REinject's Blog

No matter how good our kung fu is, it can't beat guns


CVE-2021-1732 Windows 10 Local Privilege Escalation Vulnerability

The vulnerability is in the Windows kernel-mode GUI driver win32kfull.sys. When win32kfull!NtUserCreateWindowEx creates a window whose class has tagWND→cbWndExtra≠0, it calls win32kfull!xxxClientAllocWindowClassExtraBytes, which calls back into user mode (user32.dll!__xxxClientAllocWindowClassExtraBytes) to allocate the window's extra bytes. An attacker can hook this user-mode callback and use ntdll!NtCallbackReturn to hand an arbitrary value back to the kernel, which stores it as the window's extra-bytes field. Normally that value is a pointer, but when tagWND→flag has the 0x800 bit set the kernel treats the field as an offset from the kernel desktop heap base instead. Calling NtUserConsoleControl on the window from user mode, while still inside the hooked callback, sets 0x800 in tagWND→flag, so the attacker-chosen return value is afterwards added directly to the desktop heap base without any bounds check, giving an out-of-bounds read/write on the desktop heap. With that primitive the exploit locates the SYSTEM process's token and copies it over the current process's token to elevate privileges.
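The sequence above, as an added, portable C model rather than code from the original post or from any published exploit: a stand-in tagWND, a fake desktop heap, a vulnerable version of the kernel routine that stores whatever the callback returns, and a hardened version that notices the window was switched to offset mode while user mode had control. The field name pExtraBytes, the helper names, and the "hardened" check are assumptions made for the model (the check is illustrative and is not Microsoft's patch); only cbWndExtra, the flag field, the 0x800 bit and the offset-versus-pointer behaviour come from the page.

```c
#include <stdint.h>
#include <stdio.h>

/* 0x800 bit from the page: when set, the extra-bytes field holds an
 * offset from the desktop heap base rather than a pointer. */
#define WND_EXTRA_IS_OFFSET 0x800u
#define DESKTOP_HEAP_SIZE   0x1000u

/* Minimal stand-in for tagWND; pExtraBytes is an assumed name for the model. */
typedef struct {
    uint32_t  flag;
    uint32_t  cbWndExtra;
    uintptr_t pExtraBytes;   /* pointer, or heap-relative offset when 0x800 is set */
} tagWND;

static uint8_t g_desktop_heap[DESKTOP_HEAP_SIZE];  /* modelled kernel desktop heap */
static size_t  g_desktop_used;

/* Resolve the extra-bytes address the way the page says the kernel does.
 * Integer arithmetic keeps an out-of-range offset inspectable without UB. */
static uintptr_t resolve_extra_bytes(const tagWND *w) {
    if (w->flag & WND_EXTRA_IS_OFFSET)
        return (uintptr_t)g_desktop_heap + w->pExtraBytes;
    return w->pExtraBytes;
}

static int in_desktop_heap(uintptr_t addr, size_t len) {
    uintptr_t base = (uintptr_t)g_desktop_heap;
    return addr >= base && addr - base + len <= DESKTOP_HEAP_SIZE;
}

/* Model of NtUserConsoleControl's effect on the window: extra bytes move into
 * the desktop heap and the window switches to offset mode. */
static void model_console_control(tagWND *w) {
    w->pExtraBytes = g_desktop_used;          /* now an offset, not a pointer */
    g_desktop_used += w->cbWndExtra;
    w->flag |= WND_EXTRA_IS_OFFSET;
}

/* User-mode callback; its return value stands in for what NtCallbackReturn
 * passes back to the kernel. */
typedef uintptr_t (*alloc_extra_cb)(tagWND *w);

/* Vulnerable model of xxxClientAllocWindowClassExtraBytes: the callback's
 * return value is stored regardless of what happened to the window meanwhile. */
static void alloc_extra_vulnerable(tagWND *w, alloc_extra_cb cb) {
    w->pExtraBytes = cb(w);
}

/* Hardened model (illustrative check, not Microsoft's patch): if the window
 * switched to offset mode during the callback, the returned pointer is
 * meaningless, so drop it. Returns 1 on accept, 0 on reject. */
static int alloc_extra_hardened(tagWND *w, alloc_extra_cb cb) {
    uint32_t mode_before = w->flag & WND_EXTRA_IS_OFFSET;
    uintptr_t ret = cb(w);
    if ((w->flag & WND_EXTRA_IS_OFFSET) != mode_before)
        return 0;
    w->pExtraBytes = ret;
    return 1;
}

/* Benign callback: allocate in user mode and return the pointer. */
static uint8_t g_user_extra[64];
static uintptr_t benign_cb(tagWND *w) { (void)w; return (uintptr_t)g_user_extra; }

/* Hooked callback: flip the window into offset mode mid-callback, then return
 * an attacker-chosen "offset" far outside the desktop heap. */
#define ATTACKER_OFFSET 0x100000u
static uintptr_t hooked_cb(tagWND *w) {
    model_console_control(w);
    return ATTACKER_OFFSET;
}

/* 1 if the vulnerable path ends with an extra-bytes address outside the heap. */
int demo_vulnerable_is_oob(void) {
    tagWND w = { 0, 32, 0 };
    g_desktop_used = 0;
    alloc_extra_vulnerable(&w, hooked_cb);
    return (w.flag & WND_EXTRA_IS_OFFSET) &&
           !in_desktop_heap(resolve_extra_bytes(&w), w.cbWndExtra);
}

/* 1 if the hardened path refuses the hooked callback's value. */
int demo_hardened_rejects(void) {
    tagWND w = { 0, 32, 0 };
    g_desktop_used = 0;
    return alloc_extra_hardened(&w, hooked_cb) == 0;
}

/* 1 if the hardened path still accepts a normal allocation unchanged. */
int demo_hardened_accepts_benign(void) {
    tagWND w = { 0, 32, 0 };
    return alloc_extra_hardened(&w, benign_cb) == 1 &&
           resolve_extra_bytes(&w) == (uintptr_t)g_user_extra;
}

int main(void) {
    printf("vulnerable path OOB: %d\n", demo_vulnerable_is_oob());
    printf("hardened rejects hook: %d\n", demo_hardened_rejects());
    printf("hardened accepts benign: %d\n", demo_hardened_accepts_benign());
    return 0;
}
```

The point the model makes is that the bug is a state change during a kernel-to-user callback: the kernel validated nothing about the window after regaining control, so a field that was a pointer when the callback started is written as if it were still one, while the window now says it is an offset.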

HMValidateHandle Technique

The main content of this article is translated from: https://theevilbit.github.io/posts/a_simple_protection_against_hmvalidatehandle_technique/

Looking at win32k exploitation techniques in recent years, the HMValidateHandle technique is used almost everywhere. I had an idea about how to prevent this type of exploitation, and this article discusses it.


Deep Dive into Windows Scheduled Tasks and Malicious Hiding Techniques

Malware and attackers commonly use scheduled tasks as a persistence mechanism.

From a threat-detection perspective, it is essential to understand how scheduled tasks are created and run, and which processes are involved.

The article also investigates a previously undisclosed technique for hiding scheduled tasks.


Representation of Basic Data Types in C++

Process memory is like a palace in the dark — it’s hard to see what’s inside directly; you can only explore it corner by corner. This time I explore how C++ data structures are represented in memory, primarily summarized from ‘C++ Disassembly and Reverse Analysis’, with floating-point content from Chapter 2 of ‘Computer Systems: A Programmer’s Perspective’.
