[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

intercept nt/2k kernel api?

Hello, folks.

I've mostly teoretical questions, please excuse possbile mistakes/stupidity, since I'm not 
using windows oftenly & I'm not a programmer, just a person who wish to understand some
security-related things, currently, I'm interested in brief understanding of nt/2k 
rootkit builder problems. 

Say, I'm already running in w2k as a vxd or so. AFAIK this is kernel mode. The questions are as follows:

*. Can I already being in kernel mode intercept Zw* and Nt* functions?
*. Can I write to kernel memory being in kernel mode (executable memory)?
*. Can I write to kernel memory belonging to another vxd or kernel itself (data memory)?
*. What are problems I'll meet to do so? (guess, but donno why - at least it'll be address to play w/
    for particular function, but mebbe)
*. Does M$ really use non-executable flag for pages in XP service pack 2 for XP kernel and system    applications on new amd 64bit cpus?

I'd be glad to see any good urls with overview of answers on above questions. Feel free to deny a post if it's out of topic for vuln-dev.

Bye.Olli.			http://olli.digger.org.ru