Skip to main content

Windows Kernel Exploitation - Part 0x0 [WKE P0]

Hello Readers,

It's been so long since I have written any blog post but now, the time has come :p Firstly I thought of writing a series of tutorials on Active Directory Pentesting but setting up a good AD lab will take some time so we can learn it once the AD lab is ready ;) :)

If you hate theories then you may not like this post because I have to include this in order to start it from scratch. I assume that you have some experience in binary exploitation because I won't be covering the user-land exploitation.

Introduction 

I thought of learning the basics of kernel exploitation on Win7 as a virtual environment. This blog post is a 0th part of this series on Windows Kernel Exploitation. Please feel free to point out mistakes, send suggestions and also criticize wherever you feel like ;) 

Let us start ! 


Kernel -

According to Wikipedia - a kernel is a central part of an operating system which manages the operations of the computer and hardware - most notably memory and CPU time. 

* it schedules activities that is performed by CPU
* you can call it as the heart of an operating system

Basic outline - 



CPU spend time in two very distinct modules - a) kernel mode & b) user mode 

a) Kernel Mode -

* the executing code has complete and unrestricted access to the underlying hardware
* can execute CPU instructions and reference any memory address
* generally reserved for low-level, most trusted functions on the operating system
* any crash in kernel mode will halt the entire PC

b) User Mode - 

* executing code has no ability to directly access hardware or reference memory
* code running in user-mode must delegate to system APIs to access hardware or memory
* crashes in user-mode is always recoverable
* most of the code running in your computer will execute in user mode

x86 CPU Protection rings - 


Ring 0 -

Ring 0 is the level with the most privileges and interacts most directly with the physical hardware such as the CPU and memory. 
Ring 0 is for kernel code and device drivers.

Ring 3 -

Ring 3 is the level with least privileges which runs all user programs.

Ring 1 and Ring 2 are rarely used, but could be configured with different levels of access.

Kernel-Mode Architecture of Windows 



Hardware Abstraction Layer - 
* layer between physical hardware of computer and rest of the operating system
* designed to hide differences in hardware and provide consistent platform on which the kernel is run
*  it includes hardware specific code that controls I/O interfaces, Interrupt controller and multiple processors


Bored with the theories ?? :p Expect some exploitation in next part of the tutorial. :) :D

References -
https://blog.codinghorror.com/understanding-user-and-kernel-mode/
https://www.cs.fsu.edu/~zwang/files/cop4610/Fall2016/windows.pdf

Comments

  1. KING CASINO, LLC GIVES A $100 FREE BET
    KING CASINO, LLC GIVES A $100 FREE https://sol.edu.kg/ BET to try. 출장샵 Visit us today and receive https://vannienailor4166blog.blogspot.com/ a $100 FREE BET! Sign 토토사이트 up herzamanindir.com/ at our new site!

    ReplyDelete

Post a Comment

Popular posts from this blog

Review of Pentester Academy - Attacking and Defending Active Directory Lab

Few months ago I didn't know what Active Directory is, and why should I care about it and never heard about ACL abuse and all. Although I had attended a BPAD (Breaking and Pwning Active Directory) training which was provided by Nullcon but I was not confident enough to go for this course exam, since my day-today activity involves VAPT stuffs related to Web/Network/Mobile and sometimes basic malware analysis (very basic one :p).  I started doing offshore lab and took help from some friends in understanding few Active Directory concepts. I did many silly mistakes during the lab and learned a lot. Meanwhile I registered for Active Directory Lab Course and got it in a discounted offer for first 50 students of about 11k INR  ( 1 mont lab access) :). Before wasting time any further let's dive into the review. The course -  https://www.pentesteracademy.com/activedirectorylab Certification - Certified Red Team Professional The Course Content  - After paying the course fee,

Shellcode Analysis x86 - SLAE Assignment 0x5

Before we start , I would like to bring your attention to this SLAE course from securitytube which will help you learn Shellcoding -  http://www.securitytube-training.com/online-courses/securitytube-linux-assembly-expert/ We all use metasploit in our daily pentest engagements so let's break-up some of the shellcode comes with metasploit. Analysis :  1. linux/x86/chmod  2. linux/x86/exec  3. linux/x86/read_file 1. linux/x86/chmod -   msfvenom -p linux/x86/chmod -f raw | ndisasm -u - msfvenom -p linux/x86/chmod -f c msfvenom -p linux/x86/chmod -f raw | sctest -vvv -Ss 100000 -G chmod.dot dot chmod.dot -Tpng -o chmod.png  2. linux/x86/exec -   msfvenom -p linux/x86/exec CMD=ls FILE=tmp.bin -f raw | ndisasm -u - msfvenom -p linux/x86/exec CMD=ls -f c msfvenom -p linux/x86/exec CMD=ls FILE=tmp.bin -f raw | /opt/libemu/bin/sctest -vvv -Ss 100000 -G exec.dot dot exec.dot -Tpng -o exec.png 3. linux/x86/read_file - msfvenom -p linux/x86/shell/revers

Backdoring PE files using code caves : OSCE/CTP Module 0x03 (OSCE Preparation)

Hello Readers, This post will cover Backdooring of P.E file by using code caves . There are already good tools to do this for you eg. Backdoor Factory and Shelter which will do the same job and even bypass some static analysis of few antiviruses . I will be covering the manual approach of backdooring a PE file . Let's understand some terms : [x] PE file : The Portable Executable (PE) format is a file format for executables, object code, and DLLs, used in 32-bit and 64-bit versions of Windows operating systems. [x] Code Cave : Wikipedia says - "A code cave is a series of null bytes in a process's memory. The code cave inside a process's memory is often a reference to a section of the code’s script functions that have capacity for the injection of custom instructions. For example, if a script’s memory allows for 5 bytes and only 3 bytes are used, then the remaining 2 bytes can be used to add external code to the script." [x] Shellcode : Wikipedia - &qu