BATTLE OF SKM AND IUM
blackhat2015
SKM FUNCTION LAYOUT
• Similar to NTOS, SKM has different modules that handle various parts of its mechanisms
  • Ke (Ki), Etw, Rtl, Dbg, Se appear as the usual suspects
  • Ium is the IUM secure system call interface
  • Nt/Zw is the SKM system call interface
  • Nk are the NTOS normal-mode system call stubs
  • Shvl, Skob, Skmm (Skmi), Ske (Ski), Skps are the SKM counterparts of the respective NT interfaces
  • Sk are generic Secure Kernel helpers/functions used by various parts of the kernel (catchall prefix)
• SKM also exports certain functions, mainly so that CNG.SYS can load correctly
  • Most will immediately bugcheck if called, as CNG.SYS is not expected to call most of these
  • But those that begin with Sk are exported for SKM modules (Pool, Locks, Objects)
  • CNG.SYS detects if it's running in SKM, and will call these routines instead of the NTOS ones
  • A few Rtl, Etw, and CRT functions are exposed as well
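The prefix layout above is what a reverse engineer leans on when triaging a Secure Kernel export list. The script below is an added example (not from the slides or from Microsoft) that buckets symbol names into the slide's module families by their CamelCase prefix, treating any unlisted Sk* prefix as the generic Sk catchall and lowercase names as CRT-style exports. The symbol names in SAMPLE_EXPORTS are constructed for illustration and are not claimed to be real securekernel.exe exports.

```python
"""Bucket kernel-style symbol names into the SKM module families from the slide.

Added example; family table follows the slide, sample names are constructed.
"""
import re
from collections import defaultdict

# Prefix -> description, following the slide's layout.
PREFIX_FAMILIES = {
    "Ke": "Ke/Ki kernel core", "Ki": "Ke/Ki kernel core",
    "Etw": "Etw tracing", "Rtl": "Rtl runtime library",
    "Dbg": "Dbg debugging", "Se": "Se security",
    "Ium": "IUM secure system call interface",
    "Nt": "SKM system call interface (Nt/Zw)",
    "Zw": "SKM system call interface (Nt/Zw)",
    "Nk": "NTOS normal-mode system call stubs",
    "Shvl": "SKM counterpart of the hypervisor interface",
    "Skob": "SKM counterpart of Ob (objects)",
    "Skmm": "SKM counterpart of Mm (memory)", "Skmi": "SKM counterpart of Mi",
    "Ske": "SKM counterpart of Ke", "Ski": "SKM counterpart of Ki",
    "Skps": "SKM counterpart of Ps (processes)",
    "Sk": "generic Secure Kernel helpers (catchall)",
}

# Constructed sample names (hypothetical, not real exports).
SAMPLE_EXPORTS = [
    "SkobExampleReferenceObject", "SkmiExampleMapPage", "SkExampleAllocatePool",
    "SkpgExampleUnlistedPrefix", "IumExampleSecureCall", "NtExampleCreateFile",
    "ZwExampleClose", "NkExampleNormalStub", "RtlExampleCopyMemory",
    "EtwExampleWrite", "memcpy", "strlen", "UnknownExampleRoutine",
]


def camel_prefix(name):
    """Return the leading CamelCase word ("Skob" in "SkobFoo"), or None."""
    m = re.match(r"^([A-Z][a-z]*)", name)
    return m.group(1) if m else None


def classify(name):
    """Map a symbol to a family key from PREFIX_FAMILIES, "crt" or "unknown"."""
    prefix = camel_prefix(name)
    if prefix is None:
        # Lowercase names such as memcpy: CRT-style exports mentioned on the slide.
        return "crt"
    if prefix in PREFIX_FAMILIES:
        return prefix
    if prefix.startswith("Sk"):
        # The slide calls Sk a catchall: unlisted Sk* prefixes fold into it.
        return "Sk"
    return "unknown"


def group_exports(names):
    """Group symbol names by family key; values are sorted name lists."""
    groups = defaultdict(list)
    for name in names:
        groups[classify(name)].append(name)
    return {k: sorted(v) for k, v in groups.items()}


def skm_module_facing(names):
    """Names starting with Sk: per the slide, the exports meant for SKM modules."""
    return sorted(n for n in names if n.startswith("Sk"))


if __name__ == "__main__":
    for family, names in sorted(group_exports(SAMPLE_EXPORTS).items()):
        label = PREFIX_FAMILIES.get(family, family)
        print(f"{family:8} {label}")
        for n in names:
            print(f"         {n}")
    print("SKM-module-facing:", skm_module_facing(SAMPLE_EXPORTS))
```

Run against a real export table (for instance a dumped symbol list) the same grouping quickly separates the handful of Sk* helpers CNG.SYS is expected to use from the interface families that the slide says mostly bugcheck when called from outside the Secure Kernel.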