LPE vulnerabilities exploitation on Windows 10 Anniversary Update
25.03.2017 Views
Share Embed Flag

LPE vulnerabilities exploitation on Windows 10 Anniversary Update

eJwXM6v

eJwXM6v

SHOW MORE
SHOW LESS
ePAPER READ
DOWNLOAD ePAPER
ale.sp.brazil

You also want an ePaper? Increase the reach of your titles

YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.

START NOW

USER structures/data allocated <strong>on</strong> GDI pool<br />

• Some user objects are allocated <strong>on</strong> GDI pool, but they are not al<strong>on</strong>e!<br />

• There are many user structures allocated <strong>on</strong> GDI pool (tagPOPUPMENU,<br />

tagWND.pTransform, tagSBTRACK …). We can get their addresses by<br />

reading object’s c<strong>on</strong>tent from desktop heap (as USER objects c<strong>on</strong>tain<br />

pointers to this structures).<br />

• We found, that tagCLS.lpszMenuName (see previous slide) allocated <strong>on</strong> GDI<br />

pool.<br />

• This tagCLS field represents WNDCLASSEX.lpszMenuName (UNICODE).<br />

• We can easily allocate it by RegisterClass and free by UnregisterClass.<br />

• Also we can c<strong>on</strong>trol size of this allocati<strong>on</strong>.

logo

products

Resources

Company

Terms of service
Privacy policy
Cookie policy
Cookie settings
Imprint
Change language
Made with love in Switzerland
© 2024 Yumpu.com all rights reserved

Hooray! Your file is uploaded and ready to be published.

Saved successfully!

Ooh no, something went wrong!