Exploiting Windows Vista Resource Virtualization — by James Forshaw
Updated: Jun 20, 2020
#IICSG2019 Conference Deep-Tech Track
Day 1 (19 Jun 2019)
@ Breakout Room 1
One of the big changes in Windows Vista was the introduction of UAC. Many Windows applications were written assuming they had complete control over all file and registry locations; by separating out administrators, UAC created an application compatibility nightmare. These existing applications would try to write to the Windows folder or HKEY_LOCAL_MACHINE and fail to work correctly or, in the worst cases, crash. To deal with the problem, Microsoft added file and registry virtualization, which transparently redirects administrator-only registry and file access to user-accessible locations. This code is complex and inevitably has security implications.
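To make the redirection concrete from a defender's side, here is an added PowerShell audit script (not code from the talk or from Microsoft) that enumerates what virtualization has already redirected for the current user and maps each entry back to the protected location it shadows. It relies on the documented redirect targets, %LOCALAPPDATA%\VirtualStore for files and HKCU\Software\Classes\VirtualStore\MACHINE for registry keys; the folder-to-root mapping in $roots assumes a standard system drive layout and is the script's own assumption.

```powershell
# Added example (not from the talk): audit what file/registry virtualization has
# redirected for the current user and which real locations those copies shadow.
# Redirect targets below are the documented Windows locations; $roots is an
# assumption about a standard layout and may need adjusting on unusual installs.

$fileStore = Join-Path $env:LOCALAPPDATA 'VirtualStore'
$regStore  = 'HKCU:\Software\Classes\VirtualStore\MACHINE'
$regPrefix = 'HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE'

# Top-level VirtualStore folders -> the protected directories they stand in for.
$roots = @{
    'Program Files'       = $env:ProgramFiles
    'Program Files (x86)' = ${env:ProgramFiles(x86)}
    'Windows'             = $env:SystemRoot
    'ProgramData'         = $env:ProgramData
}

function Get-VirtualizedFiles {
    # Each virtualized file is reported with the real path it overrides for
    # the writing application and whether that real file actually exists.
    if (-not (Test-Path -LiteralPath $fileStore)) { return @() }
    Get-ChildItem -LiteralPath $fileStore -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $rel  = $_.FullName.Substring($fileStore.Length).TrimStart('\')
            $top  = ($rel -split '\\')[0]
            $real = $null
            if ($roots.ContainsKey($top) -and $roots[$top]) {
                $real = Join-Path $roots[$top] ($rel.Substring($top.Length).TrimStart('\'))
            }
            $exists = $false
            if ($real) { $exists = Test-Path -LiteralPath $real }
            [pscustomobject]@{
                Virtualized  = $_.FullName
                ShadowedPath = $real
                RealExists   = $exists
                LastWrite    = $_.LastWriteTime
            }
        }
}

function Get-VirtualizedRegistryKeys {
    # Keys under the per-user VirtualStore\MACHINE hive shadow HKLM keys of the
    # same relative path for any process running with virtualization enabled.
    if (-not (Test-Path $regStore)) { return @() }
    Get-ChildItem -Path $regStore -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $rel = $_.Name.Substring($regPrefix.Length).TrimStart('\')
            [pscustomobject]@{
                Virtualized = $_.Name
                ShadowedKey = "HKLM:\$rel"
                RealExists  = Test-Path "HKLM:\$rel"
                ValueCount  = $_.ValueCount
            }
        }
}

# Usage: the interesting rows are those where a virtualized copy sits on top of
# a real, existing system file or key, because the application will read the
# per-user copy instead of the protected original.
Get-VirtualizedFiles        | Where-Object RealExists | Format-Table -AutoSize
Get-VirtualizedRegistryKeys | Where-Object RealExists | Format-Table -AutoSize
```

Running this as the ordinary (non-elevated) user whose profile you want to inspect gives an inventory of every location where a legacy application's "write to Program Files or HKLM" has been silently diverted, which is the surface the talk's exploitation work builds on and the one worth baselining on managed hosts.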
This presentation will go into how these virtualization mechanisms work on Windows 10 and explain in detail how I was able to exploit them for local privilege escalation.