ALPC monitoring

Microsoft did nice work related to callback mechanism, to avoid nasty patching across kernel, and support monitoring in clean way. Currently we can use, among others, for example callbacks on loading new image, process, thread, opening & duplicating handles, dropping files etc. For monitoring network communication you can attach to some device drivers, which is cleaner than hooking, but still does not cover as much as i want to. And there comes ALPC, because even resolving host comes through, and when you are able to recognize it ..

http://mba.shengwushibie.com/itbook/BookChapter.asp?id=28217

http://mba.shengwushibie.com/itbook/BookChapter.asp?id=28217

 

In april I attend awesome training at Syscan, training was led by Alex Ionescu. Among a lot of deep kernel stuffs, there was deeply covered ALPC mechanism, which is the point of this blog – post. Nice presentation about ALPC, which I really recommend to read : All about the RPC, LRPC, ALPC, and LPC in your PC 

C++ in Kernel Drivers (c++, boost, std)

Recently i was looking for another approaches how to use c++ features in kernel mode drivers. I found some references, but no one will fullfill my needs & desires to use also boost & std (at least partially).

Some time ago my friend show me a way how to add mentioned libraries to kernel code, so i decided to do it from scratch, do some minimalistic approach with some kind of ‘manual’ and PoC, and maybe it can be for someone, except myself, usefull.

Boost your VadRoot iterator!

When it comes to working with memory of process, it comes handy to have information about whole address space of process, to do not touch PAGE_GUARD, knowing exec and writable pages, etc.

For that purpose i already implemented VadWalker in my kernel common repo, and also use it in DbiFuzz frmwrk. But recently i come accross some ideas, how to improve my recent approach and do it more efficiently and kinda smarter.

vadroot

http://www.codemachine.com/figure_protopte_2.png

Callgate to user : nt!KeUserModeCallback & ROP / MDL

Sometimes in kernel developement is needed to process some user mode data. But some of data – structs are internal and not so well documented, and due to this are available functions which work with these structures, but these are often exported just for user mode only. What are options in that case ?

  • user mode component – service / application
  • find kernel mode alternative function – often not exported
  • reverse structure – parse it by yourself
  • nt!KeUserModeCallback

DBI framework for fuzzing on the board, part I.

I started a bit researching around fuzzers, fuzzing techniques and practices. As i study materials about fuzzing, code (node / edge) coverage approach quickly impressed me. But for this method is essential to have a good dbi. Pin or valgrind are good solutions, but will i try to make it in lightweight way – specificated for further fuzzing needs.

Already implemented features :

  • BTF – Hypervisor based
  • PageTable walker
  • VAD walker
  • full Process control [images, threads, memory]
  • Syscall monitoring – implemented process virtual memory monitor


Follow

Get every new post delivered to your Inbox

Join other followers: