2019-12-27, 11:30–12:30, Borg
Nowadays, Windows is still the most popular OS used in the world. It's very important for red teams / attackers to maintain the authority after they get into the OS by penetration test. So they need a vulnerability to hide in windows to escalate their account to system privilege.
In this presentation, we will share the methodology about how we started this work to analyze Windows internals. We will explain the inner workings of this technique and how we analyzed ALPC and Component Object Model(COM) in Windows OS. By analyzing historical bugs, we are able to extract their features from multiple vulnerabilities.
We will develop an IDA plugin to analyze the execution path of target interfaces. Through this way we could find out the interface that called the specified sensitive operation.
In fact, we found a large number of vulnerable modules in the ALPC and COM object, which allows the attacker to cross the security boundary and directly access the system.