Alex Ionescu - Subverting Windows 2003 Service Pack 1 Kernel Integrity Protection

Windows 2003 Service Pack 1 introduces new features into the kernel which protect against previous methods of accessing kernel memory from user mode without the use of a driver. For example, user-mode access to the \Device\PhysicalMemory section and to the ZwSystemDebugControl API has now been completely blocked, so that editing kernel memory through physical addresses, installing a call gate or modifying the IDT are no longer viable ways of crossing from Ring 3 to Ring 0.

Unfortunately, it is the author's belief that many legitimate applications need access to physical memory from user mode without any intent of touching kernel-mode memory. Such applications might, for example, need to map the BIOS or video ROM, or read ACPI tables.

This presentation will detail a method of bypassing one of these new security measures, giving physical memory access back to user-mode applications and re-enabling ZwSystemDebugControl, by relying on a previously undiscovered flaw in Windows that is exploitable only by administrators. A simple fix for this flaw will also be given. The presentation will also shed light on the new Win32 APIs exposed in Windows 2003 Service Pack 1 and above, EnumSystemFirmwareTables and GetSystemFirmwareTable, to give hardware manufacturers a supported way of restoring the lost functionality of user-mode diagnostic and other programs that accessed device-specific physical memory. Obtaining a SYSTEM primary token, VDM initialization and a new method of transferring from Ring 3 to Ring 0 without the use of a driver are the main topics which will be discussed.
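As an added example (not part of Ionescu's talk or any code he released), the following C program shows the documented route the abstract points hardware vendors to: enumerating ACPI tables with EnumSystemFirmwareTables, fetching each one with GetSystemFirmwareTable, and validating what comes back instead of trusting it. The DESCRIPTION_HEADER layout and the whole-table checksum rule are from the ACPI specification and the provider value 0x41435049 is the documented 'ACPI' constant; the helper names and the constructed sample table are the example's own. The Win32 calls are compiled only under _WIN32, so on other systems the parser runs over the constructed table, which is what lets the validation logic be exercised offline.

```c
/* Added example: reading ACPI tables via the Win32 firmware-table APIs
 * and validating them, instead of mapping \Device\PhysicalMemory.
 * Helper names and the sample table are this example's own inventions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

#define ACPI_PROVIDER   0x41435049u /* documented 'ACPI' provider signature */
#define ACPI_HEADER_LEN 36          /* size of an ACPI DESCRIPTION_HEADER */

typedef struct {
    char     signature[5];
    uint32_t length;
    uint8_t  revision;
    char     oem_id[7];
    char     oem_table_id[9];
    uint32_t oem_revision;
    int      checksum_ok;   /* 1 if all Length bytes sum to 0 mod 256 */
} acpi_header_info;

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse a table header and verify the checksum over the whole table.
 * Returns 0 on success, -1 if the buffer is too short or the Length field
 * does not fit in it. Firmware-supplied sizes are untrusted input, so
 * Length is bounds-checked before it drives the loop. */
int acpi_parse(const uint8_t *buf, size_t buflen, acpi_header_info *out) {
    if (buflen < ACPI_HEADER_LEN) return -1;
    memset(out, 0, sizeof *out);
    memcpy(out->signature, buf, 4);
    out->length   = rd32(buf + 4);
    out->revision = buf[8];
    memcpy(out->oem_id, buf + 10, 6);
    memcpy(out->oem_table_id, buf + 16, 8);
    out->oem_revision = rd32(buf + 24);
    if (out->length < ACPI_HEADER_LEN || out->length > buflen) return -1;
    uint8_t sum = 0;
    for (uint32_t i = 0; i < out->length; i++) sum = (uint8_t)(sum + buf[i]);
    out->checksum_ok = (sum == 0);
    return 0;
}

/* Constructed sample: a 40-byte table (36-byte header + 4 payload bytes)
 * with a valid checksum, used where the Win32 APIs are not available. */
#define SAMPLE_LEN 40
void build_sample_table(uint8_t *buf) {
    static const uint8_t payload[4] = { 0xDE, 0xAD, 0xBE, 0xEF };
    memset(buf, 0, SAMPLE_LEN);
    memcpy(buf, "FACP", 4);
    buf[4] = SAMPLE_LEN;                 /* Length (little-endian, one byte) */
    buf[8] = 1;                          /* Revision */
    memcpy(buf + 10, "EXAMPL", 6);       /* OEMID */
    memcpy(buf + 16, "EXAMPLE1", 8);     /* OEM Table ID */
    memcpy(buf + 28, "ADDD", 4);         /* Creator ID */
    memcpy(buf + ACPI_HEADER_LEN, payload, 4);
    uint8_t sum = 0;
    for (int i = 0; i < SAMPLE_LEN; i++) sum = (uint8_t)(sum + buf[i]);
    buf[9] = (uint8_t)(0u - sum);        /* checksum byte: make the sum 0 */
}

/* Run the parser on the sample: 1 = good table, 0 = checksum mismatch,
 * -1 = header too short or Length inconsistent with the bytes present. */
int check_sample(int tamper, size_t present_len) {
    uint8_t buf[SAMPLE_LEN];
    acpi_header_info h;
    build_sample_table(buf);
    if (tamper) buf[ACPI_HEADER_LEN] ^= 0xFF;   /* flip one payload byte */
    if (present_len > SAMPLE_LEN) present_len = SAMPLE_LEN;
    if (acpi_parse(buf, present_len, &h) != 0) return -1;
    return h.checksum_ok;
}

#ifdef _WIN32
/* Enumerate and validate every ACPI table the OS exposes. Enumerated IDs are
 * passed back unchanged: their bytes spell the signature in memory order, which
 * is why a hand-written literal for FACP has to be 'PCAF', a frequent pitfall. */
static int dump_acpi_tables(void) {
    UINT bytes = EnumSystemFirmwareTables(ACPI_PROVIDER, NULL, 0);
    if (bytes == 0) { fprintf(stderr, "enum failed: %lu\n", GetLastError()); return -1; }
    DWORD *ids = malloc(bytes);
    if (!ids || EnumSystemFirmwareTables(ACPI_PROVIDER, ids, bytes) != bytes) { free(ids); return -1; }
    for (UINT i = 0; i < bytes / sizeof(DWORD); i++) {
        UINT sz = GetSystemFirmwareTable(ACPI_PROVIDER, ids[i], NULL, 0);
        uint8_t *buf = sz ? malloc(sz) : NULL;
        if (!buf) continue;
        acpi_header_info h;
        if (GetSystemFirmwareTable(ACPI_PROVIDER, ids[i], buf, sz) == sz &&
            acpi_parse(buf, sz, &h) == 0)
            printf("%s len=%u rev=%u oem=%s table=%s checksum %s\n", h.signature,
                   h.length, h.revision, h.oem_id, h.oem_table_id,
                   h.checksum_ok ? "ok" : "BAD");
        else
            printf("table %u: unreadable or malformed header\n", i);
        free(buf);
    }
    free(ids);
    return 0;
}
#endif

int main(void) {
#ifdef _WIN32
    return dump_acpi_tables();
#else
    printf("sample table: %s\n", check_sample(0, SAMPLE_LEN) == 1 ? "ok" : "bad");
    return 0;
#endif
}
```

The point of the checksum and Length checks is that this path gives a program the table bytes without any kernel-memory access at all, so the program gains nothing by trusting them blindly; a table whose Length exceeds the buffer the API reported would otherwise drive an out-of-bounds read in the consumer.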