Since the release of Windows 10 and especially in the Anniversary and Creators Updates, Microsoft has continued to introduce exploit mitigations to the Windows kernel. These include full scale KASLR and blocking kernel pointer leaks.
This presentation picks up the mantle and reviews the powerful read and write kernel primitives that can still be leveraged despite the most recent hardening mitigations. The presented techniques include abusing the kernel-mode Window and Bitmap objects, which Microsoft has attempted to lock down several times. Doing so will present a generic approach to leveraging write-what-where vulnerabilities.
A stable and precise kernel exploit must be able to overcome KASLR, most often using kernel driver leaks. I will disclose several previously unknown KASLR bypasses in Windows 10 Creators Update. Obtaining kernel-mode code execution on Windows has become more difficult with the randomization of Page Table entries. I will show how a generic de-randomization of the Page Table entries can be performed through dynamic reverse engineering. Additionally, I will present an entirely different method which makes the usage of Page Table entries obsolete. This method allocates an arbitrary size piece of executable kernel pool memory and transfers code execution to it through hijacked system calls