In this article I briefly introduce the basics of Windows kernel pool overflow vulnerabilities and how to exploit one by spraying the kernel pool with a mix of kernel objects and overwriting an object's TypeIndex.

0x01 Introduction

After completing the BlackHat AWE course, I wanted to study discovering and exploiting some kernel vulnerabilities. Although I thought HackSys Extreme Vulnerable Driver (HEVD) was an excellent learning target, for me it was not enough, since I had not yet discovered and exploited a vulnerability in a real application. So after the course I slowly started developing a Windows kernel device driver fuzzer. Using this private fuzzer, I discovered the vulnerability described in this article. The exploitation technique is not new, but a slight twist lets an attacker apply it to almost any pool allocation size. This article is mainly my own learning reference; I hope it helps others who are trying pool vulnerability exploitation.

0x02 Vulnerability discovery

While testing some SCADA products, I came across a third-party component called WinDriver. After a brief look, I found it was Jungo's DriverWizard WinDriver. This product is bundled with multiple SCADA products, and usually an old version. After installation, it places a device driver named windrvr1240.sys in the Windows drivers directory. After some reverse engineering, I found a few IOCTL codes and put those IOCTL values into my fuzzer configuration file.

[image]

Then I ran verifier /volatile /flags 0x1 /adddriver windrvr1240.sys to enable special pool, and started my fuzzer. Eventually I found several exploitable vulnerabilities, in particular this one:

[image]
The user controls the data stored at [esi+ecx], and the write goes out of bounds of a kernel pool allocation. Excellent! On closer inspection I noticed that this is a pool overflow triggered by the inline copy operation at loc_4199D8.

[image]

This copy loop copies 8 bytes (one QWORD) per iteration and overflows a buffer of size 0x460 (0x458 + 0x8 bytes of header). The copy size is indirectly controlled by the attacker via the output buffer. No integer overflow is needed, and the size is not hidden anywhere obscure: at 0x004199E8 we can see that the size is attacker-controlled, taken from offset +0x18 of the supplied buffer. Too easy!

0x03 Vulnerability exploitation

Now to the interesting part. A common trick is to overwrite an object's TypeIndex. This technique has been published in many places, some as early as 6 years ago, so I won't go into too much detail. Basically, you use any kernel object so that you can overwrite the TypeIndex stored in its _OBJECT_HEADER. Objects used in past exploits include the Event object (size 0x40) and the IoCompletionReserve object (size 0x60). Typical exploitation goes as follows:

1. Spray the pool with objects of size X, filling a page of memory.
2. Free adjacent objects in the page to create "holes", triggering coalescing so that the holes match the target block size (0x460 in our example).
3. Allocate and overflow a buffer, hoping to land in a "hole", corrupting the next object's _OBJECT_HEADER and ultimately its TypeIndex.

For example, if your overflow buffer size is 0x200, you would allocate a bunch of Event objects and free 0x8 of them at a time (0x40*0x8 == 0x200). This way you get a "hole" into which you can allocate and overflow.
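To make the missing check in the copy loop from section 0x02 concrete, here is an added user-mode model of that loop (8 bytes per iteration, length taken from input offset +0x18, 0x458-byte destination) with the bounds check that would prevent the overflow. This is example code, not WinDriver's; the request layout (0x18-byte header, 8-byte QWORD count, then payload) and the status names are assumptions.

```c
/* Assumed request layout: [0x18 bytes header][u64 qword_count][qword_count * 8 bytes payload] */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define DEST_BUFFER_SIZE 0x458u  /* pool block size from the article, minus the 8-byte pool header */
#define LENGTH_OFFSET    0x18u   /* offset of the attacker-controlled length in the input buffer */

/* Status codes modelled on NTSTATUS-style results (values are assumptions). */
enum copy_status { COPY_OK = 0, COPY_INVALID_PARAMETER = 1, COPY_BUFFER_TOO_SMALL = 2 };

/* Hardened copy: validate the length against both buffers before copying a single QWORD.
 * input_len is the length the I/O manager reports for the caller's buffer. */
enum copy_status copy_qwords_checked(uint8_t *dest, size_t dest_len,
                                     const uint8_t *input, size_t input_len)
{
    if (input_len < LENGTH_OFFSET + sizeof(uint64_t))
        return COPY_INVALID_PARAMETER;   /* input too short to even hold the length field */

    uint64_t qword_count;
    memcpy(&qword_count, input + LENGTH_OFFSET, sizeof qword_count);

    /* Bound the count before multiplying so qword_count * 8 cannot wrap around. */
    if (qword_count > dest_len / sizeof(uint64_t))
        return COPY_BUFFER_TOO_SMALL;    /* would overflow the 0x458-byte block */
    size_t nbytes = (size_t)qword_count * sizeof(uint64_t);

    /* Payload follows the length field; the caller must have supplied all of it. */
    size_t payload_off = LENGTH_OFFSET + sizeof(uint64_t);
    if (input_len - payload_off < nbytes)
        return COPY_INVALID_PARAMETER;

    for (size_t i = 0; i < nbytes; i += sizeof(uint64_t))   /* one QWORD per iteration */
        memcpy(dest + i, input + payload_off + i, sizeof(uint64_t));
    return COPY_OK;
}

/* Builds a constructed request with the given QWORD count and 0x41 filler payload.
 * Returns the request length, or 0 if it does not fit in out_cap. */
size_t build_request(uint8_t *out, size_t out_cap, uint64_t count)
{
    size_t total = LENGTH_OFFSET + sizeof(uint64_t) + (size_t)count * sizeof(uint64_t);
    if (count > out_cap / sizeof(uint64_t) || total > out_cap)
        return 0;
    memset(out, 0, total);
    memcpy(out + LENGTH_OFFSET, &count, sizeof count);
    memset(out + LENGTH_OFFSET + sizeof(uint64_t), 0x41, (size_t)count * sizeof(uint64_t));
    return total;
}
```

With the check in place, a request whose count exceeds 0x8b QWORDs (0x458 / 8) is rejected instead of running past the end of the allocation.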
Therefore, we need the target pool block size modulo the kernel object size to be 0. The problem is that some sizes cannot satisfy this. For example, assuming our pool block size is 0x460:

[image]

There is always a remainder. This means we cannot construct a properly sized "hole" for our block. So what can we do? There are ways to handle this problem. One way is to find a kernel object whose size divides our target buffer size. I spent some time on this and found two other kernel objects:

[image]

However, their sizes are useless, since they don't divide 0x460 either. After a bit more testing, I confirmed that the following modulus works:

[image]

Great! 0x460 is a multiple of 0xa0, so can we get kernel objects of size 0xa0? We can, by combining an Event object and an IoCompletionReserve object (0x40+0x60=0xa0). Spraying:

[image]

The function above sprays 50,000 objects: 25,000 Event objects and 25,000 IoCompletionReserve objects. In WinDbg it looks perfect:

[image]

The "IoCo" tag indicates an IoCompletionReserve object, while "Even" indicates an Event object. Note that our first block is at offset 0x60, which is the offset where we will start freeing. We free several groups of objects, calculated as follows:

[image]