Make LoadLibrary Great Again - Power Of Community (powerofcommunity.net/poc2017/yunhai.pdf · 2018. 1. 9.)
Page 1
Make LoadLibrary Great Again
Yunhai Zhang
Page 2
Who am I
Researcher of NSFOCUS Security Team
Focus on Exploit Detection and Prevention
Winner of Microsoft Mitigation Bypass Bounty: 2014-2017
Page 3
Why talk about load library
Exploitation becomes convenient if the desired library can be loaded
Some mitigations are bypassed naturally:
DEP
ACG
Some mitigations can be bypassed with the help of the library:
CFG
No need to write shellcode in assembly
Page 4
How to load an arbitrary library
It is trivial once "read-write anywhere" is obtained:

```javascript
var arr = new Array();
var obj = GetObjAddress(arr);        // address of the array object (leak primitive)
var vftable = alloc(0x100);          // fake virtual function table
Write(obj, vftable);                 // point the object at the fake vftable
Write(vftable + 0x7c, LoadLibrary);  // the slot at 0x7c now resolves to LoadLibrary
// lpFileName in arr;                // the string inside arr serves as lpFileName
```
Page 5
Where to load library from
The top choice is UNC paths
It still works in IE even on the latest Windows 10 release
Page 6
Page 7
Where to load library from
The top choice is UNC paths
It does not work in Microsoft Edge
Page 8
Mitigation in Windows 10 TH1
Control Flow Guard - CFG
Page 9
Mitigation in Windows 10 TH1
Control Flow Guard - CFG
In TH1 only EnableControlFlowGuard is enabled
Page 10
Mitigation in Windows 10 TH1
CFG did not mitigate LoadLibrary-related exploits
KERNELBASE!LoadLibraryW is always a valid target
Page 11
Mitigation in Windows 10 TH1
AppContainer Isolation
Page 12
Mitigation in Windows 10 TH1
How Network Isolation works
LdrLoadDll
LdrpLoadDll
LdrpLoadDllInternal
LdrpFastpthReloadedDll LdrpProcessWork
LdrpMapDllFullPath
LdrpResolveDllName
LdrpGetNtPathFromDosPath
NtQueryAttributesFile
LdrpMapDllNtFileName
NtOpenFile NtCreateSection LdrpMapDllWithSectionHandle
LdrpMinimalMapModule
NtMapViewOfSection
0xC0000201 STATUS_NETWORK_OPEN_RESTRICTION
Page 13
Mitigation in Windows 10 TH1
How Network Isolation works
nt!NtQueryAttributesFile
nt!ObOpenObjectByNameEx
nt!ObpLookupObjectName
nt!IopParseDevice
nt!IofCallDriver
…
mrxsmb!MRxSmbFsdDispatch
rdbss!RxFsdDispatch
rdbss!RxFsdCommonDispatch
rdbss!RxCommonDevFCBIoCtl
rdbss!RxPrefixClaim
rdbss!RxFindOrConstructVirtualNetRootWithRetry
rdbss!RxFindOrConstructVirtualNetRoot
rdbss!RxCheckForNetworkOpenRestrictions
Page 14
Mitigation in Windows 10 TH1
How Network Isolation works
…
Page 15
Exploit in Windows 10 TH1
Deliver an arbitrary file to the local machine
Microsoft Edge will cache web content
Page 16
Exploit in Windows 10 TH1
Deliver an arbitrary file to the local machine
However, PE files only trigger a download
Page 17
Exploit in Windows 10 TH1
Deliver an arbitrary file to the local machine
The action is determined by the HTTP Content-Type header:
text/html => cache
application/x-msdownload => download
Page 18
Exploit in Windows 10 TH1
Deliver an arbitrary file to the local machine
Setting Content-Type to text/html makes PE files be cached
Page 19
Exploit in Windows 10 TH1
Deliver an arbitrary file to the local machine
Setting Content-Type to text/html makes PE files be cached
Page 20
Exploit in Windows 10 TH1
Deliver an arbitrary file to the local machine
LoadLibrary expects a .dll or .exe file, but that extension is not mandatory
Page 21
Exploit in Windows 10 TH1
Deliver an arbitrary file to the local machine
Where is the cached file?
C:\Users\test\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache
Page 22
Exploit in Windows 10 TH1
Deliver an arbitrary file to the local machine
Read the path from memory
CIFrameElement -> CMarkup -> CHtmCtx -> CHtmInfo -> cached file path
Page 23
Mitigation in Windows 10 TH2
Image Load Policy
Page 24
Mitigation in Windows 10 TH2
Image Load Policy
In TH2 only NoRemoteImages is enabled
Page 25
Mitigation in Windows 10 TH2
How NoRemoteImages works
LdrLoadDll
LdrpLoadDll
LdrpLoadDllInternal
LdrpFastpthReloadedDll LdrpProcessWork
LdrpMapDllFullPath
LdrpResolveDllName
LdrpGetNtPathFromDosPath
NtQueryAttributesFile
LdrpMapDllNtFileName
NtOpenFile NtCreateSection LdrpMapDllWithSectionHandle
LdrpMinimalMapModule
NtMapViewOfSection
0xC0000022 STATUS_ACCESS_DENIED
Page 26
Mitigation in Windows 10 TH2
How NoRemoteImages works
nt!NtMapViewOfSection
nt!MiMapViewOfSection
nt!MiMapViewOfImageSection
nt!MiAllowImageMap
Page 27
Mitigation in Windows 10 TH2
How NoRemoteImages works
RemoteImageFileObject | RemoteDataFileObject
AuditProhibitRemoteImageMap
Page 28
Mitigation in Windows 10 TH2
Signature Policy - CIG
Page 29
Mitigation in Windows 10 TH2
How CIG works
LdrLoadDll
LdrpLoadDll
LdrpLoadDllInternal
LdrpFastpthReloadedDll LdrpProcessWork
LdrpMapDllFullPath
LdrpResolveDllName
LdrpGetNtPathFromDosPath
NtQueryAttributesFile
LdrpMapDllNtFileName
NtOpenFile NtCreateSection LdrpMapDllWithSectionHandle
LdrpMinimalMapModule
NtMapViewOfSection
0xC0000428 STATUS_INVALID_IMAGE_HASH
Page 30
Mitigation in Windows 10 TH2
How CIG works
nt!NtCreateSection
nt!MmCreateSection
nt!MiCreateSection
nt!MiCreateImageOrDataSection
nt!MiCreateNewSection
nt!MiValidateSectionSigningPolicy
nt!MiValidateSectionCreate
nt!SeValidateImageHeader
CI!CiValidateImageHeader
CI!CipValidateImageHash
CI!CipValidateFileHash
Page 31
Mitigation in Windows 10 TH2
How CIG works
CipCalculateImageHash
Page 32
Exploit in Windows 10 TH2
Microsoft-signed libraries can still be loaded
A .NET Native image has an RWX .xdata section
Page 33
Mitigation in Windows 10 RS1
Dynamic Code Policy - ACG
Page 34
Mitigation in Windows 10 RS1
How ACG works
LdrLoadDll
LdrpLoadDll
LdrpLoadDllInternal
LdrpFastpthReloadedDll LdrpProcessWork
LdrpMapDllFullPath
LdrpResolveDllName
LdrpGetNtPathFromDosPath
NtQueryAttributesFile
LdrpMapDllNtFileName
NtOpenFile NtCreateSection LdrpMapDllWithSectionHandle
LdrpMinimalMapModule
NtMapViewOfSection
0xC0000604 STATUS_DYNAMIC_CODE_BLOCKED
Page 35
Mitigation in Windows 10 RS1
How ACG works
nt!NtMapViewOfSection
nt!MiMapViewOfSection
Page 36
Mitigation in Windows 10 RS1
How ACG works
Image
DisableDynamicCode ThreadOptOut
Executable
Page 37
Mitigation in Windows 10 RS1
How ACG works
nt!NtMapViewOfSection
nt!MiMapViewOfSection
nt!MiMapViewOfImageSection
Page 38
Mitigation in Windows 10 RS1
How ACG works
RWX
Page 39
Exploit in Windows 10 RS1
In RS1 ACG is enabled with AllowThreadOptOut
Page 40
Exploit in Windows 10 RS1
Microsoft Edge will hook VirtualAlloc for ACG Lockdown
Page 41
Exploit in Windows 10 RS1
ACG is opted out temporarily inside the hook
Page 42
Exploit in Windows 10 RS1
mf.dll will allocate a RWX page at initialization
Page 43
Mitigation in Windows 10 RS2
Dynamic Code Policy – ACG
In RS2 ACG is enabled without AllowThreadOptOut
Page 44
Exploit in Windows 10 RS2
The system call functions in ntdll.dll are almost the same
Page 45
Exploit in Windows 10 RS2
The syscall ID may change between versions
Page 46
Exploit in Windows 10 RS2
Load an old version of ntdll.dll to get a valid NtContinue
ntdll.dll version 6.3.9600.17936
ntdll.dll version 10.0.15063.0
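Added example (not the talk's code): a small detector that runs over constructed Sysmon-style ImageLoad (Event ID 7) records and flags the load sources the slides walk through: a UNC path, the Edge AppContainer cache, a non-PE extension, a non-Microsoft-signed image, and, as on the RS2 slide, a second, older ntdll.dll mapped next to the system one. The rule names, the field subset and every sample value other than the Edge cache path and the two ntdll.dll versions are assumptions.

```python
"""Flag image loads matching the LoadLibrary abuse paths covered in the talk.

Added example, not the talk's code. Input is a list of Sysmon-style ImageLoad
(Event ID 7) records reduced to the fields used here. SAMPLE_EVENTS is
constructed: the Edge cache path and the two ntdll.dll versions come from the
slides; the share address, file names and process path are made up.
"""
import ntpath
from collections import defaultdict

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM_MODULES = {"ntdll.dll", "kernel32.dll", "kernelbase.dll"}
APPCONTAINER_MARK = "\\appdata\\local\\packages\\"  # per-package AppContainer storage

EDGE_CP = r"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"
SAMPLE_EVENTS = [
    {"Image": EDGE_CP, "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "FileVersion": "10.0.15063.0", "Signed": "true", "Signature": "Microsoft Windows"},
    {"Image": EDGE_CP, "ImageLoaded": r"\\192.0.2.10\share\payload.dll",
     "FileVersion": "-", "Signed": "false", "Signature": "-"},
    {"Image": EDGE_CP, "ImageLoaded": r"C:\Users\test\AppData\Local\Packages"
     r"\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\5XK1ABCD\index[1].htm",
     "FileVersion": "-", "Signed": "false", "Signature": "-"},
    {"Image": EDGE_CP, "ImageLoaded": r"C:\Users\test\Downloads\ntdll.dll",
     "FileVersion": "6.3.9600.17936", "Signed": "true", "Signature": "Microsoft Windows"},
]


def classify(event):
    """Return the rule names that fire for one ImageLoad event."""
    low = event["ImageLoaded"].lower()
    name = ntpath.basename(low)
    hits = []
    if low.startswith("\\\\"):
        hits.append("remote_image")            # UNC load (what TH2 NoRemoteImages blocks)
    if APPCONTAINER_MARK in low and "\\ac\\" in low:
        hits.append("low_il_image")            # low-IL cache (RS3 NoLowMandatoryLabelImages)
    if not name.endswith((".dll", ".exe")):
        hits.append("non_pe_extension")        # LoadLibrary does not require .dll/.exe
    signed = event.get("Signed", "false").lower() == "true"
    if not signed or not event.get("Signature", "").startswith("Microsoft"):
        hits.append("not_microsoft_signed")    # CIG would reject this image
    if name in SYSTEM_MODULES and not low.startswith(SYSTEM_DIRS):
        hits.append("system_dll_outside_system_dir")  # e.g. an old ntdll.dll copy
    return hits


def analyze(events):
    """Run classify() over every event and add one cross-event rule.

    The cross-event rule catches the RS2 trick: two different FileVersions of
    the same system DLL (ntdll.dll) observed inside one process.
    """
    findings = []
    versions = defaultdict(set)  # (process, module name) -> FileVersions seen
    for idx, ev in enumerate(events):
        for rule in classify(ev):
            findings.append((idx, rule, ev["ImageLoaded"]))
        key = (ev["Image"].lower(), ntpath.basename(ev["ImageLoaded"].lower()))
        versions[key].add(ev.get("FileVersion", "-"))
    for (_proc, name), seen in versions.items():
        if name in SYSTEM_MODULES and len(seen) > 1:
            findings.append((-1, "duplicate_system_dll_versions", f"{name}: {sorted(seen)}"))
    return findings


if __name__ == "__main__":
    for idx, rule, detail in analyze(SAMPLE_EVENTS):
        print(f"event {idx:>2}  {rule:<32} {detail}")
```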
Page 47
Mitigation in Windows 10 RS3
Image Load Policy
In RS3 NoLowMandatoryLabelImages is enabled
Page 48
Mitigation in Windows 10 RS3
How NoLowMandatoryLabelImages works
LdrLoadDll
LdrpLoadDll
LdrpLoadDllInternal
LdrpFastpthReloadedDll LdrpProcessWork
LdrpMapDllFullPath
LdrpResolveDllName
LdrpGetNtPathFromDosPath
NtQueryAttributesFile
LdrpMapDllNtFileName
NtOpenFile NtCreateSection LdrpMapDllWithSectionHandle
LdrpMinimalMapModule
NtMapViewOfSection
0xC0000022 STATUS_ACCESS_DENIED
Page 49
Mitigation in Windows 10 RS3
How NoLowMandatoryLabelImages works
nt!NtMapViewOfSection
nt!MiMapViewOfSection
nt!MiMapViewOfImageSection
nt!MiAllowImageMap
Page 50
Mitigation in Windows 10 RS3
How NoLowMandatoryLabelImages works
Page 52
Exploit in Windows 10 RS3
In RS3 CFG StrictMode is still not enabled
Page 53
Exploit in Windows 10 RS3
A CFG-unenlightened library can still be loaded
Page 54
Page 55
Q & A