a look inside the windows kernel
play

A look inside the Windows Kernel CVE-2011-1237 Evolution from XP - PowerPoint PPT Presentation

Dec 25, 2022 •577 likes •1.55k views

A look inside the Windows Kernel Bruno Pujos Introduction Basics of Windows Kernel A look inside the Windows Kernel CVE-2011-1237 Evolution from XP to 8 Bruno Pujos CVE-2013-3660 Conclusion LSE July 18, 2013 Plan A look inside the

  1. A look inside the Windows Kernel Bruno Pujos Introduction Basics of Windows Kernel A look inside the Windows Kernel CVE-2011-1237 Evolution from XP to 8 Bruno Pujos CVE-2013-3660 Conclusion LSE July 18, 2013

  2. Plan A look inside the Windows Kernel Bruno Pujos Introduction Basics of Windows Kernel CVE-2011-1237 1 Introduction Evolution from XP to 8 CVE-2013-3660 Conclusion

  3. Introduction A look inside the Windows Kernel Bruno Pujos What this talk is about? Introduction • Security of the Windows Kernel Basics of Windows Kernel • Presentation of some exploits CVE-2011-1237 • What changed in the security of the kernel, since Evolution from XP to 8 Windows NT 5.1 (Windows XP) CVE-2013-3660 Conclusion Motivation for attacking the kernel • Sandbox bypassing • Full access to everything • The fun

  4. Plan A look inside the Windows Kernel Bruno Pujos Introduction 1 Introduction Basics of Windows Kernel Basics of Windows Kernel 2 CVE-2011-1237 Evolution from XP to 8 CVE-2011-1237 3 CVE-2013-3660 Conclusion Evolution from XP to 8 4 CVE-2013-3660 5 Conclusion 6

  5. Plan A look inside the Windows Kernel Bruno Pujos Introduction Basics of Windows Kernel CVE-2011-1237 2 Basics of Windows Kernel Evolution from XP to 8 CVE-2013-3660 Conclusion

  6. Basics of Windows Kernel A look inside the Windows Kernel Bruno Pujos Introduction Basics of Windows Kernel CVE-2011-1237 Evolution from XP to 8 CVE-2013-3660 Conclusion

  7. HAL A look inside the Windows Kernel Bruno Pujos Introduction Basics of Windows • HAL : The hardware abstraction layer (hal.dll) Kernel CVE-2011-1237 • ”a layer of software that deals directly with your Evolution from XP computer hardware.” (msdn) to 8 CVE-2013-3660 • Layer for suporting different hardware with the same Conclusion software • HalDispatchTable : holds the addresses of a few HAL routines

  8. Win32k.sys A look inside the Windows Kernel Bruno Pujos Introduction Basics of Windows Kernel • Kernel mode driver CVE-2011-1237 Evolution from XP • Introduce in NT 4.0 for performance reason to 8 • Two parts : CVE-2013-3660 Conclusion • The Graphics Device Interface (GDI) • The Window Manager

  9. User objects A look inside the Windows Kernel Bruno Pujos Introduction • User entities (Windows, menu, keyboard layout. . . ) Basics of Windows • Managed by the Window Manager Kernel CVE-2011-1237 • Represented by a handle Evolution from XP • Handle table keeps track of each user object to 8 CVE-2013-3660 • The address of the object Conclusion • The type of the object • A flag • The owner and a wUniq value

  10. User objects A look inside the Windows Kernel Bruno Pujos Introduction • User entities (Windows, menu, keyboard layout. . . ) Basics of Windows • Managed by the Window Manager Kernel CVE-2011-1237 • Represented by a handle Evolution from XP • Handle table keeps track of each user object to 8 CVE-2013-3660 • The address of the object Conclusion • The type of the object • A flag • The owner and a wUniq value

  11. User objects A look inside the Windows Kernel • User entities (Windows, menu, keyboard layout. . . ) Bruno Pujos • Managed by the Window Manager Introduction • Represented by a handle Basics of Windows Kernel • Handle table keeps track of each user object CVE-2011-1237 • The address of the object Evolution from XP to 8 • The type of the object CVE-2013-3660 • A flag Conclusion • The owner and a wUniq value

  12. User-Mode Callback A look inside the Windows Kernel Bruno Pujos Introduction Basics of Windows • A way to communicate between kernel and user: Kernel CVE-2011-1237 • access to some structures in user mode Evolution from XP • used to support hooking to 8 • . . . CVE-2013-3660 • CBT-Hook: receive notifications from windows Conclusion • WindowProc: callback function wich processes the messages sent to a window

  13. User-Mode Callback A look inside the Windows Kernel Bruno Pujos Introduction Basics of Windows • A way to communicate between kernel and user: Kernel CVE-2011-1237 • access to some structures in user mode Evolution from XP • used to support hooking to 8 • . . . CVE-2013-3660 • CBT-Hook: receive notifications from windows Conclusion • WindowProc: callback function wich processes the messages sent to a window

  14. Plan A look inside the Windows Kernel Bruno Pujos Introduction Basics of Windows Kernel CVE-2011-1237 3 CVE-2011-1237 Evolution from XP to 8 CVE-2013-3660 Conclusion

  15. Vulnerability A look inside the Windows Kernel • Vulnerability discovered by Tarjei Mandt Bruno Pujos (@kernelpool), based on his paper Kernel Attacks Introduction through User-Mode Callbacks Basics of Windows • Use After Free of a window object (User Object) Kernel CVE-2011-1237 • During the creation of a new window, you can give a parent in a CBT-Hook Evolution from XP to 8 • Using another hook during the creation, you can CVE-2013-3660 destroy this window Conclusion • We have a way to allocate a buffer with our content and the size we want with SetWindowTextW . We will use it to put what we want at the position of the free window • The parent is used at the end of LinkWindow , and it has been freed • We can map the Null page and put our shellcode in it, in userland. Our goal is to call it

  16. Vulnerability A look inside the Windows Kernel • Vulnerability discovered by Tarjei Mandt Bruno Pujos (@kernelpool), based on his paper Kernel Attacks Introduction through User-Mode Callbacks Basics of Windows • Use After Free of a window object (User Object) Kernel CVE-2011-1237 • During the creation of a new window, you can give a parent in a CBT-Hook Evolution from XP to 8 • Using another hook during the creation, you can CVE-2013-3660 destroy this window Conclusion • We have a way to allocate a buffer with our content and the size we want with SetWindowTextW . We will use it to put what we want at the position of the free window • The parent is used at the end of LinkWindow , and it has been freed • We can map the Null page and put our shellcode in it, in userland. Our goal is to call it

  17. Vulnerability A look inside the Windows Kernel • Vulnerability discovered by Tarjei Mandt Bruno Pujos (@kernelpool), based on his paper Kernel Attacks Introduction through User-Mode Callbacks Basics of Windows • Use After Free of a window object (User Object) Kernel CVE-2011-1237 • During the creation of a new window, you can give a parent in a CBT-Hook Evolution from XP to 8 • Using another hook during the creation, you can CVE-2013-3660 destroy this window Conclusion • We have a way to allocate a buffer with our content and the size we want with SetWindowTextW . We will use it to put what we want at the position of the free window • The parent is used at the end of LinkWindow , and it has been freed • We can map the Null page and put our shellcode in it, in userland. Our goal is to call it

  18. Vulnerability A look inside the Windows Kernel • Vulnerability discovered by Tarjei Mandt Bruno Pujos (@kernelpool), based on his paper Kernel Attacks Introduction through User-Mode Callbacks Basics of Windows • Use After Free of a window object (User Object) Kernel CVE-2011-1237 • During the creation of a new window, you can give a parent in a CBT-Hook Evolution from XP to 8 • Using another hook during the creation, you can CVE-2013-3660 destroy this window Conclusion • We have a way to allocate a buffer with our content and the size we want with SetWindowTextW . We will use it to put what we want at the position of the free window • The parent is used at the end of LinkWindow , and it has been freed • We can map the Null page and put our shellcode in it, in userland. Our goal is to call it

  19. Vulnerability A look inside the Windows Kernel • Vulnerability discovered by Tarjei Mandt Bruno Pujos (@kernelpool), based on his paper Kernel Attacks Introduction through User-Mode Callbacks Basics of Windows • Use After Free of a window object (User Object) Kernel CVE-2011-1237 • During the creation of a new window, you can give a parent in a CBT-Hook Evolution from XP to 8 • Using another hook during the creation, you can CVE-2013-3660 destroy this window Conclusion • We have a way to allocate a buffer with our content and the size we want with SetWindowTextW . We will use it to put what we want at the position of the free window • The parent is used at the end of LinkWindow , and it has been freed • We can map the Null page and put our shellcode in it, in userland. Our goal is to call it

  20. Vulnerability A look inside the Windows Kernel • Vulnerability discovered by Tarjei Mandt Bruno Pujos (@kernelpool), based on his paper Kernel Attacks Introduction through User-Mode Callbacks Basics of Windows • Use After Free of a window object (User Object) Kernel CVE-2011-1237 • During the creation of a new window, you can give a parent in a CBT-Hook Evolution from XP to 8 • Using another hook during the creation, you can CVE-2013-3660 destroy this window Conclusion • We have a way to allocate a buffer with our content and the size we want with SetWindowTextW . We will use it to put what we want at the position of the free window • The parent is used at the end of LinkWindow , and it has been freed • We can map the Null page and put our shellcode in it, in userland. Our goal is to call it

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

System Programming in Windows Naming in Windows: Kernel Objects and Kernel Object Handles

System Programming in Windows Naming in Windows: Kernel Objects and Kernel Object Handles

CSCE Intro to Computer Systems System Programming in Windows System Programming in Windows Naming in Windows: Kernel Objects and Kernel Object Handles Processes, Jobs, Threads Synchronization Kernel Objects Whenever you want to

416 views • 13 slides
Attacking the Windows Kernel Below The Root Jonathan Lindsay, Reverse Engineer in extremis

Attacking the Windows Kernel Below The Root Jonathan Lindsay, Reverse Engineer in extremis

Attacking the Windows Kernel Below The Root Jonathan Lindsay, Reverse Engineer in extremis Introduction Limited to Windows, and aimed at IA32: Outline of protected mode and the kernel Attack vectors Useful tools Examples

672 views • 36 slides
GDI Font Fuzzing in Windows Kernel for Fun Kernel for Fun Lee Ling Chuan & Chan Lee Yee

GDI Font Fuzzing in Windows Kernel for Fun Kernel for Fun Lee Ling Chuan & Chan Lee Yee

GDI Font Fuzzing in Windows Kernel for Fun Kernel for Fun Lee Ling Chuan & Chan Lee Yee Ministry of Science, Technology and Innovation Agenda Agenda Introduction TrueType Font (.TTF) TTF Fuzzer Exploit Demonstration MS11

788 views • 65 slides
Roadmap for Section B A Brief History of Windows and Linux Comparing the Windows and Linux kernel

Roadmap for Section B A Brief History of Windows and Linux Comparing the Windows and Linux kernel

Unit OS B: Comparing the Linux and Windows Kernels Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section B A Brief History of Windows and Linux Comparing the Windows and Linux

430 views • 25 slides
1. 2. 3. 1. 2. 3. Windows 10 IoT Core Universal Windows Platform (UWP) Microsoft Azure v7

1. 2. 3. 1. 2. 3. Windows 10 IoT Core Universal Windows Platform (UWP) Microsoft Azure v7

1. 2. 3. 1. 2. 3. Windows 10 IoT Core Universal Windows Platform (UWP) Microsoft Azure v7 v8 Windows Embedded Standard One core Multiple SKUs v8. Windows Embedded 1 Windows 10 Windows Embedded Handheld Converged OS kernel Converged

1.08k views • 60 slides
Windows NT and Real-Time? Reading: Inside Microsoft Windows 2000, (Solomon,

Windows NT and Real-Time? Reading: Inside Microsoft Windows 2000, (Solomon,

CPSC-663: Real-Time Systems Windows NT/2000 and Real-Time Windows NT and Real-Time? Reading: Inside Microsoft Windows 2000, (Solomon, Russinovich, Microsoft Programming Series) Real-Time Systems and Microsoft Windows NT

208 views • 8 slides
Windows Kernel Reference Count Vulnerabilities - Case Study Mateusz "j00ru" Jurczyk @

Windows Kernel Reference Count Vulnerabilities - Case Study Mateusz "j00ru" Jurczyk @

Windows Kernel Reference Count Vulnerabilities - Case Study Mateusz "j00ru" Jurczyk @ ZeroNights E.0x02 November 2012 PS C:\Users\j00ru> whoami nt authority\system Microsoft Windows internals fanboy Also into reverse

976 views • 80 slides
Kernel Implementations I 15 January 2019 OSU CSE 1 So, Whats Inside the Computer?

Kernel Implementations I 15 January 2019 OSU CSE 1 So, Whats Inside the Computer?

Kernel Implementations I 15 January 2019 OSU CSE 1 So, Whats Inside the Computer? Consider any popular video game, e.g., Nintendo Wii bowling Are there bowling balls and bowling pins inside the game consoles computer? 15

681 views • 27 slides
Kernel Pool Exploitation on Windows 7 Tarjei Mandt | Black Hat DC 2011 About Me Security

Kernel Pool Exploitation on Windows 7 Tarjei Mandt | Black Hat DC 2011 About Me Security

Kernel Pool Exploitation on Windows 7 Tarjei Mandt | Black Hat DC 2011 About Me Security Researcher at Norman Malware Detection Team (MDT) Interests Vulnerability research Operating systems internals Exploit mitigations

2.17k views • 100 slides
Windows Kernel Trap Handler and NTVDM Vulnerabilities Case Study Mateusz "j00ru"

Windows Kernel Trap Handler and NTVDM Vulnerabilities Case Study Mateusz "j00ru"

Windows Kernel Trap Handler and NTVDM Vulnerabilities Case Study Mateusz "j00ru" Jurczyk ZeroNights 2013 E.0x03 Moscow, Russia Introduction Mateusz j00ru Jurczyk Information Security Engineer @ Extremely into Windows

1.11k views • 110 slides
Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box

Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box

Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box - Still GUI based - Still makes no sense - No start menu :( - (Install classic shell)... trust me... Windows Server What can it do? - Email

1.06k views • 37 slides
Platform Convergence Journey Windows Embedded Standard 7 Windows Embedded Standard 8 Converged

Platform Convergence Journey Windows Embedded Standard 7 Windows Embedded Standard 8 Converged

Platform Convergence Journey Windows Embedded Standard 7 Windows Embedded Standard 8 Converged OS kernel Windows Embedded 8.1 Windows Embedded 8 Converged app model Windows 10 Windows Embedded 8.1 Windows Embedded 8 Handheld Handheld

792 views • 29 slides
Windows Not Just For Houses Everyone Uses Windows! Versions of Windows 10 There are multiple

Windows Not Just For Houses Everyone Uses Windows! Versions of Windows 10 There are multiple

Windows Not Just For Houses Everyone Uses Windows! Versions of Windows 10 There are multiple different versions of Windows 10 that support different features The version of Windows that we will be using is Enterprise edition This

973 views • 53 slides
Rainbow over the Window(s) ... more colors than you could expect $whoami Peter Daniel

Rainbow over the Window(s) ... more colors than you could expect $whoami Peter Daniel

Rainbow over the Window(s) ... more colors than you could expect $whoami Peter Daniel @zer0mem @long123king Windows kernel research at Windows kernel research at KeenLab, Tencent KeenLab, Tencent pwn2own winner (2015

1.12k views • 52 slides
Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8

Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8

Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8 Heap Internals Who Chris Valasek (@nudehaberdasher) Sr. Research Scientist Coverity Tarjei Mandt (@kernelpool) Vulnerability

1.33k views • 91 slides
0-to-hero 07/10 Mentors <> 07/10 Sessions Me Kernel

0-to-hero 07/10 Mentors <> 07/10 Sessions Me Kernel

0-to-hero 07/10 Mentors <> 07/10 Sessions Me Kernel developer(Windows/Linux/Own)/Microarchitecture geek (Intel)/Security Researcher (Lenovo, Microsoft, Mysql, Python etc.)/ Software Engineer Architect/Hardware Engineer (FPGA, ASIC,

300 views • 12 slides
Basic External Memory Data Structures Zorieh Soltani Yazd University Fall-1389 Zorieh Soltani

Basic External Memory Data Structures Zorieh Soltani Yazd University Fall-1389 Zorieh Soltani

Basic External Memory Data Structures Zorieh Soltani Yazd University Fall-1389 Zorieh Soltani (Yazd University) Basic External Memory Data Structures Fall-1389 1 / 50 Content 2.3 B-trees 2.4 Hashing Based Dictionaries 2.5 Dynamization

2.26k views • 127 slides
INF5110 Compiler Construction Symbol tables Spring 2016 1 / 43 Outline 1. Symbol tables

INF5110 Compiler Construction Symbol tables Spring 2016 1 / 43 Outline 1. Symbol tables

INF5110 Compiler Construction Symbol tables Spring 2016 1 / 43 Outline 1. Symbol tables Introduction Symbol table design an interface Implementing symbol tables Block-structure, scoping, binding, name-space organization Symbol tables

1.09k views • 41 slides
IMPROVING THE ROOT INTERPRETER Javier Lpez-Gmez <jalopezg@inf.uc3m.es> A CS PhD. student

IMPROVING THE ROOT INTERPRETER Javier Lpez-Gmez <jalopezg@inf.uc3m.es> A CS PhD. student

a.k.a. Cling September 29, 2019 Computer Architecture and Technology Area, University Carlos III of Madrid IMPROVING THE ROOT INTERPRETER Javier Lpez-Gmez <jalopezg@inf.uc3m.es> A CS PhD. student @ARCOS UC3M (Computer Architecture

515 views • 28 slides
Lecture 8: Dictionaries and Hash Tables Instructor: Saravanan Thirumuruganathan CSE 5311

Lecture 8: Dictionaries and Hash Tables Instructor: Saravanan Thirumuruganathan CSE 5311

Lecture 8: Dictionaries and Hash Tables Instructor: Saravanan Thirumuruganathan CSE 5311 Saravanan Thirumuruganathan Outline 1 Dictionaries 2 Hashing 3 Hash Tables 4 Briefly, DHTs and Bloom filters CSE 5311 Saravanan Thirumuruganathan

860 views • 63 slides
Anchors Page 53 Transform the World So When Do You Use Chains? Use Chaining Anchors when the

Anchors Page 53 Transform the World So When Do You Use Chains? Use Chaining Anchors when the

Chaining Anchors Page 53 Transform the World So When Do You Use Chains? Use Chaining Anchors when the undesired state and the desired state are too far apart. Usually when the undesired state is a stuck state where there is no

596 views • 8 slides
Linked List Implementation Data-structure-palooza Introduction to Markov Chaining Checkout

Linked List Implementation Data-structure-palooza Introduction to Markov Chaining Checkout

Linked List Implementation Data-structure-palooza Introduction to Markov Chaining Checkout LinkedLists project from SVN Understanding the engineering trade-offs when storing data Efficient ways to store data based on how well use it

512 views • 25 slides
Databases and keys Integer keys A database stores records with various attributes. Lets make

Databases and keys Integer keys A database stores records with various attributes. Lets make

CS206 CS206 Databases and keys Integer keys A database stores records with various attributes. Lets make a keyed table of all the students in the class, with the student number as the key. The database can be represented as a table, where

96 views • 5 slides
Software Vector Chaining M. Anton Ertl TU Wien Data Parallelism and SIMD instructions Data

Software Vector Chaining M. Anton Ertl TU Wien Data Parallelism and SIMD instructions Data

Software Vector Chaining M. Anton Ertl TU Wien Data Parallelism and SIMD instructions Data parallelism in programming problems Hardware provides SIMD instructions Cray-1 vector instructions, Intel/AMD SSE/AVX, ARM Neon/SVE vmulpd %ymm2,

377 views • 10 slides

More recommend