Windows内核利用技术深度解析<\/h1>

1. 令牌(Token)提权技术<\/h2>

1.1 基本原理<\/h3>
Windows进程的访问权限由令牌(Token)控制，存储在EPROCESS结构的Token字段中。通过将System进程的Token替换到目标进程的EPROCESS结构中，可以实现提权。<\/p>

1.2 关键实现步骤<\/h3>

定位System进程和目标进程的EPROCESS结构<\/li>
获取System进程的Token值<\/li>
修改目标进程EPROCESS中的Token字段<\/li>

注意Token在EPROCESS中的偏移量随Windows版本变化(如1809版本偏移为0x360)<\/li> <\/ol>

1.3 Token结构特点<\/h3>
Token是一个_EX_FAST_REF结构，由于内存对齐要求，指向内核对象的指针最低4位总是0。<\/p>

2. PreviousMode利用技术<\/h2>

2.1 PreviousMode作用机制<\/h3>

UserMode(1): 进行地址验证，防止用户态写入内核内存<\/li>

KernelMode(0): 跳过地址验证，允许任意内核内存写入<\/li> <\/ul>

2.2 利用条件<\/h3>
需要能够修改KTHREAD结构中的PreviousMode字段，将其从UserMode改为KernelMode。<\/p>

3. Windows内核池利用技术<\/h2>

3.1 池分配基础<\/h3>

主要分配函数：<\/p>

void<\/span> *<\/span>ExAllocatePoolWithTag<\/span>(POOL_TYPE PoolType, size_t NumberOfBytes, unsigned<\/span> int<\/span> Tag);
<\/span><\/span>void<\/span> ExFreePoolWithTag<\/span>(void<\/span> *<\/span>P, unsigned<\/span> int<\/span> Tag);
<\/span><\/span><\/code><\/pre>3.2 POOL_TYPE类型<\/h3>



类型<\/th>
值<\/th>
描述<\/th>
<\/tr>
<\/thead>


NonPagedPool<\/td>
0<\/td>
不可分页内存<\/td>
<\/tr>

PagedPool<\/td>
1<\/td>
可分页内存<\/td>
<\/tr>

NonPagedPoolMustSucceed<\/td>
2<\/td>
必须成功分配<\/td>
<\/tr>

NonPagedPoolCacheAligned<\/td>
4<\/td>
缓存对齐的非分页池<\/td>
<\/tr>

PoolQuota<\/td>
8<\/td>
使用配额机制<\/td>
<\/tr>

NonPagedPoolNx<\/td>
0x200<\/td>
不可执行的非分页池<\/td>
<\/tr>
<\/tbody>
<\/table>
3.3 POOL_HEADER结构<\/h3>
struct<\/span> POOL_HEADER {
<\/span><\/span>    char<\/span> PreviousSize;    \/\/ 前一个块大小\/16
<\/span><\/span><\/span><\/span>    char<\/span> PoolIndex;        \/\/ PoolDescriptor数组索引
<\/span><\/span><\/span><\/span>    char<\/span> BlockSize;        \/\/ 当前块大小\/16
<\/span><\/span><\/span><\/span>    char<\/span> PoolType;         \/\/ 池类型信息
<\/span><\/span><\/span><\/span>    int<\/span> PoolTag;           \/\/ 池标签
<\/span><\/span><\/span><\/span>    Ptr64 ProcessBilled;   \/\/ 指向分配进程的KPROCESS指针
<\/span><\/span><\/span><\/span>};
<\/span><\/span><\/code><\/pre>3.4 利用技术演变<\/h3>

Win7及之前<\/strong>：覆盖ProcessBilled指针实现任意指针解引用<\/li>
Win8引入<\/strong>：ExpPoolQuotaCookie保护机制，验证KPROCESS指针有效性<\/li>
Win10 19H1后<\/strong>：引入Segment Heap，改变了POOL_HEADER利用方式<\/li>
<\/ol>
4. Segment Heap利用技术<\/h2>
4.1 段堆后端类型<\/h3>

Segment Backend<\/strong>：分配128KB-7GB内存块<\/li>
Variable Size Backend<\/strong>：分配512B-128KB内存块<\/li>
Low Fragmentation Heap Backend<\/strong>：分配1B-512B内存块<\/li>
Large Alloc<\/strong>：超大内存分配<\/li>
<\/ol>
4.2 关键结构<\/h3>

_SEGMENT_HEAP<\/code>：段堆主结构<\/li>
_HEAP_PAGE_SEGMENT<\/code>：段头结构<\/li>
_HEAP_PAGE_RANGE_DESCRIPTOR<\/code>：页范围描述符<\/li>
<\/ul>
4.3 幽灵块(Ghost Chunk)技术<\/h3>

通过堆溢出修改下一个块的POOL_HEADER<\/li>
设置PoolType中的CacheAligned位<\/li>
控制PreviousSize字段指向伪造块<\/li>
在合法块中间创建虚假块(幽灵块)<\/li>
<\/ol>
4.4 利用步骤<\/h3>

堆喷创建合适的内存布局<\/li>
触发漏洞覆盖POOL_HEADER<\/li>
创建幽灵块实现UAF<\/li>
通过管道属性操作实现任意读写<\/li>
<\/ol>
5. I\/O Ring利用技术<\/h2>
5.1 I\/O Ring基本结构<\/h3>
typedef<\/span> struct<\/span> _IORING_OBJECT {
<\/span><\/span>    USHORT Type;
<\/span><\/span>    USHORT Size;
<\/span><\/span>    NT_IORING_INFO Info;
<\/span><\/span>    PSECTION SectionObject;
<\/span><\/span>    PVOID KernelMappedBase;
<\/span><\/span>    PMDL Mdl;
<\/span><\/span>    PVOID MdlMappedBase;
<\/span><\/span>    ULONG_PTR ViewSize;
<\/span><\/span>    ULONG SubmitInProgress;
<\/span><\/span>    PVOID IoRingEntryLock;
<\/span><\/span>    PVOID EntriesCompleted;
<\/span><\/span>    PVOID EntriesSubmitted;
<\/span><\/span>    KEVENT RingEvent;
<\/span><\/span>    PVOID EntriesPending;
<\/span><\/span>    ULONG BuffersRegistered;
<\/span><\/span>    PIORING_BUFFER_INFO BufferArray;  \/\/ RegBuffers
<\/span><\/span><\/span><\/span>    ULONG FilesRegistered;
<\/span><\/span>    PHANDLE FileHandleArray;
<\/span><\/span>} IORING_OBJECT;
<\/span><\/span><\/code><\/pre>5.2 利用原理<\/h3>

通过漏洞覆盖IoRing->RegBuffers指向伪造缓冲区数组<\/li>
使用伪造数组指定内核地址进行读写<\/li>
22H2后需要使用IOP_MC_BUFFER_ENTRY结构<\/li>
<\/ol>
5.3 IOP_MC_BUFFER_ENTRY结构<\/h3>
typedef<\/span> struct<\/span> _IOP_MC_BUFFER_ENTRY {
<\/span><\/span>    USHORT Type;
<\/span><\/span>    USHORT Reserved;
<\/span><\/span>    ULONG Size;
<\/span><\/span>    ULONG ReferenceCount;
<\/span><\/span>    ULONG Flags;
<\/span><\/span>    _LIST_ENTRY GlobalDataLink;
<\/span><\/span>    PVOID Address;        \/\/ 目标地址
<\/span><\/span><\/span><\/span>    ULONG Length;         \/\/ 长度
<\/span><\/span><\/span><\/span>    CHAR AccessMode;
<\/span><\/span>    ULONG MdlRef;
<\/span><\/span>    struct<\/span> _MDL*<\/span> Mdl;
<\/span><\/span>    KEVENT MdlRundownEvent;
<\/span><\/span>    PULONG64 PfnArray;
<\/span><\/span>    BYTE PageNodes[1<\/span>];
<\/span><\/span>} IOP_MC_BUFFER_ENTRY;
<\/span><\/span><\/code><\/pre>5.4 典型利用流程(CVE-2023-21768)<\/h3>

创建I\/O Ring和命名管道<\/li>
获取I\/O Ring对象地址<\/li>
覆盖RegBuffers和RegBuffersCount<\/li>
构造伪造的IOP_MC_BUFFER_ENTRY数组<\/li>
通过BuildIoRingReadFile\/BuildIoRingWriteFile进行内核读写<\/li>
替换目标进程Token实现提权<\/li>
<\/ol>
6. 防御机制与绕过技术<\/h2>
6.1 主要防御机制<\/h3>

ExpPoolQuotaCookie：保护ProcessBilled指针<\/li>
NonPagedPoolNx：不可执行内存保护<\/li>
Segment Heap：改变内存管理方式<\/li>
22H2的IOP_MC_BUFFER_ENTRY：更严格的缓冲区验证<\/li>
<\/ol>
6.2 绕过技术<\/h3>

利用PoolType中的CacheAligned位<\/li>
通过幽灵块实现UAF<\/li>
结合管道属性操作实现任意读写<\/li>
使用I\/O Ring机制实现内核内存操作<\/li>
<\/ol>
7. 实用工具与技术<\/h2>
7.1 关键API<\/h3>

NtQuerySystemInformation<\/code>：获取系统信息(如SystemBigPoolInformation)<\/li>
NtFsControlFile<\/code>：操作管道属性<\/li>
CreateIoRing<\/code>：创建I\/O Ring<\/li>
BuildIoRingReadFile<\/code>\/BuildIoRingWriteFile<\/code>：I\/O Ring读写操作<\/li>
<\/ol>
7.2 调试命令<\/h3>

dt nt!_EPROCESS<\/code>：查看EPROCESS结构<\/li>
dt nt!_SEGMENT_HEAP<\/code>：查看段堆结构<\/li>
dt nt!_HEAP_SEG_CONTEXT<\/code>：查看段后端上下文<\/li>
<\/ol>
8. 总结与趋势<\/h2>
Windows内核利用技术随着防御机制的增强而不断演进：<\/p>

从直接的Token替换到复杂的池利用<\/li>
从简单的堆溢出到幽灵块技术<\/li>
从传统的池操作到I\/O Ring等新机制利用<\/li>
利用原语从任意读写发展为更精细的内存操作<\/li>
<\/ol>
未来内核利用可能会更多关注：<\/p>

新引入的内核子系统<\/li>
硬件特性与内核的交互<\/li>
虚拟化环境下的内核行为<\/li>
跨进程\/跨会话的内核对象操作<\/li>
<\/ol>

类型<\/th>	值<\/th>	描述<\/th> <\/tr> <\/thead>
NonPagedPool<\/td>	0<\/td>	不可分页内存<\/td> <\/tr>
PagedPool<\/td>	1<\/td>	可分页内存<\/td> <\/tr>
NonPagedPoolMustSucceed<\/td>	2<\/td>	必须成功分配<\/td> <\/tr>
NonPagedPoolCacheAligned<\/td>	4<\/td>	缓存对齐的非分页池<\/td> <\/tr>
PoolQuota<\/td>	8<\/td>	使用配额机制<\/td> <\/tr>
NonPagedPoolNx<\/td>	0x200<\/td>	不可执行的非分页池<\/td> <\/tr> <\/tbody> <\/table> 3.3 POOL_HEADER结构<\/h3> struct<\/span> POOL_HEADER { <\/span><\/span> char<\/span> PreviousSize; \/\/ 前一个块大小\/16 <\/span><\/span><\/span><\/span> char<\/span> PoolIndex; \/\/ PoolDescriptor数组索引 <\/span><\/span><\/span><\/span> char<\/span> BlockSize; \/\/ 当前块大小\/16 <\/span><\/span><\/span><\/span> char<\/span> PoolType; \/\/ 池类型信息 <\/span><\/span><\/span><\/span> int<\/span> PoolTag; \/\/ 池标签 <\/span><\/span><\/span><\/span> Ptr64 ProcessBilled; \/\/ 指向分配进程的KPROCESS指针 <\/span><\/span><\/span><\/span>}; <\/span><\/span><\/code><\/pre>3.4 利用技术演变<\/h3> Win7及之前<\/strong>：覆盖ProcessBilled指针实现任意指针解引用<\/li> Win8引入<\/strong>：ExpPoolQuotaCookie保护机制，验证KPROCESS指针有效性<\/li> Win10 19H1后<\/strong>：引入Segment Heap，改变了POOL_HEADER利用方式<\/li> <\/ol> 4. Segment Heap利用技术<\/h2> 4.1 段堆后端类型<\/h3> Segment Backend<\/strong>：分配128KB-7GB内存块<\/li> Variable Size Backend<\/strong>：分配512B-128KB内存块<\/li> Low Fragmentation Heap Backend<\/strong>：分配1B-512B内存块<\/li> Large Alloc<\/strong>：超大内存分配<\/li> <\/ol> 4.2 关键结构<\/h3> _SEGMENT_HEAP<\/code>：段堆主结构<\/li> _HEAP_PAGE_SEGMENT<\/code>：段头结构<\/li> _HEAP_PAGE_RANGE_DESCRIPTOR<\/code>：页范围描述符<\/li> <\/ul> 4.3 幽灵块(Ghost Chunk)技术<\/h3> 通过堆溢出修改下一个块的POOL_HEADER<\/li> 设置PoolType中的CacheAligned位<\/li> 控制PreviousSize字段指向伪造块<\/li> 在合法块中间创建虚假块(幽灵块)<\/li> <\/ol> 4.4 利用步骤<\/h3> 堆喷创建合适的内存布局<\/li> 触发漏洞覆盖POOL_HEADER<\/li> 创建幽灵块实现UAF<\/li> 通过管道属性操作实现任意读写<\/li> <\/ol> 5. I\/O Ring利用技术<\/h2> 5.1 I\/O Ring基本结构<\/h3> typedef<\/span> struct<\/span> _IORING_OBJECT { <\/span><\/span> USHORT Type; <\/span><\/span> USHORT Size; <\/span><\/span> NT_IORING_INFO Info; <\/span><\/span> PSECTION SectionObject; <\/span><\/span> PVOID KernelMappedBase; <\/span><\/span> PMDL Mdl; <\/span><\/span> PVOID MdlMappedBase; <\/span><\/span> ULONG_PTR ViewSize; <\/span><\/span> ULONG SubmitInProgress; <\/span><\/span> PVOID IoRingEntryLock; <\/span><\/span> PVOID EntriesCompleted; <\/span><\/span> PVOID EntriesSubmitted; <\/span><\/span> KEVENT RingEvent; <\/span><\/span> PVOID EntriesPending; <\/span><\/span> ULONG BuffersRegistered; <\/span><\/span> PIORING_BUFFER_INFO BufferArray; \/\/ RegBuffers <\/span><\/span><\/span><\/span> ULONG FilesRegistered; <\/span><\/span> PHANDLE FileHandleArray; <\/span><\/span>} IORING_OBJECT; <\/span><\/span><\/code><\/pre>5.2 利用原理<\/h3> 通过漏洞覆盖IoRing->RegBuffers指向伪造缓冲区数组<\/li> 使用伪造数组指定内核地址进行读写<\/li> 22H2后需要使用IOP_MC_BUFFER_ENTRY结构<\/li> <\/ol> 5.3 IOP_MC_BUFFER_ENTRY结构<\/h3> typedef<\/span> struct<\/span> _IOP_MC_BUFFER_ENTRY { <\/span><\/span> USHORT Type; <\/span><\/span> USHORT Reserved; <\/span><\/span> ULONG Size; <\/span><\/span> ULONG ReferenceCount; <\/span><\/span> ULONG Flags; <\/span><\/span> _LIST_ENTRY GlobalDataLink; <\/span><\/span> PVOID Address; \/\/ 目标地址 <\/span><\/span><\/span><\/span> ULONG Length; \/\/ 长度 <\/span><\/span><\/span><\/span> CHAR AccessMode; <\/span><\/span> ULONG MdlRef; <\/span><\/span> struct<\/span> _MDL*<\/span> Mdl; <\/span><\/span> KEVENT MdlRundownEvent; <\/span><\/span> PULONG64 PfnArray; <\/span><\/span> BYTE PageNodes[1<\/span>]; <\/span><\/span>} IOP_MC_BUFFER_ENTRY; <\/span><\/span><\/code><\/pre>5.4 典型利用流程(CVE-2023-21768)<\/h3> 创建I\/O Ring和命名管道<\/li> 获取I\/O Ring对象地址<\/li> 覆盖RegBuffers和RegBuffersCount<\/li> 构造伪造的IOP_MC_BUFFER_ENTRY数组<\/li> 通过BuildIoRingReadFile\/BuildIoRingWriteFile进行内核读写<\/li> 替换目标进程Token实现提权<\/li> <\/ol> 6. 防御机制与绕过技术<\/h2> 6.1 主要防御机制<\/h3> ExpPoolQuotaCookie：保护ProcessBilled指针<\/li> NonPagedPoolNx：不可执行内存保护<\/li> Segment Heap：改变内存管理方式<\/li> 22H2的IOP_MC_BUFFER_ENTRY：更严格的缓冲区验证<\/li> <\/ol> 6.2 绕过技术<\/h3> 利用PoolType中的CacheAligned位<\/li> 通过幽灵块实现UAF<\/li> 结合管道属性操作实现任意读写<\/li> 使用I\/O Ring机制实现内核内存操作<\/li> <\/ol> 7. 实用工具与技术<\/h2> 7.1 关键API<\/h3> NtQuerySystemInformation<\/code>：获取系统信息(如SystemBigPoolInformation)<\/li> NtFsControlFile<\/code>：操作管道属性<\/li> CreateIoRing<\/code>：创建I\/O Ring<\/li> BuildIoRingReadFile<\/code>\/BuildIoRingWriteFile<\/code>：I\/O Ring读写操作<\/li> <\/ol> 7.2 调试命令<\/h3> dt nt!_EPROCESS<\/code>：查看EPROCESS结构<\/li> dt nt!_SEGMENT_HEAP<\/code>：查看段堆结构<\/li> dt nt!_HEAP_SEG_CONTEXT<\/code>：查看段后端上下文<\/li> <\/ol> 8. 总结与趋势<\/h2> Windows内核利用技术随着防御机制的增强而不断演进：<\/p> 从直接的Token替换到复杂的池利用<\/li> 从简单的堆溢出到幽灵块技术<\/li> 从传统的池操作到I\/O Ring等新机制利用<\/li> 利用原语从任意读写发展为更精细的内存操作<\/li> <\/ol> 未来内核利用可能会更多关注：<\/p> 新引入的内核子系统<\/li> 硬件特性与内核的交互<\/li> 虚拟化环境下的内核行为<\/li> 跨进程\/跨会话的内核对象操作<\/li> <\/ol>

Windows内核利用技术深度解析<\/h1>

1. 令牌(Token)提权技术<\/h2>

1.1 基本原理<\/h3> Windows进程的访问权限由令牌(Token)控制，存储在EPROCESS结构的Token字段中。通过将System进程的Token替换到目标进程的EPROCESS结构中，可以实现提权。<\/p>

1.3 Token结构特点<\/h3> Token是一个_EX_FAST_REF结构，由于内存对齐要求，指向内核对象的指针最低4位总是0。<\/p>

2. PreviousMode利用技术<\/h2>

2.2 利用条件<\/h3> 需要能够修改KTHREAD结构中的PreviousMode字段，将其从UserMode改为KernelMode。<\/p>

3. Windows内核池利用技术<\/h2>

4. Segment Heap利用技术<\/h2>

5. I\/O Ring利用技术<\/h2>

6. 防御机制与绕过技术<\/h2>

7. 实用工具与技术<\/h2>

1.1 基本原理<\/h3>
Windows进程的访问权限由令牌(Token)控制，存储在EPROCESS结构的Token字段中。通过将System进程的Token替换到目标进程的EPROCESS结构中，可以实现提权。<\/p>

1.3 Token结构特点<\/h3>
Token是一个_EX_FAST_REF结构，由于内存对齐要求，指向内核对象的指针最低4位总是0。<\/p>

2.2 利用条件<\/h3>
需要能够修改KTHREAD结构中的PreviousMode字段，将其从UserMode改为KernelMode。<\/p>