Reverse Engineering Windows AFD.sys

Formal Metadata

Title: Reverse Engineering Windows AFD.sys
Subtitle: Uncovering the Intricacies of the Ancillary Function Driver
Part Number: 11
Number of Parts: 18
License: CC Attribution 3.0 Unported. You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract
What happens when you make a socket() call in Windows? This presentation will briefly walk through the rather well documented Winsock user-mode framework before diving into the turmoil of ring 0. There is no map to guide us here. Our adventure begins where MSDN ends, and our first stop along the way is an IOCTL to AFD.sys, the awkwardly named Ancillary Function Driver. This driver is of particular interest because it is so widely used, yet most people who use it do not even know it exists. Nearly every Windows program managing sockets depends on this driver. Even more interesting is that the device created by AFD.sys is accessible from every sandbox Google Project Zero looked at. In fact, there is not even support to restrict access to this device until Windows 8.1. Staying true to Windows style, AFD.sys is a complex driver with over 70 reachable IOCTLs and support for everything from SAN to TCP. It is no wonder that this driver weighs in at 500KB. This complexity combined with accessibility breeds a robust ring 0 attack surface. Current fuzzing efforts will also be shared in this presentation, and by the time we are done you should have a good idea of what happens when making a socket() call without having to spend hours in IDA to figure it out.