Windows device drivers remain vulnerable, and that is why many hackers are drawn to taking advantage of the situation. They aim to trigger a stack overflow, which allows them to overwrite the saved EIP value and so control the direction of execution flow; the code they redirect to is then run as SYSTEM. They extend the same knowledge to exploiting kernel vulnerabilities. Shockingly, the code is readily available online for anyone who wants to try their hand at this type of hacking. The pathway begins with Windows 7, whose 32-bit edition does not support SMEP. The absence of Supervisor Mode Execution Prevention (SMEP) and Supervisor Mode Access Prevention (SMAP) allows the hackers to map shellcode in user-mode memory and have the kernel execute it. Consequently, it is used to redirect the driver’s execution flow.
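The paragraph above turns on whether SMEP is present. As an added defender's check (not code from the original article), the following C program asks the processor via CPUID leaf 7, sub-leaf 0, whether the hardware offers SMEP and SMAP at all; the decoding function is kept separate from the query so it can be exercised with constructed register values. It assumes a GCC- or Clang-compatible compiler with `<cpuid.h>` on an x86 host and reports "unavailable" elsewhere.

```c
#include <stdio.h>
#include <stdint.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* Feature bits in EBX of CPUID leaf 7, sub-leaf 0 (architectural, documented by Intel and AMD). */
#define CPUID7_EBX_SMEP (1u << 7)
#define CPUID7_EBX_SMAP (1u << 20)

struct smxp_caps {
    int smep;   /* 1 if the CPU implements Supervisor Mode Execution Prevention */
    int smap;   /* 1 if the CPU implements Supervisor Mode Access Prevention */
};

/* Pure decoder: takes the raw EBX value so it can be tested with constructed inputs. */
struct smxp_caps decode_cpuid7_ebx(uint32_t ebx) {
    struct smxp_caps c;
    c.smep = (ebx & CPUID7_EBX_SMEP) != 0;
    c.smap = (ebx & CPUID7_EBX_SMAP) != 0;
    return c;
}

/* Query the running CPU. Returns 1 on success, 0 if leaf 7 is unavailable or this is not x86. */
int query_smxp_caps(struct smxp_caps *out) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned int a, b, c, d;
    if (__get_cpuid_max(0, NULL) < 7)                 /* CPU too old to have leaf 7 */
        return 0;
    if (!__get_cpuid_count(7, 0, &a, &b, &c, &d))     /* leaf/sub-leaf not supported */
        return 0;
    *out = decode_cpuid7_ebx(b);
    return 1;
#else
    (void)out;
    return 0;
#endif
}

int main(void) {
    struct smxp_caps caps;
    if (!query_smxp_caps(&caps)) {
        puts("CPUID leaf 7 unavailable on this processor/architecture");
        return 1;
    }
    printf("SMEP: %s\n", caps.smep ? "supported by hardware" : "absent");
    printf("SMAP: %s\n", caps.smap ? "supported by hardware" : "absent");
    return 0;
}
```

CPUID reports hardware capability only; whether the operating system actually enables the feature in CR4 is a separate question, which is exactly the gap the text describes for 32-bit Windows 7.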

Making the shellcode run as SYSTEM

The hacker will ensure that the shellcode can escalate privileges, so that the system is open to exploitation as intended. For example, they can use shellcode that is capable of stealing access tokens. This is the way in which they corrupt the security context of any given thread or process. Normally, the token contains sensitive information such as the privileges of a certain user account as well as the overall identity of the user. The shellcode runs as SYSTEM and is then able to obtain those permissions, which it can in turn use according to its needs. This is not a direct process, because they tend to experiment with different forms of debugging and fixes until they can return from kernel mode without experiencing the dreaded Blue Screen of Death.

There is such a thing as “clean” hacking code. What that really means is that it is able to infiltrate the system without causing noticeable errors, which would prompt the user to look for protective solutions. The hackers come up with an algorithm that can work clandestinely, inflicting damage without alerting the user to its presence. They are so effective that they save the driver’s registers as they enter the shellcode, which means they can restore them afterwards and avoid crashing the system. The shellcode works like a macro, looking for specific files and then stealing specific information from them without disrupting the outward appearance of normal functionality.

The Kernel Processor Control Region

It is notable that the KPCR is a structure which contains per-CPU data. This is used by the Hardware Abstraction Layer (HAL). During the hacking, they rely on it being at a fixed location: “fs[0] on x86, gs[0] on AMD64”. The reason for this location is that low-level components are able to reach it easily. The vulnerability is that it contains important information about the key functions of the system as well as the handling of interrupts. It really is the dream for a hacker, because they know that they are now able to get to the heart of the system and change its normal function for their own purposes. A lot follows from this in order to take full control over the system.