A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #16807  by _MAX_
 Sat Nov 24, 2012 9:08 am
Yes, these two posts are related to each other.
I'm patching an address in HalDispatchTable, but I want to restore the original address when I'm done. Now I want to read the value the pointer at HalDispatchTable+8 refers to, so that I can patch the table again and restore the original address!

I don't have my code here to paste, but the problem is what I explained before: how can I read that pointer value from user space? It seems it's not possible to read a kernel address from user mode, so could you please give me some other advice?
 #16810  by EP_X0FF
 Sat Nov 24, 2012 1:30 pm
_MAX_ wrote:Yes, these two posts are related to each other.
I'm patching an address in HalDispatchTable, but I want to restore the original address when I'm done. Now I want to read the value the pointer at HalDispatchTable+8 refers to, so that I can patch the table again and restore the original address!
How do you patch it, and for what purpose?
 #16815  by _MAX_
 Sat Nov 24, 2012 2:39 pm
I'm learning Windows kernel exploitation; I have a vulnerable driver to play with.
Code:
	ULONG_PTR				HalDispatchTable;
	ULONG_PTR				HaliQuerySystemInformationPointer;
	PULONG_PTR				HaliQuerySystemInformation;

	// map a copy of the kernel image into this process so its exports can be resolved
	hNtOsHandle = LoadLibrary( KernelImageName );
	if ( hNtOsHandle == NULL )
	{
		REPORT_ERROR("LoadLibrary()", &err);
		return FALSE;
	}

	// get nt!HalDispatchTable address , it is exported by kernel.
	// (module address rebased onto KernelBaseAddress, i.e. the kernel-mode address)
	HalDispatchTable = KernelGetProcAddress( (ULONG_PTR)hNtOsHandle, KernelBaseAddress, "HalDispatchTable" );
	if ( HalDispatchTable == 0 )
	{
		REPORT_ERROR("KernelGetProcAddress()", &err);
		return FALSE;
	}
	printf("HalDispatchTable at : %p\n", (PVOID)HalDispatchTable);

	// second slot of the table: base + 8 bytes
	HaliQuerySystemInformationPointer = HalDispatchTable + 0x8;
	printf( "HaliQuerySystemInformation Pointer at : %p\n", (PVOID)HaliQuerySystemInformationPointer );
	// add first, then cast: (ULONG_PTR*)HalDispatchTable + 0x8 would advance by 8 entries, not 8 bytes
	HaliQuerySystemInformation = (PULONG_PTR)( HalDispatchTable + 0x8 );

	// dereferences a kernel-mode address from user mode
	printf("- HaliQuerySystemInformation: %p\n", (PVOID)*HaliQuerySystemInformation);   // <<--- Access Violation
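An added illustration, not code from this thread, of just the C pointer-arithmetic point in the snippet above: `(ULONG_PTR*)base + 0x8` casts first and then advances by eight pointer-sized entries, while `(ULONG_PTR*)(base + 0x8)` advances by eight bytes. It uses a constructed table in the process's own memory (so every read is a legal user-mode read) with `uintptr_t` standing in for `ULONG_PTR`; the function names are mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Constructed stand-in for a dispatch table: TABLE_SLOTS pointer-sized
   slots in this process's memory. Slot i is filled with 0x1000 * (i + 1)
   so that the slot index is visible from the value read back. */
#define TABLE_SLOTS 16
static uintptr_t fake_table[TABLE_SLOTS];
static int table_ready = 0;

static void init_fake_table(void)
{
    if (table_ready)
        return;
    for (size_t i = 0; i < TABLE_SLOTS; i++)
        fake_table[i] = (uintptr_t)0x1000 * (uintptr_t)(i + 1);
    table_ready = 1;
}

/* Byte distance from the table base produced by the expression
   (T*)base + 0x8: the cast binds before the +, so 0x8 is scaled by sizeof(T). */
size_t offset_cast_then_add(void)
{
    uintptr_t base = (uintptr_t)fake_table;
    uintptr_t *p = (uintptr_t *)base + 0x8;
    return (size_t)((uintptr_t)p - base);
}

/* Byte distance produced by the intended expression (T*)(base + 0x8):
   always 8 bytes, regardless of pointer size. */
size_t offset_add_then_cast(void)
{
    uintptr_t base = (uintptr_t)fake_table;
    uintptr_t *p = (uintptr_t *)(base + 0x8);
    return (size_t)((uintptr_t)p - base);
}

/* Read the pointer-sized entry at byte offset `off` from the table base.
   Misaligned or out-of-range offsets return 0 instead of faulting. */
uintptr_t read_slot_at_byte_offset(size_t off)
{
    init_fake_table();
    if (off % sizeof(uintptr_t) != 0 || off + sizeof(uintptr_t) > sizeof fake_table)
        return 0;
    return *(uintptr_t *)((uintptr_t)fake_table + off);
}

int main(void)
{
    size_t wrong = offset_cast_then_add();
    size_t right = offset_add_then_cast();

    printf("sizeof(uintptr_t) = %zu\n", sizeof(uintptr_t));
    printf("(T*)base + 0x8   -> byte offset %zu, entry 0x%lx\n",
           wrong, (unsigned long)read_slot_at_byte_offset(wrong));
    printf("(T*)(base + 0x8) -> byte offset %zu, entry 0x%lx\n",
           right, (unsigned long)read_slot_at_byte_offset(right));
    return 0;
}
```

On a 64-bit build the first form lands 64 bytes in (slot 8, value 0x9000) and the second 8 bytes in (slot 1, value 0x2000); the point stands on 32-bit builds too, only the scale changes. None of this changes the thread's actual failure: a correctly computed kernel-mode address is still unreadable from user mode, which is what the access violation in the post reports.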
 #16816  by kmd
 Sat Nov 24, 2012 3:25 pm
HalDispatchTable is used to store the address of the shellcode to execute. NtQueryIntervalProfile is used to call this shellcode from user mode.
You have all your answers in the 2nd post of 0x16/7ton.

Without a driver or a bug in Windows you cannot write to or read from KM, unless this page is somehow shared between modes.
 #16818  by _MAX_
 Sat Nov 24, 2012 3:31 pm
kmd wrote:HalDispatchTable is used to store the address of the shellcode to execute. NtQueryIntervalProfile is used to call this shellcode from user mode.
You have all your answers in the 2nd post of 0x16/7ton.

Without a driver or a bug in Windows you cannot write to or read from KM, unless this page is somehow shared between modes.
OK, but when I'm patching the HalDispatchTable+8 entry, I get a blue screen when I want to restart or shut down the system, and I think that's because I'm patching HalDispatchTable. I want to restore it to its original form, and for that I think I need to have the original value before exploiting.
 #16819  by EP_X0FF
 Sat Nov 24, 2012 3:36 pm
_MAX_ wrote:
kmd wrote:HalDispatchTable is used to store the address of the shellcode to execute. NtQueryIntervalProfile is used to call this shellcode from user mode.
You have all your answers in the 2nd post of 0x16/7ton.

Without a driver or a bug in Windows you cannot write to or read from KM, unless this page is somehow shared between modes.
OK, but when I'm patching the HalDispatchTable+8 entry, I get a blue screen when I want to restart or shut down the system, and I think that's because I'm patching HalDispatchTable. I want to restore it to its original form, and for that I think I need to have the original value before exploiting.
Don't you think it is ridiculous to expect anything else after patching a kernel-mode table filled with kernel-mode addresses with an address pointing to nowhere in user mode? :) You have your dump in case of BSOD - where is its analysis?
 #16821  by _MAX_
 Sat Nov 24, 2012 4:04 pm
After all of this, is it not possible to restore HalDispatchTable+8 to its original value?
Yes/No
If yes, what?
Else, thank you.