BugTraq
[Positive Research] Intel SMEP overview and partial bypass on Windows 8 (whitepaper) Sep 17 2012 04:00PM
noreply ptsecurity ru
Intel SMEP overview and partial bypass on Windows 8 (whitepaper).

"
<...>
It is natural to conclude that if you can't store your shellcode in the user-mode, you have to find a way to store it somewhere in the kernel space. The most obvious solution is using Windows objects such as WinAPI (Events, Timers, Sections etc) or GDI (Brushes, DCs etc). They are accessed indirectly from the user-mode via WinAPI that uses system calls. The point is that the object body is kept in the kernel and somehow some object fields can be modified from the user-mode, so an attacker can transfer the needed shellcode bytes from the user-mode memory to the kernel-mode.
<...>
"

-----[ Full details ]
---[ Blog

http://blog.ptsecurity.com/2012/09/intel-smep-overview-and-partial-bypass.html

---[ Whitepapers

English version (PDF):
http://www.ptsecurity.com/download/SMEP_overview_and_partial_bypass_on_Windows_8.pdf

Russian version (PDF):
http://www.ptsecurity.ru/download/Technology_Overview_Intel_SMEP_and_partial_bypass_on_Windows_8.pdf

Thx!

---------------------------------
AShishkin[at]ptsecurity[dot]ru

http://www.ptsecurity.com
http://blog.ptsecurity.com
http://www.phdays.com
