
Reverse Engineering Team Blog

05.13.07

Notes on Windows Vista Forensics

Posted in General Posts at 2:51 am by evilcry

Hello,
With Vista, many forensic analysis techniques need to be reviewed, so SecurityFocus published a paper covering Vista's new features and the corresponding forensic analysis.

http://www.securityfocus.com/infocus/1889

http://www.securityfocus.com/infocus/1890

Useful for learning how to hide/discover "something" in this new environment.

Have a nice Day

05.04.07

ring3 vs ring0

Posted in General Posts at 11:21 am by andreageddon

My friend sgrakkyu (ciao sgra) and I were talking about this nice feature to go to ring0 from ring3, although it is not usable for evil or tricky purposes. There are some tricks to go to ring0 from ring3 (\Device\PhysicalMemory, some debug-API-related overflows, etc.), but unluckily they require admin privilege (which makes those tricks quite useless!). There is a way to go to r0 from r3 whenever you want, but I still have to use the word "unluckily", because you can't use this feature to do whatever you want!
Well, the thing is easy: we are just talking about conforming and non-conforming segments. We usually deal with non-conforming segments, that is, when you go to ring0 code without using a valid call gate you get a general protection exception. What if the segment is conforming? Then we can call r0 code without raising exceptions, and without having to use legal call gates.

How does this work? First of all, only code segments can be conforming; data segments are NON conforming. A conforming segment simply allows execution to use ring 0 code. The caller DOES NOT change its CPL, so if you are in ring3, your CPL remains 3! In addition, the conforming segment can specify the DPL permitted to go to r0, so for example you can limit this execution to r2 only. Since data segments are NON conforming, you can't use this feature to execute code that modifies kernel data structures or other data.

So, what are these conforming segments used for??? Well, you can use this feature for example for math functions, so that you don't have to keep the code of such routines twice (both r0 and r3): you keep only one copy of the code in r0 code, and access it with conforming segments.
This isn't really a useful trick; it would be nice to see if it can somehow be exploited on Win or Lin to obtain r0 privileges, although I don't think conforming segments are used. I'll have to study this a bit; meanwhile any information is appreciated.
Bye!
AndreaGeddon
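To make the descriptor bits behind the post concrete, here is an added example in C (my own code, not from AndreaGeddon's post or the RET project) that decodes the access byte of an x86 segment descriptor, applies the Intel SDM privilege rule for a direct far transfer (non-conforming: CPL == DPL; conforming: CPL >= DPL, CPL unchanged), and audits a constructed sample GDT for conforming code segments that ring-3 code could enter without a gate. The sample descriptor values and all function names are assumptions, and the non-conforming rule is included to generalize beyond the conforming case the post focuses on.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Decoded view of the access byte (byte 5) of an 8-byte x86 segment descriptor. */
typedef struct {
    bool present;     /* P bit */
    unsigned dpl;     /* descriptor privilege level, 0..3 */
    bool is_system;   /* S bit clear: system descriptor (TSS, gate, ...) */
    bool is_code;     /* type bit 3: code (1) or data (0) segment */
    bool conforming;  /* type bit 2 of a code segment: the C bit */
} seg_access;

/* desc is the descriptor as a little-endian 64-bit value, as stored in the GDT/LDT. */
seg_access decode_access(uint64_t desc) {
    uint8_t a = (uint8_t)(desc >> 40);             /* byte 5 = access byte */
    seg_access r;
    r.present    = (a >> 7) & 1;
    r.dpl        = (a >> 5) & 3;
    r.is_system  = !((a >> 4) & 1);
    r.is_code    = (a >> 3) & 1;
    r.conforming = !r.is_system && r.is_code && ((a >> 2) & 1);
    return r;
}

/* Can code at privilege level cpl far-jump/call into this segment without a gate?
 * Non-conforming: CPL must equal DPL (and selector RPL <= DPL).
 * Conforming:     CPL >= DPL is enough, and CPL stays the same after the transfer. */
bool direct_transfer_allowed(uint64_t desc, unsigned cpl, unsigned rpl) {
    seg_access s = decode_access(desc);
    if (!s.present || s.is_system || !s.is_code) return false;
    if (s.conforming) return cpl >= s.dpl;
    return cpl == s.dpl && rpl <= s.dpl;
}

/* Audit: count descriptors that ring-3 code can enter directly and that run more
 * privileged code, i.e. present conforming code segments with DPL < 3. */
size_t count_ring3_reachable_privileged(const uint64_t *gdt, size_t n) {
    size_t count = 0;
    for (size_t i = 0; i < n; i++)
        if (direct_transfer_allowed(gdt[i], 3, 3) && decode_access(gdt[i]).dpl < 3)
            count++;
    return count;
}

/* Constructed sample GDT: null, kernel code/data (DPL0), user code/data (DPL3),
 * and one conforming ring-0 code segment (access byte 0x9E). */
const uint64_t sample_gdt[] = {
    0x0000000000000000ULL, 0x00CF9A000000FFFFULL, 0x00CF92000000FFFFULL,
    0x00CFFA000000FFFFULL, 0x00CFF2000000FFFFULL, 0x00CF9E000000FFFFULL,
};
const size_t sample_gdt_len = sizeof sample_gdt / sizeof sample_gdt[0];
```

Running `count_ring3_reachable_privileged(sample_gdt, sample_gdt_len)` over the sample table reports exactly the one conforming ring-0 entry; the ordinary kernel code segment is rejected because CPL 3 does not equal its DPL 0.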