Nick Sampanis

Windows 10 RS2/RS3 GDI Data-Only Exploitation Tales


On Windows 10 there is a continuous development and adoption of kernel memory corruption mitigations. This has resulted in a race to data-only attack methodologies, mainly by abusing kernel objects. In the past, the Win32k subsystem has been targeted extensively for developing such attack techniques, as it constitutes one of the most complicated and interesting surfaces of the Windows kernel. Specifically, GDI objects (such as bitmaps, palettes, and others) have been used to develop exploitation primitives and techniques.

However, since the Windows 10 anniversary update, the GDI manager has changed a lot. This presentation will focus on analyzing the absolute latest GDI manager architecture, and a new mitigation that it has introduced to stop the existing known data-only exploitation primitives. Although there is a public technique for bypassing this mitigation, it has a major shortcoming(leads to a deadlock). We will explain how this problem can be avoided, making the known bypass technique applicable in real exploitation scenarios. Moreover, we will introduce a new bypass technique, along with a fully working heap memory corruption exploit for Windows 10 RS2/RS3. We will conclude our talk with a detailed methodology on how to look for new Win32k data-only exploitation primitives, keeping in mind that we also need to bypass the new Win32k filtering mitigation.



Nikos Sampanis is a computer security researcher at CENSUS S.A. His main research interests include reverse engineering, vulnerability research, and exploit development, particularly for the Windows kernel. In his free time he enjoys to work on the same subjects as his day job.