| Module | Rex::Payloads::Win32::Kernel::Stager |
| In: | lib/rex/payloads/win32/kernel/stager.rb |
Stagers are responsible for reading in another payload and executing it. Reading in the payload may be as simple as copying it to another location; executing it may be done either directly or indirectly.
Windows XP SP2 / 2003 SP1 only.
Returns a kernel-mode stager that transitions from ring 0 (r0) to ring 3 (r3) by copying code into an unused portion of SharedUserData and then pointing the SystemCall attribute (the pointer that ntdll's system-call stubs call through on these versions; the kernel writes it via the page's writable kernel-mode alias, since the user-mode mapping is read-only) at that code. Every user-mode process that makes a system call then runs the planted code. The returned payload also checks that it is running in the context of lsass before running the embedded payload, so the r3 payload executes as SYSTEM in a long-lived process rather than in whichever process happens to make the next system call.
This stub is used by stagers to check whether the code is running in the context of a user-mode system process; by default that process is lsass.exe. If it is not, the stub runs the code specified by append. Otherwise it jumps past that code into what should be the r3 payload to execute. The stub also makes sure that the payload does not run more than once, which matters because the hook fires on every system call the process makes.
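The layout the stub description implies (check, then either fall into append or jump over it into the r3 payload) is shown below as an added example. It is not the Metasploit stub or any code from stager.rb: the function names encode_jcc, build_checked_r3 and layout_offsets are illustration names, and the process check is a constructed placeholder (a cmp against an assumed hash constant, ASSUMED_LSASS_HASH) standing in for the real process-name check. What the example demonstrates is the part that is easy to get wrong when assembling such a blob by hand: the forward jz that skips append must be encoded with a displacement equal to append's length, and must switch from the 2-byte rel8 form to the 6-byte rel32 form once append exceeds 127 bytes.

```ruby
# Added illustration (not the Metasploit stub): assembles the "checked r3"
# layout described above and computes the forward jump that skips the
# appended code when the process check succeeds.
#
#   check           ; placeholder: leaves ZF=1 in the expected process
#   jz  past_append ; expected process -> skip append, fall into payload
#   append          ; runs only in other process contexts
# past_append:
#   payload         ; the r3 payload being staged

# Encode an x86 conditional jump with the given displacement (relative to
# the end of the jump instruction).  Uses the 2-byte rel8 form when the
# displacement fits, otherwise the 6-byte 0F xx rel32 near form.
def encode_jcc(short_op, near_op, disp)
  if (-128..127).cover?(disp)
    [short_op, disp].pack('Cc')
  else
    [0x0F, near_op, disp].pack('CCl<')
  end
end

# jz/je opcodes: 74 rel8, 0F 84 rel32
JZ_SHORT = 0x74
JZ_NEAR  = 0x84

# Size of the jz that will be emitted for a given append length.
def jz_size(append_len)
  append_len <= 127 ? 2 : 6
end

# Byte offsets of each piece within the assembled blob.
def layout_offsets(check:, append:)
  jz_off     = check.bytesize
  append_off = jz_off + jz_size(append.bytesize)
  { jz: jz_off, append: append_off, payload: append_off + append.bytesize }
end

# Assemble check + jz + append + payload.  Because append immediately follows
# the jz, the displacement that lands on the payload is exactly append's length.
def build_checked_r3(check:, append:, payload:)
  jz = encode_jcc(JZ_SHORT, JZ_NEAR, append.bytesize)
  check.b + jz + append.b + payload.b
end

# Constructed placeholder for the process check: compare a hash the real stub
# would compute from the process name (assumed to already be in eax) against
# an assumed constant.  cmp eax, imm32 = 3D imm32; sets ZF on a match.
ASSUMED_LSASS_HASH = 0xDEADBEEF
PLACEHOLDER_CHECK  = "\x3D".b + [ASSUMED_LSASS_HASH].pack('V')

if __FILE__ == $0
  append  = ("\x90" * 4 + "\xC3").b   # constructed: nop x4, ret
  payload = "\xCC".b                   # constructed: int3 stand-in for the r3 payload
  blob = build_checked_r3(check: PLACEHOLDER_CHECK, append: append, payload: payload)
  puts blob.unpack1('H*')
  p layout_offsets(check: PLACEHOLDER_CHECK, append: append)
end
```

Any real stub also has to carry the run-once flag and the actual process-name check; those are deliberately not modelled here, since they depend on the project's own code rather than on the layout arithmetic.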