Sponsors
POC Conference is made possible thanks to the support of our sponsors. Their continued partnership has played a vital role in sustaining and growing POC over the years. We sincerely thank them for their contribution.
Security Researcher
This class shows the approach an exploit developer or bug hunter should take when attacking a previously unknown component in the Windows kernel. The training is built primarily around hands-on labs that teach students what it takes to exploit a real-world vulnerability.
This class focuses on exploiting CVE-2018-8611 on Windows 10 x64 1809 (RS5), a complex race condition that leads to a use-after-free on the non-paged kernel pool. The vulnerability is in the Kernel Transaction Manager (KTM) driver (tm.sys), a component that has not received much public scrutiny.
Students will be able to put their new knowledge into practice by exploiting other vulnerabilities in KTM on Windows 11 x64 (CVE-2024-43570 and CVE-2024-43535).
Even though students will learn a lot about the KTM component, the emphasis is on our approach to analyzing it as a new kernel component we had no prior knowledge of. The methodology can be reused for any other unknown kernel component a student may encounter in the future. We do not specifically focus on tricks or techniques for bypassing the mitigations of particular Windows versions. Instead, we teach the thought process behind exploring a component's functionality to find your own ways of abusing the bug, building powerful primitives that in turn make mitigation bypasses possible.
“Give a (wo)man a mitigation bypass and you feed them for an exploit. Teach a (wo)man to find their own bypasses and you feed them for a lifetime.”
The tools/VM we provide during this training are generic and can be reused after the class to assist exploiting other Windows kernel vulnerabilities.
Hey, I’m Cedric Halbronn (X: @saidelike, Mastodon: @saidelike), a security researcher specialised in vulnerability research and exploit development with over 15 years of experience. I have been targeting lots of different software and hardware: Android, iPhone, Windows, Linux, SOHO devices, HP iLO, etc., with a focus on reliability and usability in real-world situations. I won Pwn2Own in 2021 and 2022. I have spoken at many security conferences (OffensiveCon, Hexacon, RECon, HITB). I am the founder of EZSecLab and the maintainer of the “Windows Kernel Exploitation: Becoming an Advanced Exploit Developer” training.