SlideShare a Scribd company logo

Kernel Pool

Download as ODP, PDF
G
guest215c4e

The document discusses the Windows kernel pool and how it can be exploited. It provides an overview of the kernel pool structures like pool descriptors and lookaside lists. It describes the allocation and freeing algorithms, including splitting and merging of chunks. It then gives an example of exploiting a kernel pool overflow bug, MS08-001, by overwriting structures in the pool to achieve code execution.

Health & MedicineBusiness
1 of 73
[object Object],[object Object],[object Object],[object Object]
Agenda ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
[object Object]
Introduction ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Population People who write exploits People who write Windows overflows People who write Windows Kernel Pool Overflows
Other considerations ,[object Object],[object Object],[object Object]
Diversity increases QA costs dramatically
Addresses May Vary ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
[object Object]
Kernel Pool vs. Userland Heap ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Kernel Pool ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Pools Definitions ,[object Object],[object Object],[object Object],[object Object],[object Object]
Non Paged Pool ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Paged Pool ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Session Paged Pool ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
nt!_POOL_DESCRIPTOR ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Pool Descriptor ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
ListHeads 0 1 2 3 4 511 ... 8 bytes 24 bytes 24 bytes 32 bytes 24 bytes Each chunk of data is preceded by a 8 byte header structure
nt!_POOL_HEADER ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Chunk Header ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Free Chunk Header ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Lookaside Lists ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
nt!_GENERAL_LOOKASIDE ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
nt!MmNonPagedPoolFreeListHead ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
[object Object]
Allocation Summary ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Simplified Allocation Algorithm nt!ExAllocatePoolWithTag (1/2) ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Simplified Allocation Algorithm nt!ExAllocatePoolWithTag (2/2) ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Free Chunk Splitting ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Splitting Schema Free Chunk Free Chunk Free Chunk Free Chunk Free chunk at the beginning of a page, allocated chunk goes at the front Otherwise, allocated chunk goes at the end
Free Summary ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Simplified Free Algorithm nt!ExFreePoolWithTag (1/2) ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Simplified Free Algorithm nt!ExFreePoolWithTag (2/2) ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Merging Schema Free Chunk Busy Chunk Free Chunk Free Chunk Free Chunk Free Chunk Chunk being freed Merge #1 Merge #2
[object Object]
Pool BugChecks ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
BugCheck Example
Some BugCheck Conditions ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Exploitable Overflows? ,[object Object],[object Object],[object Object]
Kernel Pool Unlink ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Notations Our chunk Chunk we overflow Overflow Potential list entry depending on chunk type Kernel Pool Overflow Header Next Header List Entry
Different Write4 ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Write4 on Merge with Next Case #1 ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Exploit Case #1 ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Write4 on Merge with Previous Case #2 ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Exploit Case #2 (1/2) ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Exploit Case #2 (2/2) ,[object Object],[object Object],[object Object],[object Object],Header Next Header Header Overflow List Entry Overflow PreviousSize of next chunk Merge Next Header Fake Header
ListHeads Write4 ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
ListHeads Illustrated (1/3) ListHeads[n] Flinks Free Chunk Free Chunk Free Chunk : Overflowed list entry Flink Blink Flink Blink Flink Blink Flink Blink
ListHeads Illustrated (1/3) ListHeads[n] Blinks Free Chunk Free Chunk Free Chunk : Overflowed list entry Flink Blink Flink Blink Flink Blink Flink Blink
ListHeads Illustrated (2/3) ListHeads[n] Free Chunk Free Chunk PLIST_ENTRY b,f; f=ListHeads[n]  Flink  Flink; b=ListHeads[n]  Flink  Blink; b  Flink=f; f  Blink=b; Allocation of size n unlinks ListHeads[n]  Flink Flink Blink Flink Blink Flink Blink
ListHeads Illustrated (3/3) ListHeads[n] Free Chunk PLIST_ENTRY b,f; f=ListHeads[n]  Flink  Flink; b=ListHeads[n]  Flink  Blink; b  Flink=f; f  Blink=b; ⇦ might AV Allocation of size n unlinks ListHeads[n]  Flink ListHeads[n]  Flink is now under our control! Flink Blink Flink Blink
MMFREE_POOL_ENTRY Write4 ,[object Object],[object Object],[object Object],[object Object],[object Object]
What? Where? ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Some Ideas Non Exhaustive ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Write4 into the Kernel ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Edx points to something we control Jmp edx being 2 bytes long, we can pick the upper 2 so that the write4 doesn't trigger an access violation
Fixing the Kernel Pool ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
[object Object]
History ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
IGMPv3 Membership Queries RFC 3376 ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Vulnerability ,[object Object],[object Object],[object Object],⇦ Failed!
Trigger ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Issues (1/2) ,[object Object],[object Object],[object Object],[object Object],[object Object]
Issues (2/2) ,[object Object],[object Object],[object Object],[object Object],[object Object]
Solutions ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Dirty Way 256<(n%0x10000)*4+8<4080 ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Why would it work? ... ... 0x14 byte buffers Kernel Pool is filled with n 0x14 byte buffers Buffer closest to our allocated buffer is the 1 st one to be copied and freed Requires a “carpet” of ~13000 contiguous 0x14 byte buffers (not too hard) Our buffer will be allocated before those (we pretty much exhausted all the free chunks) Overflow
Clean Way (0x10000-(n%0x10000))*4=8 ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
[object Object]
Conclusion ,[object Object],[object Object],[object Object]
NUMA ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Literature ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
[object Object],[object Object]

Recommended

Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)Angel Boy
 
Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)Angel Boy
 
Advanced heap exploitaion
Advanced heap exploitaionAdvanced heap exploitaion
Advanced heap exploitaionAngel Boy
 
Reliable Windows Heap Exploits
Reliable Windows Heap ExploitsReliable Windows Heap Exploits
Reliable Windows Heap Exploitsamiable_indian
 
Pwning in c++ (basic)
Pwning in c++ (basic)Pwning in c++ (basic)
Pwning in c++ (basic)Angel Boy
 
HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7
HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7
HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7Hackito Ergo Sum
 
Heap exploitation
Heap exploitationHeap exploitation
Heap exploitationAngel Boy
 
Modern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and TechniquesModern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and TechniquesMichael Scovetta
 

Recommended

Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)Angel Boy
 
Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)Angel Boy
 
Advanced heap exploitaion
Advanced heap exploitaionAdvanced heap exploitaion
Advanced heap exploitaionAngel Boy
 
Reliable Windows Heap Exploits
Reliable Windows Heap ExploitsReliable Windows Heap Exploits
Reliable Windows Heap Exploitsamiable_indian
 
Pwning in c++ (basic)
Pwning in c++ (basic)Pwning in c++ (basic)
Pwning in c++ (basic)Angel Boy
 
HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7
HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7
HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7Hackito Ergo Sum
 
Heap exploitation
Heap exploitationHeap exploitation
Heap exploitationAngel Boy
 
Modern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and TechniquesModern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and TechniquesMichael Scovetta
 
Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel ExploitationzeroSteiner
 
Exploring how Students Map Social Engineering Techniques to the ATT&CK Framew...
Exploring how Students Map Social Engineering Techniques to the ATT&CK Framew...Exploring how Students Map Social Engineering Techniques to the ATT&CK Framew...
Exploring how Students Map Social Engineering Techniques to the ATT&CK Framew...MITRE ATT&CK
 
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...idsecconf
 
x86
x86x86
x86Wei-Bo Chen
 
Linux Binary Exploitation - Heap Exploitation
Linux Binary Exploitation - Heap Exploitation Linux Binary Exploitation - Heap Exploitation
Linux Binary Exploitation - Heap Exploitation Angel Boy
 
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelPeter Hlavaty
 
MacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) ExploitationMacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) ExploitationAngel Boy
 
SQRRL threat hunting platform
SQRRL threat hunting platformSQRRL threat hunting platform
SQRRL threat hunting platformDataWorks Summit/Hadoop Summit
 
TDOH x 台科 pwn課程
TDOH x 台科 pwn課程TDOH x 台科 pwn課程
TDOH x 台科 pwn課程Weber Tsai
 
Linux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingLinux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingAngel Boy
 
Red Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATARed Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATANikhil Mittal
 
Binary exploitation - AIS3
Binary exploitation - AIS3Binary exploitation - AIS3
Binary exploitation - AIS3Angel Boy
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingDhruv Majumdar
 
Practical White Hat Hacker Training - Passive Information Gathering(OSINT)
Practical White Hat Hacker Training - Passive Information Gathering(OSINT)Practical White Hat Hacker Training - Passive Information Gathering(OSINT)
Practical White Hat Hacker Training - Passive Information Gathering(OSINT)PRISMA CSI
 
Evading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationEvading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationNikhil Mittal
 
Proactive cyber defence through adversary emulation for improving your securi...
Proactive cyber defence through adversary emulation for improving your securi...Proactive cyber defence through adversary emulation for improving your securi...
Proactive cyber defence through adversary emulation for improving your securi...idsecconf
 
ATT&CK Updates- Defensive ATT&CK
ATT&CK Updates- Defensive ATT&CKATT&CK Updates- Defensive ATT&CK
ATT&CK Updates- Defensive ATT&CKMITRE ATT&CK
 
How to Analyze and Tune MySQL Queries for Better Performance
How to Analyze and Tune MySQL Queries for Better PerformanceHow to Analyze and Tune MySQL Queries for Better Performance
How to Analyze and Tune MySQL Queries for Better Performanceoysteing
 
Linux binary Exploitation - Basic knowledge
Linux binary Exploitation - Basic knowledgeLinux binary Exploitation - Basic knowledge
Linux binary Exploitation - Basic knowledgeAngel Boy
 
Sharpening your Threat-Hunting Program with ATTACK Framework
Sharpening your Threat-Hunting Program with ATTACK FrameworkSharpening your Threat-Hunting Program with ATTACK Framework
Sharpening your Threat-Hunting Program with ATTACK FrameworkMITRE - ATT&CKcon
 
Intercloud interoperability
Intercloud interoperabilityIntercloud interoperability
Intercloud interoperabilitySam Johnston
 
TTI2008
TTI2008TTI2008
TTI2008nancymac22
 

More Related Content

What's hot

Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel ExploitationzeroSteiner
 
Exploring how Students Map Social Engineering Techniques to the ATT&CK Framew...
Exploring how Students Map Social Engineering Techniques to the ATT&CK Framew...Exploring how Students Map Social Engineering Techniques to the ATT&CK Framew...
Exploring how Students Map Social Engineering Techniques to the ATT&CK Framew...MITRE ATT&CK
 
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...idsecconf
 
Linux Binary Exploitation - Heap Exploitation
Linux Binary Exploitation - Heap Exploitation Linux Binary Exploitation - Heap Exploitation
Linux Binary Exploitation - Heap Exploitation Angel Boy
 
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelPeter Hlavaty
 
MacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) ExploitationMacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) ExploitationAngel Boy
 
TDOH x 台科 pwn課程
TDOH x 台科 pwn課程TDOH x 台科 pwn課程
TDOH x 台科 pwn課程Weber Tsai
 
Linux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingLinux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingAngel Boy
 
Red Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATARed Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATANikhil Mittal
 
Binary exploitation - AIS3
Binary exploitation - AIS3Binary exploitation - AIS3
Binary exploitation - AIS3Angel Boy
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingDhruv Majumdar
 
Practical White Hat Hacker Training - Passive Information Gathering(OSINT)
Practical White Hat Hacker Training - Passive Information Gathering(OSINT)Practical White Hat Hacker Training - Passive Information Gathering(OSINT)
Practical White Hat Hacker Training - Passive Information Gathering(OSINT)PRISMA CSI
 
Evading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationEvading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationNikhil Mittal
 
Proactive cyber defence through adversary emulation for improving your securi...
Proactive cyber defence through adversary emulation for improving your securi...Proactive cyber defence through adversary emulation for improving your securi...
Proactive cyber defence through adversary emulation for improving your securi...idsecconf
 
ATT&CK Updates- Defensive ATT&CK
ATT&CK Updates- Defensive ATT&CKATT&CK Updates- Defensive ATT&CK
ATT&CK Updates- Defensive ATT&CKMITRE ATT&CK
 
How to Analyze and Tune MySQL Queries for Better Performance
How to Analyze and Tune MySQL Queries for Better PerformanceHow to Analyze and Tune MySQL Queries for Better Performance
How to Analyze and Tune MySQL Queries for Better Performanceoysteing
 
Linux binary Exploitation - Basic knowledge
Linux binary Exploitation - Basic knowledgeLinux binary Exploitation - Basic knowledge
Linux binary Exploitation - Basic knowledgeAngel Boy
 
Sharpening your Threat-Hunting Program with ATTACK Framework
Sharpening your Threat-Hunting Program with ATTACK FrameworkSharpening your Threat-Hunting Program with ATTACK Framework
Sharpening your Threat-Hunting Program with ATTACK FrameworkMITRE - ATT&CKcon
 

What's hot (20)

Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel Exploitation
 
Exploring how Students Map Social Engineering Techniques to the ATT&CK Framew...
Exploring how Students Map Social Engineering Techniques to the ATT&CK Framew...Exploring how Students Map Social Engineering Techniques to the ATT&CK Framew...
Exploring how Students Map Social Engineering Techniques to the ATT&CK Framew...
 
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
 
x86
x86x86
x86
 
Linux Binary Exploitation - Heap Exploitation
Linux Binary Exploitation - Heap Exploitation Linux Binary Exploitation - Heap Exploitation
Linux Binary Exploitation - Heap Exploitation
 
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows Kernel
 
MacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) ExploitationMacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) Exploitation
 
SQRRL threat hunting platform
SQRRL threat hunting platformSQRRL threat hunting platform
SQRRL threat hunting platform
 
TDOH x 台科 pwn課程
TDOH x 台科 pwn課程TDOH x 台科 pwn課程
TDOH x 台科 pwn課程
 
Linux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingLinux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend Programing
 
Red Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATARed Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATA
 
Binary exploitation - AIS3
Binary exploitation - AIS3Binary exploitation - AIS3
Binary exploitation - AIS3
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat Hunting
 
Practical White Hat Hacker Training - Passive Information Gathering(OSINT)
Practical White Hat Hacker Training - Passive Information Gathering(OSINT)Practical White Hat Hacker Training - Passive Information Gathering(OSINT)
Practical White Hat Hacker Training - Passive Information Gathering(OSINT)
 
Evading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationEvading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory Domination
 
Proactive cyber defence through adversary emulation for improving your securi...
Proactive cyber defence through adversary emulation for improving your securi...Proactive cyber defence through adversary emulation for improving your securi...
Proactive cyber defence through adversary emulation for improving your securi...
 
ATT&CK Updates- Defensive ATT&CK
ATT&CK Updates- Defensive ATT&CKATT&CK Updates- Defensive ATT&CK
ATT&CK Updates- Defensive ATT&CK
 
How to Analyze and Tune MySQL Queries for Better Performance
How to Analyze and Tune MySQL Queries for Better PerformanceHow to Analyze and Tune MySQL Queries for Better Performance
How to Analyze and Tune MySQL Queries for Better Performance
 
Linux binary Exploitation - Basic knowledge
Linux binary Exploitation - Basic knowledgeLinux binary Exploitation - Basic knowledge
Linux binary Exploitation - Basic knowledge
 
Sharpening your Threat-Hunting Program with ATTACK Framework
Sharpening your Threat-Hunting Program with ATTACK FrameworkSharpening your Threat-Hunting Program with ATTACK Framework
Sharpening your Threat-Hunting Program with ATTACK Framework
 

Viewers also liked

Intercloud interoperability
Intercloud interoperabilityIntercloud interoperability
Intercloud interoperabilitySam Johnston
 
blackray profile
blackray profileblackray profile
blackray profileblackray
 
Sysadmin.Ie Memorandum And Articles Of Association
Sysadmin.Ie Memorandum And Articles Of AssociationSysadmin.Ie Memorandum And Articles Of Association
Sysadmin.Ie Memorandum And Articles Of AssociationSam Johnston
 
Zurich FLOSS and IT geeks — Open Cloud Initiative and demo
Zurich FLOSS and IT geeks — Open Cloud Initiative and demoZurich FLOSS and IT geeks — Open Cloud Initiative and demo
Zurich FLOSS and IT geeks — Open Cloud Initiative and demoSam Johnston
 
Debugging With Id
Debugging With IdDebugging With Id
Debugging With Idguest215c4e
 
Simple Workload and Application Portability (SWAP) for Cloud Computing
Simple Workload and Application Portability (SWAP) for Cloud ComputingSimple Workload and Application Portability (SWAP) for Cloud Computing
Simple Workload and Application Portability (SWAP) for Cloud ComputingSam Johnston
 
23ae communication skills
23ae communication skills23ae communication skills
23ae communication skillsMohammadsalem
 
Jamie Louis Simon vs Twitter et al
Jamie Louis Simon vs Twitter et alJamie Louis Simon vs Twitter et al
Jamie Louis Simon vs Twitter et alSam Johnston
 
六合彩,香港六合彩
六合彩,香港六合彩六合彩,香港六合彩
六合彩,香港六合彩skxnqui
 
香港六合彩|六合彩
香港六合彩|六合彩香港六合彩|六合彩
香港六合彩|六合彩qlpcnnb
 
六合彩|香港六合彩
六合彩|香港六合彩六合彩|香港六合彩
六合彩|香港六合彩skxnqui
 
香港六合彩-六合彩
香港六合彩-六合彩香港六合彩-六合彩
香港六合彩-六合彩skxnqui
 
香港六合彩>六合彩
香港六合彩>六合彩香港六合彩>六合彩
香港六合彩>六合彩qlpcnnb
 
香港六合彩<六合彩
香港六合彩<六合彩香港六合彩<六合彩
香港六合彩<六合彩qlpcnnb
 
Базовая формула дизайн-мышления
Базовая формула дизайн-мышленияБазовая формула дизайн-мышления
Базовая формула дизайн-мышленияLumiknows Consultancy
 
Toma de decisiones
Toma de decisionesToma de decisiones
Toma de decisionesrociosoto
 
Когда стоит забыть о дизайн-мышлении и вспомнить о дизайн-исследованиях
Когда стоит забыть о дизайн-мышлении и вспомнить о дизайн-исследованияхКогда стоит забыть о дизайн-мышлении и вспомнить о дизайн-исследованиях
Когда стоит забыть о дизайн-мышлении и вспомнить о дизайн-исследованияхLumiknows Consultancy
 

Viewers also liked (19)

Intercloud interoperability
Intercloud interoperabilityIntercloud interoperability
Intercloud interoperability
 
TTI2008
TTI2008TTI2008
TTI2008
 
blackray profile
blackray profileblackray profile
blackray profile
 
Sysadmin.Ie Memorandum And Articles Of Association
Sysadmin.Ie Memorandum And Articles Of AssociationSysadmin.Ie Memorandum And Articles Of Association
Sysadmin.Ie Memorandum And Articles Of Association
 
Zurich FLOSS and IT geeks — Open Cloud Initiative and demo
Zurich FLOSS and IT geeks — Open Cloud Initiative and demoZurich FLOSS and IT geeks — Open Cloud Initiative and demo
Zurich FLOSS and IT geeks — Open Cloud Initiative and demo
 
Debugging With Id
Debugging With IdDebugging With Id
Debugging With Id
 
Simple Workload and Application Portability (SWAP) for Cloud Computing
Simple Workload and Application Portability (SWAP) for Cloud ComputingSimple Workload and Application Portability (SWAP) for Cloud Computing
Simple Workload and Application Portability (SWAP) for Cloud Computing
 
23ae communication skills
23ae communication skills23ae communication skills
23ae communication skills
 
Jamie Louis Simon vs Twitter et al
Jamie Louis Simon vs Twitter et alJamie Louis Simon vs Twitter et al
Jamie Louis Simon vs Twitter et al
 
六合彩,香港六合彩
六合彩,香港六合彩六合彩,香港六合彩
六合彩,香港六合彩
 
香港六合彩|六合彩
香港六合彩|六合彩香港六合彩|六合彩
香港六合彩|六合彩
 
六合彩|香港六合彩
六合彩|香港六合彩六合彩|香港六合彩
六合彩|香港六合彩
 
fxxcwl
fxxcwlfxxcwl
fxxcwl
 
香港六合彩-六合彩
香港六合彩-六合彩香港六合彩-六合彩
香港六合彩-六合彩
 
香港六合彩>六合彩
香港六合彩>六合彩香港六合彩>六合彩
香港六合彩>六合彩
 
香港六合彩<六合彩
香港六合彩<六合彩香港六合彩<六合彩
香港六合彩<六合彩
 
Базовая формула дизайн-мышления
Базовая формула дизайн-мышленияБазовая формула дизайн-мышления
Базовая формула дизайн-мышления
 
Toma de decisiones
Toma de decisionesToma de decisiones
Toma de decisiones
 
Когда стоит забыть о дизайн-мышлении и вспомнить о дизайн-исследованиях
Когда стоит забыть о дизайн-мышлении и вспомнить о дизайн-исследованияхКогда стоит забыть о дизайн-мышлении и вспомнить о дизайн-исследованиях
Когда стоит забыть о дизайн-мышлении и вспомнить о дизайн-исследованиях
 

Similar to Kernel Pool

D2 t2 steven seeley - ghost in the windows 7 allocator
D2 t2 steven seeley - ghost in the windows 7 allocatorD2 t2 steven seeley - ghost in the windows 7 allocator
D2 t2 steven seeley - ghost in the windows 7 allocator_mr_me
 
Heaps About Heaps - Brett Moore.ppt
Heaps About Heaps - Brett Moore.pptHeaps About Heaps - Brett Moore.ppt
Heaps About Heaps - Brett Moore.pptdamesmith
 
Oracle b tree index internals - rebuilding the thruth
Oracle b tree index internals - rebuilding the thruthOracle b tree index internals - rebuilding the thruth
Oracle b tree index internals - rebuilding the thruthXavier Davias
 
2011 06-sq lite-forensics
2011 06-sq lite-forensics2011 06-sq lite-forensics
2011 06-sq lite-forensicsviaForensics
 
Sql server scalability fundamentals
Sql server scalability fundamentalsSql server scalability fundamentals
Sql server scalability fundamentalsChris Adkin
 
Jurczyk windows kernel reference count vulnerabilities. case study
Jurczyk windows kernel reference count vulnerabilities. case studyJurczyk windows kernel reference count vulnerabilities. case study
Jurczyk windows kernel reference count vulnerabilities. case studyDefconRussia
 
Chapter 8 1 Digital Design and Computer Architecture, 2n.docx
Chapter 8 1 Digital Design and Computer Architecture, 2n.docxChapter 8 1 Digital Design and Computer Architecture, 2n.docx
Chapter 8 1 Digital Design and Computer Architecture, 2n.docxchristinemaritza
 
DEF CON 27 - KYLE GWINNUP - next generation process emulation with binee
DEF CON 27 - KYLE GWINNUP - next generation process emulation with bineeDEF CON 27 - KYLE GWINNUP - next generation process emulation with binee
DEF CON 27 - KYLE GWINNUP - next generation process emulation with bineeFelipe Prado
 
Troubleshooting Tips and Tricks for Database 19c ILOUG Feb 2020
Troubleshooting Tips and Tricks for Database 19c ILOUG Feb 2020Troubleshooting Tips and Tricks for Database 19c ILOUG Feb 2020
Troubleshooting Tips and Tricks for Database 19c ILOUG Feb 2020Sandesh Rao
 
Curiosity Bits Tutorial: Mining Twitter User Profile on Python V2
Curiosity Bits Tutorial: Mining Twitter User Profile on Python V2Curiosity Bits Tutorial: Mining Twitter User Profile on Python V2
Curiosity Bits Tutorial: Mining Twitter User Profile on Python V2Weiai Wayne Xu
 
Interview with Anatoliy Kuznetsov, the author of BitMagic C++ library
Interview with Anatoliy Kuznetsov, the author of BitMagic C++ libraryInterview with Anatoliy Kuznetsov, the author of BitMagic C++ library
Interview with Anatoliy Kuznetsov, the author of BitMagic C++ libraryPVS-Studio
 
Debunking myths about_redo_ppt
Debunking myths about_redo_pptDebunking myths about_redo_ppt
Debunking myths about_redo_pptRiyaj Shamsudeen
 
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1Jagadisha Maiya
 
Troubleshooting Linux Kernel Modules And Device Drivers
Troubleshooting Linux Kernel Modules And Device DriversTroubleshooting Linux Kernel Modules And Device Drivers
Troubleshooting Linux Kernel Modules And Device DriversSatpal Parmar
 
扩展世界上最大的图片Blog社区
扩展世界上最大的图片Blog社区扩展世界上最大的图片Blog社区
扩展世界上最大的图片Blog社区yiditushe
 
Fotolog: Scaling the World's Largest Photo Blogging Community
Fotolog: Scaling the World's Largest Photo Blogging CommunityFotolog: Scaling the World's Largest Photo Blogging Community
Fotolog: Scaling the World's Largest Photo Blogging Communityfarhan "Frank"​ mashraqi
 
Oracle 10g Performance: chapter 06 buffer cache
Oracle 10g Performance: chapter 06 buffer cacheOracle 10g Performance: chapter 06 buffer cache
Oracle 10g Performance: chapter 06 buffer cacheKyle Hailey
 

Similar to Kernel Pool (20)

D2 t2 steven seeley - ghost in the windows 7 allocator
D2 t2 steven seeley - ghost in the windows 7 allocatorD2 t2 steven seeley - ghost in the windows 7 allocator
D2 t2 steven seeley - ghost in the windows 7 allocator
 
Heaps About Heaps - Brett Moore.ppt
Heaps About Heaps - Brett Moore.pptHeaps About Heaps - Brett Moore.ppt
Heaps About Heaps - Brett Moore.ppt
 
Oracle b tree index internals - rebuilding the thruth
Oracle b tree index internals - rebuilding the thruthOracle b tree index internals - rebuilding the thruth
Oracle b tree index internals - rebuilding the thruth
 
2011 06-sq lite-forensics
2011 06-sq lite-forensics2011 06-sq lite-forensics
2011 06-sq lite-forensics
 
Sql server scalability fundamentals
Sql server scalability fundamentalsSql server scalability fundamentals
Sql server scalability fundamentals
 
Jurczyk windows kernel reference count vulnerabilities. case study
Jurczyk windows kernel reference count vulnerabilities. case studyJurczyk windows kernel reference count vulnerabilities. case study
Jurczyk windows kernel reference count vulnerabilities. case study
 
Database Sizing
Database SizingDatabase Sizing
Database Sizing
 
Chapter 8 1 Digital Design and Computer Architecture, 2n.docx
Chapter 8 1 Digital Design and Computer Architecture, 2n.docxChapter 8 1 Digital Design and Computer Architecture, 2n.docx
Chapter 8 1 Digital Design and Computer Architecture, 2n.docx
 
DEF CON 27 - KYLE GWINNUP - next generation process emulation with binee
DEF CON 27 - KYLE GWINNUP - next generation process emulation with bineeDEF CON 27 - KYLE GWINNUP - next generation process emulation with binee
DEF CON 27 - KYLE GWINNUP - next generation process emulation with binee
 
Why learn Internals?
Why learn Internals?Why learn Internals?
Why learn Internals?
 
Troubleshooting Tips and Tricks for Database 19c ILOUG Feb 2020
Troubleshooting Tips and Tricks for Database 19c ILOUG Feb 2020Troubleshooting Tips and Tricks for Database 19c ILOUG Feb 2020
Troubleshooting Tips and Tricks for Database 19c ILOUG Feb 2020
 
Heap Base Exploitation
Heap Base ExploitationHeap Base Exploitation
Heap Base Exploitation
 
Curiosity Bits Tutorial: Mining Twitter User Profile on Python V2
Curiosity Bits Tutorial: Mining Twitter User Profile on Python V2Curiosity Bits Tutorial: Mining Twitter User Profile on Python V2
Curiosity Bits Tutorial: Mining Twitter User Profile on Python V2
 
Interview with Anatoliy Kuznetsov, the author of BitMagic C++ library
Interview with Anatoliy Kuznetsov, the author of BitMagic C++ libraryInterview with Anatoliy Kuznetsov, the author of BitMagic C++ library
Interview with Anatoliy Kuznetsov, the author of BitMagic C++ library
 
Debunking myths about_redo_ppt
Debunking myths about_redo_pptDebunking myths about_redo_ppt
Debunking myths about_redo_ppt
 
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
 
Troubleshooting Linux Kernel Modules And Device Drivers
Troubleshooting Linux Kernel Modules And Device DriversTroubleshooting Linux Kernel Modules And Device Drivers
Troubleshooting Linux Kernel Modules And Device Drivers
 
扩展世界上最大的图片Blog社区
扩展世界上最大的图片Blog社区扩展世界上最大的图片Blog社区
扩展世界上最大的图片Blog社区
 
Fotolog: Scaling the World's Largest Photo Blogging Community
Fotolog: Scaling the World's Largest Photo Blogging CommunityFotolog: Scaling the World's Largest Photo Blogging Community
Fotolog: Scaling the World's Largest Photo Blogging Community
 
Oracle 10g Performance: chapter 06 buffer cache
Oracle 10g Performance: chapter 06 buffer cacheOracle 10g Performance: chapter 06 buffer cache
Oracle 10g Performance: chapter 06 buffer cache
 

Recently uploaded

Impact of cancers therapies on the loss in cardiac function, myocardial fffic...
Impact of cancers therapies on the loss in cardiac function, myocardial fffic...Impact of cancers therapies on the loss in cardiac function, myocardial fffic...
Impact of cancers therapies on the loss in cardiac function, myocardial fffic...Catherine Liao
 
linearity concept of significance, standard deviation, chi square test, stude...
linearity concept of significance, standard deviation, chi square test, stude...linearity concept of significance, standard deviation, chi square test, stude...
linearity concept of significance, standard deviation, chi square test, stude...KavyasriPuttamreddy
 
Young at heart: Cardiovascular health stations to empower healthy lifestyle b...
Young at heart: Cardiovascular health stations to empower healthy lifestyle b...Young at heart: Cardiovascular health stations to empower healthy lifestyle b...
Young at heart: Cardiovascular health stations to empower healthy lifestyle b...Catherine Liao
 
Evaluation of antidepressant activity of clitoris ternatea in animals
Evaluation of antidepressant activity of clitoris ternatea in animalsEvaluation of antidepressant activity of clitoris ternatea in animals
Evaluation of antidepressant activity of clitoris ternatea in animalsShweta
 
Mastering Wealth: A Path to Financial Freedom
Mastering Wealth: A Path to Financial FreedomMastering Wealth: A Path to Financial Freedom
Mastering Wealth: A Path to Financial FreedomFatimaMary4
 
Report Back from SGO 2024: What’s the Latest in Cervical Cancer?
Report Back from SGO 2024: What’s the Latest in Cervical Cancer?Report Back from SGO 2024: What’s the Latest in Cervical Cancer?
Report Back from SGO 2024: What’s the Latest in Cervical Cancer?bkling
 
Temporal, Infratemporal & Pterygopalatine BY Dr.RIG.pptx
Temporal, Infratemporal & Pterygopalatine BY Dr.RIG.pptxTemporal, Infratemporal & Pterygopalatine BY Dr.RIG.pptx
Temporal, Infratemporal & Pterygopalatine BY Dr.RIG.pptxDr. Rabia Inam Gandapore
 
Presentació "Advancing Emergency Medicine Education through Virtual Reality"
Presentació "Advancing Emergency Medicine Education through Virtual Reality"Presentació "Advancing Emergency Medicine Education through Virtual Reality"
Presentació "Advancing Emergency Medicine Education through Virtual Reality"Badalona Serveis Assistencials
 
Fundamental of Radiobiology -SABBU.pptx
Fundamental of Radiobiology -SABBU.pptxFundamental of Radiobiology -SABBU.pptx
Fundamental of Radiobiology -SABBU.pptxSabbu Khatoon
 
Is preeclampsia and spontaneous preterm delivery associate with vascular and ...
Is preeclampsia and spontaneous preterm delivery associate with vascular and ...Is preeclampsia and spontaneous preterm delivery associate with vascular and ...
Is preeclampsia and spontaneous preterm delivery associate with vascular and ...Catherine Liao
 
Effects of vaping e-cigarettes on arterial health
Effects of vaping e-cigarettes on arterial healthEffects of vaping e-cigarettes on arterial health
Effects of vaping e-cigarettes on arterial healthCatherine Liao
 
PT MANAGEMENT OF URINARY INCONTINENCE.pptx
PT MANAGEMENT OF URINARY INCONTINENCE.pptxPT MANAGEMENT OF URINARY INCONTINENCE.pptx
PT MANAGEMENT OF URINARY INCONTINENCE.pptxdrtabassum4
 
HOT NEW PRODUCT! BIG SALES FAST SHIPPING NOW FROM CHINA!! EU KU DB BK substit...
HOT NEW PRODUCT! BIG SALES FAST SHIPPING NOW FROM CHINA!! EU KU DB BK substit...HOT NEW PRODUCT! BIG SALES FAST SHIPPING NOW FROM CHINA!! EU KU DB BK substit...
HOT NEW PRODUCT! BIG SALES FAST SHIPPING NOW FROM CHINA!! EU KU DB BK substit...GL Anaacs
 
Multiple sclerosis diet.230524.ppt3.pptx
Multiple sclerosis diet.230524.ppt3.pptxMultiple sclerosis diet.230524.ppt3.pptx
Multiple sclerosis diet.230524.ppt3.pptxMeenakshiGursamy
 
Alcohol_Dr. Jeenal Mistry MD Pharmacology.pdf
Alcohol_Dr. Jeenal Mistry MD Pharmacology.pdfAlcohol_Dr. Jeenal Mistry MD Pharmacology.pdf
Alcohol_Dr. Jeenal Mistry MD Pharmacology.pdfDr Jeenal Mistry
 
How to Give Better Lectures: Some Tips for Doctors
How to Give Better Lectures: Some Tips for DoctorsHow to Give Better Lectures: Some Tips for Doctors
How to Give Better Lectures: Some Tips for DoctorsLanceCatedral
 
Relationship between vascular system disfunction, neurofluid flow and Alzheim...
Relationship between vascular system disfunction, neurofluid flow and Alzheim...Relationship between vascular system disfunction, neurofluid flow and Alzheim...
Relationship between vascular system disfunction, neurofluid flow and Alzheim...Catherine Liao
 
Aptopadesha Pramana / Pariksha: The Verbal Testimony
Aptopadesha Pramana / Pariksha: The Verbal TestimonyAptopadesha Pramana / Pariksha: The Verbal Testimony
Aptopadesha Pramana / Pariksha: The Verbal TestimonyDr KHALID B.M
 
Surat @ℂall @Girls ꧁❤8527049040❤꧂@ℂall @Girls Service Vip Top Model Safe
Surat @ℂall @Girls ꧁❤8527049040❤꧂@ℂall @Girls Service Vip Top Model SafeSurat @ℂall @Girls ꧁❤8527049040❤꧂@ℂall @Girls Service Vip Top Model Safe
Surat @ℂall @Girls ꧁❤8527049040❤꧂@ℂall @Girls Service Vip Top Model SafeSavita Shen $i11
 
TEST BANK For Williams' Essentials of Nutrition and Diet Therapy, 13th Editio...
TEST BANK For Williams' Essentials of Nutrition and Diet Therapy, 13th Editio...TEST BANK For Williams' Essentials of Nutrition and Diet Therapy, 13th Editio...
TEST BANK For Williams' Essentials of Nutrition and Diet Therapy, 13th Editio...kevinkariuki227
 

Recently uploaded (20)

Impact of cancers therapies on the loss in cardiac function, myocardial fffic...
Impact of cancers therapies on the loss in cardiac function, myocardial fffic...Impact of cancers therapies on the loss in cardiac function, myocardial fffic...
Impact of cancers therapies on the loss in cardiac function, myocardial fffic...
 
linearity concept of significance, standard deviation, chi square test, stude...
linearity concept of significance, standard deviation, chi square test, stude...linearity concept of significance, standard deviation, chi square test, stude...
linearity concept of significance, standard deviation, chi square test, stude...
 
Young at heart: Cardiovascular health stations to empower healthy lifestyle b...
Young at heart: Cardiovascular health stations to empower healthy lifestyle b...Young at heart: Cardiovascular health stations to empower healthy lifestyle b...
Young at heart: Cardiovascular health stations to empower healthy lifestyle b...
 
Evaluation of antidepressant activity of clitoris ternatea in animals
Evaluation of antidepressant activity of clitoris ternatea in animalsEvaluation of antidepressant activity of clitoris ternatea in animals
Evaluation of antidepressant activity of clitoris ternatea in animals
 
Mastering Wealth: A Path to Financial Freedom
Mastering Wealth: A Path to Financial FreedomMastering Wealth: A Path to Financial Freedom
Mastering Wealth: A Path to Financial Freedom
 
Report Back from SGO 2024: What’s the Latest in Cervical Cancer?
Report Back from SGO 2024: What’s the Latest in Cervical Cancer?Report Back from SGO 2024: What’s the Latest in Cervical Cancer?
Report Back from SGO 2024: What’s the Latest in Cervical Cancer?
 
Temporal, Infratemporal & Pterygopalatine BY Dr.RIG.pptx
Temporal, Infratemporal & Pterygopalatine BY Dr.RIG.pptxTemporal, Infratemporal & Pterygopalatine BY Dr.RIG.pptx
Temporal, Infratemporal & Pterygopalatine BY Dr.RIG.pptx
 
Presentació "Advancing Emergency Medicine Education through Virtual Reality"
Presentació "Advancing Emergency Medicine Education through Virtual Reality"Presentació "Advancing Emergency Medicine Education through Virtual Reality"
Presentació "Advancing Emergency Medicine Education through Virtual Reality"
 
Fundamental of Radiobiology -SABBU.pptx
Fundamental of Radiobiology -SABBU.pptxFundamental of Radiobiology -SABBU.pptx
Fundamental of Radiobiology -SABBU.pptx
 
Is preeclampsia and spontaneous preterm delivery associate with vascular and ...
Is preeclampsia and spontaneous preterm delivery associate with vascular and ...Is preeclampsia and spontaneous preterm delivery associate with vascular and ...
Is preeclampsia and spontaneous preterm delivery associate with vascular and ...
 
Effects of vaping e-cigarettes on arterial health
Effects of vaping e-cigarettes on arterial healthEffects of vaping e-cigarettes on arterial health
Effects of vaping e-cigarettes on arterial health
 
PT MANAGEMENT OF URINARY INCONTINENCE.pptx
PT MANAGEMENT OF URINARY INCONTINENCE.pptxPT MANAGEMENT OF URINARY INCONTINENCE.pptx
PT MANAGEMENT OF URINARY INCONTINENCE.pptx
 
HOT NEW PRODUCT! BIG SALES FAST SHIPPING NOW FROM CHINA!! EU KU DB BK substit...
HOT NEW PRODUCT! BIG SALES FAST SHIPPING NOW FROM CHINA!! EU KU DB BK substit...HOT NEW PRODUCT! BIG SALES FAST SHIPPING NOW FROM CHINA!! EU KU DB BK substit...
HOT NEW PRODUCT! BIG SALES FAST SHIPPING NOW FROM CHINA!! EU KU DB BK substit...
 
Multiple sclerosis diet.230524.ppt3.pptx
Multiple sclerosis diet.230524.ppt3.pptxMultiple sclerosis diet.230524.ppt3.pptx
Multiple sclerosis diet.230524.ppt3.pptx
 
Alcohol_Dr. Jeenal Mistry MD Pharmacology.pdf
Alcohol_Dr. Jeenal Mistry MD Pharmacology.pdfAlcohol_Dr. Jeenal Mistry MD Pharmacology.pdf
Alcohol_Dr. Jeenal Mistry MD Pharmacology.pdf
 
How to Give Better Lectures: Some Tips for Doctors
How to Give Better Lectures: Some Tips for DoctorsHow to Give Better Lectures: Some Tips for Doctors
How to Give Better Lectures: Some Tips for Doctors
 
Relationship between vascular system disfunction, neurofluid flow and Alzheim...
Relationship between vascular system disfunction, neurofluid flow and Alzheim...Relationship between vascular system disfunction, neurofluid flow and Alzheim...
Relationship between vascular system disfunction, neurofluid flow and Alzheim...
 
Aptopadesha Pramana / Pariksha: The Verbal Testimony
Aptopadesha Pramana / Pariksha: The Verbal TestimonyAptopadesha Pramana / Pariksha: The Verbal Testimony
Aptopadesha Pramana / Pariksha: The Verbal Testimony
 
Surat @ℂall @Girls ꧁❤8527049040❤꧂@ℂall @Girls Service Vip Top Model Safe
Surat @ℂall @Girls ꧁❤8527049040❤꧂@ℂall @Girls Service Vip Top Model SafeSurat @ℂall @Girls ꧁❤8527049040❤꧂@ℂall @Girls Service Vip Top Model Safe
Surat @ℂall @Girls ꧁❤8527049040❤꧂@ℂall @Girls Service Vip Top Model Safe
 
TEST BANK For Williams' Essentials of Nutrition and Diet Therapy, 13th Editio...
TEST BANK For Williams' Essentials of Nutrition and Diet Therapy, 13th Editio...TEST BANK For Williams' Essentials of Nutrition and Diet Therapy, 13th Editio...
TEST BANK For Williams' Essentials of Nutrition and Diet Therapy, 13th Editio...
 

Kernel Pool

  • 1.
  • 2.
  • 3.
  • 4.
  • 5. Population People who write exploits People who write Windows overflows People who write Windows Kernel Pool Overflows
  • 6.
  • 7. Diversity increases QA costs dramatically
  • 8.
  • 9.
  • 10.
  • 11.
  • 12.
  • 13.
  • 14.
  • 15.
  • 16.
  • 17.
  • 18. ListHeads 0 1 2 3 4 511 ... 8 bytes 24 bytes 24 bytes 32 bytes 24 bytes Each chunk of data is preceded by a 8 byte header structure
  • 19.
  • 20.
  • 21.
  • 22.
  • 23.
  • 24.
  • 25.
  • 26.
  • 27.
  • 28.
  • 29.
  • 30. Splitting Schema Free Chunk Free Chunk Free Chunk Free Chunk Free chunk at the beginning of a page, allocated chunk goes at the front Otherwise, allocated chunk goes at the end
  • 31.
  • 32.
  • 33.
  • 34. Merging Schema Free Chunk Busy Chunk Free Chunk Free Chunk Free Chunk Free Chunk Chunk being freed Merge #1 Merge #2
  • 35.
  • 36.
  • 38.
  • 39.
  • 40.
  • 41. Notations Our chunk Chunk we overflow Overflow Potential list entry depending on chunk type Kernel Pool Overflow Header Next Header List Entry
  • 42.
  • 43.
  • 44.
  • 45.
  • 46.
  • 47.
  • 48.
  • 49. ListHeads Illustrated (1/3) ListHeads[n] Flinks Free Chunk Free Chunk Free Chunk : Overflowed list entry Flink Blink Flink Blink Flink Blink Flink Blink
  • 50. ListHeads Illustrated (1/3) ListHeads[n] Blinks Free Chunk Free Chunk Free Chunk : Overflowed list entry Flink Blink Flink Blink Flink Blink Flink Blink
  • 51. ListHeads Illustrated (2/3) ListHeads[n] Free Chunk Free Chunk PLIST_ENTRY b,f; f=ListHeads[n]  Flink  Flink; b=ListHeads[n]  Flink  Blink; b  Flink=f; f  Blink=b; Allocation of size n unlinks ListHeads[n]  Flink Flink Blink Flink Blink Flink Blink
  • 52. ListHeads Illustrated (3/3) ListHeads[n] Free Chunk PLIST_ENTRY b,f; f=ListHeads[n]  Flink  Flink; b=ListHeads[n]  Flink  Blink; b  Flink=f; f  Blink=b; ⇦ might AV Allocation of size n unlinks ListHeads[n]  Flink ListHeads[n]  Flink is now under our control! Flink Blink Flink Blink
  • 53.
  • 54.
  • 55.
  • 56.
  • 57.
  • 58.
  • 59.
  • 60.
  • 61.
  • 62.
  • 63.
  • 64.
  • 65.
  • 66.
  • 67. Why would it work? ... ... 0x14 byte buffers Kernel Pool is filled with n 0x14 byte buffers Buffer closest to our allocated buffer is the 1 st one to be copied and freed Requires a “carpet” of ~13000 contiguous 0x14 byte buffers (not too hard) Our buffer will be allocated before those (we pretty much exhausted all the free chunks) Overflow
  • 68.
  • 69.
  • 70.
  • 71.
  • 72.
  • 73.