Windows Internals: fuzzing, hijacking and weaponizing kernel objects
Otávio Augusto A. Silva
at
NullByte 5th Ed.
10 Nov. 2018
Otávio Augusto A. Silva (LASCA-Unicamp) Windows Internals 10 Nov. 2018 1 / 35
Agenda
1 Introduction
Context
Overview
2 Kernel - Attacks
3 Old 0day
4 D.D 0day hunt
Introduction
In the last episode...
What is Windows 10?
It's a Windows... which means backward compatibility.
New approach in a hybrid kernel.
Sanitized "sandboxes" for system processes and "critical user processes".
Enforced security behaviours that were optional until Windows 8.1.
More obscure (Nt/Sys) internals.
TPM 1.2/2.0 (Trusted Platform Module), Device Guard etc.
Forced updates.
A lot of new features were added to ensure that the user will screw with the system less.
Overview
Device Guard
Whitelists code through Code Integrity (CI) policies, kernel mode included.
Can restrict Windows to running only authorized apps, e.g. from the Windows Store.
Can also restrict execution to executables signed with a Microsoft-trusted certificate.
Memory is hardened against attacks through Hypervisor-enforced Code Integrity (HVCI).
Applies Virtualization Based Security (VBS), using Hyper-V.
Those restrictions were never planned for a standard user, who keeps executing files brought from the Internet, using the regular Win/Nt API.[a]
[a] WinAPI is documented and open for direct calls. NtApi is what WinAPI "uses" internally.
Overview
Virtualization Based Security (VBS)
"VBS uses software and hardware enforced mechanisms to create an isolated, hypervisor-restricted, specialized subsystem for storing, securing, transferring, and operating other sensitive subsystems and data."
Uses Model Specific Registers (MSRs) to, among other things, switch virtualization on (e.g. the SVME bit, Secure Virtual Machine Enable, in EFER on AMD); think of Hyper-V running a smaller-scale virtualization.
Using:
CPU virtualization extensions: Intel VT-x or AMD-V.
Input-Output Memory Management Units (IOMMU), such as Intel VT-d or AMD-Vi.
Second Level Address Translation (SLAT): Intel EPT or AMD NPT.
Recap: User-level attacks
Abusing Windows internals
Deferring symbol resolution to a later stage of execution, to evade user-mode API hooking. Ex.: resolving the NtOpenProcess symbol in ntdll.dll by hand instead of importing it.
Manually mapping a DLL: doing the loader's work yourself to inject code.
Thread hijacking: redirecting an external process's thread (its instruction pointer pointed at a code cave) to execute code.
Summing up :)
Injecting a rogue DLL into another process by hijacking one of its threads and directly mapping the DLL into the process memory. KiInjector[a]
[a] https://github.com/otavioarj/KiInjector
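The first bullet above, resolving NtOpenProcess without going through GetProcAddress, comes down to walking ntdll's export directory by hand. The C program below is an added example written for this page, not code from KiInjector or from the talk: it builds a small constructed PE32+ image in memory (only the DOS/NT header fields and the export directory that matter are filled in, laid out so that an RVA equals an offset into the buffer) and resolves names against it with a bounds-checked walk. On a live Windows system the same resolve_export() would run over ntdll's mapped image, with the base taken from the PEB loader list and the call target being base + RVA; that step is Windows-only and is left out. The helper names (rd32, in_bounds, resolve_export, build_sample_image, sample_lookup) and the three sample exports are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian accessors over a raw image buffer (no <windows.h> structs needed). */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Every RVA the image asks us to follow is checked first: a truncated or hostile
 * PE must not be able to walk the resolver out of the buffer. */
static int in_bounds(size_t len, uint32_t off, uint64_t n) {
    return off <= len && n <= len - off;
}

/* Resolve an export by name by walking IMAGE_EXPORT_DIRECTORY ourselves, the
 * same walk GetProcAddress does, without calling any (possibly hooked) API.
 * Assumes an image mapped so that RVA == offset from img. Returns the export's
 * RVA, or 0 when not found, malformed, or a forwarder. */
uint32_t resolve_export(const uint8_t *img, size_t len, const char *name) {
    if (!in_bounds(len, 0, 0x40) || img[0] != 'M' || img[1] != 'Z') return 0;
    uint32_t nt = rd32(img + 0x3c);                               /* e_lfanew */
    if (!in_bounds(len, nt, 0x18 + 0x78) || memcmp(img + nt, "PE\0\0", 4) != 0) return 0;
    uint32_t opt = nt + 0x18;                                     /* IMAGE_OPTIONAL_HEADER */
    uint32_t dd = opt + (rd16(img + opt) == 0x20b ? 0x70 : 0x60); /* DataDirectory[0]: PE32+ / PE32 */
    uint32_t exp_rva = rd32(img + dd), exp_size = rd32(img + dd + 4);
    if (exp_rva == 0 || !in_bounds(len, exp_rva, 40)) return 0;
    const uint8_t *ed = img + exp_rva;                            /* IMAGE_EXPORT_DIRECTORY */
    uint32_t nfuncs = rd32(ed + 0x14), nnames = rd32(ed + 0x18);
    uint32_t funcs = rd32(ed + 0x1c), names = rd32(ed + 0x20), ords = rd32(ed + 0x24);
    if (!in_bounds(len, funcs, (uint64_t)nfuncs * 4) || !in_bounds(len, names, (uint64_t)nnames * 4) ||
        !in_bounds(len, ords, (uint64_t)nnames * 2)) return 0;
    for (uint32_t i = 0; i < nnames; i++) {
        uint32_t name_rva = rd32(img + names + 4 * i);
        if (!in_bounds(len, name_rva, 1) || memchr(img + name_rva, 0, len - name_rva) == NULL) return 0;
        if (strcmp((const char *)img + name_rva, name) != 0) continue;
        uint16_t idx = rd16(img + ords + 2 * i); /* index into AddressOfFunctions, not ordinal + Base */
        if (idx >= nfuncs) return 0;
        uint32_t fn = rd32(img + funcs + 4 * idx);
        /* An address inside the export directory is a forwarder string ("OTHER.Func"), not code. */
        if (fn >= exp_rva && fn < exp_rva + exp_size) return 0;
        return fn;
    }
    return 0;
}

/* Constructed sample image, not a real ntdll.dll: a PE32+ header with only the
 * export data directory populated, laid out so that RVA == buffer offset. */
static void build_sample_image(uint8_t *buf, size_t len) {
    static const char *sorted_names[3]   = {"NtClose", "NtOpenProcess", "NtWriteVirtualMemory"};
    static const uint32_t fn_rvas[3]     = {0x1000, 0x1010, 0x1020}; /* NtOpenProcess, NtClose, NtWriteVirtualMemory */
    static const uint16_t name_to_fn[3]  = {1, 0, 2};                /* name order != function order */
    memset(buf, 0, len);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3c, 0x80);                  /* e_lfanew */
    memcpy(buf + 0x80, "PE\0\0", 4);
    wr16(buf + 0x98, 0x20b);                 /* OptionalHeader.Magic = PE32+ */
    wr32(buf + 0x108, 0x200);                /* DataDirectory[EXPORT].VirtualAddress */
    wr32(buf + 0x10c, 0x140);                /* DataDirectory[EXPORT].Size: 0x200..0x340 */
    uint8_t *ed = buf + 0x200;
    wr32(ed + 0x0c, 0x300);                  /* Name -> "ntdll.dll" */
    wr32(ed + 0x10, 1);                      /* Base */
    wr32(ed + 0x14, 3);                      /* NumberOfFunctions */
    wr32(ed + 0x18, 3);                      /* NumberOfNames */
    wr32(ed + 0x1c, 0x240);                  /* AddressOfFunctions */
    wr32(ed + 0x20, 0x250);                  /* AddressOfNames */
    wr32(ed + 0x24, 0x260);                  /* AddressOfNameOrdinals */
    memcpy(buf + 0x300, "ntdll.dll", 10);
    uint32_t str = 0x30a;
    for (int i = 0; i < 3; i++) {
        wr32(buf + 0x240 + 4 * i, fn_rvas[i]);
        wr32(buf + 0x250 + 4 * i, str);
        wr16(buf + 0x260 + 2 * i, name_to_fn[i]);
        memcpy(buf + str, sorted_names[i], strlen(sorted_names[i]) + 1);
        str += (uint32_t)strlen(sorted_names[i]) + 1;
    }
}

/* Build the sample image and resolve one name in it. */
uint32_t sample_lookup(const char *name) {
    static uint8_t image[0x400];
    build_sample_image(image, sizeof image);
    return resolve_export(image, sizeof image, name);
}

int main(void) {
    const char *syms[] = {"NtOpenProcess", "NtClose", "NtWriteVirtualMemory", "NtDoesNotExist"};
    for (size_t i = 0; i < 4; i++)
        printf("%-22s -> RVA 0x%x\n", syms[i], (unsigned)sample_lookup(syms[i]));
    /* On a live system: base = ntdll's image base from the PEB loader list,
     * target = base + RVA. That step is Windows-only and deliberately absent here. */
    return 0;
}
```

Note the ordinal indirection: AddressOfNameOrdinals[i] is an index into AddressOfFunctions, not the ordinal a dumper prints (which adds Base). A resolver that skips the indirection happens to work on toy images and fails on real ones, and a resolver that skips the bounds checks is itself an attack surface when pointed at an untrusted file.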
Overview
Protected Process Light (PPL)
What is PPL?
A kernel "flag"[a] in the EPROCESS struct.
Protection that denies user-mode handles to the process; System-level permission isolation (can't touch it).
Applies code integrity: only loads/runs signed code after launch; PE32/PE32+ images mapped into the process.
A device driver (an ELAM driver, in the anti-malware case) must flag a process (service) as PPL; it also claims the code-signing level required (3rd party / MS).
No code injection, DLL hijacking etc., right?
Let's take a tour through Win10's process hierarchy and "isolation".
[a] W10 build ≥ 15063 added an in-kernel code-signing check.
Protected Process Light (PPL)
Is by all means an anti-malware enhancement added in Windows 8.1 to protect system processes and "special" services (mostly A/V and DRM).
Overview
Win LPE?
UACMe: https://github.com/hfiref0x/UACME
Overview
Take it as a given: Windows UAC can be bypassed. So what CAN'T an Admin do?
All the security mechanisms listed before are there just to restrain the Admin. Why? Rootkits.
MS reinforced its kernel isolation and control so hard that A/V can't hook ANY kernel mechanism anymore. Enter the KPP scene...
Kernel Patch Protection
A.k.a. PatchGuard, added in the x64 editions of Windows (starting with XP x64), to enforce restrictions on which structures device drivers cannot modify.
Kernel Patch Protection
It works by periodically checking that protected system structures in the kernel have not been modified.
Drivers must avoid modifying/using:
system service tables (SSDT);
the interrupt descriptor table (IDT);
the global descriptor table (GDT);
kernel stacks not allocated by the kernel;
code within the kernel, HAL or NDIS kernel libraries.
Thus it doesn't offer any protection against one device driver patching another.
It relies on security by obscurity and misleading symbols, using a mutating algorithm to deploy itself into memory.[a]
[a] Outside the kernel's own physical memory.
Kernel - Attacks
Endgame
Even with Admin access, a user can't mess with the kernel. Unless he has a W10 kernel 0day, which costs A LOT.
Suppose one wants pretty hard to manipulate a protected process (PPL[a]), e.g. A/V, A/C (anti-cheat), DRM. He has to build a kernel module and get it signed with a certificate trusted by MS.
[a] https://github.com/Mattiwatti/PPLKiller
Windows 10 has Driver Signature Enforcement... A/V, A/C and DRM software usually check loaded drivers[b] against a remote chain of trust. No local certificate addition.
[b] They also check for debug boot and for some old versions of vulnerable device drivers.
Attacks
Re-starting the game :)
Direct Kernel Object Manipulation (DKOM): a.k.a. touching the kernel from user level, by going through some trusted entity, e.g. a device driver.
DKOM isn't the only way to manipulate a protected process; handle stealing is easier and faster (one doesn't need to R.E. a device driver...).
But DKOM always works, and going through the kernel is cool :)
It relies on the manipulation of some kind of device driver interface with the kernel, usually through I/O control (known as IOCTL).
Manipulation through a flaw in the device driver, or through (wrong) permission management of the device end-point exposed to user level.
Attacks
Windows drivers have an important interface with user level: I/O Request Packets (IRPs).
IRPs are sent to a driver when a particular operation occurs on the driver's device object, e.g. \Device\DDevice.
The end interfaces to which IRPs are sent: the Major Functions, such as create/close, read/write, and I/O control (IOCTL).
This interface is created in DriverEntry with IoCreateDevice and then linked (user-kernel) with IoCreateSymbolicLink, which gives the device the \DosDevices name that user mode opens as \\.\Name.
Then the rest is a table of pointers (DriverObject->MajorFunction[]) to routines that execute inside the kernel; a kernel interface visible from user level?
Devices?
ACLs?
Attacks
Many device drivers don't register a restrictive ACL for their device end-point, meaning that an unprivileged user can access it; privilege escalation, at least...
Or simply the device driver has a flaw that can be exploited to manipulate kernel pages, physical memory or even driver pointers! Kernel arbitrary code execution.
DKOM usually demands that the exploit reimplements some kernel functionality in order to operate on the kernel object through the driver's functions.
Example: the driver has a function that lets one read the CR3 register, giving access to the page directory and therefore to the memory pages, which can then be iterated through driver functions ;)
Attacks
We have a lot of famous examples:
Capcom.sys: has an IOCTL that disables SMEP (Supervisor Mode Execution Prevention)[a], calls a caller-provided function pointer (shellcode?!), and sets SMEP back.
ASMMAP.sys: IOCTLs that map or unmap into the calling process's address space ANY PART OF PHYSICAL MEMORY, with READ/WRITE permissions.
WinNT/Turla with VBoxDrv.sys: a set of IOCTLs and a "magic word" for the VBox driver API, which allow reading kernel symbol tables and writing to specific regions (to turn off DSE[b]).
[a] When set (CR4.SMEP), executing code from user-mode pages while in a higher-privileged ring generates a fault. Flipping it is KPP-detectable.
[b] Driver Signature Enforcement.
Attacks
My contribution :P
CVE-2018-8060 and CVE-2018-8061 for the HWiNFO AMD64 kernel driver version 8.98 and lower, which allows an unprivileged user to send IOCTLs to the device driver.
Dispatching IOCTL 0x85FE2608 with an input buffer containing a physical memory address, a size and a virtual memory address results in the driver mapping the physical memory and reading it, copying its content to the virtual address.[a]
[a] PoC: https://github.com/otavioarj/SIOCtl
Basically, if a company made a device driver to control its product through a "proprietary API", you probably have a new driver-IOCTL attack surface; bad practice is pretty common.
Old 0day
All the flawed device drivers listed here were exploited and widely spread. But they continue to work!!
One can right now download a vulnerable Nvidia driver, even without an Nvidia GPU, and exploit it to manipulate the kernel; an "old 0day" still usable.
Remember how?
MS automatically signs OEM drivers; no code review!!
OEMs use the same certificate for multiple drivers; no vulnerable driver will have its certificate revoked!
Old 0day
Mitigations
It's not always a double rainbow:
some A/Vs block old drivers which aren't used anymore; only CPUID and Process Hacker were blocked when testing with Avast, Avira and AVG :)
A/C and DRM are more aggressive: they don't care whether you're using an old driver; if their driver loads and detects a blacklisted driver loaded, it unloads itself and alerts a user-mode service.
some A/Cs[a] use a highly sophisticated approach: ObRegisterCallbacks from the Windows kernel API, to check for rogue drivers.
[a] BattlEye, Lord of Bans
What about hunting your own device driver IOCTL 0day? Might work :)
D.D 0day hunt
Be advised, it's simply an R.E. task. A bunch of senseless code, assembly and a lot of pain.
Any debugger which can read Windows Driver Kit symbols can be used; I recommend IDA Pro or x64dbg :).
We are interested only in device drivers which create an I/O device, so this cuts some fat from the analysis; hunt first of all for IoCreateDevice.
There is no need to escalate permissions here, so I/O devices with wrong/insufficient permissions will not be a thing.
WinObj can be used to locate devices created with a bad ACL; a.k.a. the privilege-escalation approach.
D.D 0day hunt
So what?
IOCTL codes are usually clear when reversing: "cmp register, IOCTL_CODE" chains in the dispatch routine.
Provide enough data to follow the right flow, and you can trigger/reach device driver operations.
Almost all IOCTLs move kernel (virtual) memory to other kernel memory; likely a memcpy.
Lazy?
What about a fuzzer capable of finding the IOCTLs of a device driver, detecting their mode of operation[a] with timed and guided test-case tuning, including output analysis?
[a] METHOD_BUFFERED, METHOD_IN/OUT_DIRECT or METHOD_NEITHER
SIOCTLBF: https://github.com/otavioarj/SIOCTLBF
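Both the HWiNFO code above (0x85FE2608) and the fuzzer's "mode of operation" detection turn on how Windows packs an I/O control code. The C program below is an added example for this page, not part of SIOCtl or SIOCTLBF: it decodes a code into the four CTL_CODE fields, states where the driver finds the caller's buffers for each transfer method, flags codes that the I/O manager dispatches regardless of handle rights, and generates the vendor-defined function range a brute-forcer would walk for a given device type. The bit layout is the Windows DDK's; the function and type names are this example's own, and the buffer sizes a real fuzzer would vary per test case are not modelled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* CTL_CODE(DeviceType, Function, Method, Access) packs an I/O control code as
 *   (DeviceType << 16) | (Access << 14) | (Function << 2) | Method
 * The field positions are the Windows DDK's; everything else here is ours. */
enum { METHOD_BUFFERED = 0, METHOD_IN_DIRECT = 1, METHOD_OUT_DIRECT = 2, METHOD_NEITHER = 3 };
enum { FILE_ANY_ACCESS = 0, FILE_READ_ACCESS = 1, FILE_WRITE_ACCESS = 2 };

typedef struct {
    uint32_t device_type;  /* 0x8000 and above: vendor-defined */
    uint32_t function;     /* 0x800 and above: vendor-defined */
    uint32_t method;       /* how the I/O manager marshals the two buffers */
    uint32_t access;       /* rights the handle must have been opened with */
} ioctl_fields;

uint32_t encode_ioctl(uint32_t device_type, uint32_t function, uint32_t method, uint32_t access) {
    return ((device_type & 0xffff) << 16) | ((access & 3) << 14) | ((function & 0xfff) << 2) | (method & 3);
}

ioctl_fields decode_ioctl(uint32_t code) {
    ioctl_fields f;
    f.device_type = (code >> 16) & 0xffff;
    f.access      = (code >> 14) & 0x3;
    f.function    = (code >> 2)  & 0xfff;
    f.method      = code & 0x3;
    return f;
}

/* Where the driver's IRP_MJ_DEVICE_CONTROL handler finds the caller's data for
 * each transfer method: the "mode of operation" a fuzzer must respect when it
 * builds a test case, and the first thing to read off a code while reversing. */
const char *method_description(uint32_t method) {
    switch (method & 3) {
    case METHOD_BUFFERED:
        return "METHOD_BUFFERED: input copied into Irp->AssociatedIrp.SystemBuffer, output copied back from it";
    case METHOD_IN_DIRECT:
        return "METHOD_IN_DIRECT: input in SystemBuffer, second buffer locked in an MDL for the driver to read";
    case METHOD_OUT_DIRECT:
        return "METHOD_OUT_DIRECT: input in SystemBuffer, second buffer locked in an MDL for the driver to write";
    default:
        return "METHOD_NEITHER: raw user pointers (Type3InputBuffer / UserBuffer); the driver must probe them itself";
    }
}

/* FILE_READ_ACCESS / FILE_WRITE_ACCESS codes are only dispatched when the handle
 * was opened with those rights, which the device DACL had to grant. FILE_ANY_ACCESS
 * codes are dispatched for any handle at all, so on a device whose DACL lets
 * everyone open it, nothing stands between an unprivileged caller and the handler. */
int reachable_with_any_handle(uint32_t code) {
    return decode_ioctl(code).access == FILE_ANY_ACCESS;
}

/* The 2048 vendor-defined function numbers for one device type / method / access:
 * the list a brute-forcer sends to see which codes the dispatch routine answers
 * with something other than STATUS_INVALID_DEVICE_REQUEST. Returns how many were written. */
size_t vendor_ioctl_range(uint32_t device_type, uint32_t method, uint32_t access,
                          uint32_t *out, size_t max) {
    size_t n = 0;
    for (uint32_t fn = 0x800; fn <= 0xfff && n < max; fn++)
        out[n++] = encode_ioctl(device_type, fn, method, access);
    return n;
}

static uint32_t candidates[0x800];   /* scratch buffer for the enumeration */

int main(void) {
    uint32_t code = 0x85FE2608;      /* the HWiNFO code from the slide */
    ioctl_fields f = decode_ioctl(code);
    printf("0x%08X: device type 0x%X, function 0x%X, access %u\n  %s\n",
           (unsigned)code, (unsigned)f.device_type, (unsigned)f.function, (unsigned)f.access,
           method_description(f.method));
    printf("  dispatched for a handle opened with no rights: %s\n",
           reachable_with_any_handle(code) ? "yes" : "no");
    size_t n = vendor_ioctl_range(f.device_type, f.method, f.access, candidates, 0x800);
    printf("%zu brute-force candidates: 0x%08X .. 0x%08X\n",
           n, (unsigned)candidates[0], (unsigned)candidates[n - 1]);
    return 0;
}
```

Decoding 0x85FE2608 gives device type 0x85FE, function 0x982, METHOD_BUFFERED and FILE_ANY_ACCESS: the I/O manager copies the input buffer into SystemBuffer and requires no particular access right on the handle, so the only thing between an unprivileged caller and the handler is the DACL on the device object, which is exactly what the WinObj check on the previous slides looks for. Because the transfer method is fixed by the low two bits of the code, a fuzzer does not have to guess it; what it has to discover is which function numbers the dispatch routine accepts and what input sizes they expect. METHOD_NEITHER codes deserve the hardest look when reversing, since the driver sees raw user pointers and must probe them itself.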
Demo
Questions?
 
Speed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in MinutesSpeed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in Minutesconfluent
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaRTTS
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor TurskyiFwdays
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Product School
 
НАДІЯ ФЕДЮШКО БАЦ «Професійне зростання QA спеціаліста»
НАДІЯ ФЕДЮШКО БАЦ  «Професійне зростання QA спеціаліста»НАДІЯ ФЕДЮШКО БАЦ  «Професійне зростання QA спеціаліста»
НАДІЯ ФЕДЮШКО БАЦ «Професійне зростання QA спеціаліста»QADay
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...Product School
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...Product School
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
 
Quantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIsQuantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIsVlad Stirbu
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...Product School
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Alison B. Lowndes
 
In-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT ProfessionalsIn-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT ProfessionalsExpeed Software
 

Recently uploaded (20)

To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
Speed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in MinutesSpeed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in Minutes
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
НАДІЯ ФЕДЮШКО БАЦ «Професійне зростання QA спеціаліста»
НАДІЯ ФЕДЮШКО БАЦ  «Професійне зростання QA спеціаліста»НАДІЯ ФЕДЮШКО БАЦ  «Професійне зростання QA спеціаліста»
НАДІЯ ФЕДЮШКО БАЦ «Професійне зростання QA спеціаліста»
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
Quantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIsQuantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIs
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
In-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT ProfessionalsIn-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT Professionals
 

Windows Internals: fuzzing, hijacking and weaponizing kernel objects

  • 1. Windows Internals: fuzzing, hijacking and weaponizing. Otávio Augusto A. Silva at NullByte 5a. Ed., 10 Nov. 2018. Otávio Augusto A. Silva (LASCA-Unicamp), Windows Internals, 10 Nov. 2018, 1 / 35
  • 2. Agenda: 1 Introduction (Context, Overview); 2 Kernel - Attacks; 3 Old 0day; 4 D.D 0day hunt.
  • 3. 1 Introduction (Context, Overview); 2 Kernel - Attacks; 3 Old 0day; 4 D.D 0day hunt.
  • 4. Introduction. In the last episode... What is Windows 10? It's a Windows... which means retro-compatibility. New approach in a hybrid kernel. Sanitized "sandboxes" for system processes and "critical user processes". Enforced security behaviour that was optional until Windows 8.1. More obscure (Nt/Sys) internals. TPM1-2 (Trusted Platform Module), Device Guard etc. Forced updates. A lot of new features were added to ensure that the user will not screw (as much) with the system.
  • 5. (figure only)
  • 6. Overview: Device Guard. Whitelists parts of kernel code with Code Integrity (CI). Restricts Windows to only authorized apps from the Windows Store. Also restricts execution to executables signed with a Microsoft certificate. Memory is hardened against attacks through Hypervisor Code Integrity (HVCI). Applies Virtualization Based Security (VBS), using Hyper-V. Those restrictions were never planned for a standard user, who keeps executing files brought from the Internet using the regular Win/NtApi (a). (a: WinAPI is documented and open for direct calls; NtApi is what WinAPI "uses" internally.)
  • 7. Overview: Virtualization Based Security (VBS). "VBS uses software and hardware enforced mechanisms to create an isolated, hypervisor-restricted, specialized subsystem for storing, securing, transferring, and operating other sensitive subsystems and data." Uses Model Specific Registers (MSRs) to, among other things, enable the Secure Virtual Machine Enable (SVME) bits (a.k.a. Hyper-V with smaller-scale virtualization). Using: CPU virtualization extensions (Intel VT or AMD-V); Input-Output Memory Management Units (such as VT-d or AMD-IOV); Second Level Address Translation.
  • 8. Recap: User-level attacks. Abusing Windows internals: forwarding symbol resolution to a later stage of execution, to avoid user-side API hooking (e.g. the NtOpenProcess symbol in ntdll.dll). Manually mapping a DLL, doing the loader's work to inject code. Thread hijacking: taking over an external process's thread to execute code (thread I.P. pointed at a code cave). Sum it up :) Injecting a rogue DLL into another process by hijacking one of its threads and directly mapping the DLL into the process memory. KiInjector (a). (a: https://github.com/otavioarj/KiInjector)
  • 9. Overview: Protected Process Light (PPL). What is PPL? A kernel "flag" (a) in the EPROCESS struct. Protection that denies user handles to it; system permission isolation (can't touch it). Applies code integrity: only loads/runs signed code after launching; PE32/+ to process. A device driver must flag a process (service) as PPL; it also claims the level of code signing (3rd party/MS). No code injection, DLL hijacking etc., right? Let's take a tour of Win10's process hierarchy and "isolation". (a: W10 build ≥ 15063 added an in-kernel code-sign check.)
  • 10. Protected Process Light (PPL) is by all means an anti-malware enhancement added in Windows 8.1 to protect system processes and "special" services (likely A/V and DRM).
  • 11. (figure only)
  • 12. Overview: Win LPE? UACMe: https://github.com/hfiref0x/UACME
  • 13. Overview. Take it as given: Windows UAC can be bypassed. So what CAN'T an Admin do? All the security mechanisms listed before are just there to restrain the Admin. Why? Rootkits. MS reinforced its kernel isolation and control so hard that A/V can't hook ANY kernel mechanism anymore. The KPP scene... Kernel Patch Protection, a.k.a. PatchGuard, added in x64 editions of Windows (XP), enforces restrictions on which structures device drivers cannot modify.
  • 14. Kernel Patch Protection. It works by periodically checking that protected system structures in the kernel have not been modified. Drivers must avoid modifying/using: the system service tables; the interrupt descriptor table; the global descriptor table; kernel stacks not allocated by the kernel; writing code within the kernel, HAL or NDIS kernel libraries. Thus it doesn't offer any protection against one device driver patching another. It relies on security by obscurity and misleading symbols, using a mutating algorithm to deploy itself into memory (a). (a: outside kernel physical memory.)
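The periodic integrity check slide 14 describes, modelled in user-mode C as an added example (not code from the talk and not PatchGuard's own logic): a dispatch table standing in for a system service table is hashed when it is sealed, re-verified later, and any entry that no longer matches is reported by slot. All type and function names here are hypothetical; nothing maps to real kernel structures.

```c
/* Added example: a user-mode model of a Kernel Patch Protection style check.
 * The table, the seal and every name below are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TABLE_ENTRIES 4

typedef int (*svc_fn)(int);

/* The protected structure: a dispatch table of service routines. */
typedef struct {
    svc_fn entries[TABLE_ENTRIES];
} service_table;

/* Snapshot taken at seal time: one FNV-1a hash of the whole table for a fast
 * check, plus a per-entry copy so a failed check can name the modified slot. */
typedef struct {
    uint64_t table_hash;
    svc_fn   expected[TABLE_ENTRIES];
} table_seal;

static uint64_t fnv1a64(const void *data, size_t len)
{
    const unsigned char *p = data;
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= 1099511628211ULL;
    }
    return h;
}

/* Record the trusted state of the table. */
void seal_table(const service_table *t, table_seal *s)
{
    s->table_hash = fnv1a64(t->entries, sizeof t->entries);
    memcpy(s->expected, t->entries, sizeof s->expected);
}

/* Verify the table against its seal. Returns the number of modified entries;
 * the index of the first one is written to *first_bad (-1 if none). */
int verify_table(const service_table *t, const table_seal *s, int *first_bad)
{
    *first_bad = -1;
    if (fnv1a64(t->entries, sizeof t->entries) == s->table_hash)
        return 0;                       /* fast path: nothing changed */
    int bad = 0;
    for (int i = 0; i < TABLE_ENTRIES; i++) {
        if (t->entries[i] != s->expected[i]) {
            if (*first_bad < 0) *first_bad = i;
            bad++;
        }
    }
    return bad;
}

/* Sample services (constructed for the example). */
static int svc_open(int x)  { return x + 1; }
static int svc_read(int x)  { return x + 2; }
static int svc_write(int x) { return x + 3; }
static int svc_close(int x) { return x + 4; }

/* Replacement routine used to simulate a patched table entry. */
static int patched_read(int x) { return -x; }

/* Seal a table, patch one slot, and verify: returns the count of changed
 * entries (1 here) and writes the slot index (1) to *first_bad. */
int demo_detect_patch(int *first_bad)
{
    service_table t = { { svc_open, svc_read, svc_write, svc_close } };
    table_seal s;
    seal_table(&t, &s);
    t.entries[1] = patched_read;        /* simulate the modification */
    return verify_table(&t, &s, first_bad);
}

int main(void)
{
    int slot;
    int n = demo_detect_patch(&slot);
    printf("%d modified entr%s; first at slot %d\n", n, n == 1 ? "y" : "ies", slot);
    return n ? 1 : 0;
}
```

The fast path is the part that matters for a periodic check: one hash over the whole table is cheap enough to run often, and the per-entry comparison only runs when the hash disagrees. As slide 14 notes, a check like this only catches changes to the structures it seals; a driver patching another driver's code is outside its view.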
  • 15. 1 Introduction; 2 Kernel - Attacks; 3 Old 0day; 4 D.D 0day hunt.
  • 16. Kernel - Attacks: Ender game. Even with Admin access, a user can't mess with the kernel, unless he has a W10 kernel 0day, which costs A LOT. Suppose one wants pretty hard to manipulate a protected process (PPL (a)), e.g. A/V, A/C, DRM. He has to build a kernel module and buy a certificate from MS. (a: https://github.com/Mattiwatti/PPLKiller) Windows 10 has Signed Driver Enforcement... A/V, A/C and DRM software usually check loaded drivers (b) against a remote chain of trust; no local certificate addition. (b: They also check debug boot and some old versions of vulnerable device drivers.)
  • 17. Attacks: RE-starting the game :) Direct Kernel Object Manipulation (DKOM): a.k.a. touching the kernel through user level, by hitting some trusted entity, e.g. a device driver. DKOM isn't the only way to manipulate a protected process; handle stealing is easier and faster (one doesn't need to R.E. a device driver...). But DKOM always works, and going through the kernel is cool :) It relies on the manipulation of some kind of device driver interface with the kernel, usually through I/O control (known as IOCTL). Manipulation by a flaw in the device driver, or by (wrong) permission management on the device endpoint within user level.
  • 18. Attacks. Windows drivers have an important interface with user level: I/O Request Packets (IRPs). IRPs are sent to a driver when a particular operation occurs on the driver's device object, e.g. \Device\DDevice. The end interfaces to which IRPs are sent are the Major Functions: open/close, read/write, and I/O control (IOCTL). This interface is created at DriverEntry with IoCreateDevice and then linked (user-kernel services) with IoCreateSymbolicLink. The rest is a list of pointers to (Major Function) routines that execute inside the kernel; a kernel interface visible from user level?
  • 19. Devices? (figure only)
  • 20. ACLs? (figure only)
  • 21. Attacks. Many device drivers don't register a restrictive ACL for their device endpoint, meaning that an unprivileged user can access it: privilege escalation at least.... Or simply a device driver has a flaw that can be exploited to manipulate kernel pages, physical memory or even driver pointers! Kernel arbitrary code execution. DKOM usually demands that the exploit implements some kernel function to operate on the kernel object through driver functions. Example: a driver has a function that allows one to read the cr3 register, giving access to the page directory, and so memory pages can be iterated through driver functions ;)
  • 22. Attacks. We have a lot of famous examples. Capcom.sys: has an ioctl that disables SMEP (Supervisor Mode Execution Protection Enable (a)), calls a provided function pointer (shell code?!), and sets SMEP back. ASMMAP.sys: ioctls that map or unmap to the calling process's address space ANY PART OF PHYSICAL MEMORY, with READ/WRITE permissions. WinNT/Turla, VBoxDrv.sys: a set of ioctls and a "magic word" for the VBox driver API that allow reading the kernel symbol table and writing to specific regions (DSE (b)). (a: If set, execution of code in a higher ring generates a fault; KPPable. b: Driver Signature Enforcement.)
  • 23. Attacks: My contribution :P CVE-2018-8060 and CVE-2018-8061 for the HWiNFO AMD64 kernel driver version 8.98 and lower, which allows an unprivileged user to send IOCTLs to the device driver. Dispatching IOCTL 0x85FE2608 with an in-buffer containing a physical memory address, a size and a virtual memory address results in the driver mapping the physical memory and reading it, copying its content to the virtual address (a). (a: PoC: https://github.com/otavioarj/SIOCtl) Basically, if a company made a device driver to control its product using a "proprietary API", you probably have a new driver IOCTL attack surface; bad practice is pretty common.
  • 24. 1 Introduction; 2 Kernel - Attacks; 3 Old 0day; 4 D.D 0day hunt.
  • 25. Old 0day. All the flawed device drivers listed here were exploited and widely spread, but they continue to work!! One can right now download a vulnerable Nvidia driver, even without an Nvidia GPU, and exploit it to manipulate the kernel: an "old 0day" still usable. Remember how? MS automatically signs OEM drivers; no code review!! OEMs use the same certificate for multiple drivers; no vulnerable driver will have its certificate revoked!
  • 26. Old 0day: Mitigations. It's not always a double rainbow: some A/Vs block old drivers that aren't used anymore; only CPUID and Process Hacker were blocked when testing Avast, Avira and AVG :) A/C and DRM were more aggressive: they don't care if you're using an old driver; if their driver loads and detects a blacklisted driver loaded, it unloads itself and alerts a user service. Some A/C (a) use a highly sophisticated approach: ObRegisterCallbacks from the Windows kernel API, to check for rogue drivers. (a: BattlEye, Lord of Bans.) What about hunting your own driver IOCTL 0day? Might work :)
  • 27. 1 Introduction; 2 Kernel - Attacks; 3 Old 0day; 4 D.D 0day hunt.
  • 28. D.D 0day hunt. Be advised, it's simply an R.E. task: a bunch of senseless code, assembly and a lot of pain. Any debugger that can read Windows Driver Dev. Kit symbols can be used; I recommend IDA Pro or x64dbg :). We are interested only in drivers that create an I/O device, so this cuts some fat from the analysis: first of all, hunt for IoCreateDevice. There is no need to escalate permissions, so I/O devices with wrong/ineffective permissions will not be a thing. WinObj can be used to locate devices created with a bad ACL; a.k.a. the privilege escalation approach.
  • 29. (figure only)
  • 30. (figure only)
  • 31. D.D 0day hunt: So what? IOCTL codes are usually clear when reversing: "cmp register, IOCTL". Provide enough data to follow the right flow, and you can trigger/reach driver operations. Almost all IOCTLs move kernel (virtual) memory to another kernel memory location; likely a memcpy. Lazy? What about a fuzzer capable of finding the IOCTLs of a driver, detecting their mode of operation (a) with timed and guided test-case tuning, including output analysis? (a: METHOD_BUFFERED, METHOD_X_DIRECT or METHOD_NEITHER.)
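Slides 18, 23 and 31 all turn on what an IOCTL control code encodes: the device type, the access right the handle must hold, the function number and the buffer method named in slide 31's footnote. The following added example (my own code, not from the talk, SIOCtl or SIOCTLBF) decodes a code into those fields using the documented CTL_CODE() layout, and applies a small review heuristic that is this example's own, not a Microsoft rule. The value 0x85FE2608 is the one slide 23 names; the second code and every function name are constructed for the example.

```c
/* Added example: decode and encode Windows I/O control codes.
 * Layout (documented CTL_CODE macro):
 *   bits 31..16 DeviceType, bits 15..14 RequiredAccess,
 *   bits 13..2  Function,   bits  1..0 TransferType (method). */
#include <stdint.h>
#include <stdio.h>

/* Method (transfer type) and access values as defined in the Windows headers. */
enum { METHOD_BUFFERED = 0, METHOD_IN_DIRECT = 1, METHOD_OUT_DIRECT = 2, METHOD_NEITHER = 3 };
enum { FILE_ANY_ACCESS = 0, FILE_READ_ACCESS = 1, FILE_WRITE_ACCESS = 2 };

typedef struct {
    uint16_t device_type; /* 0x8000 and above is the vendor-defined range */
    uint8_t  access;      /* FILE_*_ACCESS the handle must have been opened with */
    uint16_t function;    /* 12 bits; 0x800 and above is the vendor-defined range */
    uint8_t  method;      /* METHOD_*: how the I/O manager hands buffers to the driver */
} ioctl_fields;

/* Same arithmetic as the CTL_CODE macro in the Windows headers. */
uint32_t ctl_code(uint32_t device_type, uint32_t function, uint32_t method, uint32_t access)
{
    return (device_type << 16) | (access << 14) | (function << 2) | method;
}

ioctl_fields decode_ioctl(uint32_t code)
{
    ioctl_fields f;
    f.device_type = (uint16_t)(code >> 16);
    f.access      = (uint8_t)((code >> 14) & 0x3u);
    f.function    = (uint16_t)((code >> 2) & 0xFFFu);
    f.method      = (uint8_t)(code & 0x3u);
    return f;
}

static const char *method_name(uint8_t m)
{
    static const char *names[] = { "METHOD_BUFFERED", "METHOD_IN_DIRECT",
                                   "METHOD_OUT_DIRECT", "METHOD_NEITHER" };
    return names[m & 3];
}

static const char *access_name(uint8_t a)
{
    static const char *names[] = { "FILE_ANY_ACCESS", "FILE_READ_ACCESS",
                                   "FILE_WRITE_ACCESS", "FILE_READ_ACCESS|FILE_WRITE_ACCESS" };
    return names[a & 3];
}

/* Review heuristic (this example's own). One point each for:
 *  - FILE_ANY_ACCESS: anyone who can open the device at all can issue the
 *    code, so the device object's ACL (slide 21) is the only gate;
 *  - METHOD_NEITHER: the driver receives raw user-mode pointers and must
 *    probe and validate them itself;
 *  - vendor-defined device type and function: no public documentation to
 *    check the handler against. */
int ioctl_review_score(uint32_t code)
{
    ioctl_fields f = decode_ioctl(code);
    int score = 0;
    if (f.access == FILE_ANY_ACCESS) score++;
    if (f.method == METHOD_NEITHER) score++;
    if (f.device_type >= 0x8000u && f.function >= 0x800u) score++;
    return score;
}

void print_ioctl(uint32_t code)
{
    ioctl_fields f = decode_ioctl(code);
    printf("0x%08X: DeviceType=0x%04X Function=0x%03X %s %s (review score %d)\n",
           (unsigned)code, (unsigned)f.device_type, (unsigned)f.function,
           method_name(f.method), access_name(f.access), ioctl_review_score(code));
}

int main(void)
{
    print_ioctl(0x85FE2608u);                                                   /* slide 23 */
    print_ioctl(ctl_code(0x8000, 0x801, METHOD_NEITHER, FILE_WRITE_ACCESS));   /* constructed */
    return 0;
}
```

For 0x85FE2608 the decoder yields DeviceType 0x85FE, Function 0x982, METHOD_BUFFERED and FILE_ANY_ACCESS: a vendor-defined code that requires no particular access right on the handle, which is consistent with slide 23's statement that an unprivileged user could send it. The method field is what a fuzzer such as the one slide 31 describes has to infer before it can shape its buffers, and it is what decides whether the driver or the I/O manager is responsible for validating the caller's pointers.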
  • 32. https://github.com/otavioarj/SIOCTLBF
  • 33. (figure only)
  • 34. Demo
  • 35. Questions?