Overview
Explore the intricacies of the Windows kernel pool in this 39-minute Black Hat conference talk. Delve into the recent changes to the Windows kernel pool structure, which moved from a simple, easily readable design to a more complex architecture. Examine how these modifications affect existing assumptions, exploits, tools, and debugger extensions. Investigate the new attack surfaces that may have emerged from these changes. Learn about kernel APIs, pre-RS5 structures, RS5 structures, size considerations, segment contexts, heap page segments, ranges, LFH buckets, and exploitation techniques. Discover the mitigations that were implemented, the benefits of the new design, and the concept of the Secure Pool. Gain insights into pool analysis tools and their applications in this evolving landscape of Windows kernel security.
Syllabus
Introduction
What is the kernel pool
Kernel APIs
Before RS5
RS5 Structure
Size Matters
Seg Context
Seg Segments
Heap Page Segment
Ranges
LFH vs
LFH buckets
Exploitation
Mitigations
Benefits
The Secure Pool
Pool Analysis Tools
Conclusion
Taught by
Black Hat