[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
intercept nt/2k kernel api?
I've mostly teoretical questions, please excuse possbile mistakes/stupidity, since I'm not
using windows oftenly & I'm not a programmer, just a person who wish to understand some
security-related things, currently, I'm interested in brief understanding of nt/2k
rootkit builder problems.
Say, I'm already running in w2k as a vxd or so. AFAIK this is kernel mode. The questions are as follows:
*. Can I already being in kernel mode intercept Zw* and Nt* functions?
*. Can I write to kernel memory being in kernel mode (executable memory)?
*. Can I write to kernel memory belonging to another vxd or kernel itself (data memory)?
*. What are problems I'll meet to do so? (guess, but donno why - at least it'll be address to play w/
for particular function, but mebbe)
*. Does M$ really use non-executable flag for pages in XP service pack 2 for XP kernel and system applications on new amd 64bit cpus?
I'd be glad to see any good urls with overview of answers on above questions. Feel free to deny a post if it's out of topic for vuln-dev.