thread context or location for the purpose of execution. Once the payload is at a safe IRQL and has been staged as necessary, the actual meat of the payload can be run. This portion of the payload is symbolically referred to as the stage payload component. After everything is said and done, the kernel-mode payload has to find some way to ensure that the kernel does not crash. To accomplish this, a situational recovery payload component can be used to allow the kernel to continue to execute properly.

While the vectors taken to achieve code execution have not been described in this document, it is expected that there will continue to be research and improvements in this field. A cycle similar to that seen for user-mode vulnerabilities can be equally expected in the kernel-mode arena once enough interest is gained. With the eye of security vendors intently focused on solving the problem of user-mode software vulnerabilities, the kernel-mode arena will be a playground ripe for research and discovery.