Nytro

Advanced Heap Manipulation in Windows 8


Advanced Heap Manipulation in Windows 8

Zhenhua(Eric) Liu

zhliu@fortinet.com

VERSION 1.0

Contents
Abstract
Prior Works
Introduction
    Sandbox
    Windows 8 Kernel Exploit mitigation improvements
    Heap feng shui and Windows 8
    What Feng shui really is
    What's left?
        Uninitialized memory reference
        Application specific attacks
        Custom Memory Allocator
    The future
Quick View of the Idea
    Basics
        Freelists
        Three ways could write into the FreeLists
        Allocation Search
        Splitting Pool Chunks process
    The Mandatory Search Technique
Kernel Pool
    Implementation in Kernel Pool
        Basics
        Reliability Notes
        Putting It All Together
User Heap
    Implementation in User Heap
        Applicable circumstance
        Prerequisites
        The simple idea
    Practices in User heap
        A practical attack on _HEAP_USERDATA_HEADER
        Uninitialized memory reference
        Practical heap determining in IE 10
Conclusion
Acknowledgements
Bibliography
Attacking _HEAP_USERDATA_HEADER Source Code

Download:

https://media.blackhat.com/eu-13/briefings/Liu/bh-eu-13-liu-advanced-heap-WP.pdf
