Windows Exploit Engineering Foundation
4200€ | 30th of September to the 3rd of October 2024 | Espace Vinci, Rue des Jeuneurs, Paris, France
This class is meant to show the approach an exploit developer or bug hunter should take in attacking a previously unknown component in the Windows kernel. The training is primarily focused around labs to teach the students what it takes to exploit a real-world vulnerability. This class focuses on exploiting CVE-2018-8611 on Windows 10 x64 1809 (RS5), a complex race condition that leads to a use-after-free on the non-paged kernel pool. The vulnerability is in the Kernel Transaction Manager (KTM) driver (tm.sys), a component that has not received much public scrutiny. Even though students will learn a lot about the KTM component, we focus on our approach for analyzing this component as a new kernel component that we had no prior knowledge about. The methodology can be reused for any other unknown kernel components a student may encounter in the future. We do not specifically focus on tricks or techniques for bypassing specific Windows versions mitigations, but rather on the thought process behind exploring functionality to find useful unmitigated code paths and also abusing the bug in ways that allow to build powerful primitives that would facilitate mitigation bypasses. The tools/VM we provide during this training are generic and can be reused after the class to assist exploiting other Windows kernel vulnerabilities.
Objectives of the training
Setup an efficient Windows kernel debugging environment
Modern reverse engineering and binary patch diffing
How to approach exploiting a vulnerability on a previously unknown target
Step-by-step real-world Windows kernel exploit on Windows 10 1809 (RS5) x64
The trainer
Who will run this training?
Cedric
Halbronn
NCC Group
@saidelike
Cedric Halbronn is a security researcher in NCC Group’s Exploit Development Group. He has been exploiting lots of different targets over the past 15+ years. At NCC Group, he has published some work related to Windows kernel, Linux kernel, Cisco ASA, printers, NAS, etc.
Syllabus
What will we do?
Agenda
Part 1: Debug environment
- VMWare
- WinDbg
- Ghidra
- ret-sync
- Visual Studio
- Lab: Debug environment setup
Part 2: Binary diffing Microsoft updates
- Tools of the trade
- Efficient use of the IDA/Ghidra decompiler to analyze the root cause
- Lab: Basic binary diffing
Part 3: Kernel Transaction Manager (KTM) basics
- KTM objects and APIs
- KTM internals
- Use of public tools for finding data
- Lab: KTM experimentation
Part 4: Understanding CVE-2018-8611
- Root cause vs effect
- Planning exploitation strategy
- Tools of the trade
- Lab: Better binary diffing
- Lab: Reaching vulnerable code
- Lab: Triggering CVE-2018-8611 in a debugger
Part 5: Exploitation techniques
- Bypassing mitigations
- Windows non-paged pool manipulation
- Lab: Bad vs good feng shui
- Lab: Getting controlled UAF in a debugger
Part 6: More exploitation techniques
- Winning the race without a debugger
- Exploitation strategies
- Lab: Debugging tricks and race win detection
- Lab: Discovering a kernel leak
- Lab: Restoring cleaned execution
Part 7: How to escalate privileges
- Write primitive and privilege escalation strategy
- Lab: Arbitrary read and write primitives with write 0 and PreviousMode primitive
- Lab: Privilege escalation
- Arbitrary increment primitive and PreviousMode limitations
- Lab: Arbitrary read and write primitives with increment primitive
Pre-requisites
- Comfortable with x86/x64 assembly and reversing it
- C knowledge (reading/writing)
- Comfortable with disassemblers/decompilers (IDA, Ghidra, etc) and debuggers (WinDbg, x64dbg, gdb, etc)
- Familiarity with memory corruption exploitation on any OS
- Windows kernel internals basic knowledge
Hardware/Software Requirements
- Base OS: Windows (recommended) or Linux
- VMware virtualisation software
- At least 80GB of free disk space
- At least 8GB of RAM
- 2 VMs will be provided: debugger/development VM and target/vulnerable VM (the host can be used instead of the debugger VM if Windows-based)