The notion of a system call ceases to exist in kernel space, as code running in kernel space is already in "the system." The only functions that you will have access to initially will be those exported by the kernel. The interface to those functions may or may not be published, depending on the operating system that you are dealing with. An excellent source of information on the Windows kernel programming interface is Gary Nebbett's book Windows NT/2000 Native API Reference. Once you are familiar with the native Windows API, you will still be faced with the problem of locating all of the functions that you wish to make use of. In the case of the Windows kernel, techniques similar to those used for locating functions in user space can be employed, as the Windows kernel (ntoskrnl.exe) is itself a Portable Executable (PE) file.
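Because the kernel image is an ordinary PE file, the same export-directory walk that analysts and symbol resolvers use on user-space DLLs enumerates its exported functions. The following is an added example, not code from the book: it parses the export table of a PE32+ image and runs against a small image constructed inline (the function names and RVAs in it are sample data, and the forwarder target "SAMPLE.Target" is a placeholder). It also handles the one edge case that trips up naive parsers: an export whose address falls inside the export directory itself is a forwarder string, not code.

```python
import struct
def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")

def rva_to_offset(rva, sections):
    """Translate an RVA to a file offset; sections are (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)."""
    for vsize, va, raw_size, raw_ptr in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")

def parse_exports(image):
    """Walk the PE export directory and return {name: rva} ('->target' for forwarders)."""
    pe = struct.unpack_from("<I", image, 0x3C)[0]                      # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0": raise ValueError("missing PE signature")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, pe + 4)
    opt = pe + 24
    dd = opt + (112 if struct.unpack_from("<H", image, opt)[0] == 0x20B else 96)  # PE32+ / PE32
    exp_rva, exp_size = struct.unpack_from("<II", image, dd)           # data directory 0 = exports
    sections = [struct.unpack_from("<IIII", image, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    n_funcs, n_names, f_rva, n_rva, o_rva = struct.unpack_from("<IIIII", image, rva_to_offset(exp_rva, sections) + 20)
    funcs = struct.unpack_from(f"<{n_funcs}I", image, rva_to_offset(f_rva, sections))
    name_rvas = struct.unpack_from(f"<{n_names}I", image, rva_to_offset(n_rva, sections))
    ordinals = struct.unpack_from(f"<{n_names}H", image, rva_to_offset(o_rva, sections))
    exports = {}
    for name_rva, idx in zip(name_rvas, ordinals):
        name, target = _cstr(image, rva_to_offset(name_rva, sections)), funcs[idx]
        if exp_rva <= target < exp_rva + exp_size:   # inside the directory: a forwarder string, not code
            target = "->" + _cstr(image, rva_to_offset(target, sections))
        exports[name] = target
    return exports

def build_sample_image():
    """Constructed PE32+ image with one .edata section (sample data, not a real kernel binary)."""
    sec_va, sec_raw = 0x1000, 0x200
    blob, name_rvas = bytearray(70), []            # 40-byte directory + 3 funcs + 3 names + 3 ordinals
    for n in (b"ExAllocatePool", b"KeBugCheckEx", b"Forwarded"):
        name_rvas.append(sec_va + len(blob)); blob += n + b"\0"
    fwd_rva = sec_va + len(blob); blob += b"SAMPLE.Target\0"   # placeholder forwarder target
    struct.pack_into("<IIIII", blob, 20, 3, 3, sec_va + 40, sec_va + 52, sec_va + 64)
    struct.pack_into("<3I3I3H", blob, 40, 0x4000, 0x5200, fwd_rva, *name_rvas, 0, 1, 2)
    img = bytearray(sec_raw + len(blob))
    struct.pack_into("<I", img, 0x3C, 0x40); img[0x40:0x44] = b"PE\0\0"      # e_lfanew, signature
    struct.pack_into("<H", img, 0x46, 1); struct.pack_into("<H", img, 0x54, 240)  # NumberOfSections, SizeOfOptionalHeader
    struct.pack_into("<H", img, 0x58, 0x20B)                                 # PE32+ magic
    struct.pack_into("<II", img, 0x58 + 112, sec_va, len(blob))              # export data directory
    struct.pack_into("<8sIIII", img, 0x148, b".edata", len(blob), sec_va, len(blob), sec_raw)
    img[sec_raw:] = blob
    return bytes(img)
```

Running `parse_exports(build_sample_image())` yields the two sample function RVAs plus the forwarder marked with "->"; the same walk applied to a real kernel image gives the RVA list that a symbol resolver or integrity checker would compare against.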
Stability becomes a huge concern when developing kernel-level exploits. As mentioned previously, one wrong move in the kernel can bring down the entire system. Any shellcode you use will need to take into account the effect your exploit will have on the thread that you exploited. If the thread crashes or becomes unresponsive, the entire system may soon follow. Proper cleanup is a very important piece of any kernel exploit.