How to run userland code from the kernel on Windows – Version 2.0

Introduction 2 years ago, Thierry F. wrote an article in this blog about a technique that could allow a driver to inject a DLL in a process (https://thisissecurity.net/2014/04/08/how-to-run-userland-code-from-the-kernel-on-windows/). This was based on the reverse engineering of the field PEB.KernelCallbackTable, which is untyped and completely undocumented. You may have discovered, through the article mentioned above that,... Continue Reading →

How to run userland code from the kernel on Windows

Introduction Before Windows NT 4.0, the graphical part of the Windows subsystem was implemented completely in userland. Starting from NT 4.0 Microsoft decided to move a large part of the Window Manager and the Graphics Device Interface to kernel-mode in the Win32k.sys component. However, part of the implementation is still present in userland and the... Continue Reading →

Blog at WordPress.com.

Up ↑