Explore the intricacies of Windows kernel security in this 55-minute conference talk from Recon 2019. Delve into the last generic Win32K KASLR (Kernel Address Space Layout Randomization) defeat in Windows, presented by Alex Ionescu. Gain insights into the two heaps and the leaks in user32!gSharedInfo and the PEB, as well as GdiSharedHandleTable and the TEB. Examine Win32ClientInfo and the changes implemented in RS4. Investigate the Segment Heap and the bug that keeps the heap header mapped. Discover novel use cases, including breaking the CRC segment heap cookie and retrieving additional pointers. Consider the potential for Local Privilege Escalation (LPE) through an ARW (arbitrary read/write) primitive. Conclude with an assessment of the current state of KASLR in Windows, enhancing your understanding of kernel security mechanisms and vulnerabilities.