https://github.com/DownWithUp/DynamicKernelShellcode

An example of how x64 kernel shellcode can dynamically find and use APIs
https://github.com/DownWithUp/DynamicKernelShellcode

Last synced: 21 days ago
JSON representation

An example of how x64 kernel shellcode can dynamically find and use APIs

• Host: GitHub
• URL: https://github.com/DownWithUp/DynamicKernelShellcode
• Owner: DownWithUp
• Created: 2020-05-10T20:25:53.000Z (over 4 years ago)
• Default Branch: master
• Last Pushed: 2020-05-14T19:19:50.000Z (over 4 years ago)
• Last Synced: 2024-08-05T17:24:31.134Z (4 months ago)
• Language: Assembly
• Homepage:
• Size: 11.7 KB
• Stars: 103
• Watchers: 5
• Forks: 31
• Open Issues: 0
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

• awesome-hacking-lists - DownWithUp/DynamicKernelShellcode - An example of how x64 kernel shellcode can dynamically find and use APIs (Assembly)

README

        
# DynamicKernelShellcode

An example of how x64 kernel shellcode can dynamically find and use kernel APIs (exported from ntoskrnl). 
 Tested on Windows 10 x64 (1903)   

The shellcode is capable of returning function addresses from ntoskrnl. For more practical use, it can easily be modified to call these functions. I used [FASM](https://flatassembler.net/) as the assembler, but there is no special syntax so others should work. The Python file included is capable of generating the hashes needed.

## Useful resources

 - [DoublePulsar Shellcode Information](https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html)

 - [Super useful information about IDT](https://ired.team/miscellaneous-reversing-forensics/windows-kernel/interrupt-descriptor-table-idt)

 - [PE Format Image](https://en.wikipedia.org/wiki/Portable_Executable#/media/File:Portable_Executable_32_bit_Structure_in_SVG_fixed.svg)

 - [Great In Depth Information on PE Format](https://github.com/corkami/docs/blob/master/PE/PE.md)

 - [djb2 algorithm](http://www.cse.yorku.ca/~oz/hash.html)