I. Exploiting a NULL pointer dereference in a kernel vulnerability
1. Trigger the NULL pointer dereference for a denial of service.
2. Use the zero page to get control over EIP/RIP.
The exploitation of that kernel vulnerability in Chapter 3 is a real classic.
II. Finding driver vulnerabilities in an open-source system
Step 1: List the IOCTLs of the kernel.
Step 2: Identify the input data.
Step 3: Trace the input data.
III. Hunting bugs in kernel drivers
Step 1: Prepare a VMware guest for kernel debugging.
Step 2: Generate a list of the drivers and device objects created by avast!
Step 3: Check the device security settings.
Step 4: List the IOCTLs.
Step 5: Find the user-controlled input values.
Step 6: Reverse engineer the IOCTL handler.
IRP offsets (x86): IRP+0x60 = Tail.Overlay.CurrentStackLocation; in that IO_STACK_LOCATION, +0x8 = InputBufferLength, +0x4 = OutputBufferLength, +0xC = IoControlCode.
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>   /* strtoul */

/* Decode the data transfer method (lowest two bits) of a Windows IOCTL code. */
int
main (int argc, char *argv[])
{
  unsigned int method = 0;
  unsigned int code = 0;

  if (argc != 2) {
    fprintf (stderr, "Usage: %s <IOCTL code>\n", argv[0]);
    return 1;
  }

  code = strtoul (argv[1], (char **) NULL, 16);   /* IOCTL code is given in hex */
  method = code & 3;                              /* METHOD_* lives in bits 0-1 */

  switch (method) {
  case 0:
    printf ("METHOD_BUFFERED\n");
    break;
  case 1:
    printf ("METHOD_IN_DIRECT\n");
    break;
  case 2:
    printf ("METHOD_OUT_DIRECT\n");
    break;
  case 3:
    printf ("METHOD_NEITHER\n");
    break;
  default:
    fprintf (stderr, "ERROR: invalid IOCTL data transfer method\n");
    break;
  }

  return 0;
}
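The decoder above only prints the transfer method. As an added example (my own code, not the book's), the following extends it to all four fields that the CTL_CODE macro packs into an IOCTL code and flags METHOD_NEITHER codes, whose handlers receive raw user-mode pointers and are the first candidates for step 5 and 6 review; the sample codes 0x2D1400 and 0x22E003 in the comments are illustrative values, the latter constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* CTL_CODE layout: (DeviceType << 16) | (Access << 14) | (Function << 2) | Method */
struct ioctl_fields {
    unsigned int device_type;     /* bits 16-31, e.g. 0x22 = FILE_DEVICE_UNKNOWN */
    unsigned int required_access; /* bits 14-15: 0 any, 1 read, 2 write, 3 both */
    unsigned int function;        /* bits 2-13; 0x800 and up are vendor-defined */
    unsigned int method;          /* bits 0-1, the field the page's decoder prints */
};

struct ioctl_fields decode_ioctl(uint32_t code)
{
    struct ioctl_fields f;
    f.device_type     = (code >> 16) & 0xFFFF;
    f.required_access = (code >> 14) & 0x3;
    f.function        = (code >> 2)  & 0xFFF;
    f.method          = code & 0x3;
    return f;
}

const char *method_name(unsigned int method)
{
    static const char *names[] = { "METHOD_BUFFERED", "METHOD_IN_DIRECT",
                                   "METHOD_OUT_DIRECT", "METHOD_NEITHER" };
    return names[method & 0x3];
}

/* METHOD_NEITHER hands the handler raw user-mode pointers (Type3InputBuffer,
 * UserBuffer) rather than a kernel copy in SystemBuffer, so these handlers
 * are the first to check for missing ProbeForRead/ProbeForWrite in step 6. */
int needs_pointer_audit(uint32_t code)
{
    return decode_ioctl(code).method == 3;
}

int main(int argc, char *argv[])
{
    if (argc != 2) { fprintf(stderr, "Usage: %s <IOCTL code in hex>\n", argv[0]); return 1; }
    uint32_t code = (uint32_t)strtoul(argv[1], NULL, 16);   /* e.g. 0x2D1400 */
    struct ioctl_fields f = decode_ioctl(code);
    printf("device 0x%X  function 0x%X  access %u  %s%s\n", f.device_type,
           f.function, f.required_access, method_name(f.method),
           needs_pointer_audit(code) ? "  <- audit user pointers" : "");
    return 0;
}
```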
METHOD_BUFFERED => Irp->AssociatedIrp.SystemBuffer => mov eax, [ebx+0Ch] ; ebx = address of IRP
                                                     mov eax, [eax]
dt -v _DRIVER_OBJECT
dt -v -r 3 _IRP
dt -v -r 2 _IRP