
I fell into a Ring0 of Fire: Windows Kernel Shellcode

BSides KC · 2017 · 16:54 · 98 views · Published 2017-07
About this talk
Spencer Davis walks through the construction of Windows kernel shellcode for privilege escalation via token stealing. The talk covers the kernel data structures involved (KPCR, KPRCB, KTHREAD, EPROCESS), three categories of kernel payloads, and a detailed walkthrough of a privilege-escalation exploit that traverses the running processes to locate the System token and copy it into a user-mode command prompt. A live demonstration using a Street Fighter driver vulnerability shows the shellcode in action.
Transcript [en]

I thank you for coming into burning green zero fire very poor John have fun, but we're still with it. So who am I, if you guys don't know: I'm experienced old over desecurity great way to work if you guys it now I'll take the boy wise. Why is it important? Really, it's not important; it kind of depends on what you're trying to get at. If you're like a red team or something like that and you want to know what happens to be pulsing total exploit GB is right across your fingers, this might be important. The main objective of the talk was to give you guys a look at what happens in kernel space whenever you're making a kernel exploit.

So basically how the talk is going to go: we're going to go over four different kernel data structures, the KPCR, KPRCB, KTHREAD and EPROCESS. Then we're going to jump into the three different kinds of kernel shellcode that you're going to find; the three categories I've created pretty much encompass the entirety of the shellcode you can find out there. We've got the token-stealing shellcode that I've created specifically for the talk, and we're going to have a deep dive on that and walk through it, and finally we've got a live demonstration.

Windows kernel data structures. I included this picture because they're not exactly the most moral thing to go for the robot or bring the tops on the roof like so. Before I can talk about the different data structures that we're going to have, we need to kind of discuss what a data structure is in the first place. So the definition is: a way of organizing data in a computer so that it can be used efficiently. I kind of created two diagrams here so that we can get an idea of what all the abstraction is like. So Alan does most of years interviewing a person, and you're going to find things with your eyes: the colors, the personality X which one music as you imagine personality you can excel upon digital book. So that once do actually what's going to be an event structure with mass after that you get simple intervener - Trinity integers and sex being character. So for using Billy for instance, Billy hearing doubly live personalities funny that once you know blended structure which is this line personality this is a humors are you think there's no jokes you find those people think that they'd also feel about the village. My second point years old is this result.

So jumping straight into some of the different kernel data structures: we've got the KPCR, which is the kernel processor control region. It basically contains per-CPU information that the kernel and hardware abstraction layer use to just manage reviews for the most part. The KPRCB is actually the kernel processor control block, which is essentially an extension of the KPCR. I've included them in the diagram; these aren't the entire structures, but it just shows a bit of the things that you'll find in them. So if you've ever used a program like CPUID that just pulls hardware information and brings it back to you, it actually just makes function calls to the structure to pull information back so that way you can view it.

So the next structures we're going to have are the KTHREAD and the EPROCESS. Basically they're both the same thing, just in different contexts: one in the context of a thread, one in the context of a process. Basically what they hold is: there's one structure for every single running thread and one structure for every single running process on the system, so any time you fire off a new process, one of these new structures is created, and it just holds different information that the kernel keeps to maintain the process. The EPROCESS structure has over a little bit of the only starting to that completely relevant to the token-stealing shellcode.

So there's three different kinds of kernel shellcode; I think three general categories that you're going to find pretty much encompass all the different payloads that you'll find out there. The first one is going to be rootkit installation, which can happen in many different ways, but essentially what you're trying to do is source of have an executable that's going to start stabili and still be as well to thank time. You don't really see that too much anymore because there's a lot of protections in place to kind of prevent stuff like this; like rootkits, you don't really see them anymore because if you move pretty much effectively if it's destroyed, that if you're not ready to contribute at this point in time then you are way behind. The second one is executing an arbitrary user-mode payload, so agile applying shortly whatever you're manually react. So for stuff like this it's a lot easier sometimes to call an alternative: execute something like spawning a new process, doing something like that. It's much more tedious and meticulous to create that manually in the kernel, so you would just call an alternative process. And the third one, which we're going to go over today, is going to be elevating a user-mode process, which is essentially stealing a token from a high-priority process and shoving it into a low-priority process, a low-privileged process.

So the shellcode I created for today actually looks kind of intimidating once you look at it, but hopefully what I'd like to do is break it down in such a way that it provides full technical information on the methodology I used to create it, as well as articulating the information clearly for people that don't believe the stuff if it is. So a quick breakdown: I broke it down into a set of functions of what's going to happen throughout the process. The first one is the most difficult one to get through; hopefully I've included enough for everybody to understand it. It's traversing the different kernel data structures to ultimately get to EPROCESS, and EPROCESS is basically just a structure that open I've never run across a machine line system. Basically what we're going to do is we're going to traverse every single running EPROCESS structure to ultimately find PID 4, and for some of you guys that don't know what PID 4 is, it's actually the System process, which holds the system-level access token that we're going to steal. Then we're going to have find system, which basically grabs that token that I was talking about, that system-level access token, and puts it in a register to be used later. Then we're going to go to find cmd, so whenever I start the initial exploit I spawn a command prompt and we dynamically shove that PID into the shellcode, so we're going to scan all the running processes again looking for our command prompt, and then steal token cmd, which basically just overrides the token value with the system-level access token that we stole from the System process. And the final function is going to be return, which is basically just exiting cleanly from the kernel and not blue-screening the system.

So a quick visual on what's going to happen in the start function; we'll go over it piece by piece, but essentially what's going to happen is we're going to start in the KPCR, jump to the KPRCB, and then jump to the KTHREAD; from there we're going to jump to the EPROCESS and we'll traverse every single running EPROCESS structure looking for PID 4. So what's the goal of the start function? Just like I said, it's traversing various kernel structures, ultimately ending in the EPROCESS structure. The route that we're going to take is KPCR to the KPRCB to KTHREAD, ultimately ending up in EPROCESS. And there actually is a reason that we start at the KPCR: it actually starts at the same location across all Windows operating systems, going all the way back to XP. So if you were creating shellcode for this kind of stuff back in the XP days, you'd be following the same methodology that you would see in Windows 10. So on 64-bit operating systems, which is what we're going to be attacking today, it always starts at gs:[0], which sounds kind of intimidating but it's basically just as you see it on the screen: it says gs:0. And a 32-bit operating system starts at step that ii do of x.

So this is output I want to go through, just for the start function. This is output straight from a kernel debugger, just as you would see it. Basically what I'm doing here is I'm jumping to the structure of the KPCR; so like I said earlier, at 0x180 hex the KPRCB actually starts. So we get the first instruction, which starts at gs:0, and 0x188 hex down from that is the member CurrentThread, which is a pointer to the KTHREAD, which is where we're trying to get to. So just a quick visual on what's actually happening: we're jumping from the KPCR, jumping to the KPRCB, and then jumping again to the KTHREAD.

So now we finally want to get to the EPROCESS structure. So once we get in here we've got a pointer to the KTHREAD, and at 0x220 down (I should also mention that some of these offsets change depending on the operating system that you're on; all the kernel structures are different going all the way back, so you can dynamically generate these depending on how stable you want the exploit to be, a visa that they offer work). So this one we're doing here is 0x220 hex; then you've got the ApcState member, and that gives you a pointer to the KPROCESS. So we were at KTHREAD, at 0x220 you have the ApcState.Process member, and that gives us a pointer to the KPROCESS. Point of view the part of my - I wish I would've made an extra slide to elaborate on this: the KPROCESS is actually an embedded structure within EPROCESS, and it starts at offset 0, so it's effectively the EPROCESS. So inadvertently, from getting a pointer to the KPROCESS, we have an EPROCESS pointer as well.

So the final step in the start function is traversing all the processes, right? So once we get to EPROCESS, if you see at 0x2f0 hex we have what's called ActiveProcessLinks, and that is a LIST_ENTRY kernel structure. Essentially, if you're a programmer you know, and I have a diagram to explain it: a linked list is basically just an array that's not in one contiguous block of memory. So instead of it being in one spot of memory it can be all over the place, and it's kind of like connecting the dots: they all know where each other are. So what's going to happen is you're going to have a back link and a forward link that point to each other, and it kind of gets a little bit more clear during the visual. So if you'll see here at the bottom you've got a Blink and a Flink, the forward link and the back link, and if you were to start at the middle process and you wanted to go back to the first process, you follow the Blink, which is just a memory address, and if you want to go to the next one you follow the Flink. That's essentially how we jump through all the running processes. So just one quick recap of the whole start function: if you get through this, the rest of it is pretty easy. You're going to start at the KPCR, jump to the KPRCB, jump to KTHREAD, get to EPROCESS, and then jump through all the running processes on the machine.

So the second function is going to be find system. So as I said, basically what we're going to do is we're going to be looking for process ID 4, so we're going to scan all those running processes on the machine and find the one that's PID 4. So a quick visual of what happens: we're checking every single one. Is it PID 4? No, it's not; go to the next process. Is it PID 4? No, that's not the process we want. And we're going to go down to the next function, which grabs the system token. So within the EPROCESS structure there's a token value at 0x358 hex, and 0x358 hex contains the token, which is the user context the process is running in. So for PID 4, the user that it's running as is NT AUTHORITY\SYSTEM, which is the highest-level local user you can have on a machine. So once we do that, basically what we're going to do is we're going to shove this into a register, RCX in this case. Without going into too much assembly or anything like that, just think of a register as a storage space. So we're going to shove that value into that storage and then we're going to use it later.

So then, as I said, whenever I first start the initial exploit I spawn a command prompt and we dynamically dump that process ID into our shellcode. Basically what we're going to do here is the same exact thing we did on the System process, but we're going to be looking for our actual command prompt. So just like the other picture: is it the process ID of our command prompt? No, go on to the next one, and then finally we found the command prompt. So essentially what we're going to do here is we're going to take that value that we had in RCX, the system access token, and we're going to shove it into the command prompt that we currently have. So essentially what should happen here is we take that system value, we shove it in and overwrite our low-privileged token, and hopefully we have a system-level access token.

So the final function, which is return, which I kind of just put in here for technical details in case somebody was trying to recreate this methodology later down the road: this is usually the most difficult part of creating the shellcode, just because the stack's not usually in the right place whenever you're trying to return. If you return to an incorrect location then you're going to just blue-screen the machine and all your progress is over, and it's really, really hang on the buck for an exploit developer.

So on to the live demonstration. Essentially what we're going to do here is we're going to use a utility called OSR Loader, which will dynamically have a handle to shove a driver into memory, and the driver at birth is exploitable. I'm not sure if any of you guys are familiar with this, but whenever you play the new Street Fighter game they ship this new driver with anti-cheat. So obviously what happens is, whenever they had this really great idea: as soon as you enter into the driver, it disables protections, runs code, and then re-enables protections. Somebody actually discovered a stack-based overflow in that, so you don't even have to worry about protections or anything like this in this case. So I wrote an exploit that utilizes that same exact shellcode; all I had to do is I just went through the driver and shoved it into kernel space. So if you can see right now, I do whoami: just a low-privileged user, just a regular user. But if I run the exploit, what you can see here is the very first thing, which is the most important of what I've gone over: it's going to spawn a new command prompt with a specific process ID that we'll shove dynamically into the shellcode. You've got various other things that you need to interact with a driver. So any time you make any kind of request to the driver, it's through a DeviceIoControl function, and you need to get a handle on the driver before you do that, so that's what the second part is. The third part is actually using VirtualAlloc; it's a Windows named Josh that you can allocate space within the kernel, and that's where I actually set my shellcode. We do this buffer overflow, which redirects to the shellcode, is essentially what happens. So if everything works perfectly we didn't blue-screen, so hopefully if I do whoami right here we're running as NT AUTHORITY\SYSTEM, and that's going to pretty much be it, just in take the life of a fail and then we have and I learned.

Actually, at this point there really is not. So if you get into kernel space you pretty much have free rein to do whatever you want. There is some protection in Windows 10 against jumping straight back. So typically, if this driver hadn't disabled protections, run code and then re-enabled protections after, I would have had to do some alternative stuff to get memory or get shellcode into kernel space, because we have a new protection called SMEP, which basically doesn't allow you to jump from kernel space straight to user land with thank you email in a bikini Oh II met. Actually in this case it would, but as you probably know they've actually just continued, like, support for that kind of stuff, so I'm not sure actually if they've extended it further, but there are some pretty well-known bypasses for that kind of stuff; none that I've had to deal with personally yet, but end up kind of course I know that there's a how happen touch touch home. Thank you.
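The walk the talk describes (KPCR, KPRCB, KTHREAD, EPROCESS, then around ActiveProcessLinks by Flink) is the same walk a defender can use to spot the result of the steal-token step: a process whose Token points at the very same token object as PID 4. The following is an added example, not the speaker's code; it is a user-mode simulation in C with a toy MOCK_EPROCESS structure (assumed names: MOCK_EPROCESS, link_processes, find_by_pid, count_processes_sharing_system_token, simulated_scan), constructed sample processes and constructed token addresses. The struct is a stand-in, not the real kernel layout, so the 0x2e0/0x2f0/0x358 offsets quoted in the talk do not apply to it.

```c
/* Added example (not from the talk): simulate the EPROCESS list walk and
 * use it as a defender's check for a process whose token object is
 * identical to the System process's. All names and values are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same shape as the kernel's LIST_ENTRY: forward and back links. */
typedef struct list_entry {
    struct list_entry *Flink;
    struct list_entry *Blink;
} LIST_ENTRY;

/* Toy stand-in for EPROCESS; only the fields the walk and the check need. */
typedef struct mock_eprocess {
    uint64_t   UniqueProcessId;     /* PID; 4 is the System process */
    LIST_ENTRY ActiveProcessLinks;  /* links this process to its neighbours */
    uint64_t   Token;               /* stand-in for the EX_FAST_REF to the _TOKEN */
    char       ImageFileName[16];
} MOCK_EPROCESS;

/* Recover the containing structure from a pointer to its list-entry field. */
#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

/* The real Token field is an EX_FAST_REF: on x64 the low 4 bits hold a
 * reference count, so comparisons of the object pointer must mask them. */
#define TOKEN_OBJECT(ref) ((ref) & ~(uint64_t)0xF)

/* Link n processes into a circular doubly-linked list, as the kernel does. */
static void link_processes(MOCK_EPROCESS *procs, size_t n) {
    for (size_t i = 0; i < n; i++) {
        procs[i].ActiveProcessLinks.Flink = &procs[(i + 1) % n].ActiveProcessLinks;
        procs[i].ActiveProcessLinks.Blink = &procs[(i + n - 1) % n].ActiveProcessLinks;
    }
}

/* Walk the list from any starting process by following Flink until we are
 * back where we started; return the process with the given PID, or NULL. */
static MOCK_EPROCESS *find_by_pid(MOCK_EPROCESS *start, uint64_t pid) {
    LIST_ENTRY *head = &start->ActiveProcessLinks;
    LIST_ENTRY *cur = head;
    do {
        MOCK_EPROCESS *p = CONTAINING_RECORD(cur, MOCK_EPROCESS, ActiveProcessLinks);
        if (p->UniqueProcessId == pid)
            return p;
        cur = cur->Flink;
    } while (cur != head);
    return NULL;
}

/* Detection heuristic: every legitimately created process owns its own
 * token object, so a process whose Token resolves to the same object as
 * PID 4's is a strong sign its token was overwritten in place.
 * Returns the number of such processes, or -1 if PID 4 is not in the list. */
static int count_processes_sharing_system_token(MOCK_EPROCESS *start) {
    MOCK_EPROCESS *sys = find_by_pid(start, 4);
    if (sys == NULL)
        return -1;
    int hits = 0;
    LIST_ENTRY *head = &start->ActiveProcessLinks;
    LIST_ENTRY *cur = head;
    do {
        MOCK_EPROCESS *p = CONTAINING_RECORD(cur, MOCK_EPROCESS, ActiveProcessLinks);
        if (p != sys && TOKEN_OBJECT(p->Token) == TOKEN_OBJECT(sys->Token)) {
            printf("suspicious: PID %llu (%s) shares System's token object\n",
                   (unsigned long long)p->UniqueProcessId, p->ImageFileName);
            hits++;
        }
        cur = cur->Flink;
    } while (cur != head);
    return hits;
}

/* Constructed sample: three processes, each with its own token object.
 * With overwrite_cmd_token != 0 the cmd.exe entry's Token is replaced by
 * System's object pointer (the effect of the steal-token step), keeping
 * only cmd's own reference-count bits; this is the case the check must catch. */
static int simulated_scan(int overwrite_cmd_token) {
    MOCK_EPROCESS procs[3];
    memset(procs, 0, sizeof procs);
    procs[0].UniqueProcessId = 4;    strcpy(procs[0].ImageFileName, "System");
    procs[1].UniqueProcessId = 1234; strcpy(procs[1].ImageFileName, "explorer.exe");
    procs[2].UniqueProcessId = 4321; strcpy(procs[2].ImageFileName, "cmd.exe");
    procs[0].Token = 0xffffa00000001003ULL;  /* constructed; low nibble = refcount */
    procs[1].Token = 0xffffa00000002005ULL;
    procs[2].Token = 0xffffa00000003001ULL;
    link_processes(procs, 3);
    if (overwrite_cmd_token)
        procs[2].Token = TOKEN_OBJECT(procs[0].Token) | (procs[2].Token & 0xF);
    /* start the walk from an arbitrary process, as the shellcode does */
    return count_processes_sharing_system_token(&procs[1]);
}

int main(void) {
    printf("clean list: %d suspicious\n", simulated_scan(0));
    printf("after token overwrite: %d suspicious\n", simulated_scan(1));
    return 0;
}
```

A real scanner over a memory image or a live kernel has to resolve the EPROCESS field offsets for the exact build (the talk notes they move between versions) rather than hard-code them, and it should also mask the EX_FAST_REF count bits as above, otherwise two processes holding the same token object with different reference counts would compare unequal and the overwrite would be missed.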