Windows Kernel, the final frontier
Our mission: to explore strange new attack surfaces, to seek out new bugs and new 0-days. To boldly go where (almost) no security researcher has gone before
NDIS PACKET OF DEATH
TURNING WINDOWS’ COMPLEXITY AGAINST ITSELF
NITAY ARTENSTEIN
CHECK POINT
AGENDA
1. INTO THE KERNEL
2. FINDING VULNERABILITIES
3. PWNAGE: CVE-2014-9383
USS WINTERPRISE PACKET FLOW
USERLAND: APPLICATION → WINSOCK API
KERNEL: WINSOCK KERNEL → ? → NETWORK CARD
Inside the "?" (KERNEL): NETWORK CARD ↔ MINIPORT DRIVER ↔ FILTER DRIVER ↔ PROTOCOL DRIVER
Filter Drivers
• Handle all packets, regardless of configuration
• Massive attack surface
• Small, easy to reverse engineer
“Being stuck in the middle is not THAT bad!”
NDIS (NETWORK DRIVER INTERFACE SPECIFICATION) SECURITY
1. Third party code
2. Too much complexity
3. API quality
The Windows network driver layers
absolutely horrendous messes of
conflicting layers of backward-compatible
cruft
emotional trauma
the Windows network stack
🙀
Hostile Programming Environments
• Bad API design
• Complicated memory management
• Inadequate documentation
• No helper functions
“They said kernel programming is good money”
NDIS (NETWORK DRIVER INTERFACE SPECIFICATION) SECURITY
1. Third party code
2. Too much complexity
3. API quality
AGENDA
1. INTO THE KERNEL
2. FINDING VULNERABILITIES
3. PWNAGE: CVE-2014-9383
FACEOFF
GOOD EVIL
KeAcquireSpinLockRaiseToSynch
KeBreakinBreakpoint
KeEnterKernelDebugger
KeFlushWriteBuffer
KeGetBugMessageText
KeRaiseIrqlToSynchLevel
KeRemoveByKeyDeviceQueueIfBusy
KeSetTimeUpdateNotifyRoutine
IoAcquireCancelSpinLock
IoAcquireRemoveLock
IoAcquireRemoveLockEx
IoAdjustPagingPathCount
IoAllocateAdapterChannel
IoAllocateController
IoAllocateDriverObjectExtension
IoAllocateErrorLogEntry
IoAllocateIrp
IoAllocateMdl
IoAllocateWorkItem
IoAssignArcName
IoAssignResources
IoAttachDevice
IoAttachDeviceByPointer
IoAttachDeviceToDeviceStack
IoBuildAsynchronousFsdRequest
IoBuildDeviceIoControlRequest
IoBuildPartialMdl
IoBuildSynchronousFsdRequest
IoCallDriver
IoCancelIrp
IoCheckShareAccess
IoCheckShareAccessEx
IoCompleteRequest
IoConnectInterrupt
IoConnectInterruptEx
IoCopyCurrentIrpStackLocationToNext
IoCreateController
IoCreateDevice
IoCreateDeviceSecure
[…]
KERNEL API: 1000+ Functions
NdisAcquireReadWriteLock
NdisAcquireSpinLock
NdisAdjustBufferLength
NdisAllocateBuffer
NdisAllocateBufferPool
NdisAllocateFromBlockPool
NdisAllocateFromNPagedLookasideList
NdisAllocateMemory
NdisAllocateMemoryWithTag
NdisAllocatePacket
NdisAllocatePacketPool
NdisAllocatePacketPoolEx
NdisAllocateSpinLock
NdisAnsiStringToUnicodeString
NdisBufferLength
NDIS_BUFFER_LINKAGE
NDIS_BUFFER_TO_SPAN_PAGES
NdisBufferVirtualAddress
NdisBufferVirtualAddressSafe
NdisChainBufferAtBack
NdisChainBufferAtFront
NdisCloseConfiguration
NdisCloseFile
NdisCopyBuffer
NdisCopyFromPacketToPacket
NdisCreateBlockPool
NdisDeleteNPagedLookasideList
NdisDestroyBlockPool
NdisDprAcquireSpinLock
NdisDprAllocatePacket
NdisDprFreePacket
NdisDprReleaseSpinLock
NdisEqualMemory
NdisEqualString
NdisEqualUnicodeString
NdisFillMemory
NdisFlushBuffer
NdisFreeBuffer
NdisFreeBufferPool
[…]
NDIS 5: 500+ Functions
MiniportCheckForHangEx
MiniportDevicePnPEventNotify
MiniportDriverUnload
MiniportInitializeEx
MiniportHaltEx
MiniportPause
MiniportResetEx
MiniportRestart
MiniportSetOptions
MiniportShutdownEx
NdisMDeregisterMiniportDriver
NdisMGetDeviceProperty
NdisMNetPnPEvent
NdisMPauseComplete
NdisMQueryAdapterInstanceName
NdisMRegisterMiniportDriver
NdisMRemoveMiniport
NdisMResetComplete
NdisMResetMiniport
NdisMRestartComplete
NdisMSetMiniportAttributes
NdisMAllocateSharedMemory
NdisMFreeSharedMemory
NdisGetPhysicalAddressHigh
NdisGetPhysicalAddressLow
NdisSetPhysicalAddressHigh
NdisSetPhysicalAddressLow
NdisGetSharedDataAlignment
NdisRegisterProtocolDriver
NdisDeregisterProtocolDriver
NdisOpenAdapterEx
NdisCompleteBindAdapterEx
NdisCloseAdapterEx
NdisCompleteUnbindAdapterEx
NdisUnbindAdapter
NdisCompleteNetPnPEvent
NdisQueryAdapterInstanceName
NdisQueryBindInstanceName
NdisReEnumerateProtocolBindings
[…]
NDIS 6: 500+ Functions
FIRST ATTACK: PACKET CONFUSION
GOOD
MINIPORT DRIVER → FILTER DRIVER → PROTOCOL DRIVER (the packet passes through each layer)
TASK: INTERCEPT PACKET, INSPECT CONTENTS
    // Take a fresh packet descriptor from our own receive pool
    NdisDprAllocatePacket(&Status, &MyPacket, pAdapt->RecvPacketPoolHandle);
    // Chain the original packet's buffers onto it (no data copy)
    NDIS_PACKET_FIRST_NDIS_BUFFER(MyPacket) = NDIS_PACKET_FIRST_NDIS_BUFFER(Packet);
    NDIS_PACKET_LAST_NDIS_BUFFER(MyPacket) = NDIS_PACKET_LAST_NDIS_BUFFER(Packet);
    // Inspect packet here
    // Pass it up the stack
    NdisMIndicateReceivePacket(pAdapt->MiniportHandle, &MyPacket, 1);
FIRST ATTACK: PACKET CONFUSION
GOOD
[The receive function]
the received data as soon as it is
copied
system performance. Instead, the driver
must
    NdisDprAllocatePacket(&Status, &MyPacket, pAdapt->RecvPacketPoolHandle);
    NDIS_PACKET_FIRST_NDIS_BUFFER(MyPacket) = NDIS_PACKET_FIRST_NDIS_BUFFER(Packet);
    NDIS_PACKET_LAST_NDIS_BUFFER(MyPacket) = NDIS_PACKET_LAST_NDIS_BUFFER(Packet);
    // Instead of inspecting now, keep the packet descriptor and process it later
    pPersistentData.Packet = MyPacket;
    QueueForLaterProcessing(pPersistentData);
    NdisMIndicateReceivePacket(pAdapt->MiniportHandle, &MyPacket, 1);
FIRST ATTACK: PACKET CONFUSION
GOOD
FIRST ATTACK: PACKET CONFUSION
EVIL
API DOCUMENTATION SAMPLE CODE
STACKOVERFLOW.COM SITES FROM THE 90’s
FIRST ATTACK: PACKET CONFUSION
If we need to queue this packet we will
also have to copy over the per-packet
information. This is because
data is available only for the duration
of this receive indication call
EVIL
FIRST ATTACK: PACKET CONFUSION
EVIL
Diagram: three packets, each PACKET → METADATA → BUFFER; the PACKET SIZE is ATTACKER CONTROLLED
    // Comparison operator lost in extraction; '<' assumed
    if (NDIS_GET_PACKET_HEADER_SIZE(Packet) < BufferSize)
    {
        // The header size comes from per-packet metadata, which is only valid
        // for the duration of the receive indication (see the sample-code note above)
        memcpy(Buffer, PacketBuffer, NDIS_GET_PACKET_HEADER_SIZE(Packet));
    }
FIRST ATTACK: PACKET CONFUSION
GOOD: 40   EVIL: 1337
SCORE: GOOD 0, EVIL 1
“Much, MUCH better than a green rubber lizard”
SECOND ATTACK: PACKET OVERWRITE
GOOD
TASK: APPEND DATA TO END OF PACKET
PACKET DATA: BUFFER | BUFFER | BUFFER (the packet is a chain of buffers)
GOOD: BUFFER | END OF PACKET | DATA (the new DATA is written right after the END OF PACKET in the last buffer)
EVIL
API DOCUMENTATION SAMPLE CODE:
“Remove all MDLs [memory buffers] from the end of the chain, where the last byte of the MDL isn’t part of the packet buffer”
EVIL: BUFFER | END OF PACKET | BUFFER IN USE (the space after END OF PACKET belongs to a BUFFER IN USE, so the appended DATA overwrites it)
SCORE: GOOD 0, EVIL 2
“Thank God that hairy chests are acceptable in the 60s”
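The documentation line above says it plainly: the bytes after the end of the packet in the last MDL are not the packet's to write. The C program below is an added example written for this page, not code from the talk or from any NDIS driver. It models a buffer chain and contrasts the two ways of appending data: writing into the unused tail of the last buffer (the overwrite on the EVIL row) versus chaining a freshly allocated buffer at the back (the role NdisChainBufferAtBack plays in NDIS 5). The bufnode structure, the 64-byte region layout with a 24-byte tail owned by someone else, and all function names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for an MDL chain: each node spans `alloc` bytes of memory,
 * of which only the first `used` bytes belong to the packet. */
typedef struct bufnode {
    uint8_t *data;
    size_t alloc;
    size_t used;
    struct bufnode *next;
} bufnode;

static bufnode *last_node(bufnode *head)
{
    while (head->next) head = head->next;
    return head;
}

/* The dangerous pattern: treat the bytes after END OF PACKET in the last buffer
 * as free space. The bounds check keeps the write inside the region, but the
 * region's tail is not the packet's to use. */
int append_in_place(bufnode *head, const uint8_t *src, size_t n)
{
    bufnode *last = last_node(head);
    if (last->alloc - last->used < n) return -1;
    memcpy(last->data + last->used, src, n);   /* clobbers whatever lives there */
    last->used += n;
    return 0;
}

/* The safe pattern: chain a freshly allocated buffer at the back, so the packet
 * grows without touching memory it does not own. */
int append_chained(bufnode *head, const uint8_t *src, size_t n)
{
    bufnode *node = malloc(sizeof *node);
    if (!node) return -1;
    node->data = malloc(n);
    if (!node->data) { free(node); return -1; }
    memcpy(node->data, src, n);
    node->alloc = node->used = n;
    node->next = NULL;
    last_node(head)->next = node;
    return 0;
}

size_t packet_length(const bufnode *head)
{
    size_t total = 0;
    for (; head; head = head->next) total += head->used;
    return total;
}

/* Constructed scenario: one 64-byte region holds a 40-byte packet followed by
 * 24 bytes (0xEE) that another owner is still using. Appends 8 bytes with the
 * given strategy and reports whether the in-use tail survived:
 * 1 intact, 0 overwritten, -1 append refused. */
static int run_scenario(int (*append)(bufnode *, const uint8_t *, size_t), size_t *len_out)
{
    uint8_t region[64], extra[8];
    memset(region, 0x11, 40);        /* packet bytes */
    memset(region + 40, 0xEE, 24);   /* BUFFER IN USE by someone else */
    memset(extra, 0xDD, sizeof extra);
    bufnode head = { region, sizeof region, 40, NULL };
    int rc = append(&head, extra, sizeof extra);
    int intact = 1;
    for (size_t i = 40; i < 64; i++)
        if (region[i] != 0xEE) intact = 0;
    if (len_out) *len_out = packet_length(&head);
    for (bufnode *n = head.next; n;) {   /* release chained nodes */
        bufnode *next = n->next;
        free(n->data); free(n); n = next;
    }
    return rc ? -1 : intact;
}

int tail_intact_after(int (*append)(bufnode *, const uint8_t *, size_t))
{
    return run_scenario(append, NULL);
}

size_t packet_length_after(int (*append)(bufnode *, const uint8_t *, size_t))
{
    size_t len = 0;
    run_scenario(append, &len);
    return len;
}

int main(void)
{
    printf("in place: tail intact=%d, length=%zu\n",
           tail_intact_after(append_in_place), packet_length_after(append_in_place));
    printf("chained:  tail intact=%d, length=%zu\n",
           tail_intact_after(append_chained), packet_length_after(append_chained));
    return 0;
}
```

Both strategies produce a 48-byte packet, which is why the in-place version looks correct from the packet's point of view; only the owner of the clobbered tail notices, and usually much later. The check that matters is not "is there room in the buffer" but "does this packet own that room", which a chain length field cannot answer on its own.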
THIRD ATTACK: death by protocol
TASK: DEFRAGMENT IPv6 PACKETS
GOOD
KERNEL API: 1000+ Functions
NDIS 6: 500+ Functions
PROTOCOL HELPERS: 0 Functions
“No worries Spock, I got all the RFCs in my head”
THIRD ATTACK: death by protocol
GOOD
RFC 2460 (IPv6)
RFC 790 (IPv4)
RFC 791 (IPv4)
RFC 826 (ARP)
RFC 1034 (DNS)
RFC 768 (UDP)
RFC 793 (TCP)
RFC 792 (ICMP)
SCORE: GOOD 0, EVIL 3
“I keep this around for when Spock is not on board”
AGENDA
1. INTO THE KERNEL
2. FINDING VULNERABILITIES
3. PWNAGE: CVE-2014-9383
PREMISE:
1. MORE COMPLEXITY == MORE BUGS
2. EDGE CASES ARE THE MOST DIFFICULT TO TEST
CONCLUSION:
LOOK FOR BUGS IN COMPLICATED AND UNCOMMON USE CASES
BUG HUNTING 101
EVIL
A Word About IPv6
• Insanely complicated protocol
• Nobody’s using it
• Has esoteric features that REALLY nobody uses
• NDIS drivers still have to support those features
“Anybody order pizza?”
BONUS: YOU GET TO SET THE SIZE OF THE EXTENSION HEADER
SECURITY
1. Complicated!
RFC 2460
A node may use the IPv6 Fragment header to fragment the packet at the source and have it reassembled at the destination.
However,
is discouraged
EVIL
SECURITY
2. Unused!
About CVE-2014-9383
• RCE vulnerability in Bitdefender NDIS filter driver
• Patched last month
• Disclaimer: No ASLR bypass (requires another vuln)
• Another disclaimer: Statistical attack, works 50% of the time
“Next time let me write a Linux driver”
CVE-2014-9383
TASK: DEFRAGMENT IPv6 PACKETS: PACKET + PACKET → DEFRAGMENTED PACKET
SIZE CALCULATION: Buffer 1 + Buffer 2 + HEADERS (HDR HDR HDR HDR, ARBITRARY SIZE) → OVERFLOW beyond MAXSIZE
EXPLOITABILITY: OVERFLOWED BUFFER next to a PACKET OBJECT holding FUNCTION POINTERS
    // The allocation assumes the headers never exceed MAX_HEADER_SIZE ...
    MergedPacket = ExAllocatePoolWithTag(0, MAX_HEADER_SIZE + BufSize1 + BufSize2, ' TAG');
    // ... but the real header size is derived from the attacker-chosen extension headers
    HeaderSize = CalculateHeaderSize(Packet1);
    memcpy(MergedPacket, Packet1, HeaderSize);
    Packet1 += HeaderSize;
    memcpy(MergedPacket + HeaderSize, Packet1, BufSize1);
    memcpy(MergedPacket + HeaderSize + BufSize1, Packet2, BufSize2);
    // HeaderSize + BufSize1 + BufSize2 bytes written into an allocation of
    // MAX_HEADER_SIZE + BufSize1 + BufSize2: pool overflow once HeaderSize > MAX_HEADER_SIZE
GOOD EVIL
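The size calculation above, together with the "you get to set the size of the extension header" bonus, is the whole bug: the allocation trusts a fixed MAX_HEADER_SIZE while the copy trusts a header length computed from sender-chosen Hdr Ext Len fields. The C program below is an added example written for this page, not code from the talk or from the Bitdefender driver. It walks the IPv6 extension-header chain the defensive way, checking every header against both the packet length and the allocation cap before the length is trusted, and only then merges two fragments. MAX_HEADER_SIZE = 128, the sample packets, and the names ipv6_header_size, merge_fragments, build_sample, scenario_header and scenario_merge are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV6_FIXED_HDR_LEN 40
#define MAX_HEADER_SIZE    128 /* constructed cap standing in for the slide's MAX_HEADER_SIZE */

/* Walk the extension-header chain. Returns the total header length (fixed header
 * plus extension headers), or -1 if a header runs past the packet or the chain
 * grows beyond cap. Hop-by-Hop (0), Routing (43) and Destination Options (60)
 * carry Hdr Ext Len in 8-octet units not counting the first 8; Fragment (44) is
 * a fixed 8 octets; any other value is taken as the upper-layer header. */
int ipv6_header_size(const uint8_t *pkt, size_t pkt_len, size_t cap)
{
    if (pkt_len < IPV6_FIXED_HDR_LEN || cap < IPV6_FIXED_HDR_LEN) return -1;
    uint8_t next = pkt[6];            /* Next Header field of the fixed header */
    size_t off = IPV6_FIXED_HDR_LEN;
    for (;;) {
        size_t ext_len;
        switch (next) {
        case 0: case 43: case 60:
            if (off + 2 > pkt_len) return -1;   /* cannot even read Hdr Ext Len */
            ext_len = ((size_t)pkt[off + 1] + 1) * 8;
            break;
        case 44: ext_len = 8; break;
        default: return (int)off;     /* upper-layer header reached */
        }
        /* Packet bound and allocation bound, both checked before the
         * sender-chosen length is trusted. */
        if (off + ext_len > pkt_len || off + ext_len > cap) return -1;
        next = pkt[off];
        off += ext_len;
    }
}

/* Reassemble pkt1's headers, pkt1's payload and pkt2 (the second fragment's
 * payload) into a caller-owned buffer. Unlike the slide's version, the header
 * length is bounded by MAX_HEADER_SIZE before any copy. Returns bytes written or -1. */
int merge_fragments(uint8_t *out, size_t out_len, const uint8_t *pkt1,
                    size_t len1, const uint8_t *pkt2, size_t len2)
{
    int hdr = ipv6_header_size(pkt1, len1, MAX_HEADER_SIZE);
    if (hdr < 0) return -1;
    size_t body1 = len1 - (size_t)hdr;
    if ((size_t)hdr + body1 + len2 > out_len) return -1;   /* total must fit */
    memcpy(out, pkt1, (size_t)hdr);
    memcpy(out + hdr, pkt1 + hdr, body1);
    memcpy(out + hdr + body1, pkt2, len2);
    return (int)((size_t)hdr + body1 + len2);
}

/* Constructed sample packet: fixed header, n_ext Destination Options headers each
 * carrying the sender-chosen Hdr Ext Len, then `payload` bytes of UDP (next header
 * 17). Returns the packet length, 0 if it does not fit in buf. */
size_t build_sample(uint8_t *buf, size_t buf_len, int n_ext,
                    uint8_t hdr_ext_len, size_t payload)
{
    size_t ext = ((size_t)hdr_ext_len + 1) * 8;
    size_t total = IPV6_FIXED_HDR_LEN + (size_t)n_ext * ext + payload;
    if (total > buf_len) return 0;
    memset(buf, 0, total);
    buf[0] = 0x60;                                         /* version 6 */
    buf[4] = (uint8_t)((total - IPV6_FIXED_HDR_LEN) >> 8); /* Payload Length */
    buf[5] = (uint8_t)(total - IPV6_FIXED_HDR_LEN);
    buf[6] = n_ext ? 60 : 17;
    size_t off = IPV6_FIXED_HDR_LEN;
    for (int i = 0; i < n_ext; i++) {
        buf[off] = (i + 1 < n_ext) ? 60 : 17;              /* Next Header */
        buf[off + 1] = hdr_ext_len;                        /* Hdr Ext Len */
        off += ext;
    }
    return total;
}

/* Header length of a constructed packet under a given cap (-1 = rejected). */
int scenario_header(int n_ext, uint8_t hdr_ext_len, size_t cap)
{
    static uint8_t buf[4096];
    size_t len = build_sample(buf, sizeof buf, n_ext, hdr_ext_len, 16);
    return len ? ipv6_header_size(buf, len, cap) : -1;
}

/* Merge a constructed first fragment with a 10-byte second fragment, sizing the
 * output by the slide's own rule: MAX_HEADER_SIZE + BufSize1 + BufSize2. */
int scenario_merge(int n_ext, uint8_t hdr_ext_len)
{
    static uint8_t p1[4096], p2[10], out[MAX_HEADER_SIZE + 4096 + 10];
    size_t len1 = build_sample(p1, sizeof p1, n_ext, hdr_ext_len, 16);
    if (!len1) return -1;
    memset(p2, 0xAB, sizeof p2);
    return merge_fragments(out, MAX_HEADER_SIZE + len1 + sizeof p2, p1, len1, p2, sizeof p2);
}

int main(void)
{
    printf("cap 128 -> %d, no cap -> %d, merge benign -> %d, hostile -> %d\n",
           scenario_header(3, 7, MAX_HEADER_SIZE), scenario_header(3, 7, 4096),
           scenario_merge(1, 0), scenario_merge(3, 7));
    return 0;
}
```

With the cap at 128, a chain of three 64-byte Destination Options headers is rejected; without a cap the same chain yields a 232-byte header, which is exactly the kind of value that outruns an allocation sized from MAX_HEADER_SIZE. Unknown extension-header types end the walk as if they were the upper-layer header, the conservative choice for a filter: whatever it cannot parse, it must not size.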
CVE-2014-9383
“Damn, we’ve exhausted our special effects budget on the
previous memes”
Bonus: DIY with NDISaster
• Identifies the main handler functions in NDIS drivers
• Generates a Windbg script for packet capture
• Incorporates the output from Windbg back into IDA
• Identifies the main functions per protocol
• Still no support for NDIS 6!
github.com/nitayart/NDISaster
QUESTIONS?
THANK YOU

Windows Kernel Vulnerabilities: Exploring the NDIS Attack Surface