DEP/ASLR bypass without ROP/JIT - Yu Yang - CanSecWest

More documents

Recommendations

Info

struct _KUSER_SHARED_DATA: 0:000> dt _KUSER_SHARED_DATA 0x7ffe0000 +0x000 TickCountLowDeprecated : 0 +0x004 TickCountMultiplier : 0xf99a027 +0x008 InterruptTime : _KSYSTEM_TIME +0x014 SystemTime : _KSYSTEM_TIME +0x020 TimeZoneBias : _KSYSTEM_TIME +0x02c ImageNumberLow : 0x14c +0x02e ImageNumberHigh : 0x14c +0x030 NtSystemRoot : [260] "C:\ Windows“ … SharedUserData
On x86 Windows: SharedUserData->SystemCall 0:000> dt _KUSER_SHARED_DATA SystemCall 0x7ffe0000 +0x300 SystemCall : 0x76f75e70 0x7ffe0300 is always point to KiFastSystemCall: 0:000> uf poi(0x7ffe0300) ntdll!KiFastSystemCall: 76f75e70 8bd4 mov edx,esp 76f75e72 0f34 sysenter 76f75e74 c3 ret
Page 1 and 2: DEP/ASLR bypass without ROP/JIT Yan
Page 3 and 4: Who am I Researcher @NSFOCUS Securi
Page 5: SharedUserData 0:000> d SharedUserD
Page 9 and 10: Example: MS08-078 ]]> eax
Page 11 and 12: eax=0c0c11db Example: MS08-078 msht
Page 13 and 14: Good news and bad news ☺ Totally
Page 15 and 16: SharedUserData->Wow64SharedInformat
Page 17 and 18: LdrHotPatchRoutine struct HotPatchB
Page 19 and 20: function funcB() { document.execCom
Page 21 and 22: Example: MS12-063 eax=00000000 ebx=
Page 23 and 24: Example: MS13-008 function CVE-2012
Page 25 and 26: Example: MS13-008 eax=41414141 ebx=
Page 27 and 28: Example: MS13-008 MS13-008 Demo
Page 29 and 30: Good news and bad news ☺ Totally
Page 31 and 32: Defense Why it can bypass EMET 3.5
Page 33 and 34: Off topic How to defend against unk
Page 35: Q & A

DEP/ASLR bypass without ROP/JIT - Yu Yang - CanSecWest

Create successful ePaper yourself

Delete template?

Save as template?