current community

your communities

more stack exchange communities

Stack Exchange
tour help
Take the 2-minute tour ×
Information Security Stack Exchange is a question and answer site for Information security professionals. It's 100% free, no registration required.
up vote 0 down vote favorite

In this document is detailed technique of exploiting Windows kernel. But writer is talking about accessing kernel memory & doing exploit from user-mode application at the same time. Can I do this from user-mode application, or do I need to do it from driver? Thanks.

share|improve this question
    
I believe you don't need a driver, if you can code C or C++ or any low-level languages that has the capability to do this, you'd be set. Keep in mind that messing with the windows kernel will raise AV's attention for your application, also, i don't believe using ntQuerySystemInformation nowadays and other API's that document shows will actually acomplish that, if you could elevate priviledges (i hope i didn't read wrong) with UAC on, you'd make some $.. –  SomeNickName Jan 15 at 19:53
    
@SomeNickName if UAC is in play you're already elevated - the application just doesn't get access to the full token directly. Its relatively easy to get the full token. It doesn't offer any protection at all. –  Steve Jan 16 at 5:25
    
@SteveS Are you saying it's easy to bypass UAC? "Unabling" all his purpose? which is when you try to elevate an application, it pop's up? In short, getting admin priviledges without popup ? –  SomeNickName Jan 16 at 12:40
    
@SomeNickName I'm saying its possible to bypass UAC, and its relatively easy, but does require some effort. UAC is not actually a security boundary. It offers some protection against simple bits of malicious code, but advanced attacks can and do bypass it. –  Steve Jan 16 at 17:07
    
I'm talking in terms of elevation, any attempt to elevate an application's priviledges to "admin" or higher should trigger UAC if enabled, i was asking if you can do that without triggering uac. I've seen exploits and other "tweaks" or something, but i believe public one's are already patched, haven't tested any though, but i'm sure it's not that easy, otherwise everyone could do it... :/ and that would be sad lol. –  SomeNickName Jan 16 at 17:34
add comment

2 Answers

up vote 1 down vote

You need admin rights to normally get code into the kernel, and code is usually executed by a driver. Code in user mode cannot by design execute in kernel, so you have to find a bypass vulnerability to get past the user-mode barrier. If you can find such a vulnerability you can execute from user mode.

Other attack vectors are to find an EOP vulnerability, elevate to admin, and install a malicious driver.

share|improve this answer
add comment
up vote 0 down vote

The document uses Windows API (NtQuerySystemInformation, NtOpenThreadToken ...) to have the pointer of Kernel Objects like _EPROCESS, _TOKEN, OBJECT_HEADER. This is done from User land.

Knowing the pointer address allows altering these object, but this can be done from the Kernel land only, for example by exploiting a Driver or a some Kernel API vulnerability that could allow for arbitrary write.

share|improve this answer
add comment

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.