If you suspend your transcription on amara.org, please add a timestamp below to indicate how far you progressed! This will help others to resume your work!
Please do not press “publish” on amara.org to save your progress, use “save draft” instead. Only press “publish” when you're done with quality control.
Each new version of Windows OS Microsoft enhances security by adding security mitigation mechanisms - Kernel land vulnerabilities are getting more and more valuable these days. For example, the easy way to escape from a sandbox is by using a kernel vulnerability. That's why Microsoft struggles to enhance security of Windows kernel.
Kernel pool allocator plays a significant role in security of whole kernel. Since Windows 7, Microsoft started to enhance the security of the Windows kernel pool allocator. In Windows 8, Microsoft has eliminated almost all reliable (previously published) techniques of exploiting kernel pool corruptions.
Then Microsoft eliminated "0xBAD0B0B0" technique in Windows 8.1, and there was no easy technique to exploit Pool Overflows on Windows 8.1
Then DKOM/DKOHM technique was present that gave really nice primitives(arbitrary read/write/execute) for kernel exploitation.
Following up Microsoft obfuscated TypeIndex in an object header leaving DKOM/DKOHM technique useless.
But Microsoft left unprotected optional headers that gave born to DKOOHM technique.
Sadly enough, Microsoft introduced brand new Kernel Memory Allocator on Windows 10 RS5 leaving current pool memory manipulation techniques useless.
This talk presents new techniques of exploiting kernel memory corruptions on Windows 10 RS5.