Windows 10 Segment Heap Internals
Offered By: Black Hat via YouTube
Course Description
Overview
Explore the internals of Windows 10 Segment Heap in this 42-minute Black Hat conference talk by Mark Vincent Yason. Dive deep into the architecture, configuration, and security mechanisms of this native heap used in Windows app processes and Microsoft Edge. Learn about backend page range descriptors, variable size allocations, low fragmentation heap, and various security features like heap address randomization and guard pages. Gain insights into exploiting memory corruption vulnerabilities, demonstrated through a case study of the Microsoft WinRT PDF library (CVE-2016-0117). Understand the implications for reliable exploit development in Edge components and dependencies using Segment Heap.
Syllabus
Intro
Agenda: Windows 10 Segment Heap
Architecture
Configuration
Edge Content Process Heaps
Backend Page Range Descriptors Example
Backend Free Tree
Variable Size (VS) Allocation
VS Subsegment
VS Block Header
VS Free Tree
VS Allocation and Freeing
Low Fragmentation Heap (LFH)
LFH Buckets
LFH Affinity Slots
LFH Block Bitmap
LFH Allocation and Freeing
Internals: Summary
Heap Address Randomization
Guard Pages
Function Pointer Encoding
VS Block Sizes Encoding
LFH Allocation Randomization
WinRT PDF: PostScript Operand Stack
Free Blocks Coalescing
Case Study: Summary
Conclusion
Taught by
Black Hat
Related Courses
Attack on Titan M, Reloaded - Vulnerability Research on a Modern Security ChipBlack Hat via YouTube Attacks From a New Front Door in 4G & 5G Mobile Networks
Black Hat via YouTube AAD Joined Machines - The New Lateral Movement
Black Hat via YouTube Better Privacy Through Offense - How to Build a Privacy Red Team
Black Hat via YouTube Whip the Whisperer - Simulating Side Channel Leakage
Black Hat via YouTube