Windows Kernel Exploit
Part1
????? ???
Who Am I
? ????? 15?? ??? ? BoB 6? ??? ??
? ?? ??? ???? ???
? ?? ????
Contents
Part 1: Internal
1. Kernel Internal
2. Kernel Hooking
Part 2: Exploit Skills
1. Hacksys Driver
2. Stack Overflow
3. Stack Overflow GS
4. Arbitrary Write
5. Null Pointer Dereference
6. Recent Windows Mitigation
Part 1: Internal
Kernel Internal
• Kernel syscall mechanisms
• int 0x2e
  • The syscall mechanism used before XP
  • Interrupt based, so it is slow
• SYSENTER
  • The syscall mechanism used from XP on
  • A faster syscall mechanism than int 0x2e
Kernel Internal
[Diagram: the syscall path. User level: Kernel32.dll -> Ntdll.dll (Native API) -> SYSENTER (MSR 0x176). Kernel level: nt!KiFastCallEntry -> SSDT -> nt!... handlers; the return path is nt!KiSystemCallExit -> SYSEXIT -> ntdll!KiFastSystemCallRet.]
What is an MSR register?
• A model-specific register: a control register whose meaning depends on the processor model
• When SYSENTER executes, the registers are loaded from the following MSRs:
Code Segment <- MSR 0x174 (IA32_SYSENTER_CS)
Stack Segment <- IA32_SYSENTER_CS + 8
EIP Register <- MSR 0x176 (IA32_SYSENTER_EIP), which points to KiFastCallEntry
ESP Register <- MSR 0x175 (IA32_SYSENTER_ESP)
Kernel Hooking
• ???? Kernel Fuzzer? ???? ?? call flow case? ??
• ??? ??
• Target ??? ??? ??? ?? ??? ??
"Kernel syscall ?? ? argument, return value? ?? ? ?
?? ??? ????? ??
??!"
Kernel Hooking
? Kernel Hooking? ?? ?? API ???? ?????,
API ??? ???? ? ??! ??? ??? ?? ??
? ?? : ???? ?? ? ??? ??
? ?? ?????? ?? ??...
? ?10 ?? ???? ?7?? ????? ?? ????? ??
? ?????...
? Windbg ??? ??
Windows driver development
Kernel Hooking: MSR Hooking
[Diagram: the syscall path with the MSR hook inserted. User level: Kernel32.dll -> Ntdll.dll (Native API) -> SYSENTER. Kernel level: "Hook MSR" -> DBGPrint argument -> nt!KiFastCallEntry -> SSDT -> nt!... handlers; the return path is nt!KiSystemCallExit -> SYSEXIT -> ntdll!KiFastSystemCallRet.]
Kernel Hooking: MSR Hooking
1. Save the original KiFastCallEntry address with the rdmsr instruction
2. Write the HookFunction address into the MSR register with the wrmsr instruction
3. In HookFunction, print the argument values, then jmp to the original KiFastCallEntry
Kernel Hooking: MSR Hooking
1. save MSR 176
Kernel Hooking: MSR Hooking
2. write MSR 176
Kernel Hooking: MSR Hooking
3. HookFunction
Kernel Hooking: MSR Hooking
Success!
Kernel Hooking
• But how to print the return value?
• Hooking ntdll!KiFastSystemCallRet would expose the return value!
  But hooking the DLL in user land runs into Copy on Write ...
• ??? ?? ?? ??? ????
• So hook nt!KiSystemCallExit instead!
Kernel Hooking: Inline Hooking
[Diagram: the syscall path with both hooks. User level: Kernel32.dll -> Ntdll.dll (Native API) -> SYSENTER. Kernel level: "Hook MSR" -> DBGPrint argument -> nt!KiFastCallEntry -> SSDT -> nt!... handlers; the return path is nt!KiSystemCallExit -> "Inline Hooking" -> DBGPrint return -> SYSEXIT -> ntdll!KiFastSystemCallRet.]
Inline Hooking
Kernel Hooking: Inline Hooking
1. Examine the code of nt!KiSystemCallExit to decide where and how to place the inline hook
Kernel Hooking: Inline Hooking
2. Inline-hook nt!KiSystemCallExit with a jmp to HookedFunction
Kernel Hooking: Inline Hooking
3. HookedFunction, the function executed through the inline hook
Kernel Hooking: Inline Hooking
Success!
but...............................
Kernel Hooking
? ?? ?? ?? ? ????...
? ?? ??
? ?? ???? ?? ?? ?? ??
? User land?? ????? ???
??? ???? ???
?? ??~
Part 2: Exploit Skills
Windows Integrity
• Windows? ?? ????? ??? ??? ?? ??? ?? ??
• UNTRUSTED: Anonymous
• LOW: Everyone, cannot access local resources
• MEDIUM: Authenticated Users
• HIGH: Administrators
• SYSTEM: LocalSystem, LocalService...
HackSysExtremeVulnerableDriver
• A deliberately vulnerable Windows driver built by Hacksysteam for learning and practising kernel exploitation
[Figure: the vulnerability classes included in the driver, laid out on the slide on an easy-to-hard scale]
Double Fetch
Pool Overflow
Use After Free
Uninitialized Heap Variable
Uninitialized Stack Variable
Insecure Kernel Resource Access
Stack Overflow
Stack Overflow GS
Arbitrary Overwrite
Null Pointer Dereference
Type Confusion
Integer Overflow
HackSysDriver Setting
• Requirements
  • VirtualKD: attaches WinDbg to a VMware virtual machine so that the Windows kernel can be debugged
  • WinDbg
  • HEVD.sys: the compiled hacksys driver (sys file)
  • OSRLOADER: a tool that loads and unloads the driver
HackSysDriver Setting
• Attach WinDbg to the target Windows virtual machine
• Copy HEVD.sys into the target virtual machine and load it with OSRLOADER
HackSysDriver Trigger IN Driver
HackSysDriver Trigger IN User
HackSysDriver Trigger User -> Driver
[Diagram: the user-mode input buffer is packaged by the I/O Manager into an IRP; on the kernel side the driver reads it through the IO_STACK_LOCATION.]
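The trigger diagram above shows the input buffer reaching the driver inside an IRP, and the Editor's Notes for slide #33 list the fields packed into a CTL_CODE (DeviceType, Function, Method, Access). The following Python is an added example, not code from the slides or from HEVD: it unpacks an IOCTL control code into those fields using the documented CTL_CODE bit layout, then runs over a few constructed log lines of DeviceIoControl calls and marks the METHOD_NEITHER ones, where the driver receives raw user-mode pointers and must validate them itself. The log format, the device names and the IOCTL values are constructed for the example.

```python
"""Decode Windows IOCTL control codes into their CTL_CODE fields and triage a call log.

Added example, not code from the slides or from HEVD. The field layout is the
documented CTL_CODE macro from the WDK:
    code = (DeviceType << 16) | (Access << 14) | (Function << 2) | Method
"""
import re

METHOD_NAMES = {
    0: "METHOD_BUFFERED",    # I/O manager copies the user buffer into a kernel SystemBuffer
    1: "METHOD_IN_DIRECT",   # input copied, output buffer described by an MDL
    2: "METHOD_OUT_DIRECT",  # input copied, output buffer described by an MDL
    3: "METHOD_NEITHER",     # raw user-mode pointers reach the driver: it must probe them itself
}
ACCESS_NAMES = {
    0: "FILE_ANY_ACCESS",
    1: "FILE_READ_ACCESS",
    2: "FILE_WRITE_ACCESS",
    3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS",
}


def ctl_code(device_type, function, method, access):
    """Mirror of the CTL_CODE macro."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


def decode_ioctl(code):
    """Split a 32-bit control code back into its four fields."""
    return {
        "device_type": (code >> 16) & 0xFFFF,
        "access": ACCESS_NAMES[(code >> 14) & 0x3],
        "function": (code >> 2) & 0xFFF,
        "method": METHOD_NAMES[code & 0x3],
    }


# Constructed sample log lines; the format, device names and codes are invented for this example.
SAMPLE_LOG = (
    "pid=1234 DeviceIoControl device=\\\\.\\ExampleDriver ioctl=0x222003 inlen=2100\n"
    "pid=1234 DeviceIoControl device=\\\\.\\ExampleDriver ioctl=0x22200b inlen=8\n"
    "pid=4321 DeviceIoControl device=\\\\.\\SomeOtherDevice ioctl=0x2d1400 inlen=16\n"
)
LOG_RE = re.compile(r"pid=(\d+) DeviceIoControl device=(\S+) ioctl=0x([0-9a-fA-F]+) inlen=(\d+)")


def triage_log(text):
    """One record per log line; METHOD_NEITHER calls are marked high risk."""
    records = []
    for m in LOG_RE.finditer(text):
        code = int(m.group(3), 16)
        fields = decode_ioctl(code)
        fields.update(
            pid=int(m.group(1)),
            device=m.group(2),
            ioctl=code,
            inlen=int(m.group(4)),
            high_risk=fields["method"] == "METHOD_NEITHER",
        )
        records.append(fields)
    return records


if __name__ == "__main__":
    for r in triage_log(SAMPLE_LOG):
        flag = "HIGH RISK" if r["high_risk"] else "ok"
        print("pid=%d ioctl=0x%06X type=0x%02X fn=0x%03X %s %s [%s]" % (
            r["pid"], r["ioctl"], r["device_type"], r["function"],
            r["method"], r["access"], flag))
```

The decoder is the inverse of the macro, so `decode_ioctl(ctl_code(...))` round-trips; the triage rule is deliberately simple (method field only), because the method is the one property of an IOCTL visible from user-mode telemetry that says whether the I/O manager or the driver is responsible for validating the buffers.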
Stack Overflow
1. Find the EPROCESS structure of the current process
Stack Overflow
2. Find the EPROCESS structure of the SYSTEM process (PID = 4)
...
Stack Overflow
3. Take the Token from the SYSTEM EPROCESS structure and write it into the current process's EPROCESS structure
Stack Overflow
Windows 7 has no SMEP.
Let's call the user shellcode function.
Stack Overflow? ??? ??
Stack Overflow GS
• Ways to bypass the stack cookie
• 1. Stack cookie leak
• 2. Gain control of the EIP register before the stack cookie failure check runs
Stack Overflow GS
Case: User land
[Diagram: stack frame, from the end of the stack segment downward: SE handler, nSEH, ..., retn, sfp, Cookie, buffer. The overflow payload shown beside it: aaaa, ..., pop pop ret, shellcode, ..., aaaa aaaa aaaa aaaa.]
Stack Overflow GS
Case: Kernel land
Memory-fault exceptions that occur in kernel memory areas are not handled by exception handlers; they only crash the OS.
So the memory-fault exception is generated by accessing an unmapped page in user land instead.
Stack Overflow GS
Arbitrary Write
• Write What Where
Arbitrary Write
• Several ways to exploit it!
  • SSDT Overwrite
  • HalDispatchTable Overwrite
  • TokenObject->Privileges.Enabled Field Overwrite
• Exploit it with the HalDispatchTable Overwrite!
Arbitrary Write
[Diagram: HalDispatchTable, with HalDispatchTable + 4 overwritten to point at the token shellcode. A user-land call to NtQueryIntervalProfile reaches KeQueryIntervalProfile in kernel land, which calls through HalDispatchTable + 4.]
Arbitrary Write
• Where is the HalDispatchTable?!
• On Windows 7 its kernel address can be obtained from user mode through the NtQuerySystemInformation API
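The MSR hook described in Part 1 (IA32_SYSENTER_EIP rewritten with rdmsr/wrmsr), the inline jmp placed on nt!KiSystemCallExit, and the HalDispatchTable + 4 overwrite above share one observable symptom: a pointer or a code path that should stay inside ntoskrnl.exe or hal.dll now leaves it. The following Python is an added example, not code from the slides: it checks a snapshot of such pointers against the loaded kernel module ranges, and decodes a 5-byte `jmp rel32` at a function entry to see whether an inline hook leads outside the module. The module map, the pointer values and the code bytes are constructed 32-bit values; on a real system they would come from a kernel debugger or a memory image.

```python
"""Flag sensitive kernel pointers and function prologues that leave the known kernel modules.

Added example, not from the slides. Every address and byte below is a constructed
32-bit value; real ones would be read with a debugger (rdmsr 176, dd nt!HalDispatchTable,
u nt!KiSystemCallExit) or from a memory image.
"""
import struct

# Constructed module map: name -> (base, end), end exclusive.
MODULES = {
    "ntoskrnl.exe": (0x82800000, 0x82C00000),
    "hal.dll":      (0x82C00000, 0x82C40000),
}

# Pointers named on the slides, with constructed values.
SNAPSHOT = {
    "IA32_SYSENTER_EIP (MSR 0x176)": 0x8283A5C0,   # still inside ntoskrnl.exe
    "HalDispatchTable+4":            0x00001000,   # user-mode address: the classic overwrite
    "SSDT[0x42]":                    0x9A0012F0,   # kernel address, but in no known module
}

USER_KERNEL_SPLIT = 0x80000000   # default 2 GB/2 GB split on 32-bit Windows (assumption)


def module_of(addr, modules=MODULES):
    """Return the name of the module containing addr, or None."""
    for name, (base, end) in modules.items():
        if base <= addr < end:
            return name
    return None


def check_pointers(snapshot, modules=MODULES):
    """Return (label, value, reason) for every pointer that lies outside the module map."""
    findings = []
    for label, value in snapshot.items():
        if module_of(value, modules) is None:
            reason = "user-mode address" if value < USER_KERNEL_SPLIT else "unknown kernel module"
            findings.append((label, value, reason))
    return findings


def jmp_rel32_target(func_addr, code):
    """If code starts with E9 <rel32>, return the 32-bit jump target, else None."""
    if len(code) < 5 or code[0] != 0xE9:
        return None
    rel = struct.unpack("<i", bytes(code[1:5]))[0]    # rel32 is signed, relative to next insn
    return (func_addr + 5 + rel) & 0xFFFFFFFF


def check_prologue(name, func_addr, code, modules=MODULES):
    """Report (name, target, module) when the entry jmp leaves the function's own module."""
    target = jmp_rel32_target(func_addr, code)
    if target is None:
        return None
    if module_of(target, modules) == module_of(func_addr, modules):
        return None   # intra-module jmp, e.g. a legitimate hot-patch thunk
    return (name, target, module_of(target, modules) or "unknown module")


# Constructed entry bytes for nt!KiSystemCallExit: jmp to 0x9A000000, outside every known module.
KISYSTEMCALLEXIT = 0x8283B000
HOOKED_PROLOGUE = bytes([0xE9, 0xFB, 0x4F, 0x7C, 0x17])
CLEAN_PROLOGUE = bytes([0x8B, 0xFF, 0x55, 0x8B, 0xEC])    # mov edi,edi; push ebp; mov ebp,esp

if __name__ == "__main__":
    for label, value, reason in check_pointers(SNAPSHOT):
        print("pointer %-30s -> 0x%08X (%s)" % (label, value, reason))
    hit = check_prologue("nt!KiSystemCallExit", KISYSTEMCALLEXIT, HOOKED_PROLOGUE)
    if hit:
        print("inline hook: %s jumps to 0x%08X (%s)" % hit)
```

The two checks are complementary: the pointer check catches the MSR and dispatch-table rewrites, which change a value rather than code, while the prologue check catches the inline hook, which leaves every table intact and changes the first instruction instead. A real implementation would also compare the prologue bytes against the on-disk image, since a hook can use other instructions than a plain `jmp rel32`.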
Null Pointer Dereference
• Can user mode allocate and use the address 0x00000000?
• Put the shellcode at 0x00000000!
• 'VirtualAlloc' and 'VirtualAllocEx' can only allocate from 0x00001000 upward
• Use the undocumented NTAPI function 'NtAllocateVirtualMemory'
Windows 7 exploitation issue
• Executable NonPagedPool was the default
• Kernel ??? ??? ??? ?? ? ? ??
• Kernel information leaks were available with NtQuerySystemInformation
• No SMEP, SMAP
Windows 8.1, 10 exploitation issue
• NonPagedPoolNx is the new default
  • ??? ??? ???? ???!
• SMEP
• Windows 0xFFFFFFFFFD00448 (HAL Heap) contained a pointer to ntoskrnl.exe
• SIDT instruction leaks address of ntoskrnl.exe pointer (IDTR register)
• Kernel address leak with GdiSharedHandleTable
  • ROP base address can be obtained!
• Page Table Entry overwrite can bypass SMEP
  • modify U/S flag
Mitigations Windows 10 1607
• Kernel address leak with GdiSharedHandleTable removed
• SIDT instruction leak of the ntoskrnl.exe pointer mitigated
• ??? HAL Heap ???? ? ??
• Page Table Entry randomized
Mitigations Windows 10 1703
• HAL Heap randomized
• Now an ntoskrnl.exe pointer must be leaked
  • ?? base address ?? ? ??? leak ???
Reference
• Hacksys Driver ? ??
  https://github.com/hacksysteam/HackSysExtremeVulnerableDriver
• Hacksys Driver ???
  https://hshrzd.wordpress.com/2017/06/05/starting-with-windows-kernel-exploitation-part-2/
• Windows Kernel Architecture Internals - Dave Probert, Windows Kernel Architect, Microsoft
• DEFCON-25-Morten-Schenk-Taking-Windows-10-Kernel-Exploitation-to-the-next-level-UPDATED
Thank you!
ks8171235@naver.com

Windows kernel basic exploit


Editor's Notes

  • #6: ??? ???? ?? ??, ???, IPC C ???? ? ??? ?? ????, ???? ???, ???, ?, ?? ??? ?? ?? HAL - ??????? PC? ???, CPU, ???? ??? ?? ?? ?? ?? ?, ???? ??? ?? Driver - ?? ??? ??? ??? ???? ????? ?? ?? PNP ???? C ?? ????? ??? ? ?? Legacy ???? C ???? ?? ?? ???? ???? ????? ??? ? ??
  • #27: ??? ?? ??? ???? ?? ???? ?? ????...
  • #30: ? ???? ?? ? Hacksys ? ???? ?? ??, ?? ??(SECURE?? ?)
  • #32: ?? ??? ??? ??? https://hshrzd.wordpress.com/2017/06/05/starting-with-windows-kernel-exploitation-part-2/
  • #33: CTL_CODE: DeviceType (the device type), Function (the function number), Method (the buffering method), Access (the required access)
  • #35: IRP (I/O Request Packet): the structure that represents an I/O request. When DeviceControl is called, the I/O manager builds an IRP and passes it down to the driver.