Embed Size (px)
DESCRIPTION
Windows Handle. somma _at_ vmcraft _dot_ com VMCraft inc., Ltd. 2008. 11. 15. Contents. Windows kernel architecture Object ? Handle table Reversing the PspCidTable Exploit #1 Exploit #2. Applications. Subsystem servers. DLLs. System Services. Login/GINA. Kernel32. - PowerPoint PPT Presentation
Citation preview
Windows Handle
somma_at_vmcraft_dot_comVMCraft inc., Ltd.
2008. 11. 15
Contents
Windows kernel architectureObject ?Handle tableReversing the PspCidTableExploit #1 Exploit #2
Windows kernel architecture
User-mode
Kernel-mode Trap interface / LPC
ntdll / run-time library
Win32 GUIProcs & threads
Kernel run-time / Hardware Adaptation Layer
Virtual memoryIO ManagerSecurity refmon
Cache mgr
File filters
File systems
Volume mgrs
Device stacks
Scheduler
Kernel32 User32 / GDI
DLLs
Applications
System Services
Object Manager / Configuration Management
FS run-time
exec synchr
Subsystemservers
Login/GINA
Critical services
Object ?
Object structure
DEMO - Digging windows object
HANDLE ?
Handle table
Handle table structure
Handle table structure
Reversing the PspCidTableHandle table contains every Process and Thread object.
DEMO - Reversing windows kernel
Exploit #1 OpenProcess() trick
Exploit #2 process hiding
Q & A
