Null Pointer Vulnerability Protection Techniques: Advanced Article - Vulnerability Warning - 黑吧安全网 (myhack58)

ID MYHACK58:62201566220
Type myhack58
Reporter Anonymous (佚名)
Modified 2015-08-26T00:00:00


In the primary article on null pointer vulnerability protection techniques, we introduced the concepts of a null pointer and of a null pointer vulnerability. This advanced article describes how null pointers are exploited and the corresponding protection mechanisms.

Author: Sun Jianpo


1 Advanced article: exploiting null pointers

1.1 Basic introduction to ZwAllocateVirtualMemory

1.2 Understanding the ZwAllocateVirtualMemory function

1.3 Zero-page memory allocation examples: Win7 vs Win8

2 Advanced article: the Windows zero-page memory protection mechanism

2.1 Setting up a kernel debugging environment

2.1.1 Virtual machine and debugging environment

2.1.2 Configuring and starting WinDbg

2.2 Cross-stack debugging between user mode and kernel mode

2.2.1 Debugging user-mode programs from the kernel debugger

2.2.2 Following user mode into kernel mode

2.3 Reverse analysis of nt!NtAllocateVirtualMemory

2.3.1 Confirming the NtAllocateVirtualMemory parameters

2.3.2 Locating the NtAllocateVirtualMemory safety check for zero-page memory

2.3.3 Confirming the NtAllocateVirtualMemory safety check for zero-page memory

2.3.4 Finding the kernel's other zero-page memory protection functions

3 Summary

1 Advanced article: exploiting null pointers

The primary article mainly introduced some concepts and background knowledge about null pointers, so that the reader understands what a null pointer is; null pointer vulnerabilities caused by wild (dangling) pointers are not today's focus. What follows is a detailed introduction to null pointer vulnerabilities involving pointers into zero-page memory.

Exploitation of this kind of vulnerability focuses on two approaches:

  1. Using the NULL pointer value itself.
  2. Allocating the zero page so that the memory it points to becomes usable.

In the first case, a NULL pointer can be used to bypass a condition check or a security authentication check. An example is the X.Org null pointer dereference access-denial vulnerability, CVE-2008-0153; the figure compares the code before and after the patch:

(Figure: comparison of the code before and after the patch)

From the patched code it can be seen that the exploit uses the NULL pointer to change the program's control flow and trigger the vulnerability.

In the second case, in some situations the zero-page memory itself can be used, for example in the following two cases:

  1. On a 16-bit Windows system, or in a 16-bit Windows virtual environment, the zero-page memory can be used; on a 32-bit Windows system, running a DOS program starts the NTVDM process, which makes use of the zero-page memory.
  2. On a Windows 7 system, a process can allocate zero-page memory through system calls such as ZwAllocateVirtualMemory.
