
Exploiting Kernel Memory Corruptions on Microsoft Windows 10 RedStone 5

This talk is about the new challenges of exploiting kernel memory corruptions on the brand new Microsoft Windows RedStone 5. With each new version of the Windows OS, Microsoft enhances security by adding mitigation mechanisms, and kernel-land vulnerabilities are getting more and more valuable these days. For example, the easy way to escape from a sandbox is by using a kernel vulnerability. That's why Microsoft works hard to enhance the security of the Windows kernel. The kernel pool allocator plays a significant role in the security of the whole kernel. Since Windows 7, Microsoft has been enhancing the security of the Windows kernel pool allocator. In Windows 8, Microsoft eliminated almost all reliable (previously published) techniques for exploiting kernel pool corruptions. Then Microsoft eliminated the "0xBAD0B0B0" technique in Windows 8.1, and there was no easy technique to exploit pool overflows on Windows 8.1. Then the DKOM/DKOHM technique appeared, which gave really nice primitives (arbitrary read/write/execute) for kernel exploitation. Following that, Microsoft obfuscated the TypeIndex in the object header, leaving the DKOM/DKOHM technique useless. But Microsoft left the optional headers unprotected, which gave birth to the DKOOHM technique. Sadly enough, Microsoft introduced a brand new kernel memory allocator in Windows 10 RS5, leaving the current pool memory manipulation techniques useless. This talk presents new techniques for exploiting kernel memory corruptions on Windows 10 RS5.

English
  • Originally Aired December 27, 2018
  • Runtime 60 minutes
  • Production Code 9903
Name              Type    Role
Nikita Tarakanov          Director