Reverse Engineering Windows AFD.sys - Steven Vittitoe (Circle City Con 2015 Videos) (Hacking Illustrated Series InfoSec Tutorial Videos)
Reverse Engineering Windows AFD.sys
Steven Vittitoe

Circle City Con 2015

What happens when you make a socket() call in Windows? This presentation will briefly walk through the rather well documented winsock user mode framework before diving into the turmoil of ring 0. There is no map to guide us here. Our adventure begins where MSDN ends and our first stop along the way is an IOCTL to AFD.sys, or the awkwardly named Ancillary Function Driver. This driver is of particular interest because it is so widely used and yet most people do not even know it exists. Nearly every Windows program managing sockets depends on this driver. Even more interesting is that the device created by AFD.sys is accessible from every sandbox I've looked at. In fact, there isn't even support to restrict access to this device until Windows 8.1. Staying true to Windows style, AFD.sys is a complex driver with over 70 reachable IOCTLs and support for everything from SAN to TCP. It is no wonder that this driver weighs in at 500KB. This complexity combined with accessibility breeds a robust ring 0 attack surface. Current fuzzing efforts will also be shared in this presentation, and by the time we are done you should have a good idea of what happens when making a socket() call without having to spend hours in IDA to figure it out.

Bio: Steven Vittitoe is a researcher with Google Project Zero where he focuses on making zero days hard. He has ten years of experience breaking software but has only recently been encouraged to speak publicly about his work. He started the Samurai CTF team three years ago and engages in competitive hacking every chance he gets.





Copyright 2020, IronGeek