Anyone got 5492569df2b1c63e2b97e443a9ce5cd6?
I'm trying to get all TEB base addresses from all threads with the purpose of installing a global SEH, but I haven't figured out how I can do it. Could anyone help me, please?
Would FindWindow + GetWindowThreadProcessId be a good solution for this problem?
This is a very interesting vulnerability I'd like to talk about. We can exploit it from ring3 by calling syscall from a non-canonical address, but what I don't understand is what really happens when #GP(0) is executed. How can we control execution flow? I haven't seen much information in the Intel man...
I'm going to try to play with it, but we are dealing with hell trying to exploit a kernel pool overwrite.
By "stealthiest" I mean hard to detect. Great, but I'd like to do the whole thing from ring3. Of course ring0 code can give us superpowers, but I still think loading a driver is very "noisy" (at least with the documented and undocumented methods I know).
So, I was just thinking, what's the stealthiest way of closing another process? Creating a remote thread with a null pointer, window message flooding maybe?