j00ru
December 10th, 2011, 12:14
Quote (Originally Posted by Indy): Callbacks are a lot. You have chosen Hal, this is not acceptable.

Whether a solution is acceptable or not depends on the context, and HalDispatchTable was just an example of triggering ring-0 execution through an overwritten static function pointer, which is suitable in many cases.
Quote (Originally Posted by Indy): First it will cause an AV reaction. Second, dynamic detection (wincheck etc.). The above creation of SDT is ideal.

I am unsure of what you're referring to, but in general, messing with the IDT is as noisy and easy to detect as anything else (if not easier).
Quote (Originally Posted by Indy): You do not need to know the base or the kernel, or exports, to analyze.

Yes, that's a nice advantage indeed, but it makes no difference on the Windows editions available today, with lots of other kernel leakages described in the paper. However, it might make a difference in a few years, who knows.
Quote (Originally Posted by Indy): In addition, how will it behave on W8?

I haven't had a chance to verify that yet, but my guess is that it works just fine (if you mean Windows 8, that is).
Quote (Originally Posted by Indy): That table was used by R. Santamarta (reversemode.com). It has long been detected. And information about this backdoor is older than I am.

I don't know of any other sources describing the techniques before Ruben, who did so in 2007. You must be really young...
Quote (Originally Posted by Indy): Why did you decide that AV does not filter the challenge? For example the simplest task: set the interrupt vector. How do you be a t-frame?

Could you rephrase?

Honestly, I can't really see the point of this discussion. The paper lists all of the potential exploitation vectors made available by the lack of kernel address space information restrictions, no matter how good or bad they are in real scenarios (although using most of them is usually feasible). And the IDT is discussed as well...