module Rex::Payloads::Win32::Kernel::Recovery

Recovery stubs are responsible for ensuring that the kernel does not crash after a kernel-mode payload has run. Once the exploit has succeeded, the stub must 'recover' the hijacked thread, either by consuming it (so it never returns into corrupted state) or by steering it back onto a normal execution path. Because the right path depends on which thread was hijacked and what was corrupted, recovery stubs are often exploit dependent. Each method below returns the stub as a raw x86 byte string.

Public Class Methods

default(opts = {})

The default recovery method is to spin the thread: it simply delegates to spin, so the hijacked thread is consumed rather than resumed.

# File lib/rex/payloads/win32/kernel/recovery.rb, line 17
def self.default(opts = {})
  spin(opts)
end
idlethread_restart(opts = {})

Restarts the idle thread by jumping back to the entry point of KiIdleLoop. This is only appropriate when the hijacked thread is the idle thread, and it requires a hard-coded address of KiIdleLoop, which changes between kernel builds and service packs. Pass 'KiIdleLoopAddress' in the options hash; if it is omitted, the stub falls back to the address for a fully patched Windows XP SP2, which will be wrong on any other build.

# File lib/rex/payloads/win32/kernel/recovery.rb, line 33
def self.idlethread_restart(opts = {})
  # Default to fully patched XP SP2; any other build needs its own address
  opts['KiIdleLoopAddress'] = 0x804dbb27 if opts['KiIdleLoopAddress'].nil?

  "\x31\xC0" +                                     # xor eax,eax
  "\x64\xC6\x40\x24\x02" +                         # mov byte [fs:eax+0x24],0x2  ; KPCR.Irql = DISPATCH_LEVEL, the IRQL KiIdleLoop runs at
  "\x8B\x1D\x1C\xF0\xDF\xFF" +                     # mov ebx,[0xffdff01c]        ; ebx = KPCR.SelfPcr (KPCR is at 0xffdff000 on 32-bit XP)
  "\xB8" + [opts['KiIdleLoopAddress']].pack('V') + # mov eax, KiIdleLoopAddress  ; 32-bit little-endian immediate
  "\x6A\x00" +                                     # push byte +0x0              ; dummy return address for the loop's frame
  "\xFF\xE0"                                       # jmp eax                     ; re-enter KiIdleLoop
end
spin(opts = {})

Infinite 'hlt' loop. The thread halts the processor until the next interrupt and then halts again, so it never returns to the caller; interrupts are still serviced, but the hijacked thread is consumed for good.

# File lib/rex/payloads/win32/kernel/recovery.rb, line 24
def self.spin(opts = {})
  "\xf4\xeb\xfd"   # hlt ; jmp short -3 (back to the hlt)
end