ALPC monitoring

Microsoft did nice work related to callback mechanism, to avoid nasty patching across kernel, and support monitoring in clean way. Currently we can use, among others, for example callbacks on loading new image, process, thread, opening & duplicating handles, dropping files etc. For monitoring network communication you can attach to some device drivers, which is cleaner than hooking, but still does not cover as much as i want to. And there comes ALPC, because even resolving host comes through, and when you are able to recognize it ..


In april I attend awesome training at Syscan, training was led by Alex Ionescu. Among a lot of deep kernel stuffs, there was deeply covered ALPC mechanism, which is the point of this blog – post. Nice presentation about ALPC, which I really recommend to read : All about the RPC, LRPC, ALPC, and LPC in your PC 

C++ in Kernel Drivers (c++, boost, std)

Recently i was looking for another approaches how to use c++ features in kernel mode drivers. I found some references, but no one will fullfill my needs & desires to use also boost & std (at least partially).

Some time ago my friend show me a way how to add mentioned libraries to kernel code, so i decided to do it from scratch, do some minimalistic approach with some kind of ‘manual’ and PoC, and maybe it can be for someone, except myself, usefull.

Boost your VadRoot iterator!

When it comes to working with memory of process, it comes handy to have information about whole address space of process, to do not touch PAGE_GUARD, knowing exec and writable pages, etc.

For that purpose i already implemented VadWalker in my kernel common repo, and also use it in DbiFuzz frmwrk. But recently i come accross some ideas, how to improve my recent approach and do it more efficiently and kinda smarter.


Callgate to user : nt!KeUserModeCallback & ROP / MDL

Sometimes in kernel developement is needed to process some user mode data. But some of data – structs are internal and not so well documented, and due to this are available functions which work with these structures, but these are often exported just for user mode only. What are options in that case ?

  • user mode component – service / application
  • find kernel mode alternative function – often not exported
  • reverse structure – parse it by yourself
  • nt!KeUserModeCallback

Appendum to “How Safe is your Link ?” – how to fool LFH

Heap overflow bug can potentionaly lead to alter heap in that way, that you can rule on its allocation / deallocation mechanism. Nowdays it is litle bit harder, because you need to fullfill some subset of prerequisities for choosen technique, and it is in more than less case not possible.

This post will describe how to break even LFH trough plugin, custom PoC for IE10 on win8 CP, vulnerable to winXP-8CP backend attack.

DBI framework for fuzzing on the board, part I.

I started a bit researching around fuzzers, fuzzing techniques and practices. As i study materials about fuzzing, code (node / edge) coverage approach quickly impressed me. But for this method is essential to have a good dbi. Pin or valgrind are good solutions, but will i try to make it in lightweight way – specificated for further fuzzing needs.

Already implemented features :

  • BTF – Hypervisor based
  • PageTable walker
  • VAD walker
  • full Process control [images, threads, memory]
  • Syscall monitoring – implemented process virtual memory monitor

Monitor everything you want (in Intel vt-x style)

Virtualization can be utilized to reach various goals as monitoring system, system resources and applications as well. It can be used for full system virtualuzation, but i like apporach using it just as a tool too . This post will shortly cover implementation of mini-hypervisor (which is now available on github) for intel vt-x on x64 platform, and demonstrate concept how-to-use-it.

How to boost PatchGuard : it’s all about gong fu!

In this post i will take a look at PatchGuard, at classic scenario of bypassing this protection and also at little bit diferent one. I will also examine new way (bust most probably not new, just reinvented cause it is too obvious and quite efective) how to locate & abuse page guard context and its behaviour.

PoC and some explanation of code, of its weaknes and points to research are included

Uint8Array pwn them all!

This week I take a look at the research blog post by @vupen Advanced Exploitation of Mozilla Firefox Use-after-free CVE-2012-0469 . It is one year old vulnerability, but thanks to it, simple idea come into my mind…

Exploitation of this vulnerability presented at vupen’s blogs, was not easy, because it have into arsenal just controlled OR for certain location, and it uses nothing more – which is quite interesting ! Because of that, exploitation grows complexity, and the first step was logical expanding length of string object, for memory leak. As the next move was performed OR at one tag-object targeting its VTable, which ends to arbitrary code execution.

but … in generation of HTML5 and its new features, more easier and more general method could be used for this exploitation

Story of two pointers attack on LFH

This time post will be based on talk by Steven Seeley (Ghost in the allocator) and talk by Chris Valasek & Tarjei Mandt (Windows 8 Heap Internals).

I would like to focus on win8 _HEAP_USERDATA_HEADER structure, and its main perfomance feature – missing validation check per allocation from its block.


Get every new post delivered to your Inbox

Join other followers: