
Windows Kernel Exploitation - Part 0x0 [WKE P0]

Hello Readers,

It's been a long time since I have written a blog post, but now the time has come :p At first I thought of writing a series of tutorials on Active Directory pentesting, but setting up a good AD lab will take some time, so we can learn that once the AD lab is ready ;) :)

If you hate theory you may not like this post, but I have to include it in order to start from scratch. I assume that you have some experience in binary exploitation, because I won't be covering user-land exploitation.

Introduction

I thought of learning the basics of kernel exploitation on Win7 in a virtual environment. This blog post is the 0th part of this series on Windows Kernel Exploitation. Please feel free to point out mistakes, send suggestions and criticize wherever you feel like ;)

Let us start!


Kernel -

According to Wikipedia, a kernel is the central part of an operating system that manages the operations of the computer and its hardware, most notably memory and CPU time.

* it schedules the activities performed by the CPU
* you can call it the heart of an operating system

Basic outline - 



The CPU spends its time in two very distinct modes: a) kernel mode and b) user mode

a) Kernel Mode -

* the executing code has complete and unrestricted access to the underlying hardware
* it can execute any CPU instruction and reference any memory address
* generally reserved for the lowest-level, most trusted functions of the operating system
* any crash in kernel mode halts the entire PC

b) User Mode - 

* the executing code has no ability to directly access hardware or reference arbitrary memory
* code running in user mode must delegate to system APIs to access hardware or memory
* crashes in user mode are always recoverable
* most of the code running on your computer executes in user mode

x86 CPU Protection rings - 


Ring 0 -

Ring 0 is the level with the most privileges and interacts most directly with the physical hardware such as the CPU and memory. 
Ring 0 is for kernel code and device drivers.

Ring 3 -

Ring 3 is the level with the least privileges; all user programs run here.

Ring 1 and Ring 2 are rarely used, but could be configured with different levels of access.
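To make the mode and ring sections above concrete, here is a small C program added for this post (not the author's code) that asks the CPU which ring it is running in and then shows that a read from the kernel half of the address space traps into the kernel and comes back to the process as a recoverable fault, while a read of the process's own memory does not. It uses POSIX signals so it also runs on Linux (a Windows build would catch the same fault with SEH); the names current_ring, probe_faults, user_byte and KERNEL_HALF_ADDR and the sample address are constructed for this example.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>

/* The current privilege level (the ring) is the low two bits of the CS
   selector. x86/x86-64 only; other architectures report -1. */
int current_ring(void) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned short cs;
    __asm__ volatile("mov %%cs, %0" : "=r"(cs));
    return cs & 3;
#else
    return -1;
#endif
}

static sigjmp_buf recover;
unsigned char user_byte;  /* constructed: a byte this process owns */
/* The kernel takes the fault and delivers it to the process as a signal
   (Windows raises an SEH exception instead); unwind back to the probe. */
static void on_fault(int sig) { (void)sig; siglongjmp(recover, 1); }

/* Read one byte at addr from ring 3. Returns 1 if the access faulted and
   the process recovered, 0 if the read simply succeeded. */
int probe_faults(uintptr_t addr) {
    struct sigaction sa = {0}, old_segv, old_bus;
    int faulted;
    sa.sa_handler = on_fault;
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old_segv); sigaction(SIGBUS, &sa, &old_bus);
    if (sigsetjmp(recover, 1) == 0) {
        volatile unsigned char v = *(volatile unsigned char *)addr; (void)v;
        faulted = 0;
    } else {
        faulted = 1;          /* arrived here through on_fault() */
    }
    sigaction(SIGSEGV, &old_segv, NULL); sigaction(SIGBUS, &old_bus, NULL);
    return faulted;
}
/* Constructed: lowest kernel-half address on 64-bit x86 (Windows x64 and Linux alike) */
#define KERNEL_HALF_ADDR ((uintptr_t)0xFFFF800000000000ULL)

int main(void) {
    printf("ring %d, own byte faults=%d, kernel half faults=%d\n",
           current_ring(), probe_faults((uintptr_t)&user_byte),
           probe_faults(KERNEL_HALF_ADDR));
    return 0;
}
```

On a 64-bit x86 machine the program reports ring 3, a successful read of its own byte and a recovered fault for the kernel-half address; the process keeps running, which is exactly the "user-mode crashes are recoverable" point above.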

Kernel-Mode Architecture of Windows 



Hardware Abstraction Layer -
* the layer between the physical hardware of the computer and the rest of the operating system
* designed to hide differences in hardware and provide a consistent platform on which the kernel runs
* it includes hardware-specific code that controls I/O interfaces, the interrupt controller and multiple processors


Bored with the theory?? :p Expect some exploitation in the next part of the tutorial. :) :D

