https://nesl42.github.io/tags/windows/ 敬渊's Blog Hugo 0.154.5 & FixIt v0.4.3-20260123080729-2a5bd268 zh-CN Thu, 24 Aug 2023 00:00:00 +0000 https://nesl42.github.io/posts/2023-8-scoopthewindows10pool/ Thu, 24 Aug 2023 00:00:00 +0000 https://nesl42.github.io/posts/2023-8-scoopthewindows10pool/ Technology <blockquote> <p>SSTIC2020-Article-pool_overflow_exploitation_since_windows_10_19h1-bayet_fariello.pdf <a href="https://github.com/synacktiv/Windows-kernel-SegmentHeap-Aligned-Chunk-Confusion" target="_blank" rel="external nofollow noopener noreferrer">https://github.com/synacktiv/Windows-kernel-SegmentHeap-Aligned-Chunk-Confusion</a> <a href="https://paper.seebug.org/1743/" target="_blank" rel="external nofollow noopener noreferrer">https://paper.seebug.org/1743/</a></p> <p><a href="https://github.com/cbayet/Exploit-CVE-2017-6008/blob/master/Windows10PoolParty.pdf" target="_blank" rel="external nofollow noopener noreferrer">https://github.com/cbayet/Exploit-CVE-2017-6008/blob/master/Windows10PoolParty.pdf</a></p> </blockquote> <p><strong>摘要</strong>：堆溢出是应用程序中相当常见的漏洞。利用这类漏洞通常依赖于对用于管理堆的基础机制的深入理解。Windows 10 最近改变了其在内核空间中管理堆的方式。本文旨在介绍Windows NT内核中堆机制的最新演变，并介绍针对内核池的新的利用技术。</p> https://nesl42.github.io/posts/2023-8-kernelpoolexploitationonwin7/ Wed, 16 Aug 2023 00:00:00 +0000 https://nesl42.github.io/posts/2023-8-kernelpoolexploitationonwin7/ Technology <blockquote> <p><a href="https://dl.packetstormsecurity.net/papers/general/kernelpool-exploitation.pdf" target="_blank" rel="external nofollow noopener noreferrer">https://dl.packetstormsecurity.net/papers/general/kernelpool-exploitation.pdf</a> <a href="https://media.blackhat.com/bh-dc-11/Mandt/BlackHat_DC_2011_Mandt_kernelpool-wp.pdf?source=post_page" target="_blank" rel="external nofollow noopener noreferrer">https://media.blackhat.com/bh-dc-11/Mandt/BlackHat_DC_2011_Mandt_kernelpool-wp.pdf?source=post_page</a> <a href="https://www.sstic.org/media/SSTIC2020/SSTIC-actes/pool_overflow_exploitation_since_windows_10_19h1/SSTIC2020-Article-pool_overflow_exploitation_since_windows_10_19h1-bayet_fariello.pdf" target="_blank" rel="external nofollow noopener noreferrer">https://www.sstic.org/media/SSTIC2020/SSTIC-actes/pool_overflow_exploitation_since_windows_10_19h1/SSTIC2020-Article-pool_overflow_exploitation_since_windows_10_19h1-bayet_fariello.pdf</a></p> </blockquote> <p><strong>摘要</strong>：在Windows 7中，微软引入了safe unlinking技术来解决影响Windows内核的安全公告日益增多的问题。在从双向链表中删除条目之前，safe unlinking旨在通过验证相邻列表条目的指针来检测内存损坏。因此，攻击者不能轻易地利用通用技术来利用泄漏池溢出或其他泄漏池损坏漏洞。本文中，我们展示了尽管引入了安全措施，Windows 7仍然容易受到通用内核池(kernel pool)攻击的影响。特别是，我们展示了在某些条件下，池分配器可能无法安全地unlink空闲列表条目，从而允许攻击者破坏任意内存。为了防止这些攻击，我们提出了进一步加固和增强内核池安全性的方法。</p> https://nesl42.github.io/posts/2023-8-hevd/ Sat, 12 Aug 2023 00:00:00 +0000 https://nesl42.github.io/posts/2023-8-hevd/ Technology <p>本文记录自己学习HEVD的全过程。</p> <blockquote> <p>差不多全部完成了，还有一些小的问题需要完善，然后还有几篇文没有好好看，挑个时间好好看下</p> <p>就这样吧，待完善的东西以后再说</p> https://nesl42.github.io/posts/2023-7-win-syscalljourney/ Mon, 03 Jul 2023 00:00:00 +0000 https://nesl42.github.io/posts/2023-7-win-syscalljourney/ Technology <p>本文记录一下syscall的“旅程”。</p> <p>这里使用的是<code>win10x64 22H2 19045.3086</code></p> <ul> <li> <p>与其他进程、内存、驱动器或文件系统交互时，使用 <code>Kernel32.dll</code> 中的函数</p> </li> <li> <p>与 Windows GUI 交互，使用的是 <code>user32.dll</code> 和 <code>gdi32.dll</code> 中的函数</p>