Download the presentation here.

Sam Brown presented ‘A Window into Ring0’ / ‘A chain is only as strong as its weakest win32k’ at Securi-Tay and Steelcon 2017.

With the rise of sandboxes and locked-down user accounts, attackers are increasingly resorting to attacking kernel mode code to gain full access to compromised systems. The talk provided an overview of the Windows kernel mode attack surface and how to interact with it. It then covered the tools available for finding bugs in Windows kernel mode code and drivers, highlighted some of the lower-hanging fruit and common mistakes, and described the steps being taken (or not being taken) to mitigate the risks posed.

The talk also covered common exploitation techniques used to gather information about the state of kernel mode memory and to gain code execution as SYSTEM. Finally, the talk walked through exploiting CVE-2016-7255 on modern 64-bit versions of Windows.

The accompanying source code can be found on GitHub, and recordings of the talk have been uploaded from both Steelcon and Securi-Tay.