Turns out you can use unnamed shared memory without having a handle open to the file mapping: you create a shared memory (anonymous, pagefile-backed) file mapping object, share the handle to the file mapping through DuplicateHandle, open your file mapping views, and then close all handles to the file mapping. The clue here is that you can still use the shared memory as long as there are still file views open. If you do this, you will have the basis for an undetected IPC method (for user mode, of course). Pretty nice exploit.
@itf_ph3r0x41
A year ago
If you want to achieve comms though, you will need some kind of synchronization object to control the access. I tried implementing a spinlock in the shared memory space, but failed due to not being able to properly instantiate the object in shared memory. After a bit of reading I figured out that you need to use custom allocators to be able to instantiate objects in shared memory...
@zodiacon
A year ago
You just need a mutex.
@itf_ph3r0x41
A year ago
@zodiacon Yeah, that was the solution that worked for me, but it has the downside of relying on the OS for that / having an open handle to a mutex object (although I think a handle to a synchronization object is probably rarely used as a detection vector).
Comments: 5