#HITB2018AMS

In the past few years, data only kernel exploitation has been on the rise, since 2011 abusing and attacking Desktop heap objects, to gain a higher exploit primitives, was seen in many exploits. Moving forward to 2015 the focus has changed to GDI subsystem, and the discovery of the GDI Bitmaps objects, abuse, as well as in 2017 the GDI Palettes object abuse technique was released at DefCon 25, all of these techniques aim to, gain arbitrary/relative kernel memory read/write, to further the exploit chain.

In this talk we will focus on some of the discovered techniques and objects, and how we were able using Type Isolation released in RS4 to mitigate those exploitation techniques.

===

Saif is a security engineer in the Microsoft Security Response Center’s Vulnerability & Mitigations team. He has a keen interest in exploit development and sharing everything he learns. He spends his time doing vulnerability research against Microsoft products and understanding new exploitation techniques and their real world applications.

Previous Talks and Publications:

Defcon 25 Demystifying Windows kernel Exploitation By Abusing GDI objects (https://www.defcon.org/html/defcon-25...)
Macro-less Code Exec in MSWord: https://sensepost.com/blog/2017/macro...
Defcon 23 Extending Fuzzing Grammars to Exploit Unexplored Code Paths in Modern Web Browsers: (https://www.defcon.org/html/defcon-23...)
Exploiting MS16-098 RGNOBJ Integer Overflow on Windows 8.1 x64 bit by abusing GDI objects (https://sensepost.com/blog/2017/explo...)
BlackHat USA 2016 Arsenal presenting DET (https://www.blackhat.com/us-16/presen...)
PowerShell, C-Sharp, DDE and MS16-032 The Power Within (https://sensepost.com/blog/2016/power...)
Exploits, tutorials and vulnerabilities: Exploit-db (https://www.exploit-db.com/author/?a=..., packetstorm (https://packetstormsecurity.com/files...) and my own site containing Linux Exploitation tutorials (http://www.elsherei.com/).

---

Ian Kronquist enjoys working at the confluence of systems programming and security, building mitigations for Windows kernel vulnerabilities at Microsoft. He previously worked on a hypervisor designed to detect and stop malware at an antivirus startup called Barkly Protects in Boston, Massachusetts. Ian graduated from Oregon State University with a BS in Computer Science, and spent his college years working at the OSU Open Source Lab. Ian has traveled throughout Europe and Asia and spent a year studying the Turkish language and folk music in Southern Turkey.