"... One of such ideas was to use the Call-Gate mechanism in kernel/driver exploit development on Windows, or, to be more precise, to use a write-what-where condition to convert a custom LDT entry into a Call-Gate (this can be done by modifying just one byte), and using the Call-Gate to elevate the code privilege from user-land to ring0. The idea was turned into some PoC exploits, and finally, into the paper presented below..." by Matthew "j00ru" Jurczyk and Gynvael Coldwind:
http://vexillium.org/dl.php?call_gate_exploitation.pdf <- Paper
http://vexillium.org/dl.php?ldtsource.zip <- Source code
http://j00ru.vexillium.org/?p=290&lang=en <- Post of j00ru
http://gynvael.coldwind.pl/?id=274 <- Post of Gynvael
http://www.woodmann.com/forum/showthread.php?t=13355 <- Stability problems and other stuff by Gynvael and Indy
More about call gates:
My post called: Rootkit Arsenal, Installing a Call Gate
English post: http://www.rootkit.com/blog.php?newsid=992
Others:
http://www.phrack.com/issues.html?issue=59&id=16
http://www.intel.com/design/processor/m ... 253668.pdf
http://ricardonarvaja.info/WEB/OTROS/TU ... COPHARYNX/
http://members.fortunecity.com/blackfen ... gates.html
http://www.ivanlef0u.tuxfamily.org/?p=86
Sincerely, Dreg.
http://vexillium.org/dl.php?call_gate_exploitation.pdf <- Paper
http://vexillium.org/dl.php?ldtsource.zip <- Source code
http://j00ru.vexillium.org/?p=290&lang=en <- Post of j00ru
http://gynvael.coldwind.pl/?id=274 <- Post of Gynvael
http://www.woodmann.com/forum/showthread.php?t=13355 <- Stability problems and other stuff by Gynvael and Indy
More about call gates:
My post called: Rootkit Arsenal, Installing a Call Gate
English post: http://www.rootkit.com/blog.php?newsid=992
Others:
http://www.phrack.com/issues.html?issue=59&id=16
http://www.intel.com/design/processor/m ... 253668.pdf
http://ricardonarvaja.info/WEB/OTROS/TU ... COPHARYNX/
http://members.fortunecity.com/blackfen ... gates.html
http://www.ivanlef0u.tuxfamily.org/?p=86
Sincerely, Dreg.
