SlideShare a Scribd company logo

Recon2013 alex ionescu-i got 99 problems but a kernel pointer ain't one

Artem I. Baranov
Artem I. Baranov

This document provides an overview of kernel pointer leaks that can occur in the Windows kernel. It discusses several ways that kernel addresses can be disclosed through Windows APIs, including module base addresses from NtQuerySystemInformation, kernel object addresses from various tracing and debugging APIs, and physical memory information leaks from the SuperFetch subsystem. The document serves to motivate further hardening of kernel address space layout randomization defenses in Windows.

Technology
1 of 44
Download to read offline
© 2012 CrowdStrike, Inc. All rights reserved. I Got 99 Problem But a Kernel Pointer Ain’t One There’s an info leak party at Ring 0 Alex Ionescu, Chief Architect @aionescu Recon 2013 alex@crowdstrike.com
Bio ■ Reverse engineered Windows kernel since 1999 ■ Lead kernel developer for ReactOS Project ■ Co-author of Windows Internals 5th and 6th Edition ■ Founded Winsider Seminars & Solutions Inc., to provide services and Windows Internals training for enterprise/government ■ Interned at Apple for a few years (Core Platform Team) ■ Now Chief Architect at CrowdStrike
Introduction
Outline ■ Introduction ■ Motivation and Previous Work ■ Old School API Leaks ■ System Design Leaks ■ Tracing/Debugging API Leaks ■ System Memory Leaks ■ SuperFetch Leaks ■ Conclusion
Motivation ■ Making Spender (grsecurity) troll really hard ■ “Kernel ASLR has never been broken by anyone I know” ■ Got a really well thought out article in response
Motivation (seriously) ■ Windows has been making a decent job of improving their ASLR in Windows 8 ■ And newer protections are yet to come ■ Guessing of user-mode addresses now requires bypassing: ■ High Entropy ASLR ■ Top-down and Bottom-up Anonymous Memory Randomization ■ Heap Allocation Order Randomization ■ …etc… ■ But Kernel ASLR remains a big problem ■ As part of a local exploit, too much information is present/given away on the system to the attacker ■ Disparate papers/presentations exist on this issue
Previous Work ■ Too many to list them all ■ Matthew Jurczyk, Tavis Ormandy, Tarjei Mandt & the other usual suspects
Old School API Leaks
You Want… Module Base Addresses? ■ NtQuerySystemInformation ■ Class: SystemModuleInformation ■ NEW Class: SystemModuleInformationEx ■ Return type is RTL_PROCESS_MODULES with ■ RTL_PROCESS_MODULE_INFORMATION ■ RTL_PROCESS_MODULE_INFORMATION_EX ■ EX Adds Checksum, TimeStamp, and Original Base ■ Before Windows 8, could also be used to query user-mode libraries
You Want… All Kernel Object Addresses? ■ NtQuerySystemInformation ■ Class: SystemObjectInformation ■ Return type is SYSTEM_OBJECT_INFORMATION ■ Contains ■ PVOID of the Kernel Object Address ■ PEPROCESS of the Kernel Object Creator ■ Requires the object type/system to enable “Maintain Type List”
You Want… Named Kernel Object Addresses? ■ NtQuerySystemInformation ■ Class: SystemHandleInformation ■ NEW Class: SystemHandleInformationEx ■ Return type ■ SYSTEM_HANDLE_INFORMATION(_EX) ■ Contains ■ PVOID of the Kernel Object Address ■ HANDLE value in the process ■ Only returns 16-bit handles and PIDs – must use Ex version
You Want… Kernel Lock Addresses? ■ NtQuerySystemInformation ■ Class: SystemLockInformation ■ Return type ■ RTL_PROCESS_LOCKS with ■ RTL_PROCESS_LOCK_INFORMATION ■ Contains ■ PVOID of the Kernel Resource ■ PVOID of Kernel Thread Owner
You Want… Kernel Stack Addresses? ■ NtQuerySystemInformation ■ Class: SystemExtendedProcessInformation ■ Return type ■ SYSTEM_EXTENDED_THREAD_INFORMATION ■ Contains ■ PVOID of the Kernel Stack Base and Kernel Stack Limit ■ PVOID of the TEB
You Want… Kernel Pool Addresses? ■ NtQuerySystemInformation ■ Class: SystemBigPoolInformation ■ Return type ■ SYSTEM_BIGPOOL_INFORMATION with ■ SYSTEM_BIGPOOL_ENTRY ■ Contains ■ PVOID of the Kernel Pool Address (if > 4KB) (“Big”) ■ And Tag
System Design Leaks
Selectors and Descriptors ■ GDT and IDT are required pieces of any x86-based processor design ■ GDT highly deprecated in x64 ■ Address of the GDT and IDT is stored in GDTR and IDTR ■ CPU instruction exists to retrieve this (SGDT/SIDT) ■ It’s not privileged! ■ Additionally, entries in the GDT can be dumped on 32-bit Windows ■ 32-bit Windows has support for LDT, and implements API for querying it ■ But if no LDT is present, GDT is dumped instead ■ Use NtQueryInformationThread (ThreadDescriptorTableEntry) ■ Reveals three TSS addresses, and KPCR address ■ Does not work on 64-bit because no LDT is supported
ARM Software Thread ID Registers ■ Modern ARM processors implement TLS registers that can be used by operating system developers ■ Similar to fs/gs on x86/x64 ■ Three are currently defined in the Cortex-A9 architecture ■ TPIDRURW (User Read Write) ■ TPIDRURO (User Read Only) ■ TPIDRPRW (Privileged Read Write) ■ Windows 8 on ARM (Windows RT) uses these registers, as seen in the public header files ■ RURW -> TEB ■ RPRW -> KPCR ■ RURO -> KTHREAD!
ACPI Table Data ■ DevicePhysicalMemory was accessible up until Windows Server 2003 SP1 in order to dump contents of RAM as desired ■ Functionality was removed, but replaced with new API for ■ ACPI, SMBIOS, and 0xC0000->0xE0000 memory access ■ NtQuerySystemInformation ■ Class: SystemFirmwareTableInformation ■ Use SYSTEM_FIRMWARE_TABLE_INFORMATION ■ Tables can store physical (RAM) addresses to devices and EFI
Trap Handler Leaks ■ Worked with a lot of these while writing ReactOS… ■ As an optimization, the kernel does not always build an SEH frame during certain operations ■ Such as a system call ■ Instead, the page fault handler recognizes if the exception came from one such optimized location ■ And does correct exception handling back to user-mode ■ However, this is based on reading the EIP! ■ Playing guessing games with the EIP can reveal kernel addresses based on the exception generated ■ “j00ru” also discovered that some of these checks make crazy assumptions about other registers -> can cause crashes
Memory-Based Leaks
Win32k Shared Memory Regions ■ Two “heaps” are implemented by the window management system ■ Session Heap (contains the object handle table) ■ Desktop Heap (contains the objects themselves) ■ To get session heap: user32!gSharedInfo ■ aheList -> Session Heap Start (handle table) ■ ulSharedDelta  Difference between user and kernel ■ To get desktop heap: TEB->Win32ClientInfo ■ pvDesktopBase  Desktop Heap Start ■ ulClientDelta  Difference between user and kernel
Win32k Objects ■ Win32k Window Manager Handle Entries contain ■ PVOID of the Win32k Object (many/most are mapped in user-space) ■ PVOID of the NT Kernel Object owner (PETHREAD and/or PEPROCESS) ■ Other structures are tagDESKTOPINFO, tagSHAREDINFO, tagCLIENTTHREADINFO, tagDISPLAYINFO, tagSERVERINFO ■ These leak addresses of pointers inside kernel mode memory as well as things like mouse cursor position, last keys states… ■ The objects themselves contain many pointers to NT objects/addreses
HAL Heap ■ When the HAL initializes extremely early in the boot process, it does not have access to any memory management functionality ■ The boot loader, HAL, and kernel’s memory manager all collaborate to define a region of memory reserved for the HAL ■ 0xFFD00000->0xFFFFFFFF is for the HAL (even on x64) ■ !halpte shows current mappings on x86 ■ hal!HalpHeapStart shows start of the heap ■ Used to store ACPI tables, as well as all the HAL Objects on Windows 8
Tracing/Debugging API Leaks
Trace-Based ETW/WMI Leaks ■ The kernel has extensive tracing performed through either legacy Windows Management Instrumentation (WMI) or Event Tracing for Windows (ETW) ■ The relevant (documented) APIs are ■ StartTrace ■ ProcessTrace ■ Many of these come from “MSNT_SystemTrace” ■ See http://msdn.microsoft.com/en- us/library/windows/desktop/aa364083(v=vs.85).aspx ■ System Profiling Privilege is required
You Want… Kernel Process Pointers? ■ ETW “Crimson” Provider ■ Or Legacy WMI ■ PERF_PROC ■ Return type ■ WMI_PROCESS_INFORMATION ■ Contains ■ PVOID of the Kernel Object Address (“UniqueProcessKey”) ■ PVOID of the Process Page Directory (“DirectoryTableBase”)
You Want… Kernel Thread Pointers? ■ ETW “Crimson” Provider ■ Or Legacy WMI ■ PERF_THREAD ■ Return type ■ WMI_EXTENDED_THREAD_INFORMATION ■ Contains ■ PVOID of the Kernel Stack Base and Stack Limit ■ PVOID of the Kernel Start Address
You Want… Kernel Spinlock Addresses? ■ ETW “Crimson” Provider ■ PERF_SPINLOCK ■ Return type ■ WMI_SPINLOCK ■ Contains ■ PVOID of the Kernel Spinlock Address ■ PVOID of the Kernel Caller Address ■ And if Address is DPC or ISR
You Want… Kernel Resource Addresses? ■ ETW “Crimson” Provider ■ PERF_RESOURCE ■ Return type ■ WMI_RESOURCE ■ Contains ■ PVOID of the Kernel Resource Address
You Want… Kernel IRP and File Object Addresses? ■ ETW “Crimson” Provider ■ PERF_FILENAME ■ EVENT_TRACE_FLAG_DISK_IO ■ Return type ■ WMI_DISKIO_READWRITE ■ PERFINFO_FILE_INFORMATION/FILE_READ_WRITE ■ Contains ■ PVOID of the IRP ■ PVOID of the FILE_OBJECT
You Want… Kernel Page Fault Addresses? ■ ETW “Crimson” Provider ■ PERF_ALL_FAULTS ■ Return type ■ WMI_PAGE_FAULT ■ Contains ■ PVOID of the Fault Address ■ PVOID of the Program Counter
And there’s more… ■ DPC/ISR Tracing reveals the kernel pointer of every interrupt and DPC handler ■ Image Load Tracing reveals kernel base address of every kernel module ■ Pool Tracing reveals kernel address of every pool allocation ■ Even non-big ones ■ New Windows 8 Object/handle-based Notifications ■ Leak the Kernel Object Pointer (and handle)
Triage Dumps ■ NtSystemDebugControl was a goldmine API in Windows XP ■ Allowed complete Ring 0 control from Ring 3 ■ In Server 2003 SP1, almost all commands were disabled ■ A driver, kldbgdrv.sys is used by WinDBG instead ■ Calls KdSystemDebugControl, which checks if /DEBUG is active ■ In Vista, a new command was added, and allowed even without being in /DEBUG mode ■ SYSDBG_COMMAND::SysDbgGetTriageDump ■ Debug Privilege is required
What’s in a Triage Dump? ■ A typical crash dump header ■ KPCR, KPRCB, KUSER_SHARED_DATA, DPC Queues, Timer Table, etc… ■ Information on the process that was selected for the dump ■ PEPROCESS structure and relevant fields ■ Information on all the threads part of the process selected ■ PETHREAD structure and relevant fields ■ APC queue, pending IRPs, and wait queues ■ Kernel Stack Trace and Context ■ And then Win32k “callback“ gets called… ■ Dumps all tagTHREADINFO + tagPROCESSINFO ■ Dumps all global variables!
SuperFetch API Leaks
What’s SuperFetch? ■ System component that tracks usage patterns and activities across one or multiple users on the machine ■ Application Launch ■ System Power Transitions ■ User Session Transitions ■ Also tracks usage ■ All File I/O ■ All Page Faults ■ Builds predictive database of application launches (Markov chain) and informs memory manager of priorities that each page should be given in memory and in the cache ■ Based on usage patterns over periods of up to 6 months
SuperFetch API ■ SuperFetch lives in user-mode! ■ sysmain.dll service inside one of the hosts ■ How does it track all page faults and File I/O ■ Partially through IOCTLs to FileInfo driver ■ Partially through undocumented API ■ NtQuerySystemInformation ■ Class: SystemSuperfetchInformation ■ Implements a variety of subclasses…
SuperFetch Information Subclasses ■ SUPERFETCH_INFORMATION must be the buffer passed in ■ SUPERFETCH_INFORMATION_CLASS determines the operation ■ Query all “sources” ■ Dump memory lists ■ Dump PFN database and page usages ■ ~12 total queries in Win7, ~20 in Win8 ■ Need version number (45 on Windows 7) ■ Need “magic password” (‘Chuk’) ■ Need System Profile privilege
SuperFetch Information Leaks ■ Querying for all sources will dump all PEPROCESS pointers ■ Querying for the trace (if you don’t race with the actual SuperFetch service, or if you disable it) will dump file object pointers, virtual addresses, and program counters ■ But the real deal is querying the PFN database! ■ PFN Database contains information on every physical page on the system and its usage ■ A few years ago, I wrote a tool to dump this… ■ Now there’s RAMMap
Conclusion
Key Takeaways ■ Unlike certain platforms such as iOS/OS X where kernel information disclosures seem to be taken rather seriously (even the GDT/IDT is aliased to prevent leaking the kernel base address!), Windows has a rather liberal policy toward kernel pointers ■ Not quite as bad as Linux, however. Microsoft does care. ■ Why don’t they “fix” these? ■ Most of the times, the answer is app compatibility ■ Other times, it’s developer support/requests ■ However, requiring admin rights across the board for such system- level APIs may hit the right balance ■ That’s not enough for DRM/Surface environments, however
Further Reading ■ The NDK (Native Development Kit) is a header kit that I maintain which has the closest possible undocumented structure definitions ■ Even “j00ru” used old/incorrect/unknown structures in his papers  ■ NDK was built with information from PDBs, ASSERTs (before NT_ASSERT), private PDB (yep… the Windows 8 ones are still on the symbol server….) and .h leaks over the years, etc… ■ *NO* source code leak/etc material used. ■ J00ru’s blog and most recent talks at CONFidence 2013 and Syscan 2013
QA ■ Greetz/shouts to: j00ru, msuiche, lilhoser
Recon2013 alex ionescu-i got 99 problems but a kernel pointer ain't one

Recommended

Find your own iOS kernel bug
Find your own iOS kernel bugFind your own iOS kernel bug
Find your own iOS kernel bugGustavo Martinez
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyFinding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyPriyanka Aash
 
OS X Drivers Reverse Engineering
OS X Drivers Reverse EngineeringOS X Drivers Reverse Engineering
OS X Drivers Reverse EngineeringPositive Hack Days
 
the windows opereting system
the windows opereting systemthe windows opereting system
the windows opereting systemЮсуф Сатторов
 
Earhart
EarhartEarhart
Earhartsiam hossain
 
Return Oriented Programming - ROP
Return Oriented Programming - ROPReturn Oriented Programming - ROP
Return Oriented Programming - ROPMihir Shah
 
Lcu14 101- coresight overview
Lcu14 101- coresight overviewLcu14 101- coresight overview
Lcu14 101- coresight overviewLinaro
 
Binary art - Byte-ing the PE that fails you (extended offline version)
Binary art - Byte-ing the PE that fails you (extended offline version)Binary art - Byte-ing the PE that fails you (extended offline version)
Binary art - Byte-ing the PE that fails you (extended offline version)Ange Albertini
 

Recommended

Find your own iOS kernel bug
Find your own iOS kernel bugFind your own iOS kernel bug
Find your own iOS kernel bugGustavo Martinez
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyFinding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyPriyanka Aash
 
OS X Drivers Reverse Engineering
OS X Drivers Reverse EngineeringOS X Drivers Reverse Engineering
OS X Drivers Reverse EngineeringPositive Hack Days
 
the windows opereting system
the windows opereting systemthe windows opereting system
the windows opereting systemЮсуф Сатторов
 
Earhart
EarhartEarhart
Earhartsiam hossain
 
Return Oriented Programming - ROP
Return Oriented Programming - ROPReturn Oriented Programming - ROP
Return Oriented Programming - ROPMihir Shah
 
Lcu14 101- coresight overview
Lcu14 101- coresight overviewLcu14 101- coresight overview
Lcu14 101- coresight overviewLinaro
 
Binary art - Byte-ing the PE that fails you (extended offline version)
Binary art - Byte-ing the PE that fails you (extended offline version)Binary art - Byte-ing the PE that fails you (extended offline version)
Binary art - Byte-ing the PE that fails you (extended offline version)Ange Albertini
 
AFPS_2011
AFPS_2011AFPS_2011
AFPS_2011Rajorshi Ghosh Choudhury
 
Code Injection in Windows
Code Injection in WindowsCode Injection in Windows
Code Injection in Windowsn|u - The Open Security Community
 
Unix::Statgrab
Unix::StatgrabUnix::Statgrab
Unix::StatgrabJens Rehsack
 
Winnti Polymorphism
Winnti PolymorphismWinnti Polymorphism
Winnti PolymorphismTakahiro Haruyama
 
Strategies to design FUD malware
Strategies to design FUD malwareStrategies to design FUD malware
Strategies to design FUD malwarePedro Tavares
 
Windows Debugging with WinDbg
Windows Debugging with WinDbgWindows Debugging with WinDbg
Windows Debugging with WinDbgArno Huetter
 
Hunting Mac Malware with Memory Forensics
Hunting Mac Malware with Memory ForensicsHunting Mac Malware with Memory Forensics
Hunting Mac Malware with Memory ForensicsAndrew Case
 
I Know You Want Me - Unplugging PlugX
I Know You Want Me - Unplugging PlugXI Know You Want Me - Unplugging PlugX
I Know You Want Me - Unplugging PlugXTakahiro Haruyama
 
Fast and Generic Malware Triage Using openioc_scan Volatility Plugin
Fast and Generic Malware Triage Using openioc_scan Volatility PluginFast and Generic Malware Triage Using openioc_scan Volatility Plugin
Fast and Generic Malware Triage Using openioc_scan Volatility PluginTakahiro Haruyama
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyFinding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyPriyanka Aash
 
Malicious File for Exploiting Forensic Software
Malicious File for Exploiting Forensic SoftwareMalicious File for Exploiting Forensic Software
Malicious File for Exploiting Forensic SoftwareTakahiro Haruyama
 
One Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform ExploitationOne Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform ExploitationQuinn Wilton
 
CanSecWest 2017 - Port(al) to the iOS Core
CanSecWest 2017 - Port(al) to the iOS CoreCanSecWest 2017 - Port(al) to the iOS Core
CanSecWest 2017 - Port(al) to the iOS CoreStefan Esser
 
Linux 系統程式--第一章 i/o 函式
Linux 系統程式--第一章 i/o 函式Linux 系統程式--第一章 i/o 函式
Linux 系統程式--第一章 i/o 函式艾鍗科技
 
Volatile memory analysis
Volatile memory analysisVolatile memory analysis
Volatile memory analysisHimanshu0734
 
PE File Format
PE File FormatPE File Format
PE File Formatn|u - The Open Security Community
 
Solr a.b-ab
Solr a.b-abSolr a.b-ab
Solr a.b-abhero_of_the_day
 
SyScan Singapore 2010 - Returning Into The PHP-Interpreter
SyScan Singapore 2010 - Returning Into The PHP-InterpreterSyScan Singapore 2010 - Returning Into The PHP-Interpreter
SyScan Singapore 2010 - Returning Into The PHP-InterpreterStefan Esser
 
How a cpu works
How a cpu worksHow a cpu works
How a cpu worksJbspherefreak
 
Perl for System Automation - 01 Advanced File Processing
Perl for System Automation - 01 Advanced File ProcessingPerl for System Automation - 01 Advanced File Processing
Perl for System Automation - 01 Advanced File ProcessingDanairat Thanabodithammachari
 
Araisininthesun
AraisininthesunAraisininthesun
Araisininthesunstacylsd
 
Villasangiuliano
VillasangiulianoVillasangiuliano
Villasangiulianoserafina66
 

More Related Content

What's hot

Strategies to design FUD malware
Strategies to design FUD malwareStrategies to design FUD malware
Strategies to design FUD malwarePedro Tavares
 
Windows Debugging with WinDbg
Windows Debugging with WinDbgWindows Debugging with WinDbg
Windows Debugging with WinDbgArno Huetter
 
Hunting Mac Malware with Memory Forensics
Hunting Mac Malware with Memory ForensicsHunting Mac Malware with Memory Forensics
Hunting Mac Malware with Memory ForensicsAndrew Case
 
I Know You Want Me - Unplugging PlugX
I Know You Want Me - Unplugging PlugXI Know You Want Me - Unplugging PlugX
I Know You Want Me - Unplugging PlugXTakahiro Haruyama
 
Fast and Generic Malware Triage Using openioc_scan Volatility Plugin
Fast and Generic Malware Triage Using openioc_scan Volatility PluginFast and Generic Malware Triage Using openioc_scan Volatility Plugin
Fast and Generic Malware Triage Using openioc_scan Volatility PluginTakahiro Haruyama
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyFinding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyPriyanka Aash
 
Malicious File for Exploiting Forensic Software
Malicious File for Exploiting Forensic SoftwareMalicious File for Exploiting Forensic Software
Malicious File for Exploiting Forensic SoftwareTakahiro Haruyama
 
One Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform ExploitationOne Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform ExploitationQuinn Wilton
 
CanSecWest 2017 - Port(al) to the iOS Core
CanSecWest 2017 - Port(al) to the iOS CoreCanSecWest 2017 - Port(al) to the iOS Core
CanSecWest 2017 - Port(al) to the iOS CoreStefan Esser
 
Linux 系統程式--第一章 i/o 函式
Linux 系統程式--第一章 i/o 函式Linux 系統程式--第一章 i/o 函式
Linux 系統程式--第一章 i/o 函式艾鍗科技
 
Volatile memory analysis
Volatile memory analysisVolatile memory analysis
Volatile memory analysisHimanshu0734
 
SyScan Singapore 2010 - Returning Into The PHP-Interpreter
SyScan Singapore 2010 - Returning Into The PHP-InterpreterSyScan Singapore 2010 - Returning Into The PHP-Interpreter
SyScan Singapore 2010 - Returning Into The PHP-InterpreterStefan Esser
 
Perl for System Automation - 01 Advanced File Processing
Perl for System Automation - 01 Advanced File ProcessingPerl for System Automation - 01 Advanced File Processing
Perl for System Automation - 01 Advanced File ProcessingDanairat Thanabodithammachari
 

What's hot (20)

AFPS_2011
AFPS_2011AFPS_2011
AFPS_2011
 
Code Injection in Windows
Code Injection in WindowsCode Injection in Windows
Code Injection in Windows
 
Unix::Statgrab
Unix::StatgrabUnix::Statgrab
Unix::Statgrab
 
Winnti Polymorphism
Winnti PolymorphismWinnti Polymorphism
Winnti Polymorphism
 
Strategies to design FUD malware
Strategies to design FUD malwareStrategies to design FUD malware
Strategies to design FUD malware
 
Windows Debugging with WinDbg
Windows Debugging with WinDbgWindows Debugging with WinDbg
Windows Debugging with WinDbg
 
Hunting Mac Malware with Memory Forensics
Hunting Mac Malware with Memory ForensicsHunting Mac Malware with Memory Forensics
Hunting Mac Malware with Memory Forensics
 
I Know You Want Me - Unplugging PlugX
I Know You Want Me - Unplugging PlugXI Know You Want Me - Unplugging PlugX
I Know You Want Me - Unplugging PlugX
 
Fast and Generic Malware Triage Using openioc_scan Volatility Plugin
Fast and Generic Malware Triage Using openioc_scan Volatility PluginFast and Generic Malware Triage Using openioc_scan Volatility Plugin
Fast and Generic Malware Triage Using openioc_scan Volatility Plugin
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyFinding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated Disassembly
 
Malicious File for Exploiting Forensic Software
Malicious File for Exploiting Forensic SoftwareMalicious File for Exploiting Forensic Software
Malicious File for Exploiting Forensic Software
 
One Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform ExploitationOne Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform Exploitation
 
CanSecWest 2017 - Port(al) to the iOS Core
CanSecWest 2017 - Port(al) to the iOS CoreCanSecWest 2017 - Port(al) to the iOS Core
CanSecWest 2017 - Port(al) to the iOS Core
 
Linux 系統程式--第一章 i/o 函式
Linux 系統程式--第一章 i/o 函式Linux 系統程式--第一章 i/o 函式
Linux 系統程式--第一章 i/o 函式
 
Volatile memory analysis
Volatile memory analysisVolatile memory analysis
Volatile memory analysis
 
PE File Format
PE File FormatPE File Format
PE File Format
 
Solr a.b-ab
Solr a.b-abSolr a.b-ab
Solr a.b-ab
 
SyScan Singapore 2010 - Returning Into The PHP-Interpreter
SyScan Singapore 2010 - Returning Into The PHP-InterpreterSyScan Singapore 2010 - Returning Into The PHP-Interpreter
SyScan Singapore 2010 - Returning Into The PHP-Interpreter
 
How a cpu works
How a cpu worksHow a cpu works
How a cpu works
 
Perl for System Automation - 01 Advanced File Processing
Perl for System Automation - 01 Advanced File ProcessingPerl for System Automation - 01 Advanced File Processing
Perl for System Automation - 01 Advanced File Processing
 

Viewers also liked

Araisininthesun
AraisininthesunAraisininthesun
Araisininthesunstacylsd
 
Villasangiuliano
VillasangiulianoVillasangiuliano
Villasangiulianoserafina66
 
Productos coco channel
Productos coco channelProductos coco channel
Productos coco channelSrta Ponce
 
Ds dunia sains dan teknologi tahun 1 bt
Ds dunia sains dan teknologi tahun 1 btDs dunia sains dan teknologi tahun 1 bt
Ds dunia sains dan teknologi tahun 1 btValar Mathi
 
ラジオに未来はあるのか
ラジオに未来はあるのかラジオに未来はあるのか
ラジオに未来はあるのかikoha
 
Author's garden gala invitation for fb
Author's garden gala invitation for fbAuthor's garden gala invitation for fb
Author's garden gala invitation for fbswimsusan
 
Cultura pugliese (comenius)
Cultura pugliese (comenius)Cultura pugliese (comenius)
Cultura pugliese (comenius)serafina66
 
Productos coco channel
Productos coco channelProductos coco channel
Productos coco channelSrta Ponce
 
情報処理論 課題
情報処理論 課題情報処理論 課題
情報処理論 課題Masanori Abe
 
ラジオに未来はあるのか
ラジオに未来はあるのかラジオに未来はあるのか
ラジオに未来はあるのかikoha
 
Author's garden gala invitation for fb
Author's garden gala invitation for fbAuthor's garden gala invitation for fb
Author's garden gala invitation for fbswimsusan
 
Dokumen standard bahasa tamil sjkt tahap 1
Dokumen standard bahasa tamil sjkt tahap 1Dokumen standard bahasa tamil sjkt tahap 1
Dokumen standard bahasa tamil sjkt tahap 1Valar Mathi
 
博士論文(井筒耕平,2012)
博士論文(井筒耕平,2012)博士論文(井筒耕平,2012)
博士論文(井筒耕平,2012)sonraku Inc.
 
How apple can read your i messages
How apple can read your i messagesHow apple can read your i messages
How apple can read your i messagesArtem I. Baranov
 
Araisininthesun student notes
Araisininthesun student notesAraisininthesun student notes
Araisininthesun student notesstacylsd
 
28526777 makalah-kompetensi-guru-dalam-meningkatkan-profesionalisme-guru
28526777 makalah-kompetensi-guru-dalam-meningkatkan-profesionalisme-guru28526777 makalah-kompetensi-guru-dalam-meningkatkan-profesionalisme-guru
28526777 makalah-kompetensi-guru-dalam-meningkatkan-profesionalisme-guruRatih Ginarti
 

Viewers also liked (19)

Araisininthesun
AraisininthesunAraisininthesun
Araisininthesun
 
Villasangiuliano
VillasangiulianoVillasangiuliano
Villasangiuliano
 
Productos coco channel
Productos coco channelProductos coco channel
Productos coco channel
 
Ds dunia sains dan teknologi tahun 1 bt
Ds dunia sains dan teknologi tahun 1 btDs dunia sains dan teknologi tahun 1 bt
Ds dunia sains dan teknologi tahun 1 bt
 
ラジオに未来はあるのか
ラジオに未来はあるのかラジオに未来はあるのか
ラジオに未来はあるのか
 
Author's garden gala invitation for fb
Author's garden gala invitation for fbAuthor's garden gala invitation for fb
Author's garden gala invitation for fb
 
Ppt koko
Ppt kokoPpt koko
Ppt koko
 
Cultura pugliese (comenius)
Cultura pugliese (comenius)Cultura pugliese (comenius)
Cultura pugliese (comenius)
 
Carnevale
CarnevaleCarnevale
Carnevale
 
Productos coco channel
Productos coco channelProductos coco channel
Productos coco channel
 
情報処理論 課題
情報処理論 課題情報処理論 課題
情報処理論 課題
 
ラジオに未来はあるのか
ラジオに未来はあるのかラジオに未来はあるのか
ラジオに未来はあるのか
 
Author's garden gala invitation for fb
Author's garden gala invitation for fbAuthor's garden gala invitation for fb
Author's garden gala invitation for fb
 
Dokumen standard bahasa tamil sjkt tahap 1
Dokumen standard bahasa tamil sjkt tahap 1Dokumen standard bahasa tamil sjkt tahap 1
Dokumen standard bahasa tamil sjkt tahap 1
 
博士論文(井筒耕平,2012)
博士論文(井筒耕平,2012)博士論文(井筒耕平,2012)
博士論文(井筒耕平,2012)
 
How apple can read your i messages
How apple can read your i messagesHow apple can read your i messages
How apple can read your i messages
 
Araisininthesun student notes
Araisininthesun student notesAraisininthesun student notes
Araisininthesun student notes
 
ArcServe UDP
ArcServe UDPArcServe UDP
ArcServe UDP
 
28526777 makalah-kompetensi-guru-dalam-meningkatkan-profesionalisme-guru
28526777 makalah-kompetensi-guru-dalam-meningkatkan-profesionalisme-guru28526777 makalah-kompetensi-guru-dalam-meningkatkan-profesionalisme-guru
28526777 makalah-kompetensi-guru-dalam-meningkatkan-profesionalisme-guru
 

Similar to Recon2013 alex ionescu-i got 99 problems but a kernel pointer ain't one

Char Drivers And Debugging Techniques
Char Drivers And Debugging TechniquesChar Drivers And Debugging Techniques
Char Drivers And Debugging TechniquesYourHelper1
 
Operating Systems 1 (5/12) - Architectures (Unix)
Operating Systems 1 (5/12) - Architectures (Unix)Operating Systems 1 (5/12) - Architectures (Unix)
Operating Systems 1 (5/12) - Architectures (Unix)Peter Tröger
 
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...44CON
 
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012DefCamp
 
The linux kernel hidden inside windows 10
The linux kernel hidden inside windows 10The linux kernel hidden inside windows 10
The linux kernel hidden inside windows 10mark-smith
 
Operating Systems 1 (7/12) - Threads
Operating Systems 1 (7/12) - ThreadsOperating Systems 1 (7/12) - Threads
Operating Systems 1 (7/12) - ThreadsPeter Tröger
 
Mac Memory Analysis with Volatility
Mac Memory Analysis with VolatilityMac Memory Analysis with Volatility
Mac Memory Analysis with VolatilityAndrew Case
 
Aerospike Architecture
Aerospike ArchitectureAerospike Architecture
Aerospike ArchitecturePeter Milne
 
Lec 10-linux-review
Lec 10-linux-reviewLec 10-linux-review
Lec 10-linux-reviewabinaya m
 
BKK16-103 OpenCSD - Open for Business!
BKK16-103 OpenCSD - Open for Business!BKK16-103 OpenCSD - Open for Business!
BKK16-103 OpenCSD - Open for Business!Linaro
 
Ganesh naik linux_kernel_internals
Ganesh naik linux_kernel_internalsGanesh naik linux_kernel_internals
Ganesh naik linux_kernel_internalsGanesh Naik
 
Ganesh naik linux_kernel_internals
Ganesh naik linux_kernel_internalsGanesh naik linux_kernel_internals
Ganesh naik linux_kernel_internalsnullowaspmumbai
 
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Elvin Gentiles
 
A Battle Against the Industry - Beating Antivirus for Meterpreter and More
A Battle Against the Industry - Beating Antivirus for Meterpreter and MoreA Battle Against the Industry - Beating Antivirus for Meterpreter and More
A Battle Against the Industry - Beating Antivirus for Meterpreter and MoreCTruncer
 
Linux Conference Australia 2018 : Device Tree, past, present, future
Linux Conference Australia 2018 : Device Tree, past, present, futureLinux Conference Australia 2018 : Device Tree, past, present, future
Linux Conference Australia 2018 : Device Tree, past, present, futureNeil Armstrong
 
Arm device tree and linux device drivers
Arm device tree and linux device driversArm device tree and linux device drivers
Arm device tree and linux device driversHoucheng Lin
 

Similar to Recon2013 alex ionescu-i got 99 problems but a kernel pointer ain't one (20)

Char Drivers And Debugging Techniques
Char Drivers And Debugging TechniquesChar Drivers And Debugging Techniques
Char Drivers And Debugging Techniques
 
Basic Linux Internals
Basic Linux InternalsBasic Linux Internals
Basic Linux Internals
 
Operating Systems 1 (5/12) - Architectures (Unix)
Operating Systems 1 (5/12) - Architectures (Unix)Operating Systems 1 (5/12) - Architectures (Unix)
Operating Systems 1 (5/12) - Architectures (Unix)
 
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
 
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
 
The linux kernel hidden inside windows 10
The linux kernel hidden inside windows 10The linux kernel hidden inside windows 10
The linux kernel hidden inside windows 10
 
Operating Systems 1 (7/12) - Threads
Operating Systems 1 (7/12) - ThreadsOperating Systems 1 (7/12) - Threads
Operating Systems 1 (7/12) - Threads
 
LINUX Device Drivers
LINUX Device DriversLINUX Device Drivers
LINUX Device Drivers
 
Mac Memory Analysis with Volatility
Mac Memory Analysis with VolatilityMac Memory Analysis with Volatility
Mac Memory Analysis with Volatility
 
Aerospike Architecture
Aerospike ArchitectureAerospike Architecture
Aerospike Architecture
 
Lec 10-linux-review
Lec 10-linux-reviewLec 10-linux-review
Lec 10-linux-review
 
02-OS-review.pptx
02-OS-review.pptx02-OS-review.pptx
02-OS-review.pptx
 
BKK16-103 OpenCSD - Open for Business!
BKK16-103 OpenCSD - Open for Business!BKK16-103 OpenCSD - Open for Business!
BKK16-103 OpenCSD - Open for Business!
 
Windows XP operating system
Windows XP operating systemWindows XP operating system
Windows XP operating system
 
Ganesh naik linux_kernel_internals
Ganesh naik linux_kernel_internalsGanesh naik linux_kernel_internals
Ganesh naik linux_kernel_internals
 
Ganesh naik linux_kernel_internals
Ganesh naik linux_kernel_internalsGanesh naik linux_kernel_internals
Ganesh naik linux_kernel_internals
 
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
 
A Battle Against the Industry - Beating Antivirus for Meterpreter and More
A Battle Against the Industry - Beating Antivirus for Meterpreter and MoreA Battle Against the Industry - Beating Antivirus for Meterpreter and More
A Battle Against the Industry - Beating Antivirus for Meterpreter and More
 
Linux Conference Australia 2018 : Device Tree, past, present, future
Linux Conference Australia 2018 : Device Tree, past, present, futureLinux Conference Australia 2018 : Device Tree, past, present, future
Linux Conference Australia 2018 : Device Tree, past, present, future
 
Arm device tree and linux device drivers
Arm device tree and linux device driversArm device tree and linux device drivers
Arm device tree and linux device drivers
 

Recently uploaded

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGSujit Pal
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 

Recently uploaded (20)

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 

Recon2013 alex ionescu-i got 99 problems but a kernel pointer ain't one

  • 1. © 2012 CrowdStrike, Inc. All rights reserved. I Got 99 Problem But a Kernel Pointer Ain’t One There’s an info leak party at Ring 0 Alex Ionescu, Chief Architect @aionescu Recon 2013 alex@crowdstrike.com
  • 2. Bio ■ Reverse engineered Windows kernel since 1999 ■ Lead kernel developer for ReactOS Project ■ Co-author of Windows Internals 5th and 6th Edition ■ Founded Winsider Seminars & Solutions Inc., to provide services and Windows Internals training for enterprise/government ■ Interned at Apple for a few years (Core Platform Team) ■ Now Chief Architect at CrowdStrike
  • 4. Outline ■ Introduction ■ Motivation and Previous Work ■ Old School API Leaks ■ System Design Leaks ■ Tracing/Debugging API Leaks ■ System Memory Leaks ■ SuperFetch Leaks ■ Conclusion
  • 5. Motivation ■ Making Spender (grsecurity) troll really hard ■ “Kernel ASLR has never been broken by anyone I know” ■ Got a really well thought out article in response
  • 6. Motivation (seriously) ■ Windows has been making a decent job of improving their ASLR in Windows 8 ■ And newer protections are yet to come ■ Guessing of user-mode addresses now requires bypassing: ■ High Entropy ASLR ■ Top-down and Bottom-up Anonymous Memory Randomization ■ Heap Allocation Order Randomization ■ …etc… ■ But Kernel ASLR remains a big problem ■ As part of a local exploit, too much information is present/given away on the system to the attacker ■ Disparate papers/presentations exist on this issue
  • 7. Previous Work ■ Too many to list them all ■ Matthew Jurczyk, Tavis Ormandy, Tarjei Mandt & the other usual suspects
  • 9. You Want… Module Base Addresses? ■ NtQuerySystemInformation ■ Class: SystemModuleInformation ■ NEW Class: SystemModuleInformationEx ■ Return type is RTL_PROCESS_MODULES with ■ RTL_PROCESS_MODULE_INFORMATION ■ RTL_PROCESS_MODULE_INFORMATION_EX ■ EX Adds Checksum, TimeStamp, and Original Base ■ Before Windows 8, could also be used to query user-mode libraries
  • 10. You Want… All Kernel Object Addresses? ■ NtQuerySystemInformation ■ Class: SystemObjectInformation ■ Return type is SYSTEM_OBJECT_INFORMATION ■ Contains ■ PVOID of the Kernel Object Address ■ PEPROCESS of the Kernel Object Creator ■ Requires the object type/system to enable “Maintain Type List”
  • 11. You Want… Named Kernel Object Addresses? ■ NtQuerySystemInformation ■ Class: SystemHandleInformation ■ NEW Class: SystemHandleInformationEx ■ Return type ■ SYSTEM_HANDLE_INFORMATION(_EX) ■ Contains ■ PVOID of the Kernel Object Address ■ HANDLE value in the process ■ Only returns 16-bit handles and PIDs – must use Ex version
  • 12. You Want… Kernel Lock Addresses? ■ NtQuerySystemInformation ■ Class: SystemLockInformation ■ Return type ■ RTL_PROCESS_LOCKS with ■ RTL_PROCESS_LOCK_INFORMATION ■ Contains ■ PVOID of the Kernel Resource ■ PVOID of Kernel Thread Owner
  • 13. You Want… Kernel Stack Addresses? ■ NtQuerySystemInformation ■ Class: SystemExtendedProcessInformation ■ Return type ■ SYSTEM_EXTENDED_THREAD_INFORMATION ■ Contains ■ PVOID of the Kernel Stack Base and Kernel Stack Limit ■ PVOID of the TEB
  • 14. You Want… Kernel Pool Addresses? ■ NtQuerySystemInformation ■ Class: SystemBigPoolInformation ■ Return type ■ SYSTEM_BIGPOOL_INFORMATION with ■ SYSTEM_BIGPOOL_ENTRY ■ Contains ■ PVOID of the Kernel Pool Address (if > 4KB) (“Big”) ■ And Tag
  • 16. Selectors and Descriptors ■ GDT and IDT are required pieces of any x86-based processor design ■ GDT highly deprecated in x64 ■ Address of the GDT and IDT is stored in GDTR and IDTR ■ CPU instruction exists to retrieve this (SGDT/SIDT) ■ It’s not privileged! ■ Additionally, entries in the GDT can be dumped on 32-bit Windows ■ 32-bit Windows has support for LDT, and implements API for querying it ■ But if no LDT is present, GDT is dumped instead ■ Use NtQueryInformationThread (ThreadDescriptorTableEntry) ■ Reveals three TSS addresses, and KPCR address ■ Does not work on 64-bit because no LDT is supported
  • 17. ARM Software Thread ID Registers ■ Modern ARM processors implement TLS registers that can be used by operating system developers ■ Similar to fs/gs on x86/x64 ■ Three are currently defined in the Cortex-A9 architecture ■ TPIDRURW (User Read Write) ■ TPIDRURO (User Read Only) ■ TPIDRPRW (Privileged Read Write) ■ Windows 8 on ARM (Windows RT) uses these registers, as seen in the public header files ■ RURW -> TEB ■ RPRW -> KPCR ■ RURO -> KTHREAD!
  • 18. ACPI Table Data ■ DevicePhysicalMemory was accessible up until Windows Server 2003 SP1 in order to dump contents of RAM as desired ■ Functionality was removed, but replaced with new API for ■ ACPI, SMBIOS, and 0xC0000->0xE0000 memory access ■ NtQuerySystemInformation ■ Class: SystemFirmwareTableInformation ■ Use SYSTEM_FIRMWARE_TABLE_INFORMATION ■ Tables can store physical (RAM) addresses to devices and EFI
  • 19. Trap Handler Leaks ■ Worked with a lot of these while writing ReactOS… ■ As an optimization, the kernel does not always build an SEH frame during certain operations ■ Such as a system call ■ Instead, the page fault handler recognizes if the exception came from one such optimized location ■ And does correct exception handling back to user-mode ■ However, this is based on reading the EIP! ■ Playing guessing games with the EIP can reveal kernel addresses based on the exception generated ■ “j00ru” also discovered that some of these checks make crazy assumptions about other registers -> can cause crashes
  • 21. Win32k Shared Memory Regions ■ Two “heaps” are implemented by the window management system ■ Session Heap (contains the object handle table) ■ Desktop Heap (contains the objects themselves) ■ To get session heap: user32!gSharedInfo ■ aheList -> Session Heap Start (handle table) ■ ulSharedDelta  Difference between user and kernel ■ To get desktop heap: TEB->Win32ClientInfo ■ pvDesktopBase  Desktop Heap Start ■ ulClientDelta  Difference between user and kernel
  • 22. Win32k Objects ■ Win32k Window Manager Handle Entries contain ■ PVOID of the Win32k Object (many/most are mapped in user-space) ■ PVOID of the NT Kernel Object owner (PETHREAD and/or PEPROCESS) ■ Other structures are tagDESKTOPINFO, tagSHAREDINFO, tagCLIENTTHREADINFO, tagDISPLAYINFO, tagSERVERINFO ■ These leak addresses of pointers inside kernel mode memory as well as things like mouse cursor position, last keys states… ■ The objects themselves contain many pointers to NT objects/addreses
  • 23. HAL Heap ■ When the HAL initializes extremely early in the boot process, it does not have access to any memory management functionality ■ The boot loader, HAL, and kernel’s memory manager all collaborate to define a region of memory reserved for the HAL ■ 0xFFD00000->0xFFFFFFFF is for the HAL (even on x64) ■ !halpte shows current mappings on x86 ■ hal!HalpHeapStart shows start of the heap ■ Used to store ACPI tables, as well as all the HAL Objects on Windows 8
  • 25. Trace-Based ETW/WMI Leaks ■ The kernel has extensive tracing performed through either legacy Windows Management Instrumentation (WMI) or Event Tracing for Windows (ETW) ■ The relevant (documented) APIs are ■ StartTrace ■ ProcessTrace ■ Many of these come from “MSNT_SystemTrace” ■ See http://msdn.microsoft.com/en- us/library/windows/desktop/aa364083(v=vs.85).aspx ■ System Profiling Privilege is required
  • 26. You Want… Kernel Process Pointers? ■ ETW “Crimson” Provider ■ Or Legacy WMI ■ PERF_PROC ■ Return type ■ WMI_PROCESS_INFORMATION ■ Contains ■ PVOID of the Kernel Object Address (“UniqueProcessKey”) ■ PVOID of the Process Page Directory (“DirectoryTableBase”)
  • 27. You Want… Kernel Thread Pointers? ■ ETW “Crimson” Provider ■ Or Legacy WMI ■ PERF_THREAD ■ Return type ■ WMI_EXTENDED_THREAD_INFORMATION ■ Contains ■ PVOID of the Kernel Stack Base and Stack Limit ■ PVOID of the Kernel Start Address
  • 28. You Want… Kernel Spinlock Addresses? ■ ETW “Crimson” Provider ■ PERF_SPINLOCK ■ Return type ■ WMI_SPINLOCK ■ Contains ■ PVOID of the Kernel Spinlock Address ■ PVOID of the Kernel Caller Address ■ And if Address is DPC or ISR
  • 29. You Want… Kernel Resource Addresses? ■ ETW “Crimson” Provider ■ PERF_RESOURCE ■ Return type ■ WMI_RESOURCE ■ Contains ■ PVOID of the Kernel Resource Address
  • 30. You Want… Kernel IRP and File Object Addresses? ■ ETW “Crimson” Provider ■ PERF_FILENAME ■ EVENT_TRACE_FLAG_DISK_IO ■ Return type ■ WMI_DISKIO_READWRITE ■ PERFINFO_FILE_INFORMATION/FILE_READ_WRITE ■ Contains ■ PVOID of the IRP ■ PVOID of the FILE_OBJECT
  • 31. You Want… Kernel Page Fault Addresses? ■ ETW “Crimson” Provider ■ PERF_ALL_FAULTS ■ Return type ■ WMI_PAGE_FAULT ■ Contains ■ PVOID of the Fault Address ■ PVOID of the Program Counter
  • 32. And there’s more… ■ DPC/ISR Tracing reveals the kernel pointer of every interrupt and DPC handler ■ Image Load Tracing reveals kernel base address of every kernel module ■ Pool Tracing reveals kernel address of every pool allocation ■ Even non-big ones ■ New Windows 8 Object/handle-based Notifications ■ Leak the Kernel Object Pointer (and handle)
  • 33. Triage Dumps ■ NtSystemDebugControl was a goldmine API in Windows XP ■ Allowed complete Ring 0 control from Ring 3 ■ In Server 2003 SP1, almost all commands were disabled ■ A driver, kldbgdrv.sys is used by WinDBG instead ■ Calls KdSystemDebugControl, which checks if /DEBUG is active ■ In Vista, a new command was added, and allowed even without being in /DEBUG mode ■ SYSDBG_COMMAND::SysDbgGetTriageDump ■ Debug Privilege is required
  • 34. What’s in a Triage Dump? ■ A typical crash dump header ■ KPCR, KPRCB, KUSER_SHARED_DATA, DPC Queues, Timer Table, etc… ■ Information on the process that was selected for the dump ■ PEPROCESS structure and relevant fields ■ Information on all the threads part of the process selected ■ PETHREAD structure and relevant fields ■ APC queue, pending IRPs, and wait queues ■ Kernel Stack Trace and Context ■ And then Win32k “callback“ gets called… ■ Dumps all tagTHREADINFO + tagPROCESSINFO ■ Dumps all global variables!
  • 36. What’s SuperFetch? ■ System component that tracks usage patterns and activities across one or multiple users on the machine ■ Application Launch ■ System Power Transitions ■ User Session Transitions ■ Also tracks usage ■ All File I/O ■ All Page Faults ■ Builds predictive database of application launches (Markov chain) and informs memory manager of priorities that each page should be given in memory and in the cache ■ Based on usage patterns over periods of up to 6 months
  • 37. SuperFetch API ■ SuperFetch lives in user-mode! ■ sysmain.dll service inside one of the hosts ■ How does it track all page faults and File I/O ■ Partially through IOCTLs to FileInfo driver ■ Partially through undocumented API ■ NtQuerySystemInformation ■ Class: SystemSuperfetchInformation ■ Implements a variety of subclasses…
  • 38. SuperFetch Information Subclasses ■ SUPERFETCH_INFORMATION must be the buffer passed in ■ SUPERFETCH_INFORMATION_CLASS determines the operation ■ Query all “sources” ■ Dump memory lists ■ Dump PFN database and page usages ■ ~12 total queries in Win7, ~20 in Win8 ■ Need version number (45 on Windows 7) ■ Need “magic password” (‘Chuk’) ■ Need System Profile privilege
  • 39. SuperFetch Information Leaks ■ Querying for all sources will dump all PEPROCESS pointers ■ Querying for the trace (if you don’t race with the actual SuperFetch service, or if you disable it) will dump file object pointers, virtual addresses, and program counters ■ But the real deal is querying the PFN database! ■ PFN Database contains information on every physical page on the system and its usage ■ A few years ago, I wrote a tool to dump this… ■ Now there’s RAMMap
  • 41. Key Takeaways ■ Unlike certain platforms such as iOS/OS X where kernel information disclosures seem to be taken rather seriously (even the GDT/IDT is aliased to prevent leaking the kernel base address!), Windows has a rather liberal policy toward kernel pointers ■ Not quite as bad as Linux, however. Microsoft does care. ■ Why don’t they “fix” these? ■ Most of the times, the answer is app compatibility ■ Other times, it’s developer support/requests ■ However, requiring admin rights across the board for such system- level APIs may hit the right balance ■ That’s not enough for DRM/Surface environments, however
  • 42. Further Reading ■ The NDK (Native Development Kit) is a header kit that I maintain which has the closest possible undocumented structure definitions ■ Even “j00ru” used old/incorrect/unknown structures in his papers  ■ NDK was built with information from PDBs, ASSERTs (before NT_ASSERT), private PDB (yep… the Windows 8 ones are still on the symbol server….) and .h leaks over the years, etc… ■ *NO* source code leak/etc material used. ■ J00ru’s blog and most recent talks at CONFidence 2013 and Syscan 2013
  • 43. QA ■ Greetz/shouts to: j00ru, msuiche, lilhoser