ALPC monitoring

Microsoft did nice work related to callback mechanism, to avoid nasty patching across kernel, and support monitoring in clean way. Currently we can use, among others, for example callbacks on loading new image, process, thread, opening & duplicating handles, dropping files etc. For monitoring network communication you can attach to some device drivers, which is cleaner than hooking, but still does not cover as much as i want to. And there comes ALPC, because even resolving host comes through, and when you are able to recognize it ..


In april I attend awesome training at Syscan, training was led by Alex Ionescu. Among a lot of deep kernel stuffs, there was deeply covered ALPC mechanism, which is the point of this blog – post. Nice presentation about ALPC, which I really recommend to read : All about the RPC, LRPC, ALPC, and LPC in your PC 

C++ in Kernel Drivers (c++, boost, std)

Recently i was looking for another approaches how to use c++ features in kernel mode drivers. I found some references, but no one will fullfill my needs & desires to use also boost & std (at least partially).

Some time ago my friend show me a way how to add mentioned libraries to kernel code, so i decided to do it from scratch, do some minimalistic approach with some kind of ‘manual’ and PoC, and maybe it can be for someone, except myself, usefull.

Boost your VadRoot iterator!

When it comes to working with memory of process, it comes handy to have information about whole address space of process, to do not touch PAGE_GUARD, knowing exec and writable pages, etc.

For that purpose i already implemented VadWalker in my kernel common repo, and also use it in DbiFuzz frmwrk. But recently i come accross some ideas, how to improve my recent approach and do it more efficiently and kinda smarter.


Callgate to user : nt!KeUserModeCallback & ROP / MDL

Sometimes in kernel developement is needed to process some user mode data. But some of data – structs are internal and not so well documented, and due to this are available functions which work with these structures, but these are often exported just for user mode only. What are options in that case ?

  • user mode component – service / application
  • find kernel mode alternative function – often not exported
  • reverse structure – parse it by yourself
  • nt!KeUserModeCallback

Appendum to “How Safe is your Link ?” – how to fool LFH

Heap overflow bug can potentionaly lead to alter heap in that way, that you can rule on its allocation / deallocation mechanism. Nowdays it is litle bit harder, because you need to fullfill some subset of prerequisities for choosen technique, and it is in more than less case not possible.

This post will describe how to break even LFH trough plugin, custom PoC for IE10 on win8 CP, vulnerable to winXP-8CP backend attack.

DBI framework for fuzzing on the board, part I.

Fatal error: Allowed memory size of 67108864 bytes exhausted (tried to allocate 2839453 bytes) in /nfsmnt/hosting1_2/f/0/f0be16df-7df3-4c59-aaca-b95220e69f53/ on line 37