#byovd
2 pages tagged with "byovd"
infosec
- KovaPlusFltr.sys: an unprivileged kernel stack overflow in the ROCCAT Kova[+] HID filter driver โ glaurung surfaced an unbounded ioctl copy in a 2010 ROCCAT gaming-mouse filter driver: an attacker-controlled length copied into a fixed 3000-byte kernel stack buffer with no upper bound and no /GS cookie, overwriting the saved return address. unprivileged with a controlled kernel write, but reachable only when the Kova[+] mouse is present, which we reproduced in qemu by emulating the hardware the driver expects.
- live kernel-debugging windows drivers in qemu from linux (no windbg, no whpx, no exdi) โ a working recipe for breakpointing windows kernel drivers running in a qemu/kvm guest, driven entirely from a linux host over the qemu gdbstub. it sidesteps the usual windbg-over-kdnet/exdi and whpx pain: gdb attaches to the gdbstub directly, base+rva is resolved without pdbs, and the single rule that fixes "symbols resolve but my breakpoint never hits" is hardware breakpoints only. ends with a real captured ring-0 saved-rip overwrite.