Dimitri Fourny
Personal website and computer security blog.

Dumping the VEH in Windows 10

Vectored Exception Handling (VEH) is a Windows mechanism for handling application exceptions. Although there is an official Windows API to add and remove handlers via AddVectoredExceptionHandler and RemoveVectoredExceptionHandler, there is no official way to list all the handlers registered in an application. Inside the ReactOS source code you can find a source file where these APIs are reimplemented, and it gives us good information about how the mechanism works.

Writing Optimized Windows Shellcode

You always have a lot of possibilities when you write a shellcode payload, especially on Windows. Do you need to write all your ASM by hand, or can your compiler help you? Do you need to use syscalls directly, or should you search for the functions in memory? Because it’s not always simple to do, I decided to write an article about it. I usually do all the work in C and compile it with Visual Studio: the source code is nicer in C, the compiler does a better job of optimizing it, and you can implement your own obfuscator with LLVM if you want.

Attacking AES and DSA

Recently I was involved in a security conference called SecuDay, where I presented Attacking Games for Fun and Profit. At the end of the conference, we were invited to solve some challenges designed by Charles Bouillaguet. There were three levels: the easy and medium levels were based on brute-forcing an Advanced Encryption Standard 128-bit encryption, and the hard level was to crack a bad implementation of the Digital Signature Algorithm. The same DSA implementation flaw was used to break the Sony PS3.

VTable Hooking

Today, I will try to explain how we can hook a C++ class method. This technique works on Linux and Windows, but my examples are compiled on Linux.

Driver write-what-where vulnerability

In this article, we will exploit a write-what-where vulnerability on Windows 7 x64. To do that, we will use the last level of 0vercl0k’s series: level 3. We need to make some changes to get a driver that works on an x64 system:

Driver dereferenced pointer in Windows 7 x64

In my previous article, I talked about the exploitation of a kernel buffer overflow. This time, I will not play with Windows XP x86 but with Windows 7 x64 on 0vercl0k’s level 2 driver. 0vercl0k coded this driver for an x86 environment, so we need to make some changes:

Make a plugin for WinDbg

WinDbg is a powerful Windows debugger: it can debug x86 and x64 applications, in user land or in kernel land. Despite its useful commands, we would like to write some plugins to get faster and better debugging sessions. Fortunately for us, it’s possible to write WinDbg plugins in C or C++ to add a lot of commands to our favorite debugger. I will use C++, but it’s possible to use another language as long as it supports DLL creation. With Python, you can use PyKd. The plugin that you will be able to write after this article, with a little documentation, looks like this:

Kernel buffer overflow on Windows

Buffer overflows are cool in user land, but they can be even more fun in kernel land. This time, we will use a buffer overflow to perform a privilege escalation and get SYSTEM rights, so we can do anything we want on the system. To practise, we don’t need to code a driver ourselves: 0vercl0k has done it for us! So we get the level 1 files and start our XP VM.

How to detect and exploit a buffer overflow

The buffer overflow is the most classic vulnerability, on Linux as well as on Windows. In this article, I will try to show you how to exploit a buffer overflow on Windows with WinDbg and a little Python code.