Windows Handle
somma_at_vmcraft_dot_com
VMCraft inc., Ltd.
2008. 11. 15
Contents
Windows kernel architecture
Object ?
Handle table
Reversing the PspCidTable
Exploit #1
Exploit #2
Windows kernel architecture
[Figure: Windows kernel architecture diagram, showing the user-mode and kernel-mode layers. Labels on the slide: Applications, DLLs, Subsystem servers, Login/GINA, Critical services, ntdll / run-time library, Kernel32, User32 / GDI, System Services, Trap interface / LPC, Win32 GUI, Procs & threads, Virtual memory, IO Manager, Security refmon, Object Manager / Configuration Management, Cache mgr, File filters, File systems, FS run-time, Volume mgrs, Device stacks, Scheduler, exec synchr, Kernel run-time / Hardware Adaptation Layer.]
Object ?
Object structure
DEMO - Digging windows object
HANDLE ?
Handle table
Handle table structure
Handle table structure
Reversing the PspCidTable
The PspCidTable is a handle table that contains every Process and Thread object.
DEMO - Reversing windows kernel
Exploit #1 OpenProcess() trick
Exploit #2 process hiding
Q & A