Remote Windows Kernel Exploitation - Step Into the Ring 0

Black Hat via YouTube

Overview

Explore remote Windows kernel exploitation techniques in this Black Hat USA 2005 conference talk by Barnaby Jack. Dive into Ring 0 operations, covering topics such as the Kernel exploit, user API interactions, firewall considerations, and exception handling. Learn about memory dump analysis, redirect execution, and clean return methods. Examine the Send vulnerability, kernel heap overflow techniques, and the Kernel Loader. Discover how to predict stack behavior, implement userland shells, and utilize Ring 3 mapping. Witness the Bomberfish demo and explore Kernel keylogging capabilities, including keystroke capture and interrupt vector manipulation. Investigate methods for overriding kernel code and the Interrupt Descriptor Table (IDT). Gain insights into modular structure, ICMP echo handlers, and custom keyboard handlers. Delve into Kernel payloads, real mode operations, and techniques for preventing interruptions. Master the intricacies of remote Windows kernel exploitation to enhance your understanding of system vulnerabilities and protection mechanisms.

Syllabus

Introduction
Overview
Kernel
Exploit
User API
Firewall Considerations
Exception Handling
Memory Dump Analysis
Redirect Execution
Clean Return
Send Vulnerability
Kernel Heap Overflow
Overwrite
Kernel Loader
GetProcAddress
Predict Stack
Dispatch Level
Userland Shell
Ring 3 Map
APC
Bomberfish Demo
Kernel Keylogger
Keystroke Capture
Interrupt Vector
Overriding Kernel Code
Overriding IDT
Modular structure
ICMP echo handler
Custom keyboard handler
Kernel payloads
Real mode
The sickest room
The boring part
Preventing interruptions
Copying
payload
the payload

Taught by

Black Hat
