BlackHat资料us-14-Tarakanov-Data-Only-Pwning-Microsoft-Windows-Kernel-Exploitation-Of-Kernel-Pool-Overflows-On-Microsoft-Windows-8.1.pdfVIP

Data-only Pwning Microsoft Windows Kernel: Exploitation of Kernel Pool Overflows on Microsoft Windows 8.1 Nikita Tarakanov, 6th of August, BlackHat USA 2014 Las-Vegas, USA Agenda • Introduction • Basic of previous attacks • New idea • Mitigations • QA Introduction • Pool overflow exploitation techniques are quite well studied: from Windows XP/2003 times to Windows 7/8 present • Most of them target Pool internal algos/structures • Microsoft makes Pool overflows exploitation harder and harder • New ideas/techniques should appear! Pool basics Pool Header 32-bits • kd dt nt!_POOL_HEADER • +0x000 PreviousSize : Pos 0, 9 Bits • +0x000 PoolIndex : Pos 9, 7 Bits • +0x002 BlockSize : Pos 0, 9 Bits • +0x002 PoolType : Pos 9, 7 Bits • +0x004 PoolTag : Uint4B • PreviousSize: BlockSize of the preceding chunk • PoolIndex: Index into the associated pool descriptor array • BlockSize: (NumberOfBytes+0xF) 3 • PoolType: Free=0, Allocated=(PoolType|2) • PoolTag: 4 printable characters identifying the code responsible for the allocation Pool Header 64-bits • kd dt nt!_POOL_HEADER • +0x000 PreviousSize : Pos 0, 8 Bits • +0x000 PoolIndex : Pos 8, 8 Bits • +0x000 BlockSize : Pos 16, 8 Bits • +0x000 PoolType : Pos 24, 8 Bits • +0x004 PoolTag : Uint4B • +0x008 ProcessBilled : Ptr64 _EPROCESS • BlockSize: (NumberOfBytes+0x1F) 4 ( 256 ListHeads entries due to 16 byte block size ) • ProcessBilled: Pointer to process object charged for the pool allocation (used in quota management) Free Chunks • If a pool chunk is freed to a pool descriptor ListHeads list, the header is followed by a LINK_ENTRY structure • Pointed to by the ListHeads doubly-linked list • kd dt nt!_LIST_ENTRY • +0x000 Flink : Ptr32 _LIST_ENTRY • +0x004 Blink : Ptr32 _LIST_ENTRY Allocation order Merging Pool Chunks Basic of previous attacks • Pool metadata cor