Analysing the NULL SecurityDescriptor kernel exploitation mitigation in the latest Windows 10 v1607 Build 14393

tl;dr: We recently discovered a new and quietly released Windows kernel exploitation defence. Exploiting a kernel bug by setting the pointer to the SecurityDescriptor to NULL in the header of a process object running as SYSTEM won’t work from Windows 10 v1607 (Build 14393).  If you want to know why, keep reading.

Download in PDF format.

Note: This article was originally written by Kyriakos Economou (@kyREcon) for Nettitude labs.

Enjoy,
kyREcon

 

Share