intercept nt/2k kernel api?

From: Oleg K.Artemjev (ollirbauto.ru)
Date: Tue Apr 20 2004 - 03:50:15 CDT


Hello, folks.

I have mostly theoretical questions; please excuse possible mistakes/stupidity, since I'm not
using Windows often and I'm not a programmer, just a person who wishes to understand some
security-related things. Currently, I'm interested in a brief understanding of NT/2K
rootkit builder problems.

Say I'm already running in W2K as a VxD or so. AFAIK this is kernel mode. The questions are as follows:

*. Can I, already being in kernel mode, intercept Zw* and Nt* functions?
*. Can I write to kernel memory while in kernel mode (executable memory)?
*. Can I write to kernel memory belonging to another VxD or to the kernel itself (data memory)?
*. What problems will I meet in doing so? (A guess, but I don't know why: at least it'll be the address to play with
    for a particular function, but maybe.)
*. Does M$ really use the non-executable flag for pages in XP Service Pack 2 for the XP kernel and system applications on the new AMD 64-bit CPUs?

I'd be glad to see any good URLs with an overview of answers to the above questions. Feel free to reject the post if it's off topic for vuln-dev.

--
Bye.Olli. http://olli.digger.org.ru
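The first four questions describe the classic NT-family interception technique: on 32-bit NT/2000/XP the Nt*/Zw* system services are reached through a kernel table of function pointers (the system service table hanging off KeServiceDescriptorTable), a rootkit driver replaces one entry with its own function and calls the saved original from it, and the "problem you'll meet" is that the page holding that table is write-protected, so the plain store faults until the driver lifts the protection (clearing CR0.WP, or mapping the page writable through an MDL). The program below is an added example, not code from the post and not a Windows driver: it models that mechanism in user mode on POSIX so that it can be compiled and run anywhere. The table, the two "services" (`svc_open_file`, `svc_close`) and their return values are constructed stand-ins; `mprotect()` plays the role of the kernel's page write protection, and a SIGSEGV handler lets the naive write fault without killing the process.

```c
/* Constructed user-mode model of NT-style system-service hooking.
 * Added example: not from the original post, not a Windows driver.
 * A page of function pointers plays the role of the kernel's service
 * table; mprotect() plays the role of the kernel's page write protection.
 */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

typedef long (*service_fn)(long arg);

/* Constructed stand-ins for two services; real Nt* bodies are not modelled. */
static long svc_open_file(long hint) { return hint + 0x100; } /* "handle" = hint + 0x100 */
static long svc_close(long handle)   { return handle > 0 ? 0 : -1; }

enum { SVC_OPEN_FILE = 0, SVC_CLOSE = 1, SVC_COUNT = 2 };

static service_fn *service_table;   /* the hypothetical dispatch table */
static size_t table_bytes;

/* Hook state: the saved original pointer and counters the hook updates. */
static service_fn saved_open_file;
static int hook_calls;
static long hook_last_arg;

/* The hook: observe the argument, then pass through to the saved original. */
static long hooked_open_file(long hint) {
    hook_calls++;
    hook_last_arg = hint;
    return saved_open_file(hint);
}

/* Allocate the table in its own page, fill it, then make the page read-only. */
int build_service_table(void) {
    table_bytes = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, table_bytes, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    service_table = (service_fn *)p;
    service_table[SVC_OPEN_FILE] = svc_open_file;
    service_table[SVC_CLOSE]     = svc_close;
    hook_calls = 0;
    return mprotect(p, table_bytes, PROT_READ);
}

/* What the system-call stub does after the trap: index the table and call. */
long dispatch(int index, long arg) {
    if (index < 0 || index >= SVC_COUNT) return -1;
    return service_table[index](arg);
}

/* Naive overwrite of a table entry, wrapped in a fault handler so the demo
 * survives. Returns 1 if the write faulted (page still protected), else 0. */
static sigjmp_buf fault_env;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }

int try_write_entry(int index, service_fn fn) {
    struct sigaction sa, old_segv, old_bus;
    volatile int faulted = 1;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    if (sigsetjmp(fault_env, 1) == 0) {
        ((volatile service_fn *)service_table)[index] = fn;  /* faults on a read-only page */
        faulted = 0;
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return faulted;
}

/* Lift the protection, swap the entry, put the protection back. The kernel
 * analogue is clearing CR0.WP or mapping the page writable via an MDL. */
int install_hook(int index, service_fn hook, service_fn *saved) {
    if (mprotect(service_table, table_bytes, PROT_READ | PROT_WRITE) != 0) return -1;
    *saved = service_table[index];
    service_table[index] = hook;
    return mprotect(service_table, table_bytes, PROT_READ);
}

int remove_hook(int index, service_fn saved) {
    if (mprotect(service_table, table_bytes, PROT_READ | PROT_WRITE) != 0) return -1;
    service_table[index] = saved;
    return mprotect(service_table, table_bytes, PROT_READ);
}

int main(void) {
    if (build_service_table() != 0) return 1;
    printf("naive write faulted: %d\n", try_write_entry(SVC_OPEN_FILE, hooked_open_file));
    install_hook(SVC_OPEN_FILE, hooked_open_file, &saved_open_file);
    printf("through hook -> %ld, hook calls %d\n", dispatch(SVC_OPEN_FILE, 4), hook_calls);
    remove_hook(SVC_OPEN_FILE, saved_open_file);
    printf("after unhook -> %ld, hook calls %d\n", dispatch(SVC_OPEN_FILE, 4), hook_calls);
    return 0;
}
```

The shape is the same as in a real driver: save the original pointer before overwriting it, make the hook tail-call that saved pointer so callers see unchanged behaviour, and restore both the entry and the page protection afterwards. What the model leaves out is everything that makes this fragile on a real kernel: other CPUs dispatching through the table while it is half-swapped, and the fact that integrity checks simply compare the table against the on-disk image of ntoskrnl.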