P. 1
2008 Hack.lu Aumaitre

2008 Hack.lu Aumaitre

|Views: 25|Likes:
Published by chepimanca

More info:

Published by: chepimanca on Apr 24, 2010
Copyright:Attribution Non-commercial

Availability:

Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less

10/25/2011

pdf

text

original

D.Aumaitre - SOGETI/ESEC

A little journey inside Windows memory

26 / 32

Memory basics
How to access physical memory
RWX

Read: gather information
Write: everything is authorized
eXecute: Welcome to Paradise

Arbitrary code execution

Context

Read/write access

But no execute access...

A solution

Functions pointers hooking

D.Aumaitre - SOGETI/ESEC

A little journey inside Windows memory

27 / 32

Memory basics
How to access physical memory
RWX

Read: gather information
Write: everything is authorized
eXecute: Welcome to Paradise

Arbitrary code execution

Which pointers?

KUSER SHARED DATA structure

SystemCall field

Called before each system call

Where to store the payload?

The KUSER SHARED DATA structure occupies only 334 bytes

on a 4K-page...

D.Aumaitre - SOGETI/ESEC

A little journey inside Windows memory

27 / 32

Memory basics
How to access physical memory
RWX

Read: gather information
Write: everything is authorized
eXecute: Welcome to Paradise

Arbitrary code execution

DEMO

D.Aumaitre - SOGETI/ESEC

A little journey inside Windows memory

27 / 32

Memory basics
How to access physical memory
RWX

Read: gather information
Write: everything is authorized
eXecute: Welcome to Paradise

Arbitrary code execution

How it works ?

Each process belongs to a desktop.

Only one desktop can interact with a user.

For an interactive user, 3 desktops Default, Disconnect et
Winlogon

With CreateProcess, we can specify the desktop

We can spawn a cmd in Winlogon desktop.

Thus we have a pre-authentication SYSTEM shell :)

D.Aumaitre - SOGETI/ESEC

A little journey inside Windows memory

28 / 32

Memory basics
How to access physical memory
RWX

Read: gather information
Write: everything is authorized
eXecute: Welcome to Paradise

What if DEP is enabled?

KUSER SHARED DATA is not executable.

Per process DEP control with KEXECUTE OPTIONS.

Stored inside the KPROCESS structure.

typedef struct KEXECUTE OPTIONS // 7 elements , 0x1 bytes ( sizeof )

{
/∗0x000∗/

UINT8

ExecuteDisable : 1;

// 0 BitPosition

/∗0x000∗/

UINT8

ExecuteEnable : 1;

// 1 BitPosition

/∗0x000∗/

UINT8

DisableThunkEmulation : 1; // 2 BitPosition

/∗0x000∗/

UINT8

Permanent : 1;

// 3 BitPosition

/∗0x000∗/

UINT8

ExecuteDispatchEnable : 1; // 4 BitPosition

/∗0x000∗/

UINT8

ImageDispatchEnable : 1; // 5 BitPosition

/∗0x000∗/

UINT8

Spare : 2;

// 6 BitPosition

}KEXECUTE OPTIONS, ∗PKEXECUTE OPTIONS;

D.Aumaitre - SOGETI/ESEC

A little journey inside Windows memory

29 / 32

Memory basics
How to access physical memory
RWX

Read: gather information
Write: everything is authorized
eXecute: Welcome to Paradise

Conclusion

iPod 101

Physical access = root

We can reconstruct a high-level view of the operating system

with only physical memory.

Many applications: forensics, debug, intrusion.

D.Aumaitre - SOGETI/ESEC

A little journey inside Windows memory

30 / 32

Memory basics
How to access physical memory
RWX

Read: gather information
Write: everything is authorized
eXecute: Welcome to Paradise

Questions ?

Thanks for your attention

Questions ?

D.Aumaitre - SOGETI/ESEC

A little journey inside Windows memory

31 / 32

Memory basics
How to access physical memory
RWX

Read: gather information
Write: everything is authorized
eXecute: Welcome to Paradise

Bibliography

Adam Boileau: http://storm.net.nz/projects/16

Andreas Schuster:

http://computer.forensikblog.de/en/

Sandman: http://sandman.msuiche.net/

Coldboot attacks: http://citp.princeton.edu/memory/

D.Aumaitre - SOGETI/ESEC

A little journey inside Windows memory

32 / 32

You're Reading a Free Preview

Download
scribd
/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->