Browsing the registry in kernel-mode

One of the Windows kernel subsystems I recently dug into is the Configuration Manager (CM), mostly because I found very scarce public resources about it despite its criticality: this subsystem is responsible for managing the configuration of all...

Some toying with the Self-Reference PML4 Entry

Sometimes you read about a completely awesome exploitation technique and you want to go deeper. So these are my notes about how, while trying to fully understand the exploitation of CVE-2020-0796, I ended up struggling to find a good explanation about a...
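The address arithmetic behind the self-reference trick, as an added example that is not part of the original post: when one PML4 entry points back at the PML4 itself, every level of the paging hierarchy becomes addressable at a fixed virtual range, and the PTE/PDE/PDPTE/PML4E that map any virtual address can be computed with shifts and masks. The index 0x1ED used below is the fixed self-reference slot of Windows 10 builds before 1803 (later builds randomize it, so the index has to be read from the running kernel); the function names are mine.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Sign-extend a 48-bit linear address into its canonical 64-bit form. */
uint64_t canonical(uint64_t va)
{
    return (va & (1ULL << 47)) ? (va | 0xFFFF000000000000ULL)
                               : (va & 0x0000FFFFFFFFFFFFULL);
}

/* With PML4[idx] pointing back at the PML4, each additional use of idx in
 * the address walks one level up: PTEs, then PDEs, PDPTEs, and the PML4. */
uint64_t pte_base(unsigned idx)   { return canonical((uint64_t)idx << 39); }
uint64_t pde_base(unsigned idx)   { return pte_base(idx)   | ((uint64_t)idx << 30); }
uint64_t pdpte_base(unsigned idx) { return pde_base(idx)   | ((uint64_t)idx << 21); }
uint64_t pml4e_base(unsigned idx) { return pdpte_base(idx) | ((uint64_t)idx << 12); }

/* Virtual address of the entry that maps va at each level: the index bits
 * the level would normally consume become an offset of 8-byte entries. */
uint64_t pte_va(unsigned idx, uint64_t va)
{
    return pte_base(idx) | (((va >> 12) & 0xFFFFFFFFFULL) << 3);   /* 36 index bits */
}
uint64_t pde_va(unsigned idx, uint64_t va)
{
    return pde_base(idx) | (((va >> 21) & 0x7FFFFFFULL) << 3);     /* 27 index bits */
}
uint64_t pdpte_va(unsigned idx, uint64_t va)
{
    return pdpte_base(idx) | (((va >> 30) & 0x3FFFFULL) << 3);     /* 18 index bits */
}
uint64_t pml4e_va(unsigned idx, uint64_t va)
{
    return pml4e_base(idx) | (((va >> 39) & 0x1FFULL) << 3);       /* 9 index bits */
}

/* Inverse: which virtual page does the PTE living at pte_addr map?
 * Only the low 39 bits carry the page index, whatever the self-ref slot is. */
uint64_t va_from_pte(uint64_t pte_addr)
{
    return canonical(((pte_addr & 0x7FFFFFFFFFULL) >> 3) << 12);
}

int main(void)
{
    unsigned idx = 0x1ED;   /* fixed self-reference index, Windows 10 < 1803 */
    uint64_t targets[] = { 0x400000ULL, 0xFFFFF80000000000ULL, pte_base(idx) };
    for (size_t i = 0; i < sizeof targets / sizeof targets[0]; i++) {
        uint64_t va = targets[i];
        printf("va %016" PRIx64 "  PTE %016" PRIx64 "  PDE %016" PRIx64
               "  PDPTE %016" PRIx64 "  PML4E %016" PRIx64 "\n",
               va, pte_va(idx, va), pde_va(idx, va), pdpte_va(idx, va), pml4e_va(idx, va));
    }
    /* The PML4E that maps the PTE window is the self-reference entry itself. */
    printf("self-ref PML4E at %016" PRIx64 "\n", pml4e_va(idx, pte_base(idx)));
    return 0;
}
```

Two sanity checks fall out of the arithmetic: the PTE that maps the PTE window is the PDE window's first entry (pte_va of pte_base equals pde_base), and the PML4E that maps the PTE window is the self-reference entry (0xFFFFF6FB7DBEDF68 for index 0x1ED). Any value that does not satisfy these relations means the wrong index was used.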

Enumerating processes from KD

This is a tiny Post-It post to remind myself of the different ways to enumerate processes from KD. Using nt!PsActiveProcessHead: dx Debugger.Utility.Collections.FromListEntry( *(nt!_LIST_ENTRY*)&(nt!PsActiveProcessHead), "nt!_EPROCESS", "ActiveProcessLinks")...
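What that dx command does under the hood, as an added example that is not part of the original post: PsActiveProcessHead is a doubly-linked LIST_ENTRY whose links are embedded inside each _EPROCESS, so enumeration means following Flink until it loops back to the head and subtracting the field offset (CONTAINING_RECORD) to get from each link to its owning structure. The _EPROCESS stand-in, the three sample processes and the helper names below are constructed for this example, and the unlink step shows why a list-based enumeration alone can miss a process.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

/* Same trick FromListEntry() relies on: subtract the field offset to get
 * from the embedded link back to the enclosing structure. */
#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

/* Toy stand-in for nt!_EPROCESS (constructed for this example): only the
 * fields the walk touches, with the link deliberately not at offset 0. */
typedef struct _FAKE_EPROCESS {
    uint64_t   Header;
    uint64_t   UniqueProcessId;
    LIST_ENTRY ActiveProcessLinks;
    char       ImageFileName[16];
} FAKE_EPROCESS;

static void InitializeListHead(LIST_ENTRY *head) { head->Flink = head->Blink = head; }

static void InsertTailList(LIST_ENTRY *head, LIST_ENTRY *entry)
{
    entry->Flink = head;
    entry->Blink = head->Blink;
    head->Blink->Flink = entry;
    head->Blink = entry;
}

static void RemoveEntryList(LIST_ENTRY *entry)
{
    entry->Blink->Flink = entry->Flink;
    entry->Flink->Blink = entry->Blink;
    entry->Flink = entry->Blink = entry;
}

/* Constructed sample: a "PsActiveProcessHead" with three processes. */
LIST_ENTRY    g_head;
FAKE_EPROCESS g_procs[3];
uint64_t      g_pids[8];

LIST_ENTRY *build_sample_list(void)
{
    const uint64_t pids[3]  = { 4, 0x2a8, 0x5f0 };
    const char    *names[3] = { "System", "svchost.exe", "notepad.exe" };
    InitializeListHead(&g_head);
    for (size_t i = 0; i < 3; i++) {
        memset(&g_procs[i], 0, sizeof g_procs[i]);
        g_procs[i].UniqueProcessId = pids[i];
        strncpy(g_procs[i].ImageFileName, names[i], sizeof g_procs[i].ImageFileName - 1);
        InsertTailList(&g_head, &g_procs[i].ActiveProcessLinks);
    }
    return &g_head;
}

/* Follow Flink from the head until it loops back; this is what
 * FromListEntry(PsActiveProcessHead, "nt!_EPROCESS", "ActiveProcessLinks") yields. */
size_t walk_active_processes(LIST_ENTRY *head, uint64_t *pids, size_t max)
{
    size_t n = 0;
    for (LIST_ENTRY *e = head->Flink; e != head && n < max; e = e->Flink) {
        FAKE_EPROCESS *p = CONTAINING_RECORD(e, FAKE_EPROCESS, ActiveProcessLinks);
        pids[n++] = p->UniqueProcessId;
    }
    return n;
}

/* Unlink one process the way a DKOM rootkit would: it keeps running but
 * vanishes from every enumeration that only walks this list. */
int unlink_pid(LIST_ENTRY *head, uint64_t pid)
{
    for (LIST_ENTRY *e = head->Flink; e != head; e = e->Flink) {
        FAKE_EPROCESS *p = CONTAINING_RECORD(e, FAKE_EPROCESS, ActiveProcessLinks);
        if (p->UniqueProcessId == pid) { RemoveEntryList(e); return 1; }
    }
    return 0;
}

int main(void)
{
    LIST_ENTRY *head = build_sample_list();
    size_t n = walk_active_processes(head, g_pids, 8);
    for (size_t i = 0; i < n; i++)
        printf("pid %#llx\n", (unsigned long long)g_pids[i]);
    unlink_pid(head, 0x2a8);
    printf("after unlink: %zu processes visible\n", walk_active_processes(head, g_pids, 8));
    return 0;
}
```

Because the walk only sees what is linked, cross-check the dx output against an enumeration that does not depend on ActiveProcessLinks (the classic !process 0 0 also walks this list, so it is not an independent source) before trusting a process count from a suspect machine.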

An unexpected logic bug on Win32k

The short version: there's a small logic bug in user32!EndTask() which doesn't really check the HWND handle passed when forcefully killing the process, allowing an unprivileged process to BSoD the host by killing the...

Small dumps in the big pool

Or, on how to use the new (Windows 10) field _ETHREAD.ThreadName to stabilize kernel R/W primitives. SetThreadDescription() as a way to allocate controlled kernel pools: keeping on with experimenting with Windows 10, I noticed a field part of the...

Scripting with Windows Root Directory Object

Still on my way to learning the Windows kernel, I spend a considerable amount of time in WinDbg Preview. I've been scripting my way to understanding its components; the most recent was nt!ObpRootDirectoryObject. This pointer is well documented,...

Arbitrary Write primitive in Windows kernel (HEVD)

Back again to modern Windows kernel exploitation! After understanding how to build shellcodes for 64-bit Windows and applying this knowledge to a trivial kernel stack overflow vulnerability, we are ready to start moving towards more real-life...

First exploit in Windows Kernel (HEVD)

Hi there ✋ This post is the third chapter of this series, where we dive into the Windows kernel. The previous posts introduced respectively how to painlessly set up a Windows exploit lab, then how to create a custom shellcode for the kernel to...

A Primer to Windows x64 shellcoding

Continuing on the path to Windows kernel exploitation... Thanks to the previous post, we now have a working lab for easily (and reasonably quickly) debugging the Windows kernel. Let's skip ahead for a minute and assume we control PC using some...

Setting up a Windows VM lab for kernel debugging

This is the first in a series of posts on Windows kernel debugging and exploitation. In this part, we'll cover in detail how to get everything set up using Linux as host, VirtualBox as hypervisor and Windows virtual images from Modern.IE. Note:...