myhack58 | 佚名 (Anonymous) | MYHACK58:62201783863
History: Mar 01, 2017 - 12:00 a.m.

HEVD kernel vulnerability training: playing with bugs on Windows (bug alert) - 黑吧安全网 (myhack58)

2017-03-01 00:00:00
佚名 (Anonymous)
www.myhack58.com

CVSS2: 7.2 High (AV:L/AC:L/Au:N/C:C/I:C/A:C)
Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

EPSS: 0.023 Low, Percentile 88.4%

This training studies the principles of kernel vulnerabilities and the ways they are exploited, and builds a preliminary understanding of many common Windows data structures, opening the door to Ring0.
HEVD project address: https://github.com/hacksysteam/HackSysExtremeVulnerableDriver
For getting started with kernel vulnerabilities, the path I recommend is HEVD -> CVE-2014-4113 -> MS15-061: the first is a training driver, the latter two are vulnerabilities from real environments. Ring0 is a lot of fun: you keep getting beaten down, and you keep climbing back up!
Newer versions of Windows add many protective measures against exploitation, which makes attacking more and more interesting; many of these restrictions make a lot of exploits difficult. In this article I will take HEVD's arbitrary memory read/write vulnerability and use a piece of code from Cn33liz to complete the attack and analyze the whole process.
This attack has a protagonist, the Bitmap. This article mainly analyzes how powerful the Bitmap really is on the latest Win10 and on Win8.
![](/Article/UploadPic/2017-3/201731154415927.png?www.myhack58.com)
In this article I will first briefly introduce the Bitmap, the KASLR mechanism in the latest Win10 and its impact on the Bitmap technique, and how to use the Accelerator Table to bypass KASLR. Next I will share how SetBitmap and GetBitmap are used to complete the attack, together with the key structure of our protagonist, _SURFOBJ, and its member pvScan0. Then I will share some doubts I have about Win10; they may be pitfalls, and in any case there are still things I am unsure about. After that, combining my idol MJ0011's talk at HITCON on Win8 security features, I will move on to Win8 and look at the Bitmap's super lethality there, as well as the protection mechanisms of those security features. At the end I will release the source code of my experiments on Win10 and Win8. This source code contains some handling of the Win10 and Win8 protection mechanisms and is rewritten from the source code of the expert Cn33liz. All tests below were completed with my rewritten source code, with corresponding comments in the source. The changes to the source code are not very elegant; I hope everyone will bear with me. Because of repeated debugging sessions the addresses changed, so you can read the text and the source code together.
The original project source code used in this article: https://github.com/Cn33liz/HSEVD-ArbitraryOverwriteGDI
I will not explain the cause of this vulnerability in detail; the HackSys team's GitHub project has a detailed description. This arbitrary write vulnerability writes a specified value to a specified address, with no validity check on either the write address or the written content. The test environment is the latest version of Win10.
![](/Article/UploadPic/2017-3/201731154415628.png?www.myhack58.com)

Playing with Win10: CreateBitmap and KASLR
My previous HEVD article was done on Windows 7. On Win7 we had a lot of freedom: we could write shellcode into many special locations and structures and have the kernel execute it. On Win10, a vast number of restrictions have been added, exploitation has become much harder, and shellcode seems to have become less feasible.
FuzzySecurity also mentions the data-only attack: under all these restrictions, the Bitmap gives us great convenience. This attack technique is very powerful and very interesting.
On Windows 10 we need to obtain the kernel address of the Bitmap, and then use a special member of the Bitmap's _SURFOBJ structure to complete the attack: that is the pvScan0 member we will come to later.
In earlier versions of Win10, it was possible to get the kernel object address of the Bitmap through a special structure, GdiSharedHandleTable. GdiSharedHandleTable is a member of the PEB structure, and what it stores are GDICELL64 structures. I will not elaborate on how to use GdiSharedHandleTable to obtain the Bitmap and attack on older Win10 versions; at the end of the article I will give a very good technical article that describes this attack in detail.
In the new version of Win10 this method has been fixed: the address obtained from GdiSharedHandleTable is no longer a valid pKernelAddress. That is to say, even if we use this approach with the handle from CreateBitmap to get an address, it is not the real pKernelAddress, and of course our protagonist pvScan0 is also wrong.
```
kd> dt @$PEB nt!_PEB GdiSharedHandleTable
   +0x0f8 GdiSharedHandleTable : 0x0000000000e00000 Void
kd> db 0x0000000000e00000+0x0b69*0x18 L8
0000000000e111d8  69 0b c2 ff ff ff ff ff  i.......
kd> dd ffffffffffc20b69
ffffffffffc20b69  ??? ??? ??? ???
kd> dd ffff9f9683d01000
ffff9f9683d01000  270501ac 00000000 00000000 00000000
ffff9f9683d01010  00000000 00000000 00000000 00000000
```
You can see that the Bitmap kernel address obtained through GdiSharedHandleTable points into a separately opened region of kernel space and differs from the real kernel address of the Bitmap. This is where gSharedInfo comes in. gSharedInfo is a very classic structure that has appeared in many kernel exploits; it contains the kernel handle table, which we can use to get the handle entries and then compute an offset to obtain the kernel object address.
The way to solve this problem is to use the AcceleratorTable (the accelerator key table). In my earlier kernel vulnerability debugging notes (part two), debugging CVE-2015-2546, the accelerator key table was used to produce a stable memory hole: allocate and free memory continuously until two allocations of the AcceleratorTable release the same kernel handle, then allocate a bitmap of the same size, so that we obtain a GDI object whose phead is the pKernelAddress.
![](/Article/UploadPic/2017-3/201731154415203.png?www.myhack58.com)
How do we get it? The handle entry has an aheList, which contains a phead object; it is a pointer to the pKernelAddress. Let's look at the gSharedInfo address. I don't know why, but it seems that many win32k structures in Win10 are opaque: the tagSharedInfo structure cannot be seen, as if it had been hidden.
```
kd> ? user32!gsharedinfo              // get the gsharedinfo address value
Evaluate expression: 140725741012608 = 00007ffd`43cdc680
```
