Windows SMEP Bypass

U=S
Nicolas A. Economou
Enrique E. Nissim

PA G E
 Schedule
- Reviewing Modern Kernel Protections
- Introducing SMEP
- Windows SMEP bypass techniques – Part 1
- Windows Paging Mechanism
- Windows SMEP bypass techniques – Part 2
- DEMO
- Conclusions

PA G E 2
 Reviewing Modern Protections
- DEP/NX: is a security feature included in modern operating
systems. It marks areas of memory as either "executable" or
"nonexecutable".

- NonPagedPoolNX: new type of pool introduced in Windows 8

- KASLR: Address-space layout randomization (ASLR) is a well-

known technique to make exploits harder by placing various
objects at random, rather than fixed, memory addresses.

- NULL Dereference Protection: cannot alloc the null page.

PA G E 3
 Reviewing Modern Protections
- Integrity Levels: call restrictions for applications running in
low integrity level – since Windows 8.1.

- KMCS: Kernel-mode software must be digitally signed to be

loaded on x64-based versions of Windows Vista and later
versions of the Windows family of operating systems.

- KPP: Kernel Patch Protection (informally known as

PatchGuard): is a feature of x64 editions of Windows that
prevents patching common structures of the kernel.(Hooking
IDT, SSDT, GDT, LDT is out of the table).

PA G E 4
 Reviewing Modern Protections
- SMAP: allows pages to be protected from supervisor-mode
data accesses. If SMAP = 1, software operating in supervisor
mode cannot access data at linear addresses that are
accessible in user mode.

- SMEP: Supervisor Mode Execution Prevention allows pages to

be protected from supervisor-mode instruction fetches. If
SMEP = 1, software operating in supervisor mode cannot
fetch instructions from linear addresses that are accessible in
user mode.

PA G E 5
 SMEP

PA G E
 What is SMEP?
- Aka: “Supervisor Mode Execution Prevention”

- Detects RING-0 code running in USER SPACE

- Introduced at Intel processors based on the Ivy

Bridge architecture

- Security feature launched in 2011

PA G E 7
 What is SMEP on Windows?
- Enabled by default since Windows 8.0 (32/64
bits)

- Kernel exploit mitigation

- Specially “Local privilege escalation” exploits

must now consider this feature.

PA G E 8
 How does it work?
- Feature enabled by the OS

- Detects ring-0 code running in user space

- User space = Memory space used by applications programs
(stack, heap, code, etc).

- Ring-0 code is used by kernel OSs

- Ring-3 code is used by applications

PA G E 9
 SMEP CPU support
- Desktop processors
- Intel Core: Lastest models of i3, i5, i7
- Intel Pentium: G20X0(T) and G21X0(T)
- Intel Celeron: G1610(T), G1620(T) and G1630

- Server processors
- Intel Xeon: Lastest models of E3, E5, E7
- Intel Pentium: 1403v3 and 1405v2

PA G E 1 0
 SMEP Protection
- We control EIP/RIP = 0x41414141 in Ring-0
- So, we can jump where we want to …
4GB

KERNEL

2GB ?
USER

0
PA G E 1 1
 Windows
SMEP bypass
techniques – Part 1

PA G E
 Option 0: Jumping to user space
- Jump to user space (to my “code”) 4GB

- If (EIP/RIP == USER memory pages) KERNEL

- Page Fault  BSoD
2GB

USER

0
- Error: ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY

PA G E 1 3
Option 1 - x86: Jumping to kernel heap

- Jump to kernel data (Heap):

- E.g: “Windows 8.1” 32 bits
- Data allocated in POOL TYPE = 0x21
- 0x21 = NonPagedPoolSession + NonPagedPool = executable!
- SMEP bypass   

http://blog.ptsecurity.com/2012/09/intel-smep-overview-and-partial-bypass.html

PA G E 1 4
Option 1 - x64: Jumping to kernel heap

- Jump to kernel data (Heap):

- E.g: “Windows 8.1” 64 bits
- Data allocated in POOL TYPE = 0x21
- 0x21 = NonPagedPoolSession + NonPagedPool = NO
executable?

- No longer an option 

PA G E 1 5
 Option 2: ROPing in kernel space
- Jump to kernel code (win32k.sys):
- Get modules addresses with
NtQuerySystemInformation() (only in Medium
Integrity since Windows 8.1)

- If running in Low Integrity we need memory leaks

- You need to write a ROP chain to bypass SMEP

PA G E 1 6
 Option 2: ROPing to Turn off SMEP

- Turn off the bit 20th of the CR4 register

- E.g “mov rax,0xFFFEFFFFF”/ “mov cr4,rax”/”ret“
- Jump to USER SPACE 
- Problem: Restore the CR4 register (PatchGuard!)

- The most well-known technique !

http://blog.ptsecurity.com/2012/09/bypassing-intel-smep-on-
windows-8-x64.html

PA G E 1 7
 Windows Paging
Mechanism

PA G E
 Paging 101
• Paging is a functionality provided by the MMU and used by
the processor to implement virtual memory.
• A virtual address is the one used in processor instructions;
this must be translated into a physical address to actually
refer a memory location.

PA G E 1 9
 Windows Paging x64

PA G E 2 0
 Canonical Addresses
• With 64bits we can address 264 bytes of memory (16 Exabytes).
Current x64 processors however, limit the number of bits to 48, but
instead of simply disallowing bits 48-63, they set them to be equal
to bit 47.

• Attempting to use a non-canonical address causes a Page Fault

exception.

PA G E 2 1
 PxE Structure
63 62:52 51:12 11 10 9 8 7 6 5 4 3 2 1 0
XD I PFN I I I G P D A P P U R P
A C W / /
T D T S W

Interesting fields to know for our purposes:

• R/W: readonly/readwrite
• U/S: if set, the range mapped by the entry is accessible at
CPL3. Otherwise it is only accessible at CPL0.
• XD: if set, instruction fetching is not allowed for the region
mapped by the entry.

PA G E 2 2
 Self-ref Entry
• Entry 0x1ED = 1 1110 1101
• Since bit 47 is 1, all the bits 48-64 must be 1 to be a
valid canonical address

1111 1111 1111 1111 1111 0101 1XXX XXXX

F F F F F 6 8-F 0-F

• Range: 0xFFFFF680’00000000 – 0xFFFFF6FF’FFFFFFFF

PA G E 2 3
 Self-ref Entry
F F F F F 6 8 0 0 0 0 0 0 0 0 0
1111 1111 1111 1111 1111 0101 1000 0000 0000 0000 0000 0000 0000 0000 0000 0000

PML4 PDPT PD PT
0 0 0

1ED

CR3

PA G E 2 4
 Quick Formula

_int64 get_pxe_address(_int64 address)

{
_int64 result = address>>9;
result = result | 0xFFFFF68000000000;
result = result & 0xFFFFF6FFFFFFFFF8;
return result;
}

PA G E 2 5
 Quick Formula

int get_pxe_32(int address) {

int result = address>>9;
result = result | 0xC0000000;
result = result & 0xC07FFFF8;
return result;
}

PA G E 2 7
 Windows
SMEP bypass
techniques – Part 2

PA G E
Option 3: Unprotecting HAL.DLL heap
- Using multiple arbitrary writes (ROPing or not)

- Write shellcode in this area:

- Address - 32 bits = 0xffd00000 (no ASLR)
- Address - 64 bits = 0xffffffff’ffd00000 (no ASLR)

- Turn off the NX bit HAL’s heap

- Overwrite a HAL’s heap function pointer
- Jump to HAL’s heap 
https://drive.google.com/file/d/0B3P18M-shbwrNWZTa181ZWRCclk/edit?pli=1

PA G E 2 9
 U=S

PA G E
 Option 4: Deceiving SMEP
- If SMEP detects ring-0 code running in USER
SPACE (USER PAGES)

- If PTE tables are in fixed addresses

- What about changing our USER PAGE to

SUPERVISOR PAGE? … 

PA G E 3 1
 Flipping U/S
- Option 4: “First time somebody mentioned this”
- Conference: NSA - Trusted Computing (2011)
- Speaker: Stephen Fischer

- https://www.ncsi.com/nsatc11/presentations/we
dnesday/emerging_technologies/fischer.pdf
- Slide: 9

PA G E 3 2
 Flipping U/S
- Option 4: “… and then …”
- Blog: Windows 8 Kernel Memory Protections Bypass
- Author: MWR LABS - Jérémy Fetiveau

- https://labs.mwrinfosecurity.com/blog/2014/08/1
5/windows-8-kernel-memory-protections-bypass
- Section: “Modifying Paging Structures“

PA G E 3 3
 Flipping U/S
- Option 4: “… and finally”
- Conference: Infiltrate 2015
- Speaker: Alex Ionescu

- http://www.alex-ionescu.com/infiltrate2015.pdf
- Slides: 69 and 71 …

PA G E 3 4
 A. Ionescu at Infiltrate 2015

We also found the same behavior on our own

so, it’s FALSE !
PA G E 3 5
 A. Ionescu at Infiltrate 2015

PA G E 3 6
 Flipping U/S
- Breaking Rules
PDPT 1 PD 1 PT 1 PAGE 1

S S S U
PML4

U U U S
PDPT 2 PD 2 PT 2 PAGE 2

PA G E 3 7
Mapping a Kernel Page in User Space

4GB

KERNEL

2GB !!!
USER

The processor will not generate an exception!

PA G E 3 8
 Demo time

PA G E
 CVE-2015-5736
- Exploit:
- “Fortinet Antivirus Multiple Vulnerabilities”
(CVE-2015-5736)

- Arbitrary function callback feature?

- Local Privilege escalation

- http://www.coresecurity.com/advisories/forticlien
t-antivirus-multiple-vulnerabilities

PA G E 4 0
 Exploit for CVE-2015-5736
- Target:
- “Windows 10” 64 bits + “Forticlient <= 5.2.3” installed

- Scenario:
- We can’t jump directly to USER SPACE (SMEP!)
- No registers poiting to our DATA!
- The only way, Stack Pivoting to USER SPACE

- Objective:
- Write a ROP chain to avoid SMEP!
- Run our RING-0 code in USER SPACE

PA G E 4 1
 Exploit for CVE-2015-5736
- Vulnerable Driver: FortiShield.sys
- A filesystem filter driver that hooks several
operations -> IRP_MJ_SET_INFORMATION

- IOCTL: 220028h RCX Controllable

PA G E 4 2
 Exploit for CVE-2015-5736
- Arbitrary Callback: Invoked via MoveFileEx()

We control this call

PA G E 4 3
 Exploit for CVE-2015-5736
- Gadget finding:
- Tool: Agafi - https://github.com/CoreSecurity/Agafi
- Trick: Many 64 bit instr. are equal to 32 bit instr.

- Manual search: We found the rest!

- Result: ALL gadgets located in HAL.DLL … 

PA G E 4 4
 ROP in KernelSpace
- Special gadget: Stack Pivoting to user space

thanks AMD !

PA G E 4 5
 ROP in KernelSpace
- Special gadget: Disabling the CPU TLB cache

It refreshes the TLB cache !

PA G E 4 6
 ROP in KernelSpace
- ROPing to “hal.dll” - “Windows 10” 64 bits
HAL + 0x6bf0 Stack Pivoting to USER SPACE
STACK
in
KERNEL SPACE

HAL + 0x668e “pop rdx”

0x63 DIRTY + ACCESSED + R/W + PRESENT
HAL + 0x987e “pop rax”
STACK PTE (MY_ADDR) - 3
in HAL + 0xe2cf “mov [rax], edx”
USER SPACE HAL + 0x15a50 “ret” to Invalidate cache !!!
MY_ADDR “ret” to new kernel address 

PA G E 4 7
 Demo time now

PA G E
 Conclusions
- The PML entry (0x1ed) should be RANDOMIZED
- 256 entries are available for the OS kernel
- Only ~20 entries are used by Windows

- Paging tables (PTs) shouldn’t be in PREDICTABLE VAs

- It can be abused by LOCAL and REMOTE kernel exploits

- Virtualization ?
- Enabled by VSM in Windows 10
- Multiples EPTs (Extended Pages Tables - SLAT) could be a
solution

PA G E 4 9
 Conclusions

- This bypass technique is useful when EIP/RIP is

controllable (directly or via ARB. WRITE)

- Windows SMEP kernel exploit mitigation

- Easily bypassable
- Only useful when we are in Low Integrity Level

PA G E 5 0
 Questions?

PA G E
 Thank You

Enrique Nissim Nicolas Economou

@kiqueNissim @NicoEconomou
enissim@coresecurity.com neconomou@coresecurity.com

PA G E