
Windows Kernel Source Code


16 replies to this topic

#1 lattera

lattera

    Underground Shizzleness

  • Members
  • 511 posts
  • Gender:Male

Posted 22 March 2010 - 01:46 PM

The source code for Windows Server 2003 has been leaked (not posting links to keep this thread legit). Anyone in the mood to toy around with it? I can host a dedicated Win2k3 VM for hacking up the kernel. Any ideas of things to try? For one, I'd like to start auditing the code for vulns. Win2k3 is still very popular.

#2 Phail_Saph

Phail_Saph

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 323 posts
  • Gender:Male
  • Location:Philly

Posted 22 March 2010 - 02:25 PM

The source code for Windows Server 2003 has been leaked (not posting links to keep this thread legit). Anyone in the mood to toy around with it? I can host a dedicated Win2k3 VM for hacking up the kernel. Any ideas of things to try? For one, I'd like to start auditing the code for vulns. Win2k3 is still very popular.

Eh, really? As in the entire 2K3 source code? I haven't heard about this yet. Or are you talking about snippets? This would be very serious as 2k3 is more popular than 2k8...in installed base that is...my company and my own Windows setup (have two setups Windows based server and a Linux based server) use 2k3.

Can you post some news links regarding this? This should be national news if what you are saying is true. The security at M$ on their source code makes the NSA look like chumps. No one at any one time has access to the entire code base. There are many security measures to protect against this.

I have no doubt that certain intelligence agencies have spent a lot of time disassembling the source for all of M$'s warez...I have no doubt that every reputable agency has recreated the source for XP by now...but for M$ to have such a breach in their campus that allowed the entire source for 2k3 to be leaked is astounding.


#3 lattera

lattera

    Underground Shizzleness

  • Members
  • 511 posts
  • Gender:Male

Posted 22 March 2010 - 02:35 PM

I'd rather not post links, but it can be found via a popular hacker mailing list. It's the Windows Research Kernel, meant for academic study and downloadable only by MSDN Academic Alliance Administrators (professors). The source code is only the Win2k3 kernel source code and can be compiled and installed on any Win2k3 x86/64 box.

edit[0]: Added one word.

Edited by lattera, 22 March 2010 - 02:39 PM.


#4 Aghaster

Aghaster

    The Frenchman

  • Agents of the Revolution
  • 2,093 posts
  • Gender:Male
  • Location:Quebec, Canada

Posted 22 March 2010 - 02:37 PM

Just a few clarifications: it isn't that much of a "leak"; it's actually made available to a restricted number of people (university teachers, but not students, if I understand correctly) through MSDN Academic Alliance. Here's the official page:

Windows Research Kernel

The "leak" is just this download being shared without restriction on the internet through unofficial channels.

The WRK packages core Windows XP x64 and Windows Server 2003 SP1 kernel source code with an environment for building and testing experimental versions of the Windows kernel for use in teaching and research.

The WRK includes the source for:

Processes
Threads
LPC
Virtual memory
Scheduler
Object manager
I/O manager
Synchronization
Worker threads
Kernel heap manager
Other core Windows (NTOS) kernel functionality
The WRK is useful in design projects that allow your students to explore operating system (OS) principles using the Windows kernel sources. It facilitates the building of experiments and projects based on modifying the Windows kernel, enabling advanced teaching and research that promote better understanding of the Windows architecture and implementation.



#5 Phail_Saph

Phail_Saph

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 323 posts
  • Gender:Male
  • Location:Philly

Posted 22 March 2010 - 02:48 PM

Yeah thanks...I'm aware of this program we have it at my school...lattera was playing the tease :p

This is not Windows Server 2k3 by a long shot...it is just implementing the Windows core kernel from a computer science perspective. Hopefully, as everyone knows, the basic Linux and Windows kernels use different concepts to create an OS...such as how they manage RAM and queue processes, to name but a very few. These are what you get to play with. Still fun to play with...

There is nothing secret about this or illegal...I would post a link to my own copy but out of respect for the board I won't since the moderators believe it unwise.


#6 lattera

lattera

    Underground Shizzleness

  • Members
  • 511 posts
  • Gender:Male

Posted 22 March 2010 - 02:51 PM

Yeah thanks...I'm aware of this program we have it at my school...lattera was playing the tease :p

This is not Windows Server 2k3 by a long shot...it is just implementing the Windows core kernel from a computer science perspective. Hopefully, as everyone knows, the basic Linux and Windows kernels use different concepts to create an OS...such as how they manage RAM and queue processes, to name but a very few. These are what you get to play with. Still fun to play with...

There is nothing secret about this or illegal...I would post a link to my own copy but out of respect for the board I won't since the moderators believe it unwise.


It's an actual, production copy of the kernel and can be installed on current Win2k3 hosts.

Here's a screenshot of a forums posting detailing how to install the kernel.

Attached file: 2010-03-22_install_wrk.PNG (38.29KB)

#7 jfalcon

jfalcon

    Hakker addict

  • Agents of the Revolution
  • 595 posts
  • Location:Living within the ether

Posted 22 March 2010 - 03:48 PM

Does anyone know if it explodes when it's faced with Driver Signing? I'm sure Microsoft does things to the kernel to make sure that the kernel that's being installed is "blessed" by Microsoft. Otherwise this would be one massive rootkit.

#8 Aghaster

Aghaster

    The Frenchman

  • Agents of the Revolution
  • 2,093 posts
  • Gender:Male
  • Location:Quebec, Canada

Posted 22 March 2010 - 05:17 PM

Does anyone know if it explodes when it's faced with Driver Signing? I'm sure Microsoft does things to the kernel to make sure that the kernel that's being installed is "blessed" by Microsoft. Otherwise this would be one massive rootkit.


From the blog posts, it appears that a custom kernel can be built and used. True, one could try replacing the kernel with one containing a rootkit. Hum, wouldn't that be a great project idea?

#9 Phail_Saph

Phail_Saph

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 323 posts
  • Gender:Male
  • Location:Philly

Posted 23 March 2010 - 06:04 AM

Does anyone know if it explodes when it's faced with Driver Signing? I'm sure Microsoft does things to the kernel to make sure that the kernel that's being installed is "blessed" by Microsoft. Otherwise this would be one massive rootkit.

See that's the thing here...when I say you have access to the kernel from a Computer Science perspective I meant it...that is you only are looking at how it manages fundamental OS processes such as how it handles RAM management...for instance Linux manages system memory using LRU while Windows uses FIFO. This is not the entire OS by far. Windows 2k3 uses a microkernel (they would call it a hybrid but that is an argument for another day) which is why M$ can even give this out...this research kernel which is the core kernel for Windows 2k3 is very, very basic and only handles basic OS functions that you learn in your OS class in school or if you read a real OS book (from a computer science perspective).

So to directly answer your question, it won't explode from Driver Signing since Windows 2k3's core kernel doesn't handle driver signing. That is handled by the other juicier aspects of the OS that you don't get the source for.

Aghaster posted a list of what you get...and you get just that...those are all fundamental processes of an OS in general.

Now what would be cool is to rebuild the Windows kernel to operate like a Linux kernel and see if it is slower or faster...so to use the memory example we would convert Windows memory manager from FIFO to LRU...


It's an actual, production copy of the kernel and can be installed on current Win2k3 hosts.

I know, that's cool and all...but my point was this isn't the entire OS. Still neat to play with though and depending on how much you can play around with the security descriptors for processes and files can be quite enjoyable.

#10 Aghaster

Aghaster

    The Frenchman

  • Agents of the Revolution
  • 2,093 posts
  • Gender:Male
  • Location:Quebec, Canada

Posted 23 March 2010 - 11:57 AM


Does anyone know if it explodes when it's faced with Driver Signing? I'm sure Microsoft does things to the kernel to make sure that the kernel that's being installed is "blessed" by Microsoft. Otherwise this would be one massive rootkit.

See that's the thing here...when I say you have access to the kernel from a Computer Science perspective I meant it...that is you only are looking at how it manages fundamental OS processes such as how it handles RAM management...for instance Linux manages system memory using LRU while Windows uses FIFO. This is not the entire OS by far. Windows 2k3 uses a microkernel (they would call it a hybrid but that is an argument for another day) which is why M$ can even give this out...this research kernel which is the core kernel for Windows 2k3 is very, very basic and only handles basic OS functions that you learn in your OS class in school or if you read a real OS book (from a computer science perspective).

So to directly answer your question, it won't explode from Driver Signing since Windows 2k3's core kernel doesn't handle driver signing. That is handled by the other juicier aspects of the OS that you don't get the source for.

Aghaster posted a list of what you get...and you get just that...those are all fundamental processes of an OS in general.

Now what would be cool is to rebuild the Windows kernel to operate like a Linux kernel and see if it is slower or faster...so to use the memory example we would convert Windows memory manager from FIFO to LRU...


It's an actual, production copy of the kernel and can be installed on current Win2k3 hosts.

I know, that's cool and all...but my point was this isn't the entire OS. Still neat to play with though and depending on how much you can play around with the security descriptors for processes and files can be quite enjoyable.


The name "Windows Research Kernel" says it all: it really is just the bare minimum to see the operating system concepts you learned in an operating systems course applied in Windows compared to other OSes. While it's really nice to be able to build your own Windows kernel, I do agree that it's not that much after all. Windows is composed of many more components than its microkernel. I would really really like to see, for instance, the source code for the terminal server and also for the remote desktop client. I think it's partially written as drivers / system services, from what I've read in Microsoft articles. Still, having the source for the kernel is nice, but they're still not very generous with the license they've chosen to release it under. I don't mind if it's non-free software, but the number of people who can access it is very limited. The license says you can create derivative works but they may only be shared with other people having access to the source code, which is not a lot of people. This really is a toy to play with... you won't really do much without all the numerous components of the Windows operating system.

#11 jfalcon

jfalcon

    Hakker addict

  • Agents of the Revolution
  • 595 posts
  • Location:Living within the ether

Posted 23 March 2010 - 06:46 PM

But even a microkernel at some point begins to talk to the outside world. Otherwise it's an entropic environment.

My thinking is that if it only has code for the kernel, then someone could either write their own I/O driver to talk to the devices or search out older examples of "leaked" code (Win2k or even NT4 source) and create their own Frankenstein of a windows platform.

But yeah, my fear in this would be someone making a patched microkernel that could replace the main kernel that ignores instruction patterns for say... ACL lists, passwords, encryption... or sniffs instructions and if it matches a set, calls to a trojan driver to start doing NSA stuff on you... sort of like that farce of a movie "The Net". (Click on an icon and walk through a back door)

It would be odd if the entire world were like that... multi-teraflop quantum processors with encryption that would baffle god itself have loopholes that can be bypassed with a whim.

The flipside of this is that you could make a hardware dongled version of windows pretty easily.

#12 Phail_Saph

Phail_Saph

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 323 posts
  • Gender:Male
  • Location:Philly

Posted 23 March 2010 - 08:07 PM

But even a microkernel at some point begins to talk to the outside world. Otherwise it's an entropic environment.

My thinking is that if it only has code for the kernel, then someone could either write their own I/O driver to talk to the devices or search out older examples of "leaked" code (Win2k or even NT4 source) and create their own Frankenstein of a windows platform.

But yeah, my fear in this would be someone making a patched microkernel that could replace the main kernel that ignores instruction patterns for say... ACL lists, passwords, encryption... or sniffs instructions and if it matches a set, calls to a trojan driver to start doing NSA stuff on you... sort of like that farce of a movie "The Net". (Click on an icon and walk through a back door)

It would be odd if the entire world were like that... multi-teraflop quantum processors with encryption that would baffle god itself have loopholes that can be bypassed with a whim.

The flipside of this is that you could make a hardware dongled version of windows pretty easily.

Good ideas...

You reminded me of another difference between Linux and Windows...Linux sees every device as a file whereas Windows views it as an object as in the Object oriented sense of the term...so hacking a Windows micro kernel through a device is analogous to hacking Java's VM inside Java code (and not the obvious file overwrite but literally using the Java programming language in such a way to cause the interpreter to re-write itself or take control of the actual VM; that is, like creating a sequence, series of loops, general commands that for some reason exploit the VM through the VM-internally). When you play with a device in Windows you are basically making calls to an object and that object is in system memory being processed like any other variable you would code for a program...this completely deflects it from the internal kernel processes.

It would be interesting to test out the kernel like you say and inputting malicious code in order to see how windows actually does defend itself against such an attack. There must be hash values associated with "trusted" components vs altered but that is only an assumption...M$ and other big corpos do some of the dumbest things though so you never know until you try!


#13 jfalcon

jfalcon

    Hakker addict

  • Agents of the Revolution
  • 595 posts
  • Location:Living within the ether

Posted 23 March 2010 - 09:51 PM

It would be interesting to test out the kernel like you say and inputting malicious code in order to see how windows actually does defend itself against such an attack. There must be hash values associated with "trusted" components vs altered but that is only an assumption...M$ and other big corpos do some of the dumbest things though so you never know until you try!


I'm sure there have to be in newer versions of Windows. Many security researchers (some even at Microsoft) have categorized driver rootkits as being a vulnerability to ring 0+1. That's why Microsoft went to the "Signed" model of drivers. In Vista, Win2k8 and Windows 7 they added another layer of abstraction called the "Windows Driver Foundation", which is supposed to provide a thin layer of protection between the kernel and a kernel mode driver.

http://en.wikipedia....iver_Foundation
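The integrity question the last two posts raise (whether a signature or hash distinguishes the kernel image Microsoft shipped from a rebuilt one) can be checked directly from the defender's side. The PowerShell below is an added example, not code from this thread or from the WRK; it assumes PowerShell 3.0 or later on a supported Windows host, and `$KnownGoodSha256` is a placeholder for a hash you record yourself from a trusted, patched install.

```powershell
# Added example: report whether the on-disk kernel image still carries a valid
# Microsoft Authenticode signature, the expected version resource, and a
# known-good hash. Assumptions: PowerShell 3.0+, a supported Windows host, and a
# baseline hash ($KnownGoodSha256, placeholder) captured from a trusted build.

function Get-Sha256Hex {
    param([Parameter(Mandatory)][string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $stream.Dispose()
        $sha.Dispose()
    }
}

function Test-KernelImageIntegrity {
    param(
        [string]$Path = (Join-Path $env:SystemRoot 'System32\ntoskrnl.exe'),
        # Placeholder: record this from a trusted install, do not hard-code a guess.
        [string]$KnownGoodSha256 = $null
    )

    $findings = New-Object System.Collections.Generic.List[string]

    if (-not (Test-Path -LiteralPath $Path)) {
        $findings.Add("kernel image not found at $Path")
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Findings = $findings }
    }

    # 1. Authenticode: the signature must verify and chain to a trusted root, and
    #    the signer must be Microsoft. NotSigned or HashMismatch means the bytes on
    #    disk are not what Microsoft signed (rebuilt, patched, or replaced).
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        $findings.Add("Authenticode status is $($sig.Status)")
    } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        $findings.Add("signed, but signer is $($sig.SignerCertificate.Subject)")
    }

    # 2. Version resource: a kernel rebuilt from research sources will not carry
    #    the vendor strings of the installed build, so this catches crude swaps.
    $ver = (Get-Item -LiteralPath $Path).VersionInfo
    if ($ver.CompanyName -notmatch 'Microsoft') {
        $findings.Add("CompanyName is '$($ver.CompanyName)'")
    }

    # 3. Hash against the baseline captured when the system was known-good.
    $hash = Get-Sha256Hex -Path $Path
    if ($KnownGoodSha256 -and ($hash -ne $KnownGoodSha256.ToLowerInvariant())) {
        $findings.Add("SHA-256 $hash differs from baseline $KnownGoodSha256")
    }

    [pscustomobject]@{
        Path     = $Path
        Sha256   = $hash
        Version  = $ver.FileVersion
        Signer   = $sig.SignerCertificate.Subject
        Trusted  = ($findings.Count -eq 0)
        Findings = $findings
    }
}

# Usage: run elevated and alert on Trusted -eq $false.
Test-KernelImageIntegrity | Format-List
```

On hosts where the kernel is only catalog-signed rather than embedded-signed, Get-AuthenticodeSignature may report NotSigned, so cross-check against the catalog before treating that status alone as a finding.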

#14 NT AUTHORITY

NT AUTHORITY

    Will I break 10 posts?

  • Members
  • 2 posts
  • Gender:Male

Posted 17 June 2010 - 10:23 AM

But even a microkernel at some point begins to talk to the outside world. Otherwise it's an entropic environment.

My thinking is that if it only has code for the kernel, then someone could either write their own I/O driver to talk to the devices or search out older examples of "leaked" code (Win2k or even NT4 source) and create their own Frankenstein of a windows platform.

But yeah, my fear in this would be someone making a patched microkernel that could replace the main kernel that ignores instruction patterns for say... ACL lists, passwords, encryption... or sniffs instructions and if it matches a set, calls to a trojan driver to start doing NSA stuff on you... sort of like that farce of a movie "The Net". (Click on an icon and walk through a back door)

It would be odd if the entire world were like that... multi-teraflop quantum processors with encryption that would baffle god itself have loopholes that can be bypassed with a whim.

The flipside of this is that you could make a hardware dongled version of windows pretty easily.


YES. Your thinking is correct. And you are correct. It is correct to say both that this is a production/RTM/complete version of the 2k3 NT kernel AND a computer science theoretical only version; but at the end of the day the simple answer is YES. It builds in a (derived) RAZZLE/DAZZLE/WDK/DDK/VC++DOS build environment AND it outputs NTOSKRNL.EXE which can then be used to DIRECTLY AND COMPLETELY replace/file-overwrite/slip-stream/patch/pre-install-by-WAIK+WINPE; ie: either way you look at it YOU GET NTOSKRNL.EXE WITH WHATEVER CODE WRITTEN IN IT (including your rootkit/custom code) AND IT WILL WORK. Because this is RING 0 the entire system is yours. In fact: if you look at how NTLDR/OSLOADER+NTDETECT (or even EFI/DEC-ALPHA/MAC systems) boot up --> there is a lot of initialization done before the actual "system process" and/or "idle thread" and/or "worker threads" are created. This includes the actual creation of the object manager and the HAL and CPU code as well as 'DOS' switches that are passed to NTOSKRNL.EXE in command line fashion. But yes: WINDOWS/NT sees everything as OBJECTS. And to do this it must create an OBJECT ORIENTED ENVIRONMENT (OBJECT MANAGER) first. THEN it creates the SYSTEM PROCESS and flows on from there. Also look at SINGULARITY: this bootstraps up the .NET (C#) FRAMEWORK and COMMON LANGUAGE RUNTIME/INFRASTRUCTURE and BYTECODE-INTERPRETER/MANAGEMENT and then allows a 'MANAGED' KERNEL (C# WRITTEN/.NET) TO EXECUTE. Very interesting concepts. Put these two together and think: imagine an NTOSKRNL.EXE that had its object manager hacked so that it 'SAW' the objects of other machines (IE: other enumerated system's object manager tree is fleshed out along with registry by loader/strapper/kernel and pooled) and then THE FINAL SERVER MACHINE OF - SAY - TEN MACHINES - (the first nine are SLAVES whose objects are 'donated' and who run nothing but NTOSKRNL.EXE and HAL+DRIVERS) ---> [THE FINAL SERVER...]
gets all these objects (RAM, DEVICES, FILES, DRIVERS, PROCESSES, MEMORY, ADDRESS, INTERRUPTS, PROCESSORS, ETC). and maybe in a NUMA fashion or TERMINAL-SERVER (\Windows ? \Sessions ? \Winsta* \Global \??) merge-multiple-sessions-and-object_trees TYPE FASHION: gives a SINGLE SYSTEM IMAGE SUPER WINDOWS ???
You could definitely get there. Just look at AZURE. But anyway: yes: the ultimate goal here is to
FIRST CREATE A NTOSKRNL.EXE THAT CAN REPLACE THE REAL FILE ON ANY RTM/RETAIL/STANDARD SERVER 2003 DISTRIBUTION AND DO THE FOLLOWING: THE BEST BACKDOOR/FULL CONTROL/ULTIMATE WOULD BASICALLY BE THIS: TO BE ABLE TO LIVE DEBUG+DISASSEMBLE+SEND-SYSTEM-CALLS DIRECTLY. THIS IS HOW IT WILL BE DONE: PUT CODE INTO NTOSKRNL.EXE BEFORE SYSTEM PROCESS IS EVEN CREATED. COULD EVEN DO THINGS BEFORE THE 'PROCESS' AND 'THREAD' AND 'PROCESSOR' CONCEPTS (OBJECTS) ARE EVEN DEFINED... NO HASHING OR CRYPTOGRAPHY OR EVEN TRUSTED PLATFORM MODULE (UNLESS SPECIFICALLY DESIGNED TO TARGET THIS FILE - BUT JUST LOOK AT THE V1-XBOX !) COULD GET AROUND THIS BECAUSE NTOSKRNL.EXE ***IS THE OS*** ITSELF !!! SO YOU CAN DEFINE EXACTLY WHAT CRYPTO/HASHING/NSA-STYLE-STUFF EVEN MEANS !!! THE CPU/SYSTEM/FIRMWARE ARE 'BLANK' SO TO SPEAK. AND IN RESPECT TO THE SOURCE TREE NOT BEING THE FULL CODE OF WINDOWS 2003 WELL ***IT IS*** FOR ALL INTENTS AND PURPOSES AND THE OTHER CODE IS NOT MISSING BUT JUST PARTIALLY PRE-COMPILED INTO .OBJ FILES WHICH ARE MORE SYMBOLIC THAN ANY DEBUG FILES SO IT IS ***VERY*** EASY TO DISASSEMBLE AND GET FULL CODE; NOT TO MENTION IF YOU COMBINE RESEARCH KERNEL WITH LEAKED NT4, WIN2K, AND TINYKRNL (tinykrnl.org), and MSDOS-leaks, and BIOS-leaks, and even some REACTOS and EFI/BIOS; YES YOU ARE THERE ! ESPECIALLY NT4+WIN2K+WRK ! JUST LOOK AT THE CODE IN NT4 TREE ! IT IS MORE THAN COMPLETE; MAYBE A BIT MESSY; BUT IT HAS ALL THE BOOT-CODE AND INIT CODE (NTOS) AND EVEN SHELL; EVERYTHING TO THIS DAY IS BASED ON THAT \private\ntos\ TREE IN SOME WAY... THANKS stevewo !!!!!!!!!!! ANYWAY: THE ULTIMATE WILL BE THIS: USING TECH/CONCEPT/VIRTUALIZING THAT PRODUCTS LIKE HYPER-V DO; OR MAYBE JUST PATCHING INTERRUPT TABLES/SYSCALL LOOKUP TABLES; WHATEVER; BUT SIMPLY DO/GET TO HERE: MAKE - SAY - A SERIAL PORT OR USB PORT - OR PCI CARD (THINK: ROOT BUS/ACPI/HAL/ROOT DEVICE/OPT-ROM ?)
THAT 'MAPS' EITHER THE SYSTEM-IDLE-THREAD (LOOP/THREAD ZERO) OR THE HYPERCRITICAL WORKER THREAD OR THE ORIGINAL 'SYSTEM *PROCESS*' THREAD (WHICH BECOMES THE ZERO-PAGE-THREAD DURING PHASE 0/PHASE 1 OF NTOSKRNL.EXE EXECUTIVE INITIALIZATION) = INTO A STACK DUMPER/COLLECTOR ! IE: IMAGINE THIS HERE: HAVING A SEPARATE (2ND) REMOTE (OR LOCAL) COMPUTER RUNNING WHATEVER (HYPER-TERMINAL OR DEBUG OR *THE BUILD ENVIRONMENT ITSELF: THAT YOU BUILT THIS NTOSKRNL.EXE IN !) AND YOU COULD LITERALLY JUST TYPE ExpInitializeExecutive AND PRESS ENTER; THEN IT LITERALLY WILL INTERRUPT THE TARGET MACHINE (BY PERHAPS FORCING A HIGH/POWER-FAIL/NON-MASKABLE-INTERRUPT ABOVE ALL ELSE = NOT SOFT) AND THEN WHATEVER YOU TYPED IS LITERALLY PLACED AT THE TOP OF THE STACK (IN HEX/BINARY/MACHINE-CODE/ASM @ SYSCALL) .... AND IT JUST HAPPENS !!! OR YOU COULD MAKE THE MACHINE - DURING INITIALIZATION - IE: DURING PHASE-0 AFTER SYSTEM PROCESS IS CREATED BUT BEFORE EXECUTIVE/IO-MANAGER IS FULLY DONE - AND OVERRIDE THE DETECTED/REGISTRY SETTINGS AND MAKE/CREATE/ENUMERATE A (VIRTUAL/PSEUDO OR REAL) EXTERNAL 2ND PROCESSOR. IE: NUMA SYSTEMS HAVE THESE 'EXTERNAL' CACHE COHERENT CPUs. LOOK AT 'AMD HORUS' ETC ETC. SO: IF YOU PUT CODE INTO NTOSKRNL.EXE THAT MAKES IT THINK THERE IS ANOTHER CPU ON 'X' BUS/WHEREVER THEN YOU CAN LITERALLY SEND SYSTEM CALLS FROM A 2ND COMPUTER - FROM HYPERTERMINAL OR DOS ETC - AND THEN BY A SERIAL PORT - COM1 - IT WILL INTERRUPT THE REAL SINGLE CPU ON TARGET - WITH THE INTERPROCESSOR INTERRUPT - AND MAKE IT THINK THAT ITS BROTHER/SISTER IS PASSING WORK... EASY ....
OR EVEN MODIFY THE MULTIPROCESSOR SPINLOCK CODE -> SO THAT THE MACHINE - WHEN ENTERING A CRITICAL GLOBAL SECTION - DUMPS ALL SYSTEM CONTENTS TO A SPECIAL AREA OF RAM (WHICH IS EXTERNAL BY PCI/USB). SO; IMAGINE PUTTING CODE INTO NTOSKRNL.EXE THAT 'FORCES' IT TO KEEP ALL OF NTOSKRNL.EXE + HAL + DRIVERS + DEBUG CODE/KDCOM IN PHYSICAL RAM ALWAYS: BUT THEN YOU MAKE THIS MEMORY EXTERNAL; BUT IN SUCH A WAY THAT THE ADDRESSING IS NOT CHANGED; YOU JUST RE-MAP THE REAL PHYSICAL LOCATIONS TO THE EXTERNAL RAM CHIPS OR WHATEVER YOU ARE USING; COULD EVEN USE FLASH AND PSEUDO-PAGE... OR YOU COULD MAKE A USB-KEY-DONGLE-FULL-COMPUTER AND INSTEAD OF THE 'SECOND PROCESSOR' AS MENTIONED ABOVE BEING 'VIRTUAL' --> YOU COULD MAKE A SUPER-WINDOWS-SYSTEM THAT DID THIS: IMAGINE A WINDOWS THAT CLUSTERED UP COMPLETELY --> ALLOWING YOU TO JUST ADD PROCESSORS AND MAKE THEM APPEAR LOCAL --> IE: IMAGINE WRITING CODE AND PUTTING IT IN NTOSKRNL.EXE SO THAT YOU COULD HAVE A PCI CARD WHICH BRANCHED OUT TO AN EXTERNAL SUPER BOARD; THIS BOARD JUST HAVING MANY MANY MANY PCI-SLOTS OR WHATEVER; AND IN EACH YOU CAN SLOT IN A BLADE. COULD EVEN USE A DEVICE LIKE THAT LINUX USB KEY FIREWALL FROM ISRAEL (WILL THINK OF NAME AND RE-POST); AND THIS IS WHERE IT REALLY DOES BECOME GOOD; TRULY ROOTKIT; IMAGINE A USB KEY THAT YOU COULD INSERT ON ANY WIN2K3 (OR WINDOWS XP) MACHINE AND IT SIMPLY TURNED OFF SFC AND INSTALLED (PATCHED/OVER-WRITES) NTOSKRNL.EXE [PREFERABLY IN NTFS-MANIPULATING WAY SO SIZE APPEARS SAME; AND-OR USING BIOS/FIRMWARE OR MICROCODE/UPDATE.SYS HACKS SO THAT FREE FLASH NVRAM/BIOS-ROM OR CPU DIE ITSELF CAN HOLD PARTS IF NOT ALL OF OUR KERNEL AND EVERY BOOT IT PATCHES THE REAL FILE SECRETLY - OR DIVERTS EXECUTION]. THAT IS THE ULTIMATE. IT OVERWRITES THE KERNEL AND THEN USING 3G/UMTS/WCDMA WIRELESS INTERNET (AND SIM CARD ON YOGGIE/3G-MODEM HYBRID) [IT IS CALLED YOGGIE - THE ISRAEL USB KEY THING] IT ALLOWS THE MACHINE TO CONNECT TO OUR BOTNET... FULL CONTROL !!!
BUT THE POINT IS REALLY THIS: YOU NEED TO SOMEHOW BE ABLE TO DIRECTLY EXECUTE YOUR COMMANDS AND ***TRANSPARENTLY AND UN-INTERFERINGLY*** EXPLORE THE TARGET SYSTEM WITHOUT DETECTION. SO; YOU MUST DIVERT NTOSKRNL.EXE CODE OUT TO SEPARATE PHYSICAL RAM - OR FORCE SOME SORT OF USB-KEY-PAGING - AS IF OTHERWISE DONE - YOU MUST SEND AN INTERRUPT OR OTHER STIMULUS; EVEN IF BEING A 2ND PROCESSOR... BUT: IF YOU JUST PAGE/MOVE/FORCE NT KERNEL CODE AND SPECIFICALLY THE SYSTEM THREAD/PROCESS ITSELF - AND ITS STACK/MODULES; IN SYSCALL+RAW FORMAT; THEN WHATEVER YOU TYPE ON OTHER SYSTEM CAN JUST BE OVER-WRITTEN AND PLACED INTO GLOBAL SYSTEM MEMORY WITHOUT THE SPINLOCKING; SO THAT NO DETECTION CAN EVEN OCCUR; IE: YOU ARE JUST LITERALLY WRITING OVER PHYSICAL MEMORY KERNEL LOCATIONS WITHOUT ANY VIOLATION BECAUSE YOU ARE NOT USING THAT SYSTEM TO DO IT IN THE FIRST PLACE !!! PERFECT !!! BUT I BELIEVE IT IS GOOD ENOUGH TO JUST DO IT BY CREATING A VIRTUAL/PSEUDO (OR 'REAL') 2ND PROCESSOR AND HAVE THIS ON A USB-KEY/EXTERNAL [WITH ITS OWN MEMORY] AND MAYBE DEDICATE THIS CPU TO THE KERNEL: IE: MAKE WINDOWS INTO AN ASYMMETRIC MULTIPROCESSING OS: WITH THE 'EXTERNAL' (USB-KEY/PCI) CPU BEING THE KERNEL/OS/'RING-0'/'CPU-0'/DEFAULT THEN THE ACTUAL MACHINE'S RAM AND CPU = USERMODE ONLY. THAT WAY YOU HAVE FULL CONTROL AND CAN JUST DIRECT INJECT/VIOLATE (WITH NO BSOD) MEMORY LOCATIONS BY BURNING.
ANYWAY - ENOUGH SAID. THIS SAME CODE AND SAME TECHNIQUES/IDEAS COULD HAVE BEEN USED YEARS AGO TOO: TO GET WINDOWS-XP (OR ANY NT) WORKING ON THE XBOX-1. I MEAN: IT WAS NOT THAT HARD TO DO REALLY: ALL THAT IT WOULD HAVE TAKEN WAS SOMEONE TO RE-WRITE NTLDR AND NTDETECT (OR CREATE A VIRTUAL EFI FIRMWARE AS .XBE 'GAME' AND THEN HAVE EFILDR TAKE OVER) AND EXCLUDE THE PCI BUS SCANNING AND RELIANCE ON BIOS.
BUT THAT IS FOR ANOTHER THREAD. RIGHT HERE; RIGHT NOW; I JUST WANT TO FIND SOME DECENT PEOPLE WHO 'THINK' AND ARE UP FOR IT; I MEAN; WHO CAN CODE AND WHO KNOW WHAT THEY ARE TALKING ABOUT TRULY ! ANYONE INTERESTED IN FORMING A PROJECT TO CREATE AN NTOSKRNL.EXE SUPER ROOTKIT IN ANYWAY AT ALL ?
IF SO PLEASE EMAIL securityintelligenceconsulting@gmail.com - I HAVE ALL THE SOURCE CODE MENTIONED.
I ALSO HAVE WORKED (AND AM STILL RIGHT NOW) FOR MICROSOFT AND MICROSOFT ENTITIES AND THEIR DIRECT CONTRACTORS/CONTRACTEES; INCLUDING GOVERNMENT+MILITARY; AND NOT ONLY HAVE INTERNAL INTELLIGENCE BUT HAVE ACCESS TO THE FULL SOURCE CODE UNDER GOVERNMENT-SHARED-SOURCE LICENCES + NDA + SECRECY. BUT --> I WILL ONLY GO DOWN THAT ROAD ONCE A PROJECT HAS BEEN ESTABLISHED AND WE ARE GETTING SOMEWHERE !!!
IE: IF WE START GETTING SOMETHING WORKING WITH WRK+NT4+WIN2K+OTHERS/ETC CODE THEN - WELL - YES - YES - YES: I WILL 'BORROW'/'GET'/'OBTAIN' THE ENTIRE 2003 AND 2008 AND HYPERV AND AZURE AND .NET CLI/ETC SOURCECODE; I WILL GIVE THIS OUT ONLY TO PEOPLE WHO HELP GET THIS PROJECT UNDERWAY; RIGHT NOW; LET'S JUST DO IT. PS: THAT MULTI-TERAFLOP COMPUTER YOU SPEAK OF ABOVE WILL SOON BE: ALONG WITH BRAIN-IN-A-VAT VIRTUAL REALITY / MIND_UPLOADING AND THE SINGULARITY/FRANK J.TIPLER'S (PHYSICS OF IMMORTALITY) = OMEGA-POINT.

#15 NT AUTHORITY

NT AUTHORITY

    Will I break 10 posts?

  • Members
  • 2 posts
  • Gender:Male

Posted 17 June 2010 - 10:42 AM

But even a microkernel at some point begins to talk to the outside world. Otherwise it's an entropic environment.

My thinking is that if it only has code for the kernel, then someone could either write their own I/O driver to talk to the devices or search out older examples of "leaked" code (Win2k or even NT4 source) and create their own Frankenstein of a Windows platform.

But yeah, my fear in this would be someone making a patched microkernel that could replace the main kernel that ignores instruction patterns for say... ACL lists, passwords, encryption... or sniffs instructions and if it matches a set, calls to a trojan driver to start doing NSA stuff on you... sort of like that farce of a movie "The Net". (Click on an icon and walk through a back door)

It would be odd if the entire world were like that... multi-teraflop quantum processors with encryption that would baffle god itself have loopholes that can be bypassed with a whim.

The flipside of this is that you could make a hardware dongled version of windows pretty easily.


PERFECT ! Ok. This is long and messy and I have posted it twice (this is the cleaner/edited/proper version YOU ARE READING RIGHT NOW: see below full description on my rootkit concept - my other post diverts off where it says 'HERE' but this post keeps going and explains properly so please re-read this whole thread - THANKS).

Anyway - the answer is YES; your thinking is correct. And you are correct. It is correct to say both that this is a production/RTM/complete version of the 2k3 NT kernel AND a computer science theoretical only version; but at the end of the day the simple answer is YES. It builds in a (derived) RAZZLE/DAZZLE/WDK/DDK/VC++DOS build environment AND it outputs NTOSKRNL.EXE which can then be used to DIRECTLY AND COMPLETELY replace/file-overwrite/slip-stream/patch/pre-install-by-WAIK+WINPE; ie: either way you look at it YOU GET NTOSKRNL.EXE WITH WHATEVER CODE WRITTEN IN IT (including your rootkit/custom code) AND IT WILL WORK.

Because this is RING 0 the entire system is yours. In fact: if you look at how NTLDR/OSLOADER+NTDETECT (or even EFI/DEC-ALPHA/MAC systems) boot up --> there is a lot of initialization done before the actual "system process" and/or "idle thread" and/or "worker threads" are created. This includes the actual creation of the object manager and the HAL and CPU code as well as 'DOS' switches that are passed to NTOSKRNL.EXE in command line fashion. But yes: WINDOWS/NT sees everything as OBJECTS. And to do this it must create an OBJECT ORIENTED ENVIRONMENT (OBJECT MANAGER) first.

THEN it creates the SYSTEM PROCESS and flows on from there. Also look at SINGULARITY: this bootstraps up the .NET (C#) FRAMEWORK and COMMON LANGUAGE RUNTIME/INFRASTRUCTURE and BYTECODE-INTERPRETER/MANAGEMENT and then allows a 'MANAGED' KERNEL (C# WRITTEN/.NET) TO EXECUTE. Very interesting concepts. Put these two together and think: imagine a NTOSKRNL.EXE that had its object manager hacked so that it 'SAW' the objects of other machines (IE: other enumerated systems' object manager trees are fleshed out along with registry by loader/strapper/kernel and pooled) and then THE FINAL SERVER MACHINE OF - SAY - TEN MACHINES - (the first nine are SLAVES whose objects are 'donated' and who run nothing but NTOSKRNL.EXE and HAL+DRIVERS) --->

[THE FINAL SERVER...] gets all these objects (RAM, DEVICES, FILES, DRIVERS, PROCESSES, MEMORY, ADDRESS, INTERRUPTS, PROCESSORS, ETC). and maybe in a NUMA fashion or TERMINAL-SERVER (\Windows ? \Sessions ? \Winsta* \Global \??) merge-multiple-sessions-and-object_trees TYPE FASHION: gives a SINGLE SYSTEM IMAGE SUPER WINDOWS ???

You could definitely get there. Where there is a will there is a way. Let's get started !!!

I will PAY people to do this; a team who can code and who will code and who produce a working NTOSKRNL.EXE rootkit !!! Name your price TEAMS !!! We have the money...

Anyway:

Just look at AZURE. When it comes to SINGLE SYSTEM IMAGE.

Moving on though...

The ultimate goal here is to:

FIRST CREATE A NTOSKRNL.EXE THAT CAN REPLACE THE REAL FILE ON ANY RTM/RETAIL/STANDARD SERVER 2003 DISTRIBUTION AND DO THE FOLLOWING.

THE BEST BACKDOOR/FULL CONTROL/ULTIMATE WOULD BASICALLY BE THIS:

TO BE ABLE TO LIVE DEBUG+DISASSEMBLE+SEND-SYSTEM-CALLS DIRECTLY. THIS IS HOW IT WILL BE DONE: PUT CODE INTO NTOSKRNL.EXE BEFORE SYSTEM PROCESS IS EVEN CREATED.

COULD EVEN DO THINGS BEFORE THE 'PROCESS' AND 'THREAD' AND 'PROCESSOR' CONCEPTS (OBJECTS) ARE EVEN DEFINED...

NO HASHING OR CRYPTOGRAPHY OR EVEN TRUSTED PLATFORM MODULE (UNLESS SPECIFICALLY DESIGNED TO TARGET THIS FILE - BUT JUST LOOK AT THE V1-XBOX !) COULD GET AROUND THIS BECAUSE NTOSKRNL.EXE ***IS THE OS*** ITSELF !!! SO YOU CAN DEFINE EXACTLY WHAT CRYPTO/HASHING/NSA-STYLE-STUFF EVEN MEANS !!! THE CPU/SYSTEM/FIRMWARE ARE 'BLANK' SO TO SPEAK.

AND IN RESPECT TO THE SOURCE TREE NOT BEING THE FULL CODE OF WINDOWS 2003 WELL ***IT IS*** FOR ALL INTENTS AND PURPOSES AND THE OTHER CODE IS NOT MISSING BUT JUST PARTIALLY PRE-COMPILED INTO .OBJ FILES WHICH ARE MORE SYMBOLIC THAN ANY DEBUG FILES SO IT IS ***VERY*** EASY TO DISASSEMBLE AND GET FULL CODE.

IF YOU COMBINE RESEARCH KERNEL WITH LEAKED NT4, WIN2K, AND TINYKRNL (tinykrnl.org), and MSDOS-leaks, and BIOS-leaks, and even some REACTOS and EFI/BIOS; YES YOU ARE THERE ! ESPECIALLY NT4+WIN2K+WRK ! JUST LOOK AT THE CODE IN NT4 TREE ! IT IS MORE THAN COMPLETE; MAYBE A BIT MESSY; BUT IT HAS ALL THE BOOT-CODE AND INIT CODE (NTOS) AND EVEN SHELL. and VIRTUAL DOS MACHINE and SOFTPC.NEW !!! VPC !!!

EVERYTHING TO THIS DAY IS BASED ON THAT \private\ntos\ TREE IN SOME WAY...

THANKS stevewo !!!!!!!!!!!

SO...

THE ULTIMATE WILL BE THIS:

USING TECH/CONCEPT/VIRTUALIZING THAT PRODUCTS LIKE HYPER-V DO.

OR MAYBE JUST PATCHING INTERRUPT TABLES/SYSCALL LOOKUP TABLES; WHATEVER; BUT SIMPLY DO/GET TO HERE: MAKE - SAY - A SERIAL PORT OR USB PORT - OR PCI CARD (THINK: ROOT BUS/ACPI/HAL/ROOT DEVICE/OPT-ROM ?)
THAT 'MAPS' EITHER THE SYSTEM-IDLE-THREAD (LOOP/THREAD ZERO) OR THE HYPERCRITICAL WORKER THREAD OR THE ORIGINAL 'SYSTEM *PROCESS*' THREAD (WHICH BECOMES THE ZERO-PAGE-THREAD DURING PHASE 0/PHASE 1 OF NTOSKRNL.EXE EXECUTIVE INITIALIZATION) = INTO A STACK DUMPER/COLLECTOR !

IE: IMAGINE THIS HERE:

HAVING A SEPARATE (2ND) REMOTE (OR LOCAL) COMPUTER RUNNING WHATEVER (HYPER-TERMINAL OR DEBUG OR *THE BUILD ENVIRONMENT ITSELF: THAT YOU BUILT THIS NTOSKRNL.EXE IN !) AND YOU COULD LITERALLY JUST TYPE ExpInitializeExecutive AND PRESS ENTER; THEN IT LITERALLY WILL INTERRUPT THE TARGET MACHINE (BY PERHAPS FORCING A HIGH/POWER-FAIL/NON-MASKABLE-INTERRUPT ABOVE ALL ELSE = NOT SOFT) AND THEN WHATEVER YOU TYPED IS LITERALLY PLACED AT THE TOP OF THE STACK (IN HEX/BINARY/MACHINE-CODE/ASM @ SYSCALL) ....

AND IT JUST HAPPENS !!! TYPE + ENTER !!! EXECUTED !!! (OR-OVERWRITTEN-TO-PHYSICAL-EXTERNALIZED-RAM*)

YOU COULD MAKE THE MACHINE, DURING INITIALIZATION, IE: DURING PHASE-0 AFTER SYSTEM PROCESS IS CREATED BUT BEFORE EXECUTIVE/IO-MANAGER IS FULLY DONE, TO 'THINK' IT HAS EXTRA PROCESSORS...

JUST ADD CODE (XEN ? VM ? QEMU ? KE ? NUMA-HAL ?) THAT OVERRIDES THE DETECTED AND REGISTRY SET SETTINGS AND MAKE/CREATE/ENUMERATE A (VIRTUAL/PSEUDO OR REAL) EXTERNAL 2ND PROCESSOR.

IE: NUMA SYSTEMS HAVE THESE 'EXTERNAL' CACHE COHERENT CPUs. LOOK AT 'AMD HORUS' ETC ETC. SO: IF YOU PUT CODE INTO NTOSKRNL.EXE THAT MAKES IT THINK THERE IS ANOTHER CPU ON 'X' BUS/WHEREVER THEN YOU CAN LITERALLY SEND SYSTEM CALLS FROM A 2ND COMPUTER - FROM HYPERTERMINAL OR DOS ETC.. OR BUILD ENV ....

BY A SERIAL PORT - COM1 - IT WILL INTERRUPT THE REAL SINGLE CPU ON TARGET - WITH THE INTERPROCESSOR INTERRUPT - AND MAKE IT THINK THAT ITS BROTHER/SISTER IS PASSING WORK... EASY ....
OR EVEN MODIFY THE MULTIPROCESSOR SPINLOCK CODE -> SO THAT THE MACHINE - WHEN ENTERING A CRITICAL GLOBAL SECTION - DUMPS ALL SYSTEM CONTENTS TO A SPECIAL AREA OF RAM (WHICH IS EXTERNAL BY PCI/USB).

IMAGINE PUTTING CODE INTO NTOSKRNL.EXE THAT 'FORCES' IT TO KEEP ALL OF NTOSKRNL.EXE + HAL + DRIVERS + DEBUG CODE/KDCOM IN PHYSICAL RAM ALWAYS: BUT THEN YOU MAKE THIS MEMORY EXTERNAL; BUT IN SUCH A WAY THAT THE ADDRESSING IS NOT CHANGED; YOU JUST RE-MAP THE REAL PHYSICAL LOCATIONS TO THE EXTERNAL RAM CHIPS OR WHATEVER YOU ARE USING; COULD EVEN USE FLASH AND PSEUDO-PAGE... OR YOU COULD MAKE A USB-KEY-DONGLE-FULL-COMPUTER AND INSTEAD OF THE 'SECOND PROCESSOR' AS MENTIONED ABOVE BEING 'VIRTUAL' --> YOU COULD MAKE A SUPER-WINDOWS-SYSTEM THAT DID THIS...

IMAGINE A WINDOWS THAT CLUSTERED UP COMPLETELY --> ALLOWING YOU TO JUST ADD PROCESSORS AND MAKE THEM APPEAR LOCAL --> IE: IMAGINE WRITING CODE AND PUTTING IT IN NTOSKRNL.EXE SO THAT YOU COULD HAVE A PCI CARD WHICH BRANCHED OUT TO AN EXTERNAL SUPER BOARD; THIS BOARD JUST HAVING MANY MANY MANY PCI-SLOTS OR WHATEVER; AND IN EACH YOU CAN SLOT IN A BLADE. COULD EVEN USE A DEVICE LIKE THAT LINUX USB KEY FIREWALL FROM ISRAEL (WILL THINK OF NAME AND RE-POST); AND THIS IS WHERE IT REALLY DOES BECOME GOOD.

TRULY ROOTKIT.

HOLYGRAIL.

IMAGINE A USB KEY THAT YOU COULD INSERT ON ANY WIN2K3 (OR WINDOWS XP) MACHINE AND IT SIMPLY TURNED OFF SFC AND INSTALLED (PATCHED/OVER-WRITES) NTOSKRNL.EXE [PREFERABLY IN NTFS-MANIPULATING WAY SO SIZE APPEARS SAME; AND-OR USING BIOS/FIRMWARE OR MICROCODE/UPDATE.SYS HACKS SO THAT FREE FLASH NVRAM/BIOS-ROM OR CPU DIE ITSELF CAN HOLD PARTS IF NOT ALL OF OUR KERNEL AND EVERY BOOT IT PATCHES THE REAL FILE SECRETLY - OR DIVERTS EXECUTION].

THAT IS THE ULTIMATE.

IT OVERWRITES THE KERNEL AND THEN USING 3G/UMTS/WCDMA WIRELESS INTERNET (AND SIM CARD ON YOGGIE/3G-MODEM HYBRID) [IT IS CALLED YOGGIE - THE ISRAEL USB KEY THING] IT ALLOWS THE MACHINE TO CONNECT TO OUR BOTNET... FULL CONTROL !!!
BUT THE POINT IS REALLY THIS: YOU NEED TO SOMEHOW BE ABLE TO DIRECTLY EXECUTE YOUR COMMANDS AND ***TRANSPARENTLY AND UN-INTERFERINGLY*** EXPLORE THE TARGET SYSTEM WITHOUT DETECTION. SO; YOU MUST DIVERT NTOSKRNL.EXE CODE OUT TO SEPARATE PHYSICAL RAM - OR FORCE SOME SORT OF USB-KEY-PAGING - AS IF OTHERWISE DONE - YOU MUST SEND AN INTERRUPT OR OTHER STIMULUS; EVEN IF BEING A 2ND PROCESSOR... BUT: IF YOU JUST PAGE/MOVE/FORCE NT KERNEL CODE AND SPECIFICALLY THE SYSTEM THREAD/PROCESS ITSELF - AND ITS STACK/MODULES; IN SYSCALL+RAW FORMAT; THEN WHATEVER YOU TYPE ON OTHER SYSTEM CAN JUST BE OVER-WRITTEN AND PLACED INTO GLOBAL SYSTEM MEMORY WITHOUT THE SPINLOCKING; SO THAT NO DETECTION CAN EVEN OCCUR; IE: YOU ARE JUST LITERALLY WRITING OVER PHYSICAL MEMORY KERNEL LOCATIONS WITHOUT ANY VIOLATION BECAUSE YOU ARE NOT USING THAT SYSTEM TO DO IT IN THE FIRST PLACE !!!

PERFECT !!!

BUT I BELIEVE IT IS GOOD ENOUGH TO JUST DO IT BY CREATING A VIRTUAL/PSEUDO (OR 'REAL') 2ND PROCESSOR AND HAVE THIS ON A USB-KEY/EXTERNAL [WITH ITS OWN MEMORY] AND MAYBE DEDICATE THIS CPU TO THE KERNEL: IE: MAKE WINDOWS INTO AN ASYMMETRIC MULTIPROCESSING OS: WITH THE 'EXTERNAL' (USB-KEY/PCI) CPU BEING THE KERNEL/OS/'RING-0'/'CPU-0'/DEFAULT THEN THE ACTUAL MACHINE'S RAM AND CPU = USERMODE ONLY. THAT WAY YOU HAVE FULL CONTROL AND CAN JUST DIRECT INJECT/VIOLATE (WITH NO BSOD) MEMORY LOCATIONS BY BURNING.

ANYWAY - ENOUGH SAID. THIS SAME CODE AND SAME TECHNIQUES/IDEAS COULD HAVE BEEN USED YEARS AGO TOO: TO GET WINDOWS-XP (OR ANY NT) WORKING ON THE XBOX-1. I MEAN: IT WAS NOT THAT HARD TO DO REALLY: ALL THAT IT WOULD HAVE TAKEN WAS SOMEONE TO RE-WRITE NTLDR AND NTDETECT (OR CREATE A VIRTUAL EFI FIRMWARE AS .XBE 'GAME' AND THEN HAVE EFILDR TAKE OVER) AND EXCLUDE THE PCI BUS SCANNING AND RELIANCE ON BIOS.
BUT THAT IS FOR ANOTHER THREAD. RIGHT HERE; RIGHT NOW; I JUST WANT TO FIND SOME DECENT PEOPLE WHO 'THINK' AND ARE UP FOR IT; I MEAN; WHO CAN CODE AND WHO KNOW WHAT THEY ARE TALKING ABOUT TRULY !

ANYONE INTERESTED IN FORMING A PROJECT TO CREATE AN NTOSKRNL.EXE SUPER ROOTKIT IN ANY WAY AT ALL ?


IF SO PLEASE EMAIL securityintelligenceconsulting@gmail.com - I HAVE ALL THE SOURCE CODE MENTIONED.
I ALSO HAVE WORKED (AND AM STILL RIGHT NOW) FOR MICROSOFT AND MICROSOFT ENTITIES AND THEIR DIRECT CONTRACTORS/CONTRACTEES; INCLUDING GOVERNMENT+MILITARY; AND NOT ONLY HAVE INTERNAL INTELLIGENCE BUT HAVE ACCESS TO THE FULL SOURCE CODE UNDER GOVERNMENT-SHARED-SOURCE LICENCES + NDA + SECRECY. BUT -->

I WILL ONLY GO DOWN THAT ROAD ONCE A PROJECT HAS BEEN ESTABLISHED AND WE ARE GETTING SOMEWHERE !!!

IE: IF WE START GETTING SOMETHING WORKING WITH WRK+NT4+WIN2K+OTHERS/ETC CODE THEN - WELL - YES - YES - YES: I WILL 'BORROW'/'GET'/'OBTAIN' THE ENTIRE 2003 AND 2008 AND HYPERV AND AZURE AND .NET CLI/ETC SOURCECODE; I WILL GIVE THIS OUT ONLY TO PEOPLE WHO HELP GET THIS PROJECT UNDERWAY; RIGHT NOW; LET'S JUST DO IT. PS: THAT MULTI-TERAFLOP COMPUTER YOU SPEAK OF ABOVE WILL SOON BE: ALONG WITH BRAIN-IN-A-VAT VIRTUAL REALITY / MIND_UPLOADING AND THE SINGULARITY/FRANK J. TIPLER'S OMEGAPOINT.

#16 Alk3

Alk3

    "I Hack, therefore, I am"

  • Binrev Financier
  • 1,003 posts
  • Gender:Not Telling
  • Location:312 Chi-town

Posted 24 June 2010 - 02:34 AM

You require Valium, sir.

#17 army_of_one

army_of_one

    SUP3R 31337 P1MP

  • Members
  • 282 posts

Posted 28 September 2010 - 04:00 PM

I'd rather not post links, but it can be found via a popular hacker mailing list. It's the Windows Research Kernel, meant for academic study and downloadable only by MSDN Academic Alliance Administrators (professors). The source code is only the Win2k3 kernel source code and can be compiled and installed on any Win2k3 x86/64 box.
edit[0]: Added one word.


Thanks for the info. I actually didn't know about this program. This will help in my R&D. The current best approach to building usable secure systems is running most stuff in a Linux VM and security-critical functionality directly on top of the isolation kernel. Examples abound: MILS kernels, INTEGRITY Padded Cell, LynxSecure w/ Linux, OKL4 w/ OK Linux, PikeOS, Nizza Security Architecture, and Turaya Desktop. Those are my favorites. Sure you can use Intel VT, but it's added complexity in already buggy hardware. I prefer to just paravirtualize a legacy OS layer and then use the information flow assurance of the underlying microkernel to prevent unauthorized data access. Windows wasn't an option for paravirtualization because I had no source code. Thanks to the leak, we might be able to see what's feasible with Windows. Even if I can paravirtualize the kernel API, we would still have to make sure existing source code could simply be recompiled to use it. Would need Microsoft's cooperation on that, esp. for the driver framework.

Their cooperation seems unlikely. They intend to create competing offerings. We'll probably have to continue using Intel VT and custom drivers and support software for Windows boxes. Just using Linux as our main legacy API. Maybe a direct Wine port to one of the microkernel platforms would be a partial solution. What do you guys think? For now, I'll probably look into the Windows source code for purposes of extending security, integrity or availability. For instance, I might be able to port SecVisor to the Windows kernel to prevent unwanted kernel modifications. Might insert an AppArmor style monitoring system that builds a profile of accesses between objects, turn that into a security policy, and then extend the Windows kernel with capability-based, mandatory access control to support the security policy (on a restricted set of apps, RHEL SELinux style). So, I doubt a paravirt Windows port will happen, but we might still be able to use this code to improve security of the Windows platform.

Academia has produced so many useful security technologies over the past decade. Windows has only benefited from a few: NX; static driver verification; Mandatory Integrity Control. If more academics had the source code, they might have given Windows admins more options. Microsoft should ease their restrictions, esp. as their core kernel is hardly a trade secret or main competing advantage. It actually sucks compared to the likes of INTEGRITY, QNX or PikeOS. They should just go ahead and release it under a LGPL-like license so others could improve it for them (and us). Just the core kernel that is.
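The learn-then-enforce scheme army_of_one sketches above (profile which processes touch which objects, turn the profile into a policy, then deny anything outside it) as an added example that is not from the thread or from any project named in it. The trace, process names and NT object-manager paths are constructed; the directory-widening heuristic is an assumption of this example, not AppArmor's actual algorithm.

```python
"""Learn-mode access profiling over NT object-manager paths.
Constructed example: every event below is made up for illustration."""
from collections import defaultdict
from fnmatch import fnmatchcase
import ntpath

# Constructed learn-mode trace: (process, object path, operation).
TRACE = [
    ("svchost.exe", r"\Device\HarddiskVolume1\Windows\System32\config\SYSTEM", "read"),
    ("svchost.exe", r"\Device\HarddiskVolume1\Windows\System32\config\SOFTWARE", "read"),
    ("svchost.exe", r"\Device\HarddiskVolume1\Windows\System32\drivers\etc\hosts", "read"),
    ("svchost.exe", r"\Device\Afd", "ioctl"),
    ("winlogon.exe", r"\Device\HarddiskVolume1\Windows\System32\ntoskrnl.exe", "read"),
    ("winlogon.exe", r"\Registry\Machine\SAM", "read"),
    ("winlogon.exe", r"\Registry\Machine\SAM", "write"),
    ("notepad.exe", r"\Device\HarddiskVolume1\Users\alice\notes.txt", "read"),
    ("notepad.exe", r"\Device\HarddiskVolume1\Users\alice\notes.txt", "write"),
]


def build_profile(trace):
    """Map each process to the set of (object, operation) pairs it was seen using."""
    profile = defaultdict(set)
    for proc, obj, op in trace:
        profile[proc].add((obj, op))
    return profile


def profile_to_policy(profile, min_siblings=2):
    """Turn observed accesses into allow rules. When a process used one operation
    on at least `min_siblings` objects in the same directory, the rule is widened
    to `dir\\*` (assumed heuristic); everything else stays an exact path."""
    policy = {}
    for proc, pairs in profile.items():
        by_dir = defaultdict(set)
        for obj, op in pairs:
            by_dir[(ntpath.dirname(obj), op)].add(obj)
        rules = set()
        for (directory, op), objs in by_dir.items():
            if len(objs) >= min_siblings:
                rules.add((directory + "\\*", op))
            else:
                rules.update((o, op) for o in objs)
        policy[proc] = rules
    return policy


def check(policy, proc, obj, op):
    """Enforce the policy: allow only what the profile permits; a process that
    never appeared in the learn phase gets no access at all."""
    for pattern, rule_op in policy.get(proc, ()):
        if rule_op == op and fnmatchcase(obj, pattern):
            return "allow"
    return "deny"


def audit(policy, events):
    """Detection mode: return the events the policy would have denied, so an
    unexpected write to a kernel file shows up even before enforcement is on."""
    return [e for e in events if check(policy, *e) == "deny"]
```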



