SlideShare une entreprise Scribd logo

Kernel Pool

Télécharger en tant que ODP, PDF
G
guest215c4e
Santé & MédecineBusiness
1  sur  73
[object Object],[object Object],[object Object],[object Object]
Agenda ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
[object Object]
Introduction ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Population People who write exploits People who write Windows overflows People who write Windows Kernel Pool Overflows
Other considerations ,[object Object],[object Object],[object Object]
Diversity increases QA costs dramatically
Addresses May Vary ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
[object Object]
Kernel Pool vs. Userland Heap ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Kernel Pool ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Pools Definitions ,[object Object],[object Object],[object Object],[object Object],[object Object]
Non Paged Pool ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Paged Pool ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Session Paged Pool ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
nt!_POOL_DESCRIPTOR ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Pool Descriptor ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
ListHeads 0 1 2 3 4 511 ... 8 bytes 24 bytes 24 bytes 32 bytes 24 bytes Each chunk of data is preceded by a 8 byte header structure
nt!_POOL_HEADER ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Chunk Header ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Free Chunk Header ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Lookaside Lists ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
nt!_GENERAL_LOOKASIDE ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
nt!MmNonPagedPoolFreeListHead ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
[object Object]
Allocation Summary ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Simplified Allocation Algorithm nt!ExAllocatePoolWithTag (1/2) ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Simplified Allocation Algorithm nt!ExAllocatePoolWithTag (2/2) ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Free Chunk Splitting ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Splitting Schema Free Chunk Free Chunk Free Chunk Free Chunk Free chunk at the beginning of a page, allocated chunk goes at the front Otherwise, allocated chunk goes at the end
Free Summary ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Simplified Free Algorithm nt!ExFreePoolWithTag (1/2) ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Simplified Free Algorithm nt!ExFreePoolWithTag (2/2) ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Merging Schema Free Chunk Busy Chunk Free Chunk Free Chunk Free Chunk Free Chunk Chunk being freed Merge #1 Merge #2
[object Object]
Pool BugChecks ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
BugCheck Example
Some BugCheck Conditions ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Exploitable Overflows? ,[object Object],[object Object],[object Object]
Kernel Pool Unlink ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Notations Our chunk Chunk we overflow Overflow Potential list entry depending on chunk type Kernel Pool Overflow Header Next Header List Entry
Different Write4 ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Write4 on Merge with Next Case #1 ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Exploit Case #1 ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Write4 on Merge with Previous Case #2 ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Exploit Case #2 (1/2) ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Exploit Case #2 (2/2) ,[object Object],[object Object],[object Object],[object Object],Header Next Header Header Overflow List Entry Overflow PreviousSize of next chunk Merge Next Header Fake Header
ListHeads Write4 ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
ListHeads Illustrated (1/3) ListHeads[n] Flinks Free Chunk Free Chunk Free Chunk : Overflowed list entry Flink Blink Flink Blink Flink Blink Flink Blink
ListHeads Illustrated (1/3) ListHeads[n] Blinks Free Chunk Free Chunk Free Chunk : Overflowed list entry Flink Blink Flink Blink Flink Blink Flink Blink
ListHeads Illustrated (2/3) ListHeads[n] Free Chunk Free Chunk PLIST_ENTRY b,f; f=ListHeads[n]  Flink  Flink; b=ListHeads[n]  Flink  Blink; b  Flink=f; f  Blink=b; Allocation of size n unlinks ListHeads[n]  Flink Flink Blink Flink Blink Flink Blink
ListHeads Illustrated (3/3) ListHeads[n] Free Chunk PLIST_ENTRY b,f; f=ListHeads[n]  Flink  Flink; b=ListHeads[n]  Flink  Blink; b  Flink=f; f  Blink=b; ⇦ might AV Allocation of size n unlinks ListHeads[n]  Flink ListHeads[n]  Flink is now under our control! Flink Blink Flink Blink
MMFREE_POOL_ENTRY Write4 ,[object Object],[object Object],[object Object],[object Object],[object Object]
What? Where? ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Some Ideas Non Exhaustive ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Write4 into the Kernel ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Edx points to something we control Jmp edx being 2 bytes long, we can pick the upper 2 so that the write4 doesn't trigger an access violation
Fixing the Kernel Pool ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
[object Object]
History ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
IGMPv3 Membership Queries RFC 3376 ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Vulnerability ,[object Object],[object Object],[object Object],⇦ Failed!
Trigger ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Issues (1/2) ,[object Object],[object Object],[object Object],[object Object],[object Object]
Issues (2/2) ,[object Object],[object Object],[object Object],[object Object],[object Object]
Solutions ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Dirty Way 256<(n%0x10000)*4+8<4080 ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Why would it work? ... ... 0x14 byte buffers Kernel Pool is filled with n 0x14 byte buffers Buffer closest to our allocated buffer is the 1 st one to be copied and freed Requires a “carpet” of ~13000 contiguous 0x14 byte buffers (not too hard) Our buffer will be allocated before those (we pretty much exhausted all the free chunks) Overflow
Clean Way (0x10000-(n%0x10000))*4=8 ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
[object Object]
Conclusion ,[object Object],[object Object],[object Object]
NUMA ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Literature ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
[object Object],[object Object]

Recommandé

Pwning in c++ (basic)
Pwning in c++ (basic)Pwning in c++ (basic)
Pwning in c++ (basic)
Angel Boy
 
Tcache Exploitation
Tcache ExploitationTcache Exploitation
Tcache Exploitation
Angel Boy
 
Advanced heap exploitaion
Advanced heap exploitaionAdvanced heap exploitaion
Advanced heap exploitaion
Angel Boy
 
Heap exploitation
Heap exploitationHeap exploitation
Heap exploitation
Angel Boy
 
Play with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit TechniquePlay with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit Technique
Angel Boy
 
Linux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingLinux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend Programing
Angel Boy
 
Execution
ExecutionExecution
Execution
Angel Boy
 
MacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) ExploitationMacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) Exploitation
Angel Boy
 

Recommandé

Pwning in c++ (basic)
Pwning in c++ (basic)Pwning in c++ (basic)
Pwning in c++ (basic)
Angel Boy
 
Tcache Exploitation
Tcache ExploitationTcache Exploitation
Tcache Exploitation
Angel Boy
 
Advanced heap exploitaion
Advanced heap exploitaionAdvanced heap exploitaion
Advanced heap exploitaion
Angel Boy
 
Heap exploitation
Heap exploitationHeap exploitation
Heap exploitation
Angel Boy
 
Play with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit TechniquePlay with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit Technique
Angel Boy
 
Linux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingLinux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend Programing
Angel Boy
 
Execution
ExecutionExecution
Execution
Angel Boy
 
MacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) ExploitationMacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) Exploitation
Angel Boy
 
Linux Binary Exploitation - Heap Exploitation
Linux Binary Exploitation - Heap Exploitation Linux Binary Exploitation - Heap Exploitation
Linux Binary Exploitation - Heap Exploitation
Angel Boy
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
Peter Hlavaty
 
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows Kernel
Peter Hlavaty
 
Linux binary Exploitation - Basic knowledge
Linux binary Exploitation - Basic knowledgeLinux binary Exploitation - Basic knowledge
Linux binary Exploitation - Basic knowledge
Angel Boy
 
Master Canary Forging by Yuki Koike - CODE BLUE 2015
Master Canary Forging by Yuki Koike - CODE BLUE 2015Master Canary Forging by Yuki Koike - CODE BLUE 2015
Master Canary Forging by Yuki Koike - CODE BLUE 2015
CODE BLUE
 
Socket Programming In Python
Socket Programming In PythonSocket Programming In Python
Socket Programming In Python
didip
 
Binary exploitation - AIS3
Binary exploitation - AIS3Binary exploitation - AIS3
Binary exploitation - AIS3
Angel Boy
 
Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021
Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021
Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021
Valeriy Kravchuk
 
Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)
Angel Boy
 
ROP 輕鬆談
ROP 輕鬆談ROP 輕鬆談
ROP 輕鬆談
hackstuff
 
Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)
Angel Boy
 
BPF Internals (eBPF)
BPF Internals (eBPF)BPF Internals (eBPF)
BPF Internals (eBPF)
Brendan Gregg
 
Building Network Functions with eBPF & BCC
Building Network Functions with eBPF & BCCBuilding Network Functions with eBPF & BCC
Building Network Functions with eBPF & BCC
Kernel TLV
 
twlkh-linux-vsyscall-and-vdso
twlkh-linux-vsyscall-and-vdsotwlkh-linux-vsyscall-and-vdso
twlkh-linux-vsyscall-and-vdso
Viller Hsiao
 
In-Memory Evolution in Apache Spark
In-Memory Evolution in Apache SparkIn-Memory Evolution in Apache Spark
In-Memory Evolution in Apache Spark
Kazuaki Ishizaki
 
Linux Binary Exploitation - Stack buffer overflow
Linux Binary Exploitation - Stack buffer overflowLinux Binary Exploitation - Stack buffer overflow
Linux Binary Exploitation - Stack buffer overflow
Angel Boy
 
[CB16] DeathNote of Microsoft Windows Kernel by Peter Hlavaty & Jin Long
[CB16] DeathNote of Microsoft Windows Kernel by Peter Hlavaty & Jin Long[CB16] DeathNote of Microsoft Windows Kernel by Peter Hlavaty & Jin Long
[CB16] DeathNote of Microsoft Windows Kernel by Peter Hlavaty & Jin Long
CODE BLUE
 
Reliable Windows Heap Exploits
Reliable Windows Heap ExploitsReliable Windows Heap Exploits
Reliable Windows Heap Exploits
amiable_indian
 
BPF: Tracing and more
BPF: Tracing and moreBPF: Tracing and more
BPF: Tracing and more
Brendan Gregg
 
QEMU Sandboxing for dummies
QEMU Sandboxing for dummiesQEMU Sandboxing for dummies
QEMU Sandboxing for dummies
Eduardo Otubo
 
Intercloud interoperability
Intercloud interoperabilityIntercloud interoperability
Intercloud interoperability
Sam Johnston
 
TTI2008
TTI2008TTI2008
TTI2008
nancymac22
 

Contenu connexe

Tendances

You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
Peter Hlavaty
 
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows Kernel
Peter Hlavaty
 
Building Network Functions with eBPF & BCC
Building Network Functions with eBPF & BCCBuilding Network Functions with eBPF & BCC
Building Network Functions with eBPF & BCC
Kernel TLV
 
[CB16] DeathNote of Microsoft Windows Kernel by Peter Hlavaty & Jin Long
[CB16] DeathNote of Microsoft Windows Kernel by Peter Hlavaty & Jin Long[CB16] DeathNote of Microsoft Windows Kernel by Peter Hlavaty & Jin Long
[CB16] DeathNote of Microsoft Windows Kernel by Peter Hlavaty & Jin Long
CODE BLUE
 
BPF: Tracing and more
BPF: Tracing and moreBPF: Tracing and more
BPF: Tracing and more
Brendan Gregg
 

Tendances (20)

Linux Binary Exploitation - Heap Exploitation
Linux Binary Exploitation - Heap Exploitation Linux Binary Exploitation - Heap Exploitation
Linux Binary Exploitation - Heap Exploitation
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
 
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows Kernel
 
Linux binary Exploitation - Basic knowledge
Linux binary Exploitation - Basic knowledgeLinux binary Exploitation - Basic knowledge
Linux binary Exploitation - Basic knowledge
 
Master Canary Forging by Yuki Koike - CODE BLUE 2015
Master Canary Forging by Yuki Koike - CODE BLUE 2015Master Canary Forging by Yuki Koike - CODE BLUE 2015
Master Canary Forging by Yuki Koike - CODE BLUE 2015
 
Socket Programming In Python
Socket Programming In PythonSocket Programming In Python
Socket Programming In Python
 
Binary exploitation - AIS3
Binary exploitation - AIS3Binary exploitation - AIS3
Binary exploitation - AIS3
 
Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021
Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021
Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021
 
Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)
 
ROP 輕鬆談
ROP 輕鬆談ROP 輕鬆談
ROP 輕鬆談
 
Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)
 
BPF Internals (eBPF)
BPF Internals (eBPF)BPF Internals (eBPF)
BPF Internals (eBPF)
 
Building Network Functions with eBPF & BCC
Building Network Functions with eBPF & BCCBuilding Network Functions with eBPF & BCC
Building Network Functions with eBPF & BCC
 
twlkh-linux-vsyscall-and-vdso
twlkh-linux-vsyscall-and-vdsotwlkh-linux-vsyscall-and-vdso
twlkh-linux-vsyscall-and-vdso
 
In-Memory Evolution in Apache Spark
In-Memory Evolution in Apache SparkIn-Memory Evolution in Apache Spark
In-Memory Evolution in Apache Spark
 
Linux Binary Exploitation - Stack buffer overflow
Linux Binary Exploitation - Stack buffer overflowLinux Binary Exploitation - Stack buffer overflow
Linux Binary Exploitation - Stack buffer overflow
 
[CB16] DeathNote of Microsoft Windows Kernel by Peter Hlavaty & Jin Long
[CB16] DeathNote of Microsoft Windows Kernel by Peter Hlavaty & Jin Long[CB16] DeathNote of Microsoft Windows Kernel by Peter Hlavaty & Jin Long
[CB16] DeathNote of Microsoft Windows Kernel by Peter Hlavaty & Jin Long
 
Reliable Windows Heap Exploits
Reliable Windows Heap ExploitsReliable Windows Heap Exploits
Reliable Windows Heap Exploits
 
BPF: Tracing and more
BPF: Tracing and moreBPF: Tracing and more
BPF: Tracing and more
 
QEMU Sandboxing for dummies
QEMU Sandboxing for dummiesQEMU Sandboxing for dummies
QEMU Sandboxing for dummies
 

En vedette

Debugging With Id
Debugging With IdDebugging With Id
Debugging With Id
guest215c4e
 
六合彩,香港六合彩
六合彩,香港六合彩六合彩,香港六合彩
六合彩,香港六合彩
skxnqui
 
香港六合彩|六合彩
香港六合彩|六合彩香港六合彩|六合彩
香港六合彩|六合彩
qlpcnnb
 
六合彩|香港六合彩
六合彩|香港六合彩六合彩|香港六合彩
六合彩|香港六合彩
skxnqui
 
香港六合彩-六合彩
香港六合彩-六合彩香港六合彩-六合彩
香港六合彩-六合彩
skxnqui
 
香港六合彩>六合彩
香港六合彩>六合彩香港六合彩>六合彩
香港六合彩>六合彩
qlpcnnb
 
香港六合彩<六合彩
香港六合彩<六合彩香港六合彩<六合彩
香港六合彩<六合彩
qlpcnnb
 

En vedette (19)

Intercloud interoperability
Intercloud interoperabilityIntercloud interoperability
Intercloud interoperability
 
TTI2008
TTI2008TTI2008
TTI2008
 
blackray profile
blackray profileblackray profile
blackray profile
 
Sysadmin.Ie Memorandum And Articles Of Association
Sysadmin.Ie Memorandum And Articles Of AssociationSysadmin.Ie Memorandum And Articles Of Association
Sysadmin.Ie Memorandum And Articles Of Association
 
Zurich FLOSS and IT geeks — Open Cloud Initiative and demo
Zurich FLOSS and IT geeks — Open Cloud Initiative and demoZurich FLOSS and IT geeks — Open Cloud Initiative and demo
Zurich FLOSS and IT geeks — Open Cloud Initiative and demo
 
Debugging With Id
Debugging With IdDebugging With Id
Debugging With Id
 
Simple Workload and Application Portability (SWAP) for Cloud Computing
Simple Workload and Application Portability (SWAP) for Cloud ComputingSimple Workload and Application Portability (SWAP) for Cloud Computing
Simple Workload and Application Portability (SWAP) for Cloud Computing
 
23ae communication skills
23ae communication skills23ae communication skills
23ae communication skills
 
Jamie Louis Simon vs Twitter et al
Jamie Louis Simon vs Twitter et alJamie Louis Simon vs Twitter et al
Jamie Louis Simon vs Twitter et al
 
六合彩,香港六合彩
六合彩,香港六合彩六合彩,香港六合彩
六合彩,香港六合彩
 
香港六合彩|六合彩
香港六合彩|六合彩香港六合彩|六合彩
香港六合彩|六合彩
 
六合彩|香港六合彩
六合彩|香港六合彩六合彩|香港六合彩
六合彩|香港六合彩
 
fxxcwl
fxxcwlfxxcwl
fxxcwl
 
香港六合彩-六合彩
香港六合彩-六合彩香港六合彩-六合彩
香港六合彩-六合彩
 
香港六合彩>六合彩
香港六合彩>六合彩香港六合彩>六合彩
香港六合彩>六合彩
 
香港六合彩<六合彩
香港六合彩<六合彩香港六合彩<六合彩
香港六合彩<六合彩
 
Базовая формула дизайн-мышления
Базовая формула дизайн-мышленияБазовая формула дизайн-мышления
Базовая формула дизайн-мышления
 
Toma de decisiones
Toma de decisionesToma de decisiones
Toma de decisiones
 
Когда стоит забыть о дизайн-мышлении и вспомнить о дизайн-исследованиях
Когда стоит забыть о дизайн-мышлении и вспомнить о дизайн-исследованияхКогда стоит забыть о дизайн-мышлении и вспомнить о дизайн-исследованиях
Когда стоит забыть о дизайн-мышлении и вспомнить о дизайн-исследованиях
 

Similaire à Kernel Pool

Modern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and TechniquesModern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and Techniques
Michael Scovetta
 
HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7
HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7
HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7
Hackito Ergo Sum
 
Oracle b tree index internals - rebuilding the thruth
Oracle b tree index internals - rebuilding the thruthOracle b tree index internals - rebuilding the thruth
Oracle b tree index internals - rebuilding the thruth
Xavier Davias
 
2011 06-sq lite-forensics
2011 06-sq lite-forensics2011 06-sq lite-forensics
2011 06-sq lite-forensics
viaForensics
 
Jurczyk windows kernel reference count vulnerabilities. case study
Jurczyk windows kernel reference count vulnerabilities. case studyJurczyk windows kernel reference count vulnerabilities. case study
Jurczyk windows kernel reference count vulnerabilities. case study
DefconRussia
 
Chapter 8 1 Digital Design and Computer Architecture, 2n.docx
Chapter 8 1 Digital Design and Computer Architecture, 2n.docxChapter 8 1 Digital Design and Computer Architecture, 2n.docx
Chapter 8 1 Digital Design and Computer Architecture, 2n.docx
christinemaritza
 
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
Jagadisha Maiya
 
扩展世界上最大的图片Blog社区
扩展世界上最大的图片Blog社区扩展世界上最大的图片Blog社区
扩展世界上最大的图片Blog社区
yiditushe
 

Similaire à Kernel Pool (20)

Modern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and TechniquesModern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and Techniques
 
HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7
HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7
HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7
 
D2 t2 steven seeley - ghost in the windows 7 allocator
D2 t2 steven seeley - ghost in the windows 7 allocatorD2 t2 steven seeley - ghost in the windows 7 allocator
D2 t2 steven seeley - ghost in the windows 7 allocator
 
Heaps About Heaps - Brett Moore.ppt
Heaps About Heaps - Brett Moore.pptHeaps About Heaps - Brett Moore.ppt
Heaps About Heaps - Brett Moore.ppt
 
Oracle b tree index internals - rebuilding the thruth
Oracle b tree index internals - rebuilding the thruthOracle b tree index internals - rebuilding the thruth
Oracle b tree index internals - rebuilding the thruth
 
2011 06-sq lite-forensics
2011 06-sq lite-forensics2011 06-sq lite-forensics
2011 06-sq lite-forensics
 
Sql server scalability fundamentals
Sql server scalability fundamentalsSql server scalability fundamentals
Sql server scalability fundamentals
 
Jurczyk windows kernel reference count vulnerabilities. case study
Jurczyk windows kernel reference count vulnerabilities. case studyJurczyk windows kernel reference count vulnerabilities. case study
Jurczyk windows kernel reference count vulnerabilities. case study
 
Database Sizing
Database SizingDatabase Sizing
Database Sizing
 
Chapter 8 1 Digital Design and Computer Architecture, 2n.docx
Chapter 8 1 Digital Design and Computer Architecture, 2n.docxChapter 8 1 Digital Design and Computer Architecture, 2n.docx
Chapter 8 1 Digital Design and Computer Architecture, 2n.docx
 
DEF CON 27 - KYLE GWINNUP - next generation process emulation with binee
DEF CON 27 - KYLE GWINNUP - next generation process emulation with bineeDEF CON 27 - KYLE GWINNUP - next generation process emulation with binee
DEF CON 27 - KYLE GWINNUP - next generation process emulation with binee
 
Why learn Internals?
Why learn Internals?Why learn Internals?
Why learn Internals?
 
Troubleshooting Tips and Tricks for Database 19c ILOUG Feb 2020
Troubleshooting Tips and Tricks for Database 19c ILOUG Feb 2020Troubleshooting Tips and Tricks for Database 19c ILOUG Feb 2020
Troubleshooting Tips and Tricks for Database 19c ILOUG Feb 2020
 
Heap Base Exploitation
Heap Base ExploitationHeap Base Exploitation
Heap Base Exploitation
 
Curiosity Bits Tutorial: Mining Twitter User Profile on Python V2
Curiosity Bits Tutorial: Mining Twitter User Profile on Python V2Curiosity Bits Tutorial: Mining Twitter User Profile on Python V2
Curiosity Bits Tutorial: Mining Twitter User Profile on Python V2
 
Interview with Anatoliy Kuznetsov, the author of BitMagic C++ library
Interview with Anatoliy Kuznetsov, the author of BitMagic C++ libraryInterview with Anatoliy Kuznetsov, the author of BitMagic C++ library
Interview with Anatoliy Kuznetsov, the author of BitMagic C++ library
 
Debunking myths about_redo_ppt
Debunking myths about_redo_pptDebunking myths about_redo_ppt
Debunking myths about_redo_ppt
 
Troubleshooting Linux Kernel Modules And Device Drivers
Troubleshooting Linux Kernel Modules And Device DriversTroubleshooting Linux Kernel Modules And Device Drivers
Troubleshooting Linux Kernel Modules And Device Drivers
 
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
 
扩展世界上最大的图片Blog社区
扩展世界上最大的图片Blog社区扩展世界上最大的图片Blog社区
扩展世界上最大的图片Blog社区
 

Dernier

(👑VVIP ISHAAN ) Russian Call Girls Service Navi Mumbai🖕9920874524🖕Independent...
(👑VVIP ISHAAN ) Russian Call Girls Service Navi Mumbai🖕9920874524🖕Independent...(👑VVIP ISHAAN ) Russian Call Girls Service Navi Mumbai🖕9920874524🖕Independent...
(👑VVIP ISHAAN ) Russian Call Girls Service Navi Mumbai🖕9920874524🖕Independent...
Taniya Sharma
 
Call Girls Haridwar Just Call 8250077686 Top Class Call Girl Service Available
Call Girls Haridwar Just Call 8250077686 Top Class Call Girl Service AvailableCall Girls Haridwar Just Call 8250077686 Top Class Call Girl Service Available
Call Girls Haridwar Just Call 8250077686 Top Class Call Girl Service Available
Dipal Arora
 
Call Girls Bhubaneswar Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Bhubaneswar Just Call 9907093804 Top Class Call Girl Service Avail...Call Girls Bhubaneswar Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Bhubaneswar Just Call 9907093804 Top Class Call Girl Service Avail...
Dipal Arora
 
Bangalore Call Girls Nelamangala Number 9332606886 Meetin With Bangalore Esc...
Bangalore Call Girls Nelamangala Number 9332606886 Meetin With Bangalore Esc...Bangalore Call Girls Nelamangala Number 9332606886 Meetin With Bangalore Esc...
Bangalore Call Girls Nelamangala Number 9332606886 Meetin With Bangalore Esc...
narwatsonia7
 
Best Rate (Hyderabad) Call Girls Jahanuma ⟟ 8250192130 ⟟ High Class Call Girl...
Best Rate (Hyderabad) Call Girls Jahanuma ⟟ 8250192130 ⟟ High Class Call Girl...Best Rate (Hyderabad) Call Girls Jahanuma ⟟ 8250192130 ⟟ High Class Call Girl...
Best Rate (Hyderabad) Call Girls Jahanuma ⟟ 8250192130 ⟟ High Class Call Girl...
astropune
 
Best Rate (Patna ) Call Girls Patna ⟟ 8617370543 ⟟ High Class Call Girl In 5 ...
Best Rate (Patna ) Call Girls Patna ⟟ 8617370543 ⟟ High Class Call Girl In 5 ...Best Rate (Patna ) Call Girls Patna ⟟ 8617370543 ⟟ High Class Call Girl In 5 ...
Best Rate (Patna ) Call Girls Patna ⟟ 8617370543 ⟟ High Class Call Girl In 5 ...
Dipal Arora
 
Call Girls Coimbatore Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Coimbatore Just Call 9907093804 Top Class Call Girl Service AvailableCall Girls Coimbatore Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Coimbatore Just Call 9907093804 Top Class Call Girl Service Available
Dipal Arora
 
♛VVIP Hyderabad Call Girls Chintalkunta🖕7001035870🖕Riya Kappor Top Call Girl ...
♛VVIP Hyderabad Call Girls Chintalkunta🖕7001035870🖕Riya Kappor Top Call Girl ...♛VVIP Hyderabad Call Girls Chintalkunta🖕7001035870🖕Riya Kappor Top Call Girl ...
♛VVIP Hyderabad Call Girls Chintalkunta🖕7001035870🖕Riya Kappor Top Call Girl ...
astropune
 
Top Quality Call Girl Service Kalyanpur 6378878445 Available Call Girls Any Time
Top Quality Call Girl Service Kalyanpur 6378878445 Available Call Girls Any TimeTop Quality Call Girl Service Kalyanpur 6378878445 Available Call Girls Any Time
Top Quality Call Girl Service Kalyanpur 6378878445 Available Call Girls Any Time
Call Girls Delhi
 
Night 7k to 12k Navi Mumbai Call Girl Photo 👉 BOOK NOW 9833363713 👈 ♀️ night ...
Night 7k to 12k Navi Mumbai Call Girl Photo 👉 BOOK NOW 9833363713 👈 ♀️ night ...Night 7k to 12k Navi Mumbai Call Girl Photo 👉 BOOK NOW 9833363713 👈 ♀️ night ...
Night 7k to 12k Navi Mumbai Call Girl Photo 👉 BOOK NOW 9833363713 👈 ♀️ night ...
aartirawatdelhi
 
VIP Hyderabad Call Girls Bahadurpally 7877925207 ₹5000 To 25K With AC Room 💚😋
VIP Hyderabad Call Girls Bahadurpally 7877925207 ₹5000 To 25K With AC Room 💚😋VIP Hyderabad Call Girls Bahadurpally 7877925207 ₹5000 To 25K With AC Room 💚😋
VIP Hyderabad Call Girls Bahadurpally 7877925207 ₹5000 To 25K With AC Room 💚😋
TANUJA PANDEY
 
Book Paid Powai Call Girls Mumbai 𖠋 9930245274 𖠋Low Budget Full Independent H...
Book Paid Powai Call Girls Mumbai 𖠋 9930245274 𖠋Low Budget Full Independent H...Book Paid Powai Call Girls Mumbai 𖠋 9930245274 𖠋Low Budget Full Independent H...
Book Paid Powai Call Girls Mumbai 𖠋 9930245274 𖠋Low Budget Full Independent H...
Call Girls in Nagpur High Profile
 
Top Rated Bangalore Call Girls Mg Road ⟟ 9332606886 ⟟ Call Me For Genuine S...
Top Rated Bangalore Call Girls Mg Road ⟟ 9332606886 ⟟ Call Me For Genuine S...Top Rated Bangalore Call Girls Mg Road ⟟ 9332606886 ⟟ Call Me For Genuine S...
Top Rated Bangalore Call Girls Mg Road ⟟ 9332606886 ⟟ Call Me For Genuine S...
narwatsonia7
 
Call Girls Nagpur Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Nagpur Just Call 9907093804 Top Class Call Girl Service AvailableCall Girls Nagpur Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Nagpur Just Call 9907093804 Top Class Call Girl Service Available
Dipal Arora
 
Call Girls Gwalior Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Gwalior Just Call 9907093804 Top Class Call Girl Service AvailableCall Girls Gwalior Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Gwalior Just Call 9907093804 Top Class Call Girl Service Available
Dipal Arora
 
Call Girls Kochi Just Call 8250077686 Top Class Call Girl Service Available
Call Girls Kochi Just Call 8250077686 Top Class Call Girl Service AvailableCall Girls Kochi Just Call 8250077686 Top Class Call Girl Service Available
Call Girls Kochi Just Call 8250077686 Top Class Call Girl Service Available
Dipal Arora
 
Call Girls Jabalpur Just Call 8250077686 Top Class Call Girl Service Available
Call Girls Jabalpur Just Call 8250077686 Top Class Call Girl Service AvailableCall Girls Jabalpur Just Call 8250077686 Top Class Call Girl Service Available
Call Girls Jabalpur Just Call 8250077686 Top Class Call Girl Service Available
Dipal Arora
 
💎VVIP Kolkata Call Girls Parganas🩱7001035870🩱Independent Girl ( Ac Rooms Avai...
💎VVIP Kolkata Call Girls Parganas🩱7001035870🩱Independent Girl ( Ac Rooms Avai...💎VVIP Kolkata Call Girls Parganas🩱7001035870🩱Independent Girl ( Ac Rooms Avai...
💎VVIP Kolkata Call Girls Parganas🩱7001035870🩱Independent Girl ( Ac Rooms Avai...
Taniya Sharma
 
Call Girls Aurangabad Just Call 8250077686 Top Class Call Girl Service Available
Call Girls Aurangabad Just Call 8250077686 Top Class Call Girl Service AvailableCall Girls Aurangabad Just Call 8250077686 Top Class Call Girl Service Available
Call Girls Aurangabad Just Call 8250077686 Top Class Call Girl Service Available
Dipal Arora
 
Top Rated Bangalore Call Girls Richmond Circle ⟟ 9332606886 ⟟ Call Me For Ge...
Top Rated Bangalore Call Girls Richmond Circle ⟟ 9332606886 ⟟ Call Me For Ge...Top Rated Bangalore Call Girls Richmond Circle ⟟ 9332606886 ⟟ Call Me For Ge...
Top Rated Bangalore Call Girls Richmond Circle ⟟ 9332606886 ⟟ Call Me For Ge...
narwatsonia7
 

Dernier (20)

(👑VVIP ISHAAN ) Russian Call Girls Service Navi Mumbai🖕9920874524🖕Independent...
(👑VVIP ISHAAN ) Russian Call Girls Service Navi Mumbai🖕9920874524🖕Independent...(👑VVIP ISHAAN ) Russian Call Girls Service Navi Mumbai🖕9920874524🖕Independent...
(👑VVIP ISHAAN ) Russian Call Girls Service Navi Mumbai🖕9920874524🖕Independent...
 
Call Girls Haridwar Just Call 8250077686 Top Class Call Girl Service Available
Call Girls Haridwar Just Call 8250077686 Top Class Call Girl Service AvailableCall Girls Haridwar Just Call 8250077686 Top Class Call Girl Service Available
Call Girls Haridwar Just Call 8250077686 Top Class Call Girl Service Available
 
Call Girls Bhubaneswar Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Bhubaneswar Just Call 9907093804 Top Class Call Girl Service Avail...Call Girls Bhubaneswar Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Bhubaneswar Just Call 9907093804 Top Class Call Girl Service Avail...
 
Bangalore Call Girls Nelamangala Number 9332606886 Meetin With Bangalore Esc...
Bangalore Call Girls Nelamangala Number 9332606886 Meetin With Bangalore Esc...Bangalore Call Girls Nelamangala Number 9332606886 Meetin With Bangalore Esc...
Bangalore Call Girls Nelamangala Number 9332606886 Meetin With Bangalore Esc...
 
Best Rate (Hyderabad) Call Girls Jahanuma ⟟ 8250192130 ⟟ High Class Call Girl...
Best Rate (Hyderabad) Call Girls Jahanuma ⟟ 8250192130 ⟟ High Class Call Girl...Best Rate (Hyderabad) Call Girls Jahanuma ⟟ 8250192130 ⟟ High Class Call Girl...
Best Rate (Hyderabad) Call Girls Jahanuma ⟟ 8250192130 ⟟ High Class Call Girl...
 
Best Rate (Patna ) Call Girls Patna ⟟ 8617370543 ⟟ High Class Call Girl In 5 ...
Best Rate (Patna ) Call Girls Patna ⟟ 8617370543 ⟟ High Class Call Girl In 5 ...Best Rate (Patna ) Call Girls Patna ⟟ 8617370543 ⟟ High Class Call Girl In 5 ...
Best Rate (Patna ) Call Girls Patna ⟟ 8617370543 ⟟ High Class Call Girl In 5 ...
 
Call Girls Coimbatore Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Coimbatore Just Call 9907093804 Top Class Call Girl Service AvailableCall Girls Coimbatore Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Coimbatore Just Call 9907093804 Top Class Call Girl Service Available
 
♛VVIP Hyderabad Call Girls Chintalkunta🖕7001035870🖕Riya Kappor Top Call Girl ...
♛VVIP Hyderabad Call Girls Chintalkunta🖕7001035870🖕Riya Kappor Top Call Girl ...♛VVIP Hyderabad Call Girls Chintalkunta🖕7001035870🖕Riya Kappor Top Call Girl ...
♛VVIP Hyderabad Call Girls Chintalkunta🖕7001035870🖕Riya Kappor Top Call Girl ...
 
Top Quality Call Girl Service Kalyanpur 6378878445 Available Call Girls Any Time
Top Quality Call Girl Service Kalyanpur 6378878445 Available Call Girls Any TimeTop Quality Call Girl Service Kalyanpur 6378878445 Available Call Girls Any Time
Top Quality Call Girl Service Kalyanpur 6378878445 Available Call Girls Any Time
 
Night 7k to 12k Navi Mumbai Call Girl Photo 👉 BOOK NOW 9833363713 👈 ♀️ night ...
Night 7k to 12k Navi Mumbai Call Girl Photo 👉 BOOK NOW 9833363713 👈 ♀️ night ...Night 7k to 12k Navi Mumbai Call Girl Photo 👉 BOOK NOW 9833363713 👈 ♀️ night ...
Night 7k to 12k Navi Mumbai Call Girl Photo 👉 BOOK NOW 9833363713 👈 ♀️ night ...
 
VIP Hyderabad Call Girls Bahadurpally 7877925207 ₹5000 To 25K With AC Room 💚😋
VIP Hyderabad Call Girls Bahadurpally 7877925207 ₹5000 To 25K With AC Room 💚😋VIP Hyderabad Call Girls Bahadurpally 7877925207 ₹5000 To 25K With AC Room 💚😋
VIP Hyderabad Call Girls Bahadurpally 7877925207 ₹5000 To 25K With AC Room 💚😋
 
Book Paid Powai Call Girls Mumbai 𖠋 9930245274 𖠋Low Budget Full Independent H...
Book Paid Powai Call Girls Mumbai 𖠋 9930245274 𖠋Low Budget Full Independent H...Book Paid Powai Call Girls Mumbai 𖠋 9930245274 𖠋Low Budget Full Independent H...
Book Paid Powai Call Girls Mumbai 𖠋 9930245274 𖠋Low Budget Full Independent H...
 
Top Rated Bangalore Call Girls Mg Road ⟟ 9332606886 ⟟ Call Me For Genuine S...
Top Rated Bangalore Call Girls Mg Road ⟟ 9332606886 ⟟ Call Me For Genuine S...Top Rated Bangalore Call Girls Mg Road ⟟ 9332606886 ⟟ Call Me For Genuine S...
Top Rated Bangalore Call Girls Mg Road ⟟ 9332606886 ⟟ Call Me For Genuine S...
 
Call Girls Nagpur Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Nagpur Just Call 9907093804 Top Class Call Girl Service AvailableCall Girls Nagpur Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Nagpur Just Call 9907093804 Top Class Call Girl Service Available
 
Call Girls Gwalior Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Gwalior Just Call 9907093804 Top Class Call Girl Service AvailableCall Girls Gwalior Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Gwalior Just Call 9907093804 Top Class Call Girl Service Available
 
Call Girls Kochi Just Call 8250077686 Top Class Call Girl Service Available
Call Girls Kochi Just Call 8250077686 Top Class Call Girl Service AvailableCall Girls Kochi Just Call 8250077686 Top Class Call Girl Service Available
Call Girls Kochi Just Call 8250077686 Top Class Call Girl Service Available
 
Call Girls Jabalpur Just Call 8250077686 Top Class Call Girl Service Available
Call Girls Jabalpur Just Call 8250077686 Top Class Call Girl Service AvailableCall Girls Jabalpur Just Call 8250077686 Top Class Call Girl Service Available
Call Girls Jabalpur Just Call 8250077686 Top Class Call Girl Service Available
 
💎VVIP Kolkata Call Girls Parganas🩱7001035870🩱Independent Girl ( Ac Rooms Avai...
💎VVIP Kolkata Call Girls Parganas🩱7001035870🩱Independent Girl ( Ac Rooms Avai...💎VVIP Kolkata Call Girls Parganas🩱7001035870🩱Independent Girl ( Ac Rooms Avai...
💎VVIP Kolkata Call Girls Parganas🩱7001035870🩱Independent Girl ( Ac Rooms Avai...
 
Call Girls Aurangabad Just Call 8250077686 Top Class Call Girl Service Available
Call Girls Aurangabad Just Call 8250077686 Top Class Call Girl Service AvailableCall Girls Aurangabad Just Call 8250077686 Top Class Call Girl Service Available
Call Girls Aurangabad Just Call 8250077686 Top Class Call Girl Service Available
 
Top Rated Bangalore Call Girls Richmond Circle ⟟ 9332606886 ⟟ Call Me For Ge...
Top Rated Bangalore Call Girls Richmond Circle ⟟ 9332606886 ⟟ Call Me For Ge...Top Rated Bangalore Call Girls Richmond Circle ⟟ 9332606886 ⟟ Call Me For Ge...
Top Rated Bangalore Call Girls Richmond Circle ⟟ 9332606886 ⟟ Call Me For Ge...
 

Kernel Pool

  • 1.
  • 2.
  • 3.
  • 4.
  • 5. Population People who write exploits People who write Windows overflows People who write Windows Kernel Pool Overflows
  • 6.
  • 7. Diversity increases QA costs dramatically
  • 8.
  • 9.
  • 10.
  • 11.
  • 12.
  • 13.
  • 14.
  • 15.
  • 16.
  • 17.
  • 18. ListHeads 0 1 2 3 4 511 ... 8 bytes 24 bytes 24 bytes 32 bytes 24 bytes Each chunk of data is preceded by a 8 byte header structure
  • 19.
  • 20.
  • 21.
  • 22.
  • 23.
  • 24.
  • 25.
  • 26.
  • 27.
  • 28.
  • 29.
  • 30. Splitting Schema Free Chunk Free Chunk Free Chunk Free Chunk Free chunk at the beginning of a page, allocated chunk goes at the front Otherwise, allocated chunk goes at the end
  • 31.
  • 32.
  • 33.
  • 34. Merging Schema Free Chunk Busy Chunk Free Chunk Free Chunk Free Chunk Free Chunk Chunk being freed Merge #1 Merge #2
  • 35.
  • 36.
  • 38.
  • 39.
  • 40.
  • 41. Notations Our chunk Chunk we overflow Overflow Potential list entry depending on chunk type Kernel Pool Overflow Header Next Header List Entry
  • 42.
  • 43.
  • 44.
  • 45.
  • 46.
  • 47.
  • 48.
  • 49. ListHeads Illustrated (1/3) ListHeads[n] Flinks Free Chunk Free Chunk Free Chunk : Overflowed list entry Flink Blink Flink Blink Flink Blink Flink Blink
  • 50. ListHeads Illustrated (1/3) ListHeads[n] Blinks Free Chunk Free Chunk Free Chunk : Overflowed list entry Flink Blink Flink Blink Flink Blink Flink Blink
  • 51. ListHeads Illustrated (2/3) ListHeads[n] Free Chunk Free Chunk PLIST_ENTRY b,f; f=ListHeads[n]  Flink  Flink; b=ListHeads[n]  Flink  Blink; b  Flink=f; f  Blink=b; Allocation of size n unlinks ListHeads[n]  Flink Flink Blink Flink Blink Flink Blink
  • 52. ListHeads Illustrated (3/3) ListHeads[n] Free Chunk PLIST_ENTRY b,f; f=ListHeads[n]  Flink  Flink; b=ListHeads[n]  Flink  Blink; b  Flink=f; f  Blink=b; ⇦ might AV Allocation of size n unlinks ListHeads[n]  Flink ListHeads[n]  Flink is now under our control! Flink Blink Flink Blink
  • 53.
  • 54.
  • 55.
  • 56.
  • 57.
  • 58.
  • 59.
  • 60.
  • 61.
  • 62.
  • 63.
  • 64.
  • 65.
  • 66.
  • 67. Why would it work? ... ... 0x14 byte buffers Kernel Pool is filled with n 0x14 byte buffers Buffer closest to our allocated buffer is the 1 st one to be copied and freed Requires a “carpet” of ~13000 contiguous 0x14 byte buffers (not too hard) Our buffer will be allocated before those (we pretty much exhausted all the free chunks) Overflow
  • 68.
  • 69.
  • 70.
  • 71.
  • 72.
  • 73.