[Info-vax] Malware in kernel mode, was: Re: Android development Was Re: OT: Larry Ellison takes retirement as CEO of Oracle

Simon Clubley clubley at remove_me.eisner.decus.org-Earth.UFP
Wed Sep 24 13:19:04 EDT 2014


On 2014-09-23, Johnny Billquist <bqt at softjar.se> wrote:
> On 2014-09-23 16:10, David Froble wrote:
>> Johnny Billquist wrote:
>>>
>>> *How* do you get the x86 code running in kernel mode, without
>>> involving the OS at all???
>>>
>>
>> I'm not some asshole hacker.  I haven't given it much thought.  If I
>> could answer your question, I'd be maybe 90% of the way to writing malware
>> to do just what I've suggested.
>>
>> Your attitude of "that can't be done" is much appreciated by the hackers.
>
> Or maybe I'm right. You know, in general it helps to understand the 
> topic before making claims. :-)
>

I already posted one conceptual way in which this could be done, and that
was to have something like a buffer overflow occur within a kernel mode
module; the example I gave was some TCP/IP component which might suffer
from some VMS-specific or common-mode vulnerability.

In this example, the data in the buffer would be executed as code and, as
VMS is a monolithic kernel, all the peripheral address space is mapped in
while in kernel mode.

This means the code would basically be running as bare-metal code while
in fully privileged kernel mode and could do whatever it wanted to the
attached peripherals.

If the code was VMS-aware, it could further hook itself into some VMS
kernel module.

Simon.

-- 
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world
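Added example, not from Simon's post, from OpenVMS, or from any real TCP/IP stack: a toy packet-option parser in C of the kind a kernel-mode network component contains, written first in the vulnerable shape the post describes (the copy length is taken from the wire and checked only against the packet, never against the destination buffer) and then in a hardened shape beside it. The option encoding, the `kframe` layout, the function names and the 0x41/0x42 sample bytes are all hypothetical and constructed here for illustration; the "saved return address" is modelled as eight marker bytes placed after the buffer so the clobber can be observed without actually executing the copied data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical layout (an assumption of this example, not a VMS structure):
 * the parser owns a 16-byte option buffer, and the 8 bytes after it stand in
 * for a saved return address on the kernel stack. The frame is padded to 256
 * bytes so that a demo overrun of any one-byte wire length stays inside this
 * process's own memory; a real kernel stack frame has no such padding, and
 * the overrun lands on whatever happens to follow the buffer. */
#define OPT_BUF_LEN   16
#define SAVED_RET_LEN 8
#define FRAME_LEN     256
enum { OPT_BUF_OFF = 0, SAVED_RET_OFF = OPT_BUF_LEN };

typedef struct { uint8_t bytes[FRAME_LEN]; } kframe;

enum parse_result { PARSE_OK = 0, PARSE_TRUNCATED = 1, PARSE_TOO_LONG = 2 };

/* Marker written into the saved-return slot so that a clobber is observable. */
static const uint8_t RET_MARKER[SAVED_RET_LEN] = {
    0xDE, 0xAD, 0xBE, 0xEF, 0xC0, 0xFF, 0xEE, 0x01
};

static void frame_init(kframe *f)
{
    memset(f->bytes, 0, FRAME_LEN);
    memcpy(f->bytes + SAVED_RET_OFF, RET_MARKER, SAVED_RET_LEN);
}

static int saved_ret_intact(const kframe *f)
{
    return memcmp(f->bytes + SAVED_RET_OFF, RET_MARKER, SAVED_RET_LEN) == 0;
}

/* Toy option encoding, attacker-controlled end to end:
 *   [kind][len][len data bytes]                                            */

/* Vulnerable form: the length is validated against the packet, not against
 * the destination buffer, so any len > OPT_BUF_LEN copies attacker bytes
 * over the saved-return slot. Inside a kernel-mode module that is the
 * corruption the post describes: the attacker's bytes end up where the
 * kernel will next fetch instructions from, and nothing less privileged is
 * left to check them. */
static int parse_option_naive(kframe *f, const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < 2)
        return PARSE_TRUNCATED;
    size_t len = pkt[1];
    if (len + 2 > pkt_len)
        return PARSE_TRUNCATED;      /* only the packet bound is checked */
    memcpy(f->bytes + OPT_BUF_OFF, pkt + 2, len);
    return PARSE_OK;
}

/* Hardened form: one extra comparison, against the buffer size. */
static int parse_option_checked(kframe *f, const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < 2)
        return PARSE_TRUNCATED;
    size_t len = pkt[1];
    if (len + 2 > pkt_len)
        return PARSE_TRUNCATED;
    if (len > OPT_BUF_LEN)
        return PARSE_TOO_LONG;       /* reject instead of overrunning */
    memcpy(f->bytes + OPT_BUF_OFF, pkt + 2, len);
    return PARSE_OK;
}

/* Constructed sample: kind 0x41 with 20 data bytes of 0x42, i.e. 4 bytes
 * more than the buffer holds. Returns 1 when the naive parser accepts it and
 * clobbers the saved-return slot while the checked parser refuses it. */
static int demo_overlong_option(void)
{
    uint8_t pkt[2 + 20] = { 0x41, 20 };
    memset(pkt + 2, 0x42, 20);
    kframe f;

    frame_init(&f);
    int naive_clobbered = parse_option_naive(&f, pkt, sizeof pkt) == PARSE_OK
                          && !saved_ret_intact(&f);

    frame_init(&f);
    int checked_refused = parse_option_checked(&f, pkt, sizeof pkt) == PARSE_TOO_LONG
                          && saved_ret_intact(&f);

    return naive_clobbered && checked_refused;
}

int main(void)
{
    printf("naive parser clobbers saved return, checked parser refuses: %s\n",
           demo_overlong_option() ? "yes" : "no");
    return 0;
}
```

Build with a plain `cc optdemo.c -o optdemo` (file name assumed); it prints "yes". Only the copy is shown here, deliberately: what follows in the post, the copied bytes being run as fully privileged kernel code, is the part the example leaves as Simon states it, and the point of the hardened parser is that the extra length check is the whole difference between the two outcomes.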