Windows Heap-backed Pool: The Good, the Bad, and the Encoded

Presented at Black Hat USA 2021, Aug. 5, 2021, 1:30 p.m. (40 minutes)

For decades the Windows kernel pool stayed essentially the same: simple allocation structures that were easy to read, parse and search for. That recently changed. The pool is now built on a new and far more complex design, one that breaks long-standing assumptions, existing exploits and, of course, the tools and debugger extensions that depended on the old layout.

The new design modernizes the kernel pool and makes it significantly more efficient. It also has significant security implications, both good and bad: the major code changes break a lot of existing code and may make future pool-related exploits harder to write, or in some cases nearly impossible.

But could this open up a whole new attack surface as well?
Presenters:

  • Yarden Shafir - Software Engineer, CrowdStrike
    Yarden Shafir is a Software Engineer at CrowdStrike, working on EDR features, and a consultant for Winsider Seminars & Solutions Inc., co-teaching security trainings. Previously, she worked at SentinelOne as a security researcher and QA engineer. Outside of her primary work duties, Yarden writes articles and tools and gives talks on topics such as CET internals, extension host hooking and kernel exploit mitigations. Outside of infosec, Yarden is a circus artist, teaching and performing aerial arts.
