Open Advanced Windows Exploitation
  • Introduction
    • Welcome
      • Subscribe
      • Contents
      • Intended Audience
      • Required Software and Tools
      • Thank You and Support
  • Custom Shellcode
    • 64-bit Architecture
      • 64-bit Enhancements
      • Calling Conventions
    • Shellcode Workflow
      • Visual Studio Code
      • Netwide Assembler
      • Windbg Preview
      • Workflow
    • Writing Shellcode
      • NULL-Free Position-Independent Shellcode
      • Finding kernel32.dll
      • Resolving Symbols
      • Finding VMAs
      • MessageBox Shellcode
      • Avoiding NULL
      • GetLastError
    • Reverse Shell
      • Exercise
      • Solution
  • Exploit Mitigations
    • Understanding the Battlefield
      • Memory Corruption
      • Vulnerability Primitives
      • Overview of Mitigations
    • Our Old Foes
      • DEP
      • ASLR
  • Memory Management
    • Memory Basics
      • Pages
      • Shared Memory
    • Memory Management
      • The Stack
      • The Heap
        • Heap Grooming and Overflow
        • Virtual Functions in C++
        • The Heap Continued
        • Kernel Mode Heap
      • Managed Memory
  • The Kernel
    • Kernel Basics
      • Kernel Structures
      • Kernel Debugging Options
      • Navigating the Kernel
      • Analysing the Kernel
    • Access Tokens
      • Access Token Basics
      • Token Theft
  • Drivers
    • Driver Basics
      • Implementing a Driver
      • Reversing Our Driver
      • A Basic User Mode Application
  • First Kernel Exploit
    • A Kernel Exploit
      • CVE 2020-17382
      • IDA Free
      • Writing A Basic Fuzzer
      • Controlling RIP
      • Meet SMEP
      • ROP to the Rescue
      • kASLR
      • Priv Esc Shellcode
    • Exploit Code
  • References
    • References
Powered by GitBook
On this page
  1. The Kernel
  2. Kernel Basics

Navigating the Kernel

As an exploit developer, it is important to be able to navigate the kernel to understand its structures, vulnerabilities, and develop effective exploitation techniques.

Process Context

In the Windows operating system, the kernel and each process have their own virtual address spaces. The kernel operates within a single virtual address space that is shared among all processes. This shared kernel address space allows the kernel to provide services and manage system resources on behalf of multiple processes.

On the other hand, each process has its own individual virtual address space that is unique to that process. The virtual address spaces of different processes can overlap, meaning that different processes may have memory regions with the same virtual addresses. However, these overlapping virtual addresses actually map to different physical memory locations, ensuring memory isolation and preventing one process from accessing another process's memory directly.

When you are debugging the kernel it is important to understand that you need to debug in the desired process context.

To list all of the processes currently running we can use the !process command:

0: kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
[omitted for brevity]
PROCESS fffffa8007e8fb30
    SessionId: 0  Cid: 069c    Peb: 7fffffdb000  ParentCid: 01f8
    DirBase: 1e42e4000  ObjectTable: fffff8a00255b4e0  HandleCount: 529.
    Image: SearchIndexer.exe

We can change the process context using the .process command:

0: kd> .process fffffa8007e8fb30
Implicit process is now fffffa80`07e8fb30
WARNING: .cache forcedecodeuser is not enabled

Now when we refer to memory in user space it will be in the context of this process.

This means we can debug and observe code in the kernel and user spaces in the same debugging session.

Work in progress

PreviousKernel Debugging OptionsNextAnalysing the Kernel

Last updated 1 year ago