This Notion page contains notes, blog posts, and resources on advanced reverse engineering and exploitation techniques to aid you in preparing for the AWE course and the OSEE certification by OffSec.

Table of Contents ☠︎︎

Windows Kernel Exploitation

Fundamental Internals (Internals in Detail)

How a driver is invoked from user mode (using ReadFile as the example):

                        +--------------------+
                        | Call ReadFile()    | App.exe
                        +--------------------+
                                   ↓
                        +--------------------+
                        | Call NtReadFile()  | Kernel32.dll
                        +--------------------+
                                   ↓
                        +--------------------+
                        | sysenter / syscall | ntdll.dll
                        +--------------------+
 User Mode                         ↓
-----------------------------------↓----------------------------------------
 Kernel Mode                       ↓
                        +--------------------+
                        | Call NtReadFile()  | ntoskrnl.exe
                        +--------------------+
                                   ↓
                        +--------------------+
                        | NtReadFile:        | ntoskrnl.exe
                        | Call driver        |
                        +--------------------+
                                   ↓
                        +--------------------+
                        | Initiate I/O       | driver.sys
                        +--------------------+

IRP (I/O Request Packet): a kernel structure that describes the I/O operation (i.e. the function) to be performed. It carries the I/O stack (one IO_STACK_LOCATION per driver in the device stack) holding the I/O control code, the target device object, the buffer for the data transfer, and the other parameters of the request.

IOCTL (Input/Output Control) Code: the mechanism by which a user-mode application sends control commands to a device driver; the code identifies which driver-defined operation is requested.

Every IRP has an I/O stack, and each I/O stack location is an IO_STACK_LOCATION structure describing the IRP and its operation for one driver in the stack: the major and minor function codes, the DeviceObject, the FileObject, and the operation's arguments (the Parameters union).
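
The fields packed into an IOCTL code, and why the transfer method matters once the code reaches a driver's IRP_MJ_DEVICE_CONTROL stack location, as an added C example (not from the page or any vendor driver): the CTL_CODE macro and its constants are redefined here so it builds without the WDK, and the sample code value is constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Bit layout of a Windows I/O control code (as defined in winioctl.h / ntddk.h):
 *   bits 31..16 DeviceType | 15..14 RequiredAccess | 13..2 FunctionCode | 1..0 TransferType */
#define CTL_CODE(DeviceType, Function, Method, Access)                     \
    (((uint32_t)(DeviceType) << 16) | ((uint32_t)(Access) << 14) |         \
     ((uint32_t)(Function) << 2) | (uint32_t)(Method))

#define FILE_DEVICE_UNKNOWN 0x22   /* common DeviceType for third-party drivers */
#define METHOD_BUFFERED     0
#define METHOD_IN_DIRECT    1
#define METHOD_OUT_DIRECT   2
#define METHOD_NEITHER      3
#define FILE_ANY_ACCESS     0
#define FILE_READ_ACCESS    1
#define FILE_WRITE_ACCESS   2

typedef struct {
    uint32_t device_type; /* which device family the code is meant for */
    uint32_t access;      /* FILE_*_ACCESS the caller's handle must have been opened with */
    uint32_t function;    /* driver-specific function number; 0x800-0xFFF is the vendor range */
    uint32_t method;      /* how the I/O manager hands the caller's buffers to the driver */
} ioctl_fields;

/* Split an IOCTL value into the four fields encoded by CTL_CODE. */
ioctl_fields decode_ioctl(uint32_t code) {
    ioctl_fields f;
    f.device_type = (code >> 16) & 0xFFFF;
    f.access      = (code >> 14) & 0x3;
    f.function    = (code >> 2)  & 0xFFF;
    f.method      =  code        & 0x3;
    return f;
}

/* Returns 1 when the I/O manager copies or locks the caller's buffers before the
 * dispatch routine runs (BUFFERED / IN_DIRECT / OUT_DIRECT). Returns 0 for
 * METHOD_NEITHER: the IO_STACK_LOCATION then carries raw user-mode pointers, and
 * the driver must probe and validate them itself before touching them. */
int io_manager_validates_buffers(uint32_t code) {
    return decode_ioctl(code).method != METHOD_NEITHER;
}

int main(void) {
    /* Constructed sample: vendor function 0x800 on an "unknown" device using METHOD_NEITHER. */
    uint32_t code = CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_NEITHER, FILE_ANY_ACCESS);
    ioctl_fields f = decode_ioctl(code);
    printf("IOCTL 0x%06X: device 0x%X function 0x%X method %u access %u validated=%d\n",
           code, f.device_type, f.function, f.method, f.access,
           io_manager_validates_buffers(code));
    return 0;
}
```

When auditing a driver, decoding each IOCTL this way tells you which handlers receive unvalidated user pointers and deserve the closest review.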

Most common IRP major functions: