A binary analysis of CVE-2016-7259: A win32k kernel bug.

Modern OSes have a feature that mitigates the exploitation of stack based buffer overflows. It basically works by writing a "cookie" value before the return address in the stack in the prologue of a function and checking it before the function returns (for further information, see [1] and [2]). This article talks about how this mitigation has been enforced in Windows 8.

In the previous blog post we have seen how the ApiSetSchema was set up during boot time by the system. In this post we’ll see what the structure of the ApiSetSchema is and finally in the next blog post we’ll see how it is used in user-land and kernel-land.

This series of blog posts is about the new dynamic link libraries (DLLs) layout in Windows 6.x operating systems, where functions are now exported by new modules but the real implementation is located elsewhere. Static analysis tools might have problems dealing with this DLL restructuring. This blog post is aimed at presenting what is this new scheme, how it is implemented and how it is possible to leverage it so it can be used by static analysis tools.