Focus on Virus
Using windows local kernel debugger to hook functions in kernel space Jun 08 2015 10:30PM
DonVallejo . (j v vallejo gmail com)
Hello all,

These days I have been doing some proofs with WinDbg and Windows'
local kernel debugging functionality.

WinDbg, when it is working as a local kernel debugger, doesn't let you
modify some parts of kernel memory space if you try to write to the
virtual address. For example, if you try to modify code of ntoskrnl or
other drivers, it fails. However, if you convert the virtual address
that you want to modify to a physical address (command vtop) and you
modify the physical memory directly (command !eb), it lets you
modify it.

From my point of view this could be a security risk. Malware
consisting of a simple batch script, using only Microsoft-signed
tools, could be able to inject a rootkit into kernel memory,
skipping common Windows protections. It could inject code into kernel
memory space and hook a function (for example NtCreateFile) to point
to its code. It wouldn't need to execute unsigned executables in user
mode (only some Microsoft tools on the system and WinDbg, which it
could dump from the batch) or load signed drivers, and PatchGuard
doesn't stop these memory modifications that are done with WinDbg.

I wrote proof-of-concept code to test this behaviour. You can get
the code and the explanation here:

The PoC consists of a batch file that will dump a subset of WinDbg's
binaries (those that are necessary for what we want to do). It will
enable the local kernel debugging functionality and it will attach WinDbg
to automatically execute a WinDbg script that will inject some code into
kernel memory and will hook a point in NtCreateFile to call our code.


Javier Vicente Vallejo
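A defender-side check for the preconditions of what the post describes, added here as an example (it is not part of the original post or of the author's PoC). It assumes an elevated PowerShell session on the host being checked, English-locale bcdedit output (the "debug Yes/No" line is parsed), and process-creation auditing with command-line logging enabled for the Security event 4688 part.

```powershell
# Added example (not from the original post). Assumptions: elevated session,
# English bcdedit output, and Security event 4688 with command-line logging.

# Local kernel debugging only works when the boot entry has debugging enabled
# (`bcdedit /debug on` followed by a reboot), so this is the first thing to audit.
function Test-KernelDebugEnabled {
    # Braces are quoted so PowerShell does not treat {current} as a script block.
    $lines = & bcdedit.exe /enum '{current}' 2>$null
    if (-not $lines) { return $null }      # bcdedit not available or not elevated
    foreach ($line in $lines) {
        if ($line -match '^\s*debug\s+(Yes|No)\s*$') { return ($Matches[1] -eq 'Yes') }
    }
    return $false                          # no 'debug' element listed means it is off
}

# Hunt the Security log for the two steps the post's batch file needs:
# enabling debugging in the BCD store and attaching a local kernel debugger (-kl).
function Get-LocalKdActivity {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Pull EventData fields by name rather than by position.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $image = [string]$data['NewProcessName']
        $cmd   = [string]$data['CommandLine']
        $isKd  = ($image -match '\\(windbg|kd)\.exe$') -and ($cmd -match '(^|\s)-kl(\s|$)')
        $isBcd = ($image -match '\\bcdedit\.exe$')     -and ($cmd -match '/debug\s+on')
        if ($isKd -or $isBcd) {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Image   = $image
                Command = $cmd
                Parent  = $data['ParentProcessName']   # present on Windows 10 / 2016 and later
            }
        }
    }
}

# Report: a 'debug Yes' boot entry is the condition to remediate (bcdedit /debug off),
# and any -kl launch or /debug on outside a known debugging workflow deserves a look.
$dbg = Test-KernelDebugEnabled
if ($null -eq $dbg) { Write-Warning 'Could not read the BCD store; rerun from an elevated prompt.' }
elseif ($dbg)       { Write-Warning 'Kernel debugging is ON for the current boot entry; local kernel debugging is possible.' }
else                { 'Kernel debugging is off for the current boot entry.' }
Get-LocalKdActivity -Hours 72 | Format-Table -AutoSize
```

Without command-line auditing the 4688 events carry no CommandLine field, so only the bcdedit part of the hunt will match; the BCD check itself does not depend on auditing.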



