Home » Tags

post_exploitation

Delaying Kernel Payloads by Hijacking KTIMERs & KDPCs (Part 2)

In this two part blog post series we present KTIMER hijacking, a novel post-exploitation technique that delays the execution of kernel-mode payloads. In the first part whe focussed on Windows 11 timer internals and deferred procedure calls and showed that we can hijack KTIMER and KDCP objects to delay the execution of a function pointer. This second part focusses on implementing these findings in a proof of concept, illustrating the delay in execution of a kernel-mode payload. ...

September 30, 2023 · 22 min · Gerr.re

Delaying Kernel Payloads by Hijacking KTIMERs & KDPCs (Part 1)

In this two part blog post series we present KTIMER hijacking, a novel post-exploitation technique that delays the execution of kernel-mode payloads. This first part will focus on Windows 11 timer internals and deferred procedure calls and how we can hijack KTIMER and KDCP objects to delay the execution of a function pointer. The second part focusses on implementing these findings in a proof of concept, illustrating the delay in execution of a kernel-mode payload. ...

September 15, 2023 · 9 min · Gerr.re