Full visibility of a Windows Kernel Bug with Timeless Analysis (CVE-2018-8410)

Mar 26, 2019
by Mathieu
Categories: Technical -
Tags: Reverse Engineering - Windows Kernel - Scripts - CVE - Demo - REVEN -

One of the situations where REVEN (aka Tetrane) really shines is digging into undocumented kernel mechanisms, especially in cases where WinDBG abstracts information away from the user.

In the following video, we will analyze a reference counting bug in the Windows Kernel (CVE-2018-8410 published by Google Project Zero) and try to understand what actually happens in the proof of concept.

This will require following reference counters using the memory history view, a bit of exploration in REVEN’s GUI, and then using a custom Python script to extract various pieces of information. The report we build will clarify an unexpected behavior (previously described by Alex Ionescu on his blog) and explain how each of the proof of concept’s syscalls contribute to the final state of the object.

Next post: Windows boot from UEFI to kernel
Previous post: Updated Analysis of PatchGuard on Microsoft Windows 10 RS4