6 comments

[ 13.9 ms ] story [ 176 ms ] thread
Is it correct to assume the VDM component will be removed by almost any virus scanner before tools like PTM become an option for malicious programs?
This part was great...

" the VirtualAlloc’ed page tables can be paged to disk themselves and thus when paged back into physical memory they will most likely be allocated in a new physical page. However, this has proven to be an insignificant issue after suspending the working set manager thread which is responsible for paging virtual memory to disk. "

"..it can be used with VDM to leverage arbitrary kernel execution without the need of VDM’s vulnerable driver being loaded into the kernel."

I don't quite get this part, it seems like a contradiction? It relies on VDM but VDM doesn't need to be loaded?

It sounds like you need to run VDM once to expose the page tables to user space, but then you can unload it and just continue only using PTM.
It means that you only need the vulnerable driver to be loaded once, rather than being loaded continuously. Useful for getting past anticheats I guess.
ah yes breaking the working set manager to cheat in video games. Nice one xerox