NTOSKRNL
PRELIMINARY ANALYSIS OF 2005 DFRWS FORENSIC CHALLENGE
Accordingly we requested copies of the presumptive Windows kernel ( ntoskrnl.exe ) and important networking components ( tcpip.sys and afd.sys ). These files then were used to
http://www.dfrws.org/2005/challenge/rossettoecioccolato-DFRWSChallengeOverview.pdf

eEye Digital Security White Paper
A register is loaded with an index number, which indexes into the System Service Table, and subsequently accesses the offset into NTOSKRNL that represents the required function.
http://research.eeye.com/html/papers/download/StepIntoTheRing.pdf

WEF - Web Exploit Finder
listVMs() ... SSDT - System Service Descriptor Table (ServiceTable, ArgumentTable, ServiceLimit, CounterTable); SST; ZwCreateFile() resolved through Ntoskrnl.exe (poster figure: ZwCreateFile(), ServiceTable, ArgumentTable)
http://www.kes.info/archiv/material/bsikongress2007/poster-mack.pdf

Concepts for the Stealth Windows Rootkit
of deciding whether the access came from the scheduler or not should be researched. The first idea here is just to check if EIP belongs to the address space occupied by the ntoskrnl
http://invisiblethings.org/papers/chameleon_concepts.pdf

Vbootkit: Compromising Windows Vista Security
Explaining loading and execution of NTOSKRNL.EXE by WINLOAD.EXE • AhCreateLoadOptionsString (create a boot.ini style string to pass to kernel) • OslInitializeLoaderBlock (create
http://www.nvlabs.in/files/vbootkit_nitin_vipin_whitepaper.pdf

Bypassing PatchGuard on Windowsx64
protect the following critical structures: • SSDT (System Service Descriptor Table) • GDT (Global Descriptor Table) • IDT (Interrupt Descriptor Table) • System images (ntoskrnl.exe
http://uninformed.org/?v=3&a=3&t=pdf

Defeating Microsoft Windows XP SP2 Heap protection and DEP bypass
The heap manager is represented by a set of functions for memory allocation/freeing which are localised in two places: ntdll.dll and ntoskrnl.exe. Every process at creation time is
http://www.maxpatrol.com/defeating-xpsp2-heap-protection.pdf

IT'S NEVER DONE THAT BEFORE!
Chapter 3, Load the Windows Kernel: The file ntoskrnl.exe in your Windows installation is the Windows kernel; it contains the core of the Windows XP operating system.
http://www.nostarch.com/download/indtb_ch3.pdf

Remote and Local Exploitation of Network Drivers
of stack-based overflows, call esp / jmp esp / push esp - ret - Searching for trampolines (SoftICE): ":mod ntos*" gives hMod Base PEHeader Module Name File Name 804D7000 804D70E8 ntoskrnl
http://www.wifightclub.org/downloads/bh-usa-07-bulygin.pdf

RootKit Hunting
The output looks like: lkd> lmkv start end module name 804d7000 806eb780 nt (pdb symbols) E:\DebugSymbols\ntoskrnl.pdb\8592B6763F34476B9BB560395A383F962\ntoskrnl
http://malwareinfo.googlecode.com/files/RootKitHunting.pdf

DIGITAL Personal Workstation Pentium II Dual Processor Upgrade Kit
Search for the string NTOSKRNL. Replace the second occurrence of NTOSKRNL.EXE with NTKRNLMP.EXE. Search for the string HAL.DLL. Replace the second occurrence of HAL.DLL with HALMPS
http://vt100.net/mirror/mds-199909/cd2/pc/b30wwcaa.pdf

Windows Vista 32bits and unexported kernel symbols.
Rocket to the HAL: The difference between HAL and Ntoskrnl is that HAL uses the KPCR structure to get the IDT entry base address. As a reminder, in kernel-land FS points to the Processor
http://www.msuiche.net/papers/Windows_Vista_32bits_and_unexported_kernel_symbols.pdf

HIR, restore, boot
Document ID: 20070817-00366; Last Modified: 17/08/2007; Key Words: HIR, restore, boot; Situation: ntoskrnl.exe error message on boot after restoring image; Solution: This is likely due to
http://forum.storagecraft.com/Community/files/folders/317/download.aspx

Native Debugging
NTDLL and NTOSKRNL are built together, so it's normal for them to have intricate knowledge of each other. They share the same structures, they need to have the same system call IDs
http://www.alex-ionescu.com/dbgk-2.pdf

NT (and XP) Native API Compression
This is the HAL-9000 (reference to Odyssey 2001) of the NT OS. • NTOSKRNL.EXE, the kernel itself, the brain of the OS. Also called Executive. • NTDLL.DLL, the kernel API library
http://www.alex-ionescu.com/Native.Pdf

WINDOWS VISTA UIPI
load time of the graphical subsystem module (win32k.sys) * DriverEntry will call the Win32UserInitialize function which will call: * InitUIPI (win32k) * RtlQueryElevationFlags (ntoskrnl) * In
http://www.coseinc.com/Vista_UIPI.ppt.pdf

Lecture 11 Example Rootkit
PE-Tools • Change driver - Currently a DLL, a native executable, and contains imports from kernel libraries (NTOSKRNL.EXE and HAL.DLL) - Change to no DLL, a Windows GUI application, and
http://www.thefengs.com/wuchang/work/courses/cs592/Lecture11.pdf

SANDMAN PROJECT
Headlines of the hibernation process. The Windows kernel (ntoskrnl.exe) executable creates the hibernation file and writes the physical memory dump inside it, when the suspend-to-disk action is
http://sandman.msuiche.net/docs/SandMan_Project.pdf

Rootkits Part 2: A Technical Primer
Windows kernel functions actually reside in ntoskrnl.exe. The file win32k.sys is another kernel-mode component that exists within the Win32 subsystem.
http://www.mcafee.com/us/local_content/white_papers/wp_rootkits_0407.pdf

Screen dumps from device manager
Only registers and stack trace are available. Symbol search path is: c:\windows\symbols. Executable search path is: (empty). Unable to load image \WINDOWS\system32\ntoskrnl.exe, Win32 error 2
http://forum.comtrol.com/index.php?t=getfile&id=136&rid=

Review Questions
Automated System Recovery (ASR); B. RDISK.EXE; C. Enhanced Startup Disk (ESD); D. Emergency Recovery System (ERS). 2. What is the first file used in the boot-up of Windows 2000? A. NTOSKRNL
http://oracle.woddy.net:7777/~hardware/questions/TroubleshootingWinXPOct2006Questions.pdf

SIG^2 Secure Code Study Project
Group in Security and Information Integrity (SIG^2), http://www.security.org.sg. The SDT can be referenced using the KeServiceDescriptorTable symbol, which is exported by ntoskrnl.exe.
http://www.security.org.sg/code/SIG2_DefeatingNativeAPIHookers.pdf

Virus Bulletin, September 1999
Viruses can always wait until the Administrator or someone with equivalent rights logs on. Then Bolzano has the chance to patch NTOSKRNL.EXE, the NT kernel, located in the WINNT
http://www.peterszor.com/bolzano.pdf

The Windows 2000 Native API
An interesting property illustrated in Figure 2-1 is that all Win32 API calls are ultimately routed through ntdll.dll, which forwards them to ntoskrnl.exe. The ntdll.dll module is the
http://undocumented.rawol.com/sbs-w2k-2-the-windows-2000-native-api.pdf

Kernel API Functions
exported by the system modules win32k.sys, ntdll.dll, and ntoskrnl.exe, discussed in Chapter 2. TABLE B-1. The Windows 2000 Native API: FUNCTION NAME | INT 2Eh | ntdll.Nt* | ntdll.Zw* | ntoskrnl.Nt
http://undocumented.rawol.com/sbs-w2k-b-kernel-api-functions.pdf

Vboot Kit: Compromising Windows Vista Security
www.nvlabs.in Vista Boot Process (continued) • After the user selects a boot entry, it is launched using BmLaunchBootEntry with added switches • Now Winload.exe is loaded; it loads NTOSKRNL
https://www.blackhat.com/presentations/bh-europe-07/Kumar/Presentation/bh-eu-07-kumar-apr19.pdf
