BlueHat IL 2025 - Yarden Shafir - Look, Ma—No Privileges! How Windows Gives You Kernel Pointers... скачать в хорошем качестве

BlueHat IL 2025 - Yarden Shafir - Look, Ma—No Privileges! How Windows Gives You Kernel Pointers...

Look, Ma—No Privileges! How Windows Gives You Kernel Pointers (Even When It Shouldn’t) ASLR (Address Space Load Randomization) and KASLR are some of the older security mitigations and have been standard in operating systems for years. All Windows kernel addresses have been fully randomized since Windows 10, even including the writeable shared user data page in Windows 11. But this doesn’t mean there aren’t ways to bypass KASLR. Many, many ways, which have been documented extensively in the past. Microsoft made an effort to limit those kernel address disclosures, first to processes running at Medium integrity level or higher, and most recently only to processes running with SeDebugPrivilege. This last addition breaks many of the commonly used exploits and techniques, putting Windows kernel exploit devs in a difficult position. But of course, not all is lost, because Windows comes to the rescue in provides kernel pointers in new and surprising places, like event logs! But those should be restricted to privileges processes only…. Or should they? There is more than one way to interact with event logs, and they do not all conform to the same security restrictions. This allows even low integrity level processes to access leaked kernel pointers, and opens the door to other interesting research areas.