0% found this document useful (0 votes)

52 views265 pages

Windows Kernel Exploitation

The document provides an overview of Windows Kernel Internals, detailing its architecture, debugging techniques, and various exploitation methods. It covers key concepts such as privilege rings, memory management, and common vulnerabilities like buffer overflows and race conditions. Additionally, it discusses mitigation strategies and changes introduced in Windows 10 compared to previous versions.

Uploaded by

aditya

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

52 views265 pages

Windows Kernel Exploitation

Uploaded by

aditya

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 265

Windows Kernel

Vulnerability
root@hacksys:~/#
Agenda
Agenda
Agenda
Agenda
Windows Internals?
Setup
Kernel Debugging

Windows Kernel Debugging

Lab Time
Setup
Debugging Symbols

Windows Kernel Debugging

Lab Time
Windows
NT
Architecture
Windows Internals
System Processes Services Applications Environment Subsystems

Service Control
Manager Windows
Local Security Task Manager
Authority Explorer
Winlogon Service Host User
Application
User
Mode Wininit Print Spooler SUA

Subsystem DLLs Windows DLLs

System NTDLL.DLL
Threads

Kernel
Mode
System Service Dispatcher

(kernel mode callable interfaces) Windows

USER,
I/O Manager GDI

Advanced Local
Configuration
Play Manager

Procedure
Reference

Processes
Manager

Manager

Manager
Plug and

Memory
Monitor

Security

Copyright © Microsoft Corporation

Object

Power
Cache

Call
Device &
Graphics
File System Drivers
Drivers

Kernel

Hardware Abstraction Layer (HAL)

Hardware
Windows NT Architecture
Executive

Windows Internals
Executive
Kernel Core

Windows Internals
Kernel Core
Function
Prefixes

Windows Internals
Function Prefixes

Prefix Kernel Component

Cm Configuration Manager
Ex Executive
Hal Hardware Abstraction Layer
Io I/O Manager
Ke Kernel Core
Mm Memory Manager
Ob Object Manager
Po Power Manager
Tm Transaction Manager
Nt and Zw Native System Services
Hardware
Abstraction Layer

Windows Internals
Hardware Abstraction Layer
Privilege
Rings

Windows Internals
Ring -1: Virtual Machine
Ring 3 Extensions (VMX)
User Mode Ring -2: System
Least Privileged Ring 2 Management Mode (SMM)

Ring 1

Not Used

Ring 0 Not Used

Kernel Mode
Most Privileged
Privilege Rings
Privilege Rings
Virtual
Address Space

Memory Management
Virtual Address Space
Virtual Address Space – x86
Virtual Address Space – x64
Virtual Address Space
Copy on Write
Copy on Write
Lab Time
Objects
and
Handles
Windows Internals
Objects and Handles
Interrupt

Windows Internals
Interrupt
Interrupt Control Flow
0
2
3

Peripheral Device Controller CPU Interrupt

Controller
n

CPU Interrupt
Service Table

ISR Address Read from device

Raise IRQL
Spin Lock
Grab Spinlock Acknowledge-
Interrupt
Dispatch
Code Drop Spinlock
Request DPC
Lower IRQL

Interrupt Object
KiInterruptDispatch Driver ISR
Key
Data Structures

Windows Internals
nt!_LIST_ENTRY
nt!_LIST_ENTRY
nt!_KPCR
nt!_KPCR
nt!_EPROCESS
nt!_EPROCESS
nt!_DRIVER_OBJECT
nt!_DRIVER_OBJECT
nt!_DRIVER_OBJECT
nt!_OBJECT_HEADER
nt!_OBJECT_HEADER
nt!_EX_FAST_REF
nt!_EX_FAST_REF
Lab Time
Kernel
Stack

Memory Management
Kernel Stack
Memory
Pool

Memory Management
Memory Pool
Memory Pool
Memory Pool
Pool
Internals

Memory Management
Pool Internals
Pool Internals
nt!_POOL_HEADER
nt!_POOL_HEADER
LookAsideList
LookAsideList
ListHeads
Allocation Pattern
ListHeads - Coalescing
User Mode
vs
Privileged Mode
Why to Attack Kernel?
User Mode vs Privileged Mode
User Mode
Exploit
Mitigation
Why to Attack Kernel?
User Mode Exploit Mitigation
I/O Manager
Data
Structures
Windows Driver Basics
nt!_IRP
Lab Time
I/O
Request Packet

Windows Driver Basics

I/O Request Packet
I/O
Control Code

Windows Driver Basics

I/O Control Code
Data
Buffering

Windows Driver Basics

Data Buffering
Buffered I/O
Buffered I/O
Direct I/O
Direct I/O (P I/O)
Neither I/O
IOCTL
Fuzzing

Fuzzing Windows Kernel

Special Pool
Special Pool – Memory allocation
Special Pool
Crash Violation Analysis
Crash Violation Analysis
Bug Detection
Lab Time
Stack
Buffer Overflow

Exploitation
Stack Buffer Overflow

M
XXXX
S
E
*DEST T
M
O *SOURCE A
R C
Y LENGTH K

W BUFFER[4] G
R R
I EBP O
T W
E
RET T
H
MAIN'S
Stack Buffer Overflow

M
XXXX
S
E
*DEST T
M
O *SOURCE A
R C
Y LENGTH K

W AAAA G
R R
I BBBB O
T W
E
CCCC T
H
MAIN'S
Lab Time
Stack
Buffer Overflow GS

Exploitation
Stack Buffer Overflow GS
Stack Buffer Overflow GS

M
*DEST
S
E
*SOURCE T
M
O LENGTH A
R C
Y BUFFER[4] K

W COOKIE G
R R
I EBP O
T W
E
RET T
H
EXC HANDLER
Stack Buffer Overflow GS

M
*DEST
S
E
*SOURCE T
M
O LENGTH A
R C
Y AAAA K

W
FAIL
BBBB G
R R
I CCCC O
T W
E
DDDD T
H
EXC HANDLER
Stack Buffer Overflow GS - Exploitation
Lab Time
Arbitrary
Memory
Overwrite
Exploitation
Arbitrary Memory Overwrite
Arbitrary Memory Overwrite Dilemma

reg reg
reg const-value

inc reg
dec reg
Exploit Arbitrary Memory Overwrite
Exploit Arbitrary Memory Overwrite
Exploit Arbitrary Memory Overwrite
Exploit Arbitrary Memory Overwrite
Exploit Arbitrary Memory Overwrite
Lab Time
Pool
Overflow

Exploitation
Pool Overflow
Pool Overflow
Pool Overflow – TypeIndex
Pool Overflow – TypeIndex
Lab Time
Use after Free

Exploitation
Use after Free
Use after Free - Exploitation
Use after Free - Exploitation
Use after Free - Exploitation
Use after Free - Exploitation
Use after Free - Exploitation
Use after Free - Exploitation
Use after Free Dilemma
Lab Time
Uninitialized
Stack
Variable
Exploitation
Uninitialized Stack Variable
Spot the
Bug

Uninitialized Stack Variable

UninitializedStackVariable.Callback();
Under the
Hood

Uninitialized Stack Variable

void FunctionA(void) {
ESP
char buffer[20] = { 0 };
memset(buffer, 0x41, sizeof(buffer)); AAAA
} S
AAAA T
void FunctionB(void) {
int magic = 0x42424242; AAAA A
void (*callback)(); C
char buffer[4] = { 0 }; AAAA K
memset(buffer, 0x43, sizeof(buffer));
AAAA G
callback(); R
}
EBP O
W
void main(void) {
FunctionA(); RET T
FunctionB(); H
} MAIN'S
void FunctionA(void) {
char buffer[20] = { 0 };
memset(buffer, 0x41, sizeof(buffer)); 0x43
} S
sizeof(buffer) T
void FunctionB(void) { ESP
int magic = 0x42424242; CCCC A
void (*callback)(); C
char buffer[4] = { 0 }; AAAA K
memset(buffer, 0x43, sizeof(buffer));
BBBB G
callback(); R
}
EBP O
W
void main(void) {
FunctionA(); RET T
FunctionB(); H
} MAIN'S
void FunctionA(void) {
char buffer[20] = { 0 };
memset(buffer, 0x41, sizeof(buffer)); 0x43
} S
sizeof(buffer) T
void FunctionB(void) {
int magic = 0x42424242; CCCC A
void (*callback)(); C
char buffer[4] = { 0 }; EIP AAAA K
memset(buffer, 0x43, sizeof(buffer));
BBBB G
callback(); R
}
EBP O
W
void main(void) {
FunctionA(); RET T
FunctionB(); H
} MAIN'S
Exploitation
Challenges

Uninitialized Stack Variable

Exploitation Challenges
Exploitation
Strategy

Uninitialized Stack Variable

Exploitation Strategy
Demo
Uninitialized
Heap
Variable
Exploitation
Spot the
Bug

Uninitialized Heap Variable

UninitializedHeapVariable->Callback();
Under the
Hood

Uninitialized Heap Variable

void FunctionA(void) {
void *buffer = ExAllocatePool(PagedPool,
100);
memset(buffer, 0x41, 100);
ExFreePool(buffer);
}