Leaking Windows Kernel Pointers

More documents

Recommendations

Info

Userland Callbacks – How do they work? ntdll!KiUserCallbackDispatcher Uses the callback ID as an index Function table located in the TIB User32 initialization points it to user32!apfnDispatch Call the callback handler 8 Copyright 2016 Trend Micro Inc.
Userland Callbacks – How do they work? Call user32!XyCallbackReturn once done with handler This function never returns Performs an “int 0x2b” back into the kernel Calls ntoskrnl!KiCallbackReturn per ntoskrnl!IDT Could also sysenter or “int 0x2e” back Just need to use ID for NtCallbackReturn 9 Copyright 2016 Trend Micro Inc.
Page 1 and 2: Leaking Windows Kernel Pointers WAN
Page 3 and 4: What am I talking about? Kernel poi
Page 5 and 6: Userland Callbacks 5 Copyright 2016
Page 7: Userland Callbacks - How do they wo
Page 11 and 12: Window Objects and Messages 11 Copy
Page 13 and 14: CVE-2015-0094 13 Copyright 2016 Tre
Page 15 and 16: CVE-2015-0094 - The vulnerability W
Page 17 and 18: CVE-2015-0094 - The vulnerability W
Page 19 and 20: CVE-2015-0094 - The vulnerability 1
Page 23 and 24: CVE-2015-0094 - The plan Create a W
Page 25 and 26: CVE-2015-0094 - The PoC 25 Copyrigh
Page 29 and 30: CVE-2015-0094 - The Patch 29 Copyri
Page 31 and 32: CVE-2015-1680 - The vulnerability N
Page 33 and 34: CVE-2015-1680 - The vulnerability N
Page 37 and 38: CVE-2015-1680 - The plan Force an e
Page 41: Questions? 41 Copyright 2016 Trend

Leaking Windows Kernel Pointers

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?