
article on ring0 exploits


HAVOK
March 5th, 2005, 11:12
Hi everybody,

The article below explains a few things about ring0 that are useful for coding exploits, for example:

Finding the image base of ntoskrnl.
Enumerating processes -> threads.
Running user-level code from ring0 (this was discussed in these forums).

I think it is interesting reading:

http://www.eeye.com/html/research/whitepapers/index.html

"remote windows kernel exploitation -step into the ring 0 (pdf)"

Regards,
Havok.
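
The first item on that list, finding the image base, as an added example that is not code from the paper or from this thread: take any address known to lie inside the loaded image (in ring 0 the classic anchor is an interrupt handler address read from the IDT, or the SYSENTER target MSR; which anchor the paper prefers is not restated here), page-align it, and walk down a page at a time until an MZ header whose e_lfanew leads to a "PE\0\0" signature is found. The "kernel" here is a constructed six-page buffer so the scan runs in user mode on any OS; it includes a decoy "MZ" to show why the DOS magic alone must not be trusted.

```c
/* Added example: locating an image base by walking backwards from an in-image address.
 * The image is a constructed buffer (not a real ntoskrnl); in ring 0 the same
 * find_image_base() would be fed a handler address and no floor. */
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define PAGE_SIZE      0x1000u
#define DOS_MAGIC      0x5A4Du      /* "MZ" as a little-endian word */
#define PE_SIGNATURE   0x00004550u  /* "PE\0\0" as a little-endian dword */
#define E_LFANEW_OFF   0x3Cu        /* e_lfanew inside IMAGE_DOS_HEADER */
#define MAX_SCAN_PAGES 0x4000u      /* stop after 64 MiB: a ring-0 payload must never spin forever */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Does a plausible PE image start at the page-aligned address 'base'?  "MZ" alone is
 * not enough (it can occur in data), so the NT signature at e_lfanew is checked too,
 * and e_lfanew is kept inside the first page so the check never touches another page. */
static int looks_like_pe(const uint8_t *base)
{
    if (rd16(base) != DOS_MAGIC) return 0;
    uint32_t e_lfanew = rd32(base + E_LFANEW_OFF);
    if (e_lfanew < 0x40u || e_lfanew > PAGE_SIZE - 4u) return 0;
    return rd32(base + e_lfanew) == PE_SIGNATURE;
}

/* Page-align 'anchor' (any address inside the image) and walk down one page at a time
 * until the header validates.  The pages between anchor and base belong to the image,
 * so in a loaded kernel they are mapped and the reads do not fault.  'lowest' is a
 * floor for this simulation (in ring 0 the page cap, or MmSystemRangeStart, plays that
 * role).  Returns NULL when no header is found. */
const uint8_t *find_image_base(const uint8_t *anchor, const uint8_t *lowest)
{
    uintptr_t p = (uintptr_t)anchor & ~(uintptr_t)(PAGE_SIZE - 1u);
    for (unsigned i = 0; i < MAX_SCAN_PAGES && p >= (uintptr_t)lowest; i++) {
        if (looks_like_pe((const uint8_t *)p)) return (const uint8_t *)p;
        if (p < PAGE_SIZE) break;          /* do not wrap below address zero */
        p -= PAGE_SIZE;
    }
    return NULL;
}

/* Constructed stand-in for a loaded image: six pages, genuine header in page 0,
 * a decoy "MZ" whose e_lfanew points at zeros in page 2. */
typedef struct { uint8_t *raw; uint8_t *base; size_t pages; } fake_image;

fake_image build_fake_image(void)
{
    fake_image img;
    img.pages = 6;
    img.raw = calloc(img.pages + 1, PAGE_SIZE);          /* one spare page for manual alignment */
    img.base = (uint8_t *)(((uintptr_t)img.raw + PAGE_SIZE - 1u) & ~(uintptr_t)(PAGE_SIZE - 1u));
    img.base[0] = 'M'; img.base[1] = 'Z';
    img.base[E_LFANEW_OFF] = 0x80;                       /* e_lfanew = 0x80 (upper bytes stay zero) */
    memcpy(img.base + 0x80, "PE\0\0", 4);
    uint8_t *decoy = img.base + 2 * PAGE_SIZE;
    decoy[0] = 'M'; decoy[1] = 'Z';
    decoy[E_LFANEW_OFF] = 0x80;                          /* decoy+0x80 is zero: no "PE\0\0", so it is skipped */
    return img;
}

/* Run one scan against the constructed image: the anchor is 'anchor_off' bytes into
 * page 'anchor_page', the floor is page 'lowest_page'.
 * Returns 1 if the genuine base was found, 0 if the scan gave up, -1 if it misfired. */
int demo_scan(size_t anchor_page, size_t anchor_off, size_t lowest_page)
{
    fake_image img = build_fake_image();
    const uint8_t *found = find_image_base(img.base + anchor_page * PAGE_SIZE + anchor_off,
                                           img.base + lowest_page * PAGE_SIZE);
    int result = (found == NULL) ? 0 : (found == img.base ? 1 : -1);
    free(img.raw);
    return result;
}

int main(void)
{
    printf("anchor in page 4: %d (1 = base found)\n", demo_scan(4, 0x123, 0));
    printf("anchor in decoy page 2: %d\n", demo_scan(2, 0x10, 0));
    printf("floor above the base: %d (0 = gave up)\n", demo_scan(4, 0, 1));
    return 0;
}
```

The page cap matters more in ring 0 than it looks: a payload that misidentifies its anchor and scans into unmapped memory takes the machine down with a page fault at high IRQL, so bounding the walk (and validating the full header, not just "MZ") is what keeps the exploit from becoming a denial of service.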

thandermax
April 20th, 2005, 04:06
Beg your pardon,
Another idea would be:

Why use this type of tricky code, when you can build your custom exploitation device driver and use it to run code in ring 0 from ring 3 by clever use of code? AND THE OS WILL ALWAYS WELCOME LOADING A NEW DRIVER AT ANY TIME WITHOUT ANY CHECK.
And it provides you an NT API to get the kernel base.

Use the driver as a resource, load it from there at runtime and hook specific parts of the OS!

See the code used in InpOut32.dll. The source code is available for free from codersheaven.com.

Waiting for your criticism!


dELTA
April 20th, 2005, 04:10
The techniques in that paper are focused on code injected directly into ring 0 (by means of e.g. a buffer overflow), and then you must use these tricks to "break out of the driver" first before being able to do anything else...

laola
April 20th, 2005, 06:46
Quote:
[Originally Posted by thandermax]Beg your pardon,
Another idea would be:

Why use this type of tricky code, when you can build your custom exploitation device driver and use it to run code in ring 0 from ring 3 by clever use of code? AND THE OS WILL ALWAYS WELCOME LOADING A NEW DRIVER AT ANY TIME WITHOUT ANY CHECK.
And it provides you an NT API to get the kernel base.


This method is used here and there (most prominently in Regmon and Filemon, I guess), BUT: you have to have the permissions to load drivers.
There are sanity checks, that much is for sure. (Just my $0.05... ah well, inflation all around...) E.g. the OS won't load a driver with a wrong PE header checksum, or no proper one. (This can be fixed easily, and after some tool destroyed my patch code in the PE header by mindlessly adding a tag, I made up my own patcher, dead easy.)
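
The checksum repair laola describes, as an added example (this is not laola's patcher and not code from this thread): recompute the CheckSum field of IMAGE_OPTIONAL_HEADER after patching a driver, using the documented ImageHlp algorithm (a ones'-complement style sum of the file's 16-bit words with the 4-byte field itself skipped, folded to 16 bits, plus the file length). That this is exactly what the Windows loader verifies is an assumption here; compare the result against MapFileAndCheckSum on a real file before relying on it. The sample "driver" is a constructed 256-byte buffer, not a real PE.

```c
/* Added example: PE header checksum computation and repair (portable, no windows.h).
 * Assumption: the ImageHlp CheckSumMappedFile algorithm as widely documented. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define E_LFANEW_OFF        0x3Cu
/* Signature(4) + IMAGE_FILE_HEADER(20) + OptionalHeader.CheckSum(0x40): same for PE32 and PE32+ */
#define CHECKSUM_OFF_IN_NT  0x58u

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* File offset of the CheckSum field, or 0 if the buffer does not even hold the headers. */
size_t pe_checksum_offset(const uint8_t *file, size_t len)
{
    if (len < E_LFANEW_OFF + 4u) return 0;
    uint32_t e_lfanew = rd32(file + E_LFANEW_OFF);
    if ((size_t)e_lfanew + CHECKSUM_OFF_IN_NT + 4u > len) return 0;
    return (size_t)e_lfanew + CHECKSUM_OFF_IN_NT;
}

/* Sum every 16-bit word with end-around carry, skipping the CheckSum field itself,
 * fold to 16 bits and add the file length.  (Assumes e_lfanew is 4-byte aligned, as
 * the linker emits it, so the skipped field starts on a word boundary.) */
uint32_t pe_checksum(const uint8_t *file, size_t len)
{
    size_t skip = pe_checksum_offset(file, len);
    uint32_t sum = 0;
    size_t i;
    for (i = 0; i + 1 < len; i += 2) {
        if (skip && (i == skip || i == skip + 2)) continue;
        sum += rd16(file + i);
        sum = (sum & 0xFFFFu) + (sum >> 16);
    }
    if (i < len) sum += file[i];        /* odd trailing byte: low half of a zero-padded word */
    sum = (sum & 0xFFFFu) + (sum >> 16);
    sum += sum >> 16;
    sum &= 0xFFFFu;
    return sum + (uint32_t)len;
}

/* Recompute after patching and write the value back; returns the new checksum. */
uint32_t pe_fix_checksum(uint8_t *file, size_t len)
{
    size_t off = pe_checksum_offset(file, len);
    uint32_t sum = pe_checksum(file, len);
    if (off) wr32(file + off, sum);
    return sum;
}

/* Constructed 256-byte stand-in for a driver file: "MZ", e_lfanew = 0x80, "PE\0\0" at
 * 0x80, and a stale 0xDEADBEEF in the CheckSum field (0x80 + 0x58 = 0xD8) to be ignored. */
#define SAMPLE_LEN 0x100u
void build_sample(uint8_t *buf)
{
    memset(buf, 0, SAMPLE_LEN);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[E_LFANEW_OFF] = 0x80;
    memcpy(buf + 0x80, "PE\0\0", 4);
    wr32(buf + 0x80 + CHECKSUM_OFF_IN_NT, 0xDEADBEEFu);
}

/* Contributing words: 0x5A4D ("MZ") + 0x0080 (e_lfanew) + 0x4550 ("PE") = 0xA01D,
 * plus the length 0x100, so the expected value is 0xA11D whatever the stale field holds. */
uint32_t demo_sample_checksum(void)
{
    uint8_t buf[SAMPLE_LEN];
    build_sample(buf);
    return pe_checksum(buf, SAMPLE_LEN);
}

/* A one-byte patch invalidates the stored value; pe_fix_checksum makes it verify again.
 * Returns 1 if both hold. */
int demo_patch_and_fix(void)
{
    uint8_t buf[SAMPLE_LEN];
    build_sample(buf);
    uint32_t before = pe_fix_checksum(buf, SAMPLE_LEN);   /* make the sample consistent first */
    buf[0xF0] ^= 0x90;                                    /* "patch": change a byte outside the headers */
    int stale = pe_checksum(buf, SAMPLE_LEN) != before;
    uint32_t after = pe_fix_checksum(buf, SAMPLE_LEN);
    return stale && rd32(buf + 0x80 + CHECKSUM_OFF_IN_NT) == after
                 && pe_checksum(buf, SAMPLE_LEN) == after;
}

int main(void)
{
    printf("sample checksum: 0x%04X (expect 0xA11D)\n", demo_sample_checksum());
    printf("patch then fix: %d (1 = ok)\n", demo_patch_and_fix());
    return 0;
}
```

To use it on a real driver, read the whole file into memory, call pe_fix_checksum on it and write it back; a mismatch between pe_checksum and MapFileAndCheckSum on the same unmodified file means the assumption about the algorithm does not hold for that file and the patcher should not be trusted.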

Clandestiny
April 21st, 2005, 08:36
Quote:
[Originally Posted by thandermax]Beg your pardon,
Why use this type of tricky code, when you can build your custom exploitation device driver and use it to run code in ring 0 from ring 3 by clever use of code? AND THE OS WILL ALWAYS WELCOME LOADING A NEW DRIVER AT ANY TIME WITHOUT ANY CHECK.
And it provides you an NT API to get the kernel base.


The OS will load any driver without checks, but that doesn't mean that some AV or anti-rootkit program hasn't hooked into driver loading and won't halt your driver from being loaded if it resembles a virus or rootkit. In this case, the method presented in the article might be more stealthy (albeit more complex and less stable).

Clandestiny