DEP/ASLR bypass without ROP/JIT - Yu Yang - CanSecWest

More documents

Recommendations

Info

Background What is <strong>DEP</strong> and <strong>ASLR</strong> ?
SharedUserData 0:000> d SharedUserData 7ffe0000 00000000 0f99a027 1d8a8d7d 000003a8 ....'...}....... 7ffe0010 000003a8 c90280d4 01cdd689 01cdd689 ................ 7ffe0020 f1dcc000 ffffffbc ffffffbc 86648664 ............d.d. 7ffe0030 003a0043 0057005c 006e0069 006f0064 C.:.\.W.i.n.d.o. 7ffe0040 00730077 00000000 00000000 00000000 w.s............. 7ffe0050 00000000 00000000 00000000 00000000 ................ 7ffe0060 00000000 00000000 00000000 00000000 ................ 7ffe0070 00000000 00000000 00000000 00000000 ................ SharedUserData is always fixed in 0x7ffe0000 from Windows NT 4 to Windows 8 #define MM_SHARED_USER_DATA_VA 0x7FFE0000 From nti386.h and ntamd64.h in Microsoft WRK source code
Page 1 and 2: DEP/ASLR bypass without ROP/JIT Yan
Page 3: Who am I Researcher @NSFOCUS Securi
Page 7 and 8: On x86 Windows: SharedUserData->Sys
Page 9 and 10: Example: MS08-078 ]]> eax
Page 11 and 12: eax=0c0c11db Example: MS08-078 msht
Page 13 and 14: Good news and bad news ☺ Totally
Page 15 and 16: SharedUserData->Wow64SharedInformat
Page 17 and 18: LdrHotPatchRoutine struct HotPatchB
Page 19 and 20: function funcB() { document.execCom
Page 21 and 22: Example: MS12-063 eax=00000000 ebx=
Page 23 and 24: Example: MS13-008 function CVE-2012
Page 25 and 26: Example: MS13-008 eax=41414141 ebx=
Page 27 and 28: Example: MS13-008 MS13-008 Demo
Page 29 and 30: Good news and bad news ☺ Totally
Page 31 and 32: Defense Why it can bypass EMET 3.5
Page 33 and 34: Off topic How to defend against unk
Page 35: Q & A

DEP/ASLR bypass without ROP/JIT - Yu Yang - CanSecWest

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?