Windows Kernel Trap Handler and NTVDM Vulnerabilities – Case Study (ZeroNights 2013)
  • Language: English
  • Conference: ZeroNights
  • Location: Moscow, Russia
  • Date: November 2013
  • Speaker(s): Mateusz ‘j00ru’ Jurczyk
Trust in the security of widely used client applications is slowly but surely shifting towards reliance on the solid posture of operating system kernels, with mitigation mechanisms such as sandboxing and Mandatory Access Control becoming more and more important. While ring-0 security research continues to gain popularity in the security community, the enormous scope of the kernel attack surface makes it effectively impossible to cover all security threats through manual auditing alone. In this presentation, we highlight several interesting kernel-mode flaws discovered through both automated and manual techniques and recently fixed by Microsoft, including their corresponding exploitation techniques and working demonstration exploits. The issues covered in the talk involve low-level CPU mechanisms such as x86 trap handling, as well as the support for 16-bit DOS programs (NTVDM) that Microsoft implemented at the very core layer of the kernel.