Nytro

Windows 8 Heap Internals



Contents

Introduction
Overview
Prior Works
Prerequisites
    User Land
    Kernel Land
Terminology
User Land Heap Manager
    Data Structures
        _HEAP (HeapBase)
        _LFH_HEAP (Heap->FrontEndHeap)
        _HEAP_LOCAL_DATA (Heap->FrontEndHeap->LocalData)
        _HEAP_LOCAL_SEGMENT_INFO (Heap->LFH->SegmentInfoArrays[] / AffinitizedInfoArrays[])
        _HEAP_SUBSEGMENT (Heap->LFH->InfoArrays[]->ActiveSubsegment)
        _HEAP_USERDATA_HEADER (Heap->LFH->InfoArrays[]->ActiveSubsegment->UserBlocks)
        _RTL_BITMAP (Heap->LFH->InfoArrays[]->ActiveSubsegment->UserBlocks->Bitmap)
        _HEAP_ENTRY
    Architecture
    Algorithms – Allocation
        Intermediate
        BackEnd
        FrontEnd
    Algorithms – Freeing
        Intermediate
        BackEnd
        FrontEnd
    Security Mechanisms
        _HEAP Handle Protection
        Virtual Memory Randomization
        FrontEnd Activation
        FrontEnd Allocation
        Fast Fail
        Guard Pages
        Arbitrary Free
        Exception Handling
    Exploitation Tactics
        Bitmap Flipping 2.0
        _HEAP_USERDATA_HEADER Attack
    User Land Conclusion
Kernel Pool Allocator
    Fundamentals
        Pool Types
        Pool Descriptor
        Pool Header
    Windows 8 Enhancements
        Non-Executable (NX) Non-Paged Pool
        Kernel Pool Cookie
    Attack Mitigations
        Process Pointer Encoding
        Lookaside Cookie
        Cache Aligned Allocation Cookie
        Safe (Un)linking
        PoolIndex Validation
        Summary
    Block Size Attacks
        Block Size Attack
        Split Fragment Attack
    Kernel Land Conclusion
Thanks
Bibliography

Download:

http://t.co/uOgkjkj4
