{"id":128698,"date":"2023-07-03T00:35:23","date_gmt":"2023-07-03T07:35:23","guid":{"rendered":"https:\/\/unit42.paloaltonetworks.com\/?p=128698"},"modified":"2024-07-30T18:08:21","modified_gmt":"2024-07-31T01:08:21","slug":"win32k-analysis-part-2","status":"publish","type":"post","link":"https:\/\/unit42.paloaltonetworks.com\/ja\/win32k-analysis-part-2\/","title":{"rendered":"\u30a4\u30f3\u30b5\u30a4\u30c9Win32k\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8: CVE-2022-21882\u3068CVE-2021-1732\u306e\u5206\u6790"},"content":{"rendered":"

<\/a>\u6982\u8981<\/h2>\n

Microsoft Windows\u306b\u304a\u3051\u308b2\u3064\u306e\u985e\u4f3c\u3057\u305f\u7279\u6a29\u6607\u683c\u306e\u8106\u5f31\u6027(CVE-2021-1732\u3068CVE-2022-21882)\u306e\u5831\u544a\u3092\u898b\u305f\u79c1\u305f\u3061\u306f\u3001\u305d\u308c\u305e\u308c\u306b\u95a2\u308f\u308b\u30b3\u30fc\u30c9\u3092\u6df1\u304f\u7406\u89e3\u3059\u308b\u305f\u3081\u3001\u3053\u308c\u3089\u306eCVE\u3092\u5206\u6790\u3059\u308b\u3053\u3068\u306b\u3057\u307e\u3057\u305f\u3002\u672c\u7a3f\u306f\u30a4\u30f3\u30b5\u30a4\u30c9Win32k\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8<\/a>\u306e\u7d9a\u7de8\u3067\u3059\u3002\u524d\u7de8\u3067\u306f\u3001CVE-2021-1732<\/a>\u3068CVE-2022-21882<\/a>\u306b\u307e\u3064\u308f\u308b\u554f\u984c\u3092\u63a2\u308b\u305f\u3081\u306e\u80cc\u666f\u60c5\u5831\u3068\u3057\u3066\u3001Win32k\u306e\u5185\u90e8\u3068\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u5168\u822c\u306b\u3064\u3044\u3066\u89e3\u8aac\u3057\u307e\u3057\u305f\u3002<\/p>\n

\u672c\u7a3f\u3067\u306f\u3001CVE-2021-1732\u3068CVE-2022-21882\u3001\u304a\u3088\u3073\u3053\u308c\u3089\u306eCVE\u306b\u95a2\u9023\u3059\u308b\u6982\u5ff5\u5b9f\u8a3c(PoC)\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u3092\u6df1\u6398\u308a\u3057\u3066\u3044\u304d\u307e\u3059\u3002\u3053\u306e2\u3064\u306e\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u5206\u6790\u3092\u901a\u3058\u3001\u300cCVE-2021-1732\u306b\u5bfe\u3059\u308b\u4fee\u6b63\u30d7\u30ed\u30b0\u30e9\u30e0\u304cCVE-2022-21882\u306e\u9632\u6b62\u306b\u306f\u4e0d\u5341\u5206\u3067\u3042\u3063\u305f\u7406\u7531\u300d\u3092\u660e\u3089\u304b\u306b\u3057\u307e\u3059\u3002<\/p>\n

\u672c\u9023\u8f09\u3067\u53d6\u308a\u4e0a\u3052\u308b\u8106\u5f31\u6027\u306f\u3001\u3044\u305a\u308c\u3082Cortex XDR\u306eAnti-LPE\u4fdd\u8b77\u30e2\u30b8\u30e5\u30fc\u30eb\u306b\u3088\u308a\u691c\u51fa\u30fb\u30d6\u30ed\u30c3\u30af\u3055\u308c\u307e\u3059\u3002\u3044\u305a\u308c\u306e\u8106\u5f31\u6027\u3082\u3001NT AUTHORITY\\SYSTEM\u306e\u7279\u6a29\u30c8\u30fc\u30af\u30f3\u3092\u73fe\u5728\u306e(\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u306e)\u30d7\u30ed\u30bb\u30b9\u306e\u305d\u308c\u306b\u30b3\u30d4\u30fc\u3059\u308b\u3053\u3068\u3067\u7279\u6a29\u6607\u683c\u3092\u56f3\u308b\u3001\u30c7\u30fc\u30bf\u30aa\u30f3\u30ea\u30fc\u578b\u306e(\u30b7\u30b9\u30c6\u30e0\u4e0a\u306e\u30c7\u30fc\u30bf\u5909\u66f4\u306b\u30b3\u30fc\u30c9\u5b9f\u884c\u3092\u5fc5\u8981\u3068\u3057\u306a\u3044\u7a2e\u985e\u306e)\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u3067\u3059\u3002Cortex XDR\u306eAnti-LPE\u30e2\u30b8\u30e5\u30fc\u30eb\u306f\u3001\u3053\u306e\u7279\u5b9a\u306e\u7a2e\u985e\u306e\u7279\u6a29\u6607\u683c\u6280\u8853\u3092\u76e3\u8996\u3057\u307e\u3059\u3002<\/p>\n\n\n\n
\u95a2\u9023\u3059\u308bUnit 42\u306e\u30c8\u30d4\u30c3\u30af<\/b><\/td>\nMicrosoft Windows<\/b><\/a>, CVE-2021-1732<\/a>, CVE-2022-21882<\/a><\/strong><\/td>\n<\/tr>\n<\/thead>\n<\/table>\n

<\/a>CVE-2021-1732\u3068CVE-2022-21882\u306e\u5206\u6790<\/h2>\n

\u3053\u306e\u30bb\u30af\u30b7\u30e7\u30f3\u3067\u306fWin32k\u306e2\u3064\u306ePoC\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u3001CVE-2021-1732\u3068CVE-2022-21882\u306b\u3064\u3044\u3066\u8ad6\u3058\u307e\u3059\u3002\u3053\u308c\u3089\u306e\u8106\u5f31\u6027\u306f\u3044\u305a\u308c\u3082\u3001xxxClientAllocWindowClassExtraBytes<\/span>\u3068NtUserConsoleControl<\/span>\u3092\u60aa\u7528\u3057\u3001\u96a3\u63a5\u3059\u308b\u30a6\u30a3\u30f3\u30c9\u30a6\u306etagWND.cbWndExtra<\/span>\u306e\u30c7\u30fc\u30bf \u30d5\u30a3\u30fc\u30eb\u30c9\u3092\u5927\u304d\u306a\u5024\u306b\u4e0a\u66f8\u304d\u3059\u308b\u3053\u3068\u306b\u3088\u308a\u3001\u4efb\u610f\u306ewrite\u30d7\u30ea\u30df\u30c6\u30a3\u30d6\u3092\u53d6\u5f97\u3067\u304d\u308b\u3088\u3046\u306b\u3059\u308b\u3082\u306e\u3067\u3057\u305f\u3002\u3053\u308c\u3089\u306e\u8106\u5f31\u6027\u306f\u3044\u305a\u308c\u3082\u3001\u3053\u306e\u4efb\u610f\u306ewrite\u30d7\u30ea\u30df\u30c6\u30a3\u30d6\u3092\u4f7f\u3063\u3066\u3001\u96a3\u63a5\u3059\u308b\u30a6\u30a3\u30f3\u30c9\u30a6\u5185\u3067\u507d\u306espmenu<\/span>\u3092\u4f5c\u6210\u3057\u3066\u304b\u3089\u3001GetMenuBarInfo<\/span>\u3092\u4f7f\u3063\u3066\u4efb\u610f\u306eread\u30d7\u30ea\u30df\u30c6\u30a3\u30d6\u3092\u4f5c\u6210\u3057\u307e\u3059\u3002\u305d\u3057\u3066\u3001\u3053\u306e\u4efb\u610f\u306eread\/write\u30d7\u30ea\u30df\u30c6\u30a3\u30d6\u3092\u4f7f\u3044\u3001NT AUTHORITY \\SYSTEM\u30c8\u30fc\u30af\u30f3\u3092\u73fe\u5728\u306e(\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u3055\u308c\u305f)\u30d7\u30ed\u30bb\u30b9\u3078\u30b3\u30d4\u30fc\u3057\u307e\u3059\u3002<\/p>\n

\u3053\u3053\u3067\u306fCVE-2022-21882\u306ePoC\u3092\u8a73\u7d30\u306b\u5206\u6790\u3057\u307e\u3059\u3002CVE-2021-1732\u306b\u3064\u3044\u3066\u306f\u3001CVE-2022-21882\u306e\u5206\u6790\u3092\u9032\u3081\u308b\u306a\u304b\u3067\u9069\u5b9c\u3001\u76f8\u9055\u70b9\u3092\u8aac\u660e\u3059\u308b\u304b\u305f\u3061\u3067\u53d6\u308a\u4e0a\u3052\u307e\u3059\u3002\u305d\u306e\u5f8c\u3001Microsoft\u304cCVE-2021-1732\u306b\u5bfe\u3057\u3066\u30ea\u30ea\u30fc\u30b9\u3057\u305f\u4fee\u6b63\u30d7\u30ed\u30b0\u30e9\u30e0\u304cCVE-2022-21882\u306e\u9632\u6b62\u306b\u4e0d\u5341\u5206\u3067\u3042\u3063\u305f\u7406\u7531\u3092\u8aac\u660e\u3057\u307e\u3059\u3002<\/p>\n

CVE-2022-21882\u3092\u8ad6\u3058\u308b\u306e\u306b\u6642\u9593\u3092\u5272\u304f\u3053\u3068\u306b\u3057\u305f\u7406\u7531\u306f\u3001CVE-2021-1732\u306b\u3064\u3044\u3066\u306fGoogle<\/a>\u3084DBAPPSecurity Threat Intelligence Center<\/a>\u304c\u8a73\u7d30\u306b\u5206\u6790\u3057\u305f\u30d6\u30ed\u30b0\u304c\u8907\u6570\u3042\u308b\u304b\u3089\u3067\u3059\u3002<\/p>\n

\u3053\u308c\u3089\u306e\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u306f\u3044\u305a\u308c\u3082\u30c7\u30fc\u30bf\u30aa\u30f3\u30ea\u30fc\u578b\u306e\u653b\u6483\u3067\u3059\u3002\u30c7\u30fc\u30bf\u30aa\u30f3\u30ea\u30fc\u653b\u6483\u306e\u5834\u5408\u3001read\/write\u30d7\u30ea\u30df\u30c6\u30a3\u30d6\u3060\u3051\u3042\u308c\u3070\u653b\u6483\u304c\u3067\u304d\u3001\u653b\u6483\u8005\u304c\u30b3\u30f3\u30c8\u30ed\u30fc\u30eb\u3059\u308b\u30b3\u30fc\u30c9\u306e\u5b9f\u884c\u306f\u5fc5\u8981\u3042\u308a\u307e\u305b\u3093\u3002\u6700\u65b0\u306e\u30aa\u30da\u30ec\u30fc\u30c6\u30a3\u30f3\u30b0 \u30b7\u30b9\u30c6\u30e0\u306b\u5c0e\u5165\u3055\u308c\u3066\u3044\u308b\u73fe\u4ee3\u7684\u306a\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u9632\u6b62\u7b56\u306f\u56de\u907f\u304c\u96e3\u3057\u3044\u306e\u3067\u3001\u30c7\u30fc\u30bf\u30aa\u30f3\u30ea\u30fc\u578b\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u306e\u6feb\u7528\u306f\u62e1\u5927\u3057\u3066\u304d\u3066\u3044\u307e\u3059\u3002<\/p>\n

<\/a>CVE-2022-21882\u306e\u6982\u8981<\/strong><\/h3>\n

\u3053\u306e\u8106\u5f31\u6027\u306f\u30012021\u5e7410\u6708\u306b\u958b\u50ac\u3055\u308c\u305f\u5929\u5e9c\u676f\u30cf\u30c3\u30ad\u30f3\u30b0 \u30b3\u30f3\u30c6\u30b9\u30c8<\/a>\u3067\u3001RyeLv\u6c0f(@b2ahex<\/a>)\u304c\u767a\u898b\u3057\u305f\u3082\u306e\u3067\u3059\u3002Microsoft\u306f\u30012022\u5e741\u6708\u306b\u4fee\u6b63\u30d7\u30ed\u30b0\u30e9\u30e0\u3092\u30ea\u30ea\u30fc\u30b9<\/a>\u3057\u307e\u3057\u305f\u3002CVE-2021-1732\u3068\u306e\u985e\u4f3c\u6027\u304b\u3089\u3059\u308b\u3068\u3001\u82e5\u5e72\u4fee\u6b63\u3059\u308b\u3060\u3051\u3067Windows 10\u306e\u30d0\u30fc\u30b8\u30e7\u30f31709\u304b\u308921H2\u307e\u3067\u304c\u5f71\u97ff\u3092\u53d7\u3051\u3066\u3044\u305f\u53ef\u80fd\u6027\u304c\u9ad8\u3044\u3068\u601d\u308f\u308c\u307e\u3059\u3002<\/p>\n

Microsoft\u306fWindows 11\u7528\u306b\u3082\u540c\u8106\u5f31\u6027\u306b\u5bfe\u5fdc\u3059\u308b\u4fee\u6b63\u30d7\u30ed\u30b0\u30e9\u30e0\u3092\u30ea\u30ea\u30fc\u30b9\u3057\u3066\u3044\u307e\u3059\u3002\u672c\u7a3f\u3067\u89e3\u6790\u3059\u308bPoC\u306f\u3001Windows 10\u306e\u30d0\u30fc\u30b8\u30e7\u30f321H2\u3067\u30c6\u30b9\u30c8\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n

<\/a>\u8106\u5f31\u6027\u306e\u30c8\u30ea\u30ac\u30fc<\/h4>\n

\u6b74\u53f2\u7684\u306b\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u306e\u4f5c\u8005\u306ftagWND<\/span>\u3084bitmap<\/span>\u30aa\u30d6\u30b8\u30a7\u30af\u30c8\u306e\u60aa\u7528\u306b\u983c\u3063\u3066read\/write\u30d7\u30ea\u30df\u30c6\u30a3\u30d6\u3092\u5b9f\u73fe\u3057\u3066\u3044\u307e\u3057\u305f\u3002\u524d\u7a3f\u3067\u8ff0\u3079\u305f\u3088\u3046\u306b\u3001Microsoft\u306f\u3053\u3046\u3057\u305f\u30aa\u30d6\u30b8\u30a7\u30af\u30c8\u3092\u60aa\u7528\u3057\u3065\u3089\u304f\u3059\u308b\u305f\u3081\u591a\u5927\u306a\u52b4\u529b\u3092\u8cbb\u3084\u3057\u3066\u304d\u307e\u3057\u305f\u3002\u5177\u4f53\u7684\u306b\u306f\u3001Windows 10\u306e\u30d0\u30fc\u30b8\u30e7\u30f3 1703\u304b\u3089\u306f\u3001SetWindowLong<\/span>\u3092\u4f7f\u3063\u305f\u5834\u5408\u3001\u30c7\u30b9\u30af\u30c8\u30c3\u30d7 \u30d2\u30fc\u30d7\u306e\u30e6\u30fc\u30b6\u30fc\u30e2\u30fc\u30c9 \u30b3\u30d4\u30fc\u5185\u306eExtraBytes<\/span>\u30d5\u30a3\u30fc\u30eb\u30c9\u3060\u3051\u304c\u5909\u66f4\u3055\u308c\u3001\u30ab\u30fc\u30cd\u30eb \u30c7\u30b9\u30af\u30c8\u30c3\u30d7 \u30d2\u30fc\u30d7\u306f\u5909\u66f4\u3055\u308c\u306a\u3044\u3068\u3044\u3046\u5236\u7d04\u304c\u52a0\u308f\u308a\u307e\u3057\u305f\u3002\u305f\u3060\u3057\u3001\u30b3\u30f3\u30bd\u30fc\u30eb \u30a6\u30a3\u30f3\u30c9\u30a6\u3067\u64cd\u4f5c\u3057\u3066\u3044\u308b\u5834\u5408\u306b\u306f\u3053\u306e\u5236\u7d04\u304c\u9069\u7528\u3055\u308c\u307e\u305b\u3093\u3002<\/p>\n

\u305d\u3053\u3067\u3001\u3053\u308c\u3089\u306e\u8106\u5f31\u6027\u306f2\u3064\u3068\u3082\u3001Windows\u30aa\u30da\u30ec\u30fc\u30c6\u30a3\u30f3\u30b0 \u30b7\u30b9\u30c6\u30e0\u304c\u60f3\u5b9a\u3057\u306a\u3044\u30bf\u30a4\u30df\u30f3\u30b0\u3067NtUserConsoleControl<\/span>\u3092\u547c\u3073\u51fa\u3059\u3053\u3068\u306b\u3088\u308a\u3001\u30e6\u30fc\u30b6\u30fc\u30e2\u30fc\u30c9 \u30b3\u30fc\u30eb\u30d0\u30c3\u30af\u4e2d\u306b\u30a6\u30a3\u30f3\u30c9\u30a6\u3092\u30b3\u30f3\u30bd\u30fc\u30eb \u30a6\u30a3\u30f3\u30c9\u30a6\u306b\u5909\u63db\u3059\u308b\u3068\u3044\u3046\u65b9\u6cd5\u3067\u3053\u306e\u5236\u7d04\u3092\u304b\u3044\u304f\u3050\u3063\u3066\u3044\u307e\u3059\u3002\u3053\u3046\u3057\u3066\u30a6\u30a3\u30f3\u30c9\u30a6\u3092\u30b3\u30f3\u30bd\u30fc\u30eb \u30a6\u30a3\u30f3\u30c9\u30a6\u306b\u5909\u63db\u3057\u305f\u7d50\u679c\u3001\u3053\u306e\u95a2\u6570\u306ftagWND.dwExtraFlag<\/span>\u30de\u30b9\u30af\u306b0x800<\/span>\u3092\u8ffd\u52a0\u3057\u307e\u3059\u3002\u3053\u308c\u306b\u3088\u308a\u3001tagWND.pExtraBytes<\/span>\u30d5\u30a3\u30fc\u30eb\u30c9\u306f\u3082\u306f\u3084\u30e6\u30fc\u30b6\u30fc\u30e2\u30fc\u30c9 \u30dd\u30a4\u30f3\u30bf\u30fc\u3092\u8868\u3059\u306e\u3067\u306f\u306a\u304f\u30ab\u30fc\u30cd\u30eb\u306b\u5bfe\u3059\u308b\u30aa\u30d5\u30bb\u30c3\u30c8\u3092\u8868\u3059\u3088\u3046\u306b\u306a\u308a\u307e\u3059\u3002<\/p>\n

Windows\u306f\u30a6\u30a3\u30f3\u30c9\u30a6\u7a2e\u5225\u306e\u78ba\u8a8d\u51e6\u7406\u3092\u4f55\u3082\u5165\u308c\u3066\u3044\u306a\u304b\u3063\u305f\u306e\u3067\u3001\u3053\u306e\u30a6\u30a3\u30f3\u30c9\u30a6\u306b\u5bfe\u3057\u3066SetWindowLong<\/span>\u304c\u547c\u3073\u51fa\u3055\u308c\u308c\u3070\u3001\u30d0\u30fc\u30b8\u30e7\u30f31703\u3088\u308a\u524d\u306eWindows 10\u540c\u69d8\u3001\u30ab\u30fc\u30cd\u30eb \u30c7\u30b9\u30af\u30c8\u30c3\u30d7 \u30d2\u30fc\u30d7\u306b\u5909\u66f4\u304c\u52a0\u3048\u3089\u308c\u3066\u3057\u307e\u3044\u307e\u3059\u3002CVE-2022-21882\u306ePoC\u3092\u901a\u3057\u3067\u773a\u3081\u3066\u3001\u3053\u308c\u304c\u3069\u306e\u3088\u3046\u306b\u5b9f\u73fe\u3055\u308c\u3066\u3044\u308b\u306e\u304b\u3092\u898b\u3066\u307f\u307e\u3057\u3087\u3046\u3002<\/p>\n

<\/a>PoC (Proof of Concept: \u6982\u5ff5\u5b9f\u8a3c)\u306e\u30a6\u30a9\u30fc\u30af\u30b9\u30eb\u30fc<\/h4>\n

\u3067\u306fPoC (\u6982\u5ff5\u5b9f\u8a3c)<\/a>\u3092\u898b\u3066\u3044\u304d\u307e\u3059\u3002\u4ee5\u4e0b\u306b\u7c21\u5358\u306b\u307e\u3068\u3081\u3066\u307f\u307e\u3057\u305f\u3002<\/p>\n

    \n
  1. HMValidateHandle<\/span>\u3092\u898b\u3064\u3051\u308b<\/li>\n
  2. NtUserConsoleControl<\/span>\u3001NtCallbackReturn<\/span>\u3092\u30ed\u30fc\u30c9\u3059\u308b<\/li>\n
  3. KernelCallbackTable<\/span>\u3092\u898b\u3064\u3051\u308b\n
      \n
    1. xxxClientAllocWindowClassExtraBytes<\/span>\u3068xxxClientFreeWindowClassExtraBytes<\/span>\u3078\u306e\u30dd\u30a4\u30f3\u30bf\u30fc\u3092\u683c\u7d0d\u3059\u308b<\/li>\n<\/ol>\n<\/li>\n
    2. \u30a6\u30a3\u30f3\u30c9\u30a6 \u30af\u30e9\u30b9\u3092\u3044\u304f\u3064\u304b\u5b9a\u7fa9\u3059\u308b<\/li>\n
    3. \u30d2\u30fc\u30d7 \u30b0\u30eb\u30fc\u30df\u30f3\u30b0\u3092\u884c\u3046\n
        \n
      1. \u30a6\u30a3\u30f3\u30c9\u30a6\u3092\u3044\u304f\u3064\u304b\u4f5c\u6210\u3059\u308b<\/li>\n
      2. HMValidateHandle<\/span>\u3092\u4f7f\u3063\u3066\u30e6\u30fc\u30b6\u30fc\u30e2\u30fc\u30c9\u306etagWND<\/span>\u306e\u4f4d\u7f6e\u3092\u6f0f\u3048\u3044\u3055\u305b\u308b<\/li>\n
      3. HMValidateHandle<\/span>\u3092\u4f7f\u3063\u3066\u30e6\u30fc\u30b6\u30fc\u30e2\u30fc\u30c9\u306etagWND<\/span>\u306e\u4f4d\u7f6e\u3092\u6f0f\u3048\u3044\u3055\u305b\u308b<\/li>\n<\/ol>\n<\/li>\n
      4. \u30a6\u30a3\u30f3\u30c9\u30a6\u9593\u306e\u30aa\u30d5\u30bb\u30c3\u30c8\u3092\u8a08\u7b97\u3059\u308b<\/li>\n
      5. \u6700\u3082\u4e0b\u4f4d\u306e\u30a6\u30a3\u30f3\u30c9\u30a6\u306e\u30a2\u30c9\u30ec\u30b9\u3067NtUserConsoleControl<\/span>\u3092\u547c\u3073\u51fa\u3059<\/li>\n
      6. 3\u3064\u3081\u306e(magic)\u30a6\u30a3\u30f3\u30c9\u30a6\u3092\u4f5c\u6210\u3059\u308b<\/li>\n
      7. NtUserConsoleControl<\/span>\u3068NtCallbackReturn<\/span>\u3092\u547c\u3073\u51fa\u3059\u60aa\u610f\u306e\u3042\u308b\u30d0\u30fc\u30b8\u30e7\u30f3\u3067xxxClientAllocWindowClassExtraBytes<\/span>\u3092\u30d5\u30c3\u30af\u3057\u3066\u304b\u3089\u6b63\u898f\u306exxxClientAllocWindowClassExtraBytes<\/span>\u306b\u623b\u308b<\/li>\n
      8. NtUserMessageCall<\/span>\u3092\u4f7f\u3063\u3066WndMagic<\/span>\u4e0a\u306e\u30d5\u30c3\u30af\u3055\u308c\u305f\u95a2\u6570\u3092\u30c8\u30ea\u30ac\u30fc\u3059\u308b<\/li>\n
      9. SetWindowLongA<\/span>\u3092\u4f7f\u3063\u3066\u4efb\u610f\u306ewrite\u30d7\u30ea\u30df\u30c6\u30a3\u30d6\u3092\u4f5c\u6210\u3059\u308b<\/li>\n
      10. SetWindowLongPtrA<\/span>\u3092\u4f7f\u3063\u3066Wnd1<\/span>\u306espmenu<\/span>\u306e\u30ab\u30fc\u30cd\u30eb \u30a2\u30c9\u30ec\u30b9\u3092\u6f0f\u3048\u3044\u3055\u305b\u3001\u305d\u308c\u3092\u507d\u306espmenu<\/span>\u30aa\u30d6\u30b8\u30a7\u30af\u30c8\u3067\u7f6e\u304d\u63db\u3048\u308b<\/li>\n
      11. \u4efb\u610f\u306eread\/write\u30d7\u30ea\u30df\u30c6\u30a3\u30d6\u306b\u3088\u308aSystem\u306e\u30c8\u30fc\u30af\u30f3\u3092\u8907\u88fd\u3059\u308b<\/li>\n
      12. System\u6a29\u9650\u3067\u65b0\u3057\u3044\u30d7\u30ed\u30bb\u30b9\u3092\u4f5c\u6210\u3057\u3066\u5909\u66f4\u3055\u308c\u305f\u30ab\u30fc\u30cd\u30eb\u306e\u5024\u3092\u4fee\u6b63\u3059\u308b<\/li>\n<\/ol>\n

        \u6b21\u306e\u30bb\u30af\u30b7\u30e7\u30f3\u3067\u306f\u3001\u3053\u306e\u307e\u3068\u3081\u3092\u30b9\u30c6\u30c3\u30d71\uff5e5\u307e\u3067\u3092\u9806\u306b\u901a\u3057\u3067\u8aac\u660e\u3057\u307e\u3059\u3002<\/p>\n

        \u7d9a\u304d\u3092\u8aad\u3080 \u27a0 \u30bb\u30af\u30b7\u30e7\u30f3 2 \u2013 \u8a73\u7d30\u5206\u6790\u30b9\u30c6\u30c3\u30d71-5<\/a><\/em><\/strong><\/p>\n

        \u30c8\u30c3\u30d7\u306b\u623b\u308b<\/a><\/em><\/strong><\/p>\n

        <\/p>\n

        <\/a>\u76ee\u6b21<\/h2>\n

        CVE-2022-21882\u306e\u8a73\u7d30\u89e3\u6790<\/a>
        \n        1. HMValidateHandle\u3092\u898b\u3064\u3051\u308b<\/a>
        \n        2. NtUserConsoleControl\u3001NtCallbackReturn\u3092\u30ed\u30fc\u30c9\u3059\u308b<\/a>
        \n        3. KernelCallbackTable\u3092\u898b\u3064\u3051\u3066\u30e6\u30fc\u30b6\u30fc\u30e2\u30fc\u30c9 \u30b3\u30fc\u30eb\u30d0\u30c3\u30afxxxClientAllocWindowClassExtraBytes\u3068xxxClientAllocWindowClassExtraBytes\u3078\u306e\u30dd\u30a4\u30f3\u30bf\u30fc\u3092\u4fdd\u5b58\u3059\u308b<\/a>
        \n        4. \u30a6\u30a3\u30f3\u30c9\u30a6 \u30af\u30e9\u30b9\u3092\u3044\u304f\u3064\u304b\u5b9a\u7fa9\u3059\u308b<\/a>
        \n        5. \u30d2\u30fc\u30d7 \u30b0\u30eb\u30fc\u30df\u30f3\u30b0\u3092\u884c\u3046<\/a><\/p>\n

        <\/a>\u56f3\u8868\u306e\u76ee\u6b21<\/h2>\n

        \u56f31. FindHMValidateHandle\u95a2\u6570\u547c\u3073\u51fa\u3057<\/a>
        \n        \u56f32. IsMenu\u95a2\u6570\u306eIDA\u306b\u3088\u308b\u9006\u30a2\u30bb\u30f3\u30d6\u30eb<\/a>
        \n        \u56f33. FindHMValidateHandle\u306e\u30b3\u30fc\u30c9\u30b9\u30cb\u30da\u30c3\u30c8<\/a>
        \n        \u56f34. PoC 285\uff5e288\u884c\u76ee<\/a>
        \n        \u56f35. PoC 297\uff5e304\u884c\u76ee<\/a>
        \n        \u56f36. WinDbg\u306b\u3088\u308bPEB\u306e\u51fa\u529b<\/a>
        \n        \u56f37. KernelCallbackTable\u306e\u6700\u521d\u306e16\u500b\u306e\u30a8\u30f3\u30c8\u30ea\u30fc<\/a>
        \n        \u56f38. KernelCallbackTable + 0x3d0\u306eWinDbg\u306b\u3088\u308b\u30e1\u30e2\u30ea\u30fc \u30c0\u30f3\u30d7\u3002\u3053\u3053\u306b\u8208\u5473\u306e\u5bfe\u8c61\u3068\u306a\u308b2\u3064\u306e\u95a2\u6570\u304c\u914d\u7f6e\u3055\u308c\u3066\u3044\u308b<\/a>
        \n        \u56f39. PoC 312\uff5e325\u884c\u76ee<\/a>
        \n        \u56f310. \u6700\u521d\u306b\u4f5c\u6210\u3055\u308c\u305f\u30a6\u30a3\u30f3\u30c9\u30a6\u3067HMValidateHandle\u3092\u547c\u3073\u51fa\u3057\u305f\u3068\u304d\u306e\u623b\u308a\u5024<\/a>
        \n        \u56f311. \u30e6\u30fc\u30b6\u30fc\u30e2\u30fc\u30c9\u3068\u30ab\u30fc\u30cd\u30eb\u30e2\u30fc\u30c9\u3067\u5171\u6709\u3055\u308c\u308btagWND\u69cb\u9020\u4f53\u306e\u30ab\u30fc\u30cd\u30eb\u30e2\u30fc\u30c9\u306e\u30b3\u30d4\u30fc<\/a><\/p>\n

        <\/a>CVE-2022-21882\u306e\u8a73\u7d30\u89e3\u6790<\/h4>\n
        <\/a>1. HMValidateHandle\u3092\u898b\u3064\u3051\u308b(\u56f31)<\/a><\/h5>\n
        \"\u753b\u50cf1\u306f\u6570\u884c\u306e\u30b3\u30fc\u30c9\u306e\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3067\u3059\u3002FindHMValidateHandle\u95a2\u6570\u306b\u5bfe\u3059\u308b\u547c\u3073\u51fa\u3057\u3092\u3057\u3066\u3044\u307e\u3059\u3002
        \u56f31. FindHMValidateHandle<\/span>\u95a2\u6570\u547c\u3073\u51fa\u3057<\/figcaption><\/figure>\n

        \u524d\u8ff0\u306e\u3088\u3046\u306b\u3001\u6b74\u53f2\u7684\u306b\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u306e\u4f5c\u8005\u306fFindHMValidateHandle<\/span>\u95a2\u6570\u3092\u4f7f\u3063\u3066\u3053\u306e\u95a2\u6570\u306b\u30cf\u30f3\u30c9\u30eb\u3092\u6e21\u3057\u305f\u30aa\u30d6\u30b8\u30a7\u30af\u30c8\u306e\u30ab\u30fc\u30cd\u30eb \u30a2\u30c9\u30ec\u30b9\u3092\u6f0f\u3048\u3044\u3055\u305b\u3066\u304d\u307e\u3057\u305f\u3002\u3053\u306e\u95a2\u6570\u306e\u95a2\u6570\u30d7\u30ed\u30c8\u30bf\u30a4\u30d7\u306fHMValidateHandle(HANDLE h, BYTE type)<\/span>\u3067\u3059\u3002\u3053\u3053\u3067\u3053\u306e\u30cf\u30f3\u30c9\u30ebh<\/span>\u306f\u3001\u691c\u8a3c\u5bfe\u8c61\u30aa\u30d6\u30b8\u30a7\u30af\u30c8\u3078\u306e\u30cf\u30f3\u30c9\u30eb\u3001type<\/span>\u306f\u30aa\u30d6\u30b8\u30a7\u30af\u30c8\u306e\u578b(type)\u3092\u8868\u3059\u6570\u5024\u5b9a\u6570\u3067\u3059\u3002<\/p>\n

        \u672c\u7a3f\u3067\u306f\u3053\u306e\u578b\u304c0x001<\/span>\u3068\u3044\u3046\u30a6\u30a3\u30f3\u30c9\u30a6\u578b\u3092\u8868\u3059\u3082\u306e\u3068\u3057\u307e\u3059\u3002Windows 10 \u30d0\u30fc\u30b8\u30e7\u30f3 1803\u4ee5\u964d\u306e\u5834\u5408\u3001\u3053\u308c\u306f\u3001\u6e21\u3055\u308c\u305f\u30a6\u30a3\u30f3\u30c9\u30a6 \u30cf\u30f3\u30c9\u30eb\u3068\u5bfe\u5fdc\u3059\u308btagWND<\/span>\u69cb\u9020\u4f53\u3078\u306e\u3001\u30e6\u30fc\u30b6\u30fc\u30e2\u30fc\u30c9\u306b\u30de\u30c3\u30d4\u30f3\u30b0\u3055\u308c\u305f\u30c7\u30b9\u30af\u30c8\u30c3\u30d7 \u30d2\u30fc\u30d7 \u30dd\u30a4\u30f3\u30bf\u30fc\u3092\u8fd4\u3057\u307e\u3059\u3002<\/p>\n

        HMValidateHandle<\/span>\u306f\u30a8\u30af\u30b9\u30dd\u30fc\u30c8\u3055\u308c\u305f\u95a2\u6570\u3067\u306f\u306a\u3044\u306e\u3067\u3001\u5358\u7d14\u306bGetProcAddress<\/span>\u3092\u4f7f\u3063\u3066\u3053\u306e\u95a2\u6570\u3092\u89e3\u6c7a\u3055\u305b\u308b\u3053\u3068\u306f\u3067\u304d\u307e\u305b\u3093\u3002\u305d\u3053\u3067\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u306e\u4f5c\u8005\u306f\u901a\u5e38User32.dll<\/span>\u5185\u306eIsMenu<\/span>\u95a2\u6570\u3092\u89e3\u6c7a\u3055\u305b\u3001\u3053\u306e\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8 \u30b3\u30fc\u30c9\u304c\u6700\u521d\u306eE8<\/span>\u30aa\u30da\u30b3\u30fc\u30c9\u3092\u691c\u7d22\u3059\u308b\u3053\u3068\u306b\u306a\u308a\u307e\u3059\u3002\u305d\u306e\u7406\u7531\u306fIsMenu<\/span>\u304c\u547c\u3073\u51fa\u3059\u552f\u4e00\u306e\u95a2\u6570\u304cHMValidateHandle<\/span>\u3067\u3042\u308b\u305f\u3081\u3067\u3059\u3002E8<\/span>\u30aa\u30da\u30b3\u30fc\u30c9\u306fCALL<\/span>\u547d\u4ee4 (IsMenu<\/span>\u306e\u552f\u4e00\u306eCALL\u547d\u4ee4)\u306b\u5bfe\u5fdc\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n

        \u56f32\u306fIsMenu<\/span>\u95a2\u6570\u3092\u9006\u30a2\u30bb\u30f3\u30d6\u30eb\u3057\u305f\u3082\u306e\u3067\u3059\u3002E8<\/span>\u30aa\u30da\u30b3\u30fc\u30c9\u304cHMValidateHandle<\/span>\u306b\u5bfe\u3059\u308b\u547c\u3073\u51fa\u3057\u3092\u884c\u3046\u6700\u521d\u3067\u552f\u4e00\u306e\u30aa\u30da\u30b3\u30fc\u30c9\u3067\u3042\u308b\u3053\u3068\u304c\u308f\u304b\u308a\u307e\u3059\u3002<\/a><\/p>\n

        \"\u753b\u50cf2\u306f\u3001IsMenu\u95a2\u6570\u3092\u9006\u30a2\u30bb\u30f3\u30d6\u30eb\u3057\u305f\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3067\u3059\u3002HMValidateHandle\u306b\u5bfe\u3059\u308b\u547c\u3073\u51fa\u3057\u3092\u884c\u3046\u6700\u521d\u3067\u6700\u5f8c\u306e\u30aa\u30da\u30b3\u30fc\u30c9\u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3059\u3002\"
        \u56f32. IsMenu<\/span>\u95a2\u6570\u306eIDA\u306b\u3088\u308b\u9006\u30a2\u30bb\u30f3\u30d6\u30eb<\/figcaption><\/figure>\n

        \u3053\u306e\u4f5c\u8005\u306f\u3053\u306ePoC 58\u884c\u76ee\u306bFindHMValidateHandle<\/span>\u3068\u3044\u3046\u540d\u524d\u306e\u95a2\u6570\u3092\u5b9a\u7fa9\u3059\u308b\u3053\u3068\u3067\u3001\u4e0a\u8a18\u306e\u5185\u5bb9\u3092\u5b9f\u73fe\u3057\u3066\u3044\u307e\u3059\u3002\u56f33\u306f\u3053\u306eFindHMValidateHandle<\/span>\u3068\u3044\u3046\u95a2\u6570\u304b\u3089\u306e\u30b3\u30fc\u30c9\u30b9\u30cb\u30da\u30c3\u30c8\u3067\u3059\u3002\u3053\u306e\u95a2\u6570\u306fE8<\/span>\u30aa\u30da\u30b3\u30fc\u30c9\u3092\u63a2\u3057\u3066IsMenu<\/span>\u3092\u691c\u7d22\u3057\u3001\u305d\u306e\u4f4d\u7f6e\u3092\u30dd\u30a4\u30f3\u30bf\u30fc\u3068\u3057\u3066g_pfnHmValidateHandle<\/span>\u3068\u3044\u3046\u30b0\u30ed\u30fc\u30d0\u30eb\u5909\u6570\u306b\u4fdd\u5b58\u3057\u307e\u3059\u3002\u3053\u306e\u4f4d\u7f6e\u306f\u3001\u5f8c\u3067\u30e6\u30fc\u30b6\u30fc\u30e2\u30fc\u30c9\u306b\u30de\u30c3\u30d7\u3055\u308c\u305ftagWND<\/span>\u69cb\u9020\u4f53\u306e\u30a2\u30c9\u30ec\u30b9\u3092\u6f0f\u3048\u3044\u3055\u305b\u308b\u306e\u306b\u4f7f\u308f\u308c\u307e\u3059\u3002<\/a><\/p>\n

        \"\u753b\u50cf3\u306f\u3001FindHMValidateHandle\u306e\u30b3\u30fc\u30c9
        \u56f33. FindHMValidateHandle<\/span>\u306e\u30b3\u30fc\u30c9 \u30b9\u30cb\u30da\u30c3\u30c8<\/figcaption><\/figure>\n
        <\/a>2. NtUserConsoleControl\u3001NtCallbackReturn\u3092\u30ed\u30fc\u30c9\u3059\u308b<\/h5>\n

        CVE-2022-21882\u3068CVE-2021-1732\u306e\u30c8\u30ea\u30ac\u30fc\u306b\u306f\u3001NtUserConsoleControl<\/span>\u3068NtCallbackReturn<\/span>\u306e\u4e21\u95a2\u6570\u304c\u60aa\u7528\u3055\u308c\u307e\u3059\u3002\u3053\u308c\u3089\u306f\u3044\u305a\u308c\u3082\u6587\u66f8\u5316\u3055\u308c\u3066\u3044\u306a\u3044\u95a2\u6570\u3067\u3001\u305d\u308c\u305e\u308cwin32u.dll<\/span>\u3001ntdll.dll<\/span>\u306b\u5b58\u5728\u3057\u3066\u3044\u307e\u3059\u3002PoC 285\uff5e288\u884c\u76ee(\u56f34)\u306f\u3001\u3053\u308c\u3089\u306e\u95a2\u6570\u3092\u89e3\u6c7a\u3057\u3066\u30dd\u30a4\u30f3\u30bf\u30fc\u3092\u4fdd\u5b58\u3057\u3001\u5f8c\u3067\u4f7f\u3048\u308b\u3088\u3046\u306b\u3057\u3066\u3044\u307e\u3059\u3002<\/a><\/p>\n

        \"\u753b\u50cf4\u306fPoC
        \u56f34. PoC 285\uff5e288\u884c\u76ee<\/figcaption><\/figure>\n

        NtUserConsoleControl<\/span>\u3001NtCallbackReturn<\/span>\u306e\u4e21\u95a2\u6570\u306b\u3064\u3044\u3066\u306f\u305d\u308c\u305e\u308c\u30b9\u30c6\u30c3\u30d77\u30689\u3067\u8a73\u3057\u304f\u8aac\u660e\u3057\u307e\u3059\u3002<\/p>\n

        <\/a>3. KernelCallbackTable\u3092\u898b\u3064\u3051\u3066\u30e6\u30fc\u30b6\u30fc\u30e2\u30fc\u30c9 \u30b3\u30fc\u30eb\u30d0\u30c3\u30afxxxClientAllocWindowClassExtraBytes\u3068xxxClientAllocWindowClassExtraBytes\u3078\u306e\u30dd\u30a4\u30f3\u30bf\u30fc\u3092\u4fdd\u5b58\u3059\u308b<\/h5>\n

        297\u301c304\u884c\u76ee\u307e\u3067\u306e\u30b3\u30fc\u30c9(\u56f35)\u306f\u3001KernelCallbackTable<\/span>\u306e\u5834\u6240\u3092\u7279\u5b9a\u3057\u3001\u6b63\u898f\u306exxxClientAllocWindowClassExtraBytes<\/span>\u95a2\u6570\u3068xxxClientFreeWindowClassExtraBytes<\/span>\u95a2\u6570\u306e\u30a2\u30c9\u30ec\u30b9\u306e\u30dd\u30a4\u30f3\u30bf\u30fc\u3092\u30ed\u30fc\u30ab\u30eb\u5909\u6570\u306b\u4fdd\u5b58\u3057\u3066\u3044\u307e\u3059\u3002xxxClientAllocWindowClassExtraBytes<\/span>\u95a2\u6570\u3068 xxxClientFreeWindowClassExtraBytes<\/span>\u95a2\u6570(\u30b9\u30c6\u30c3\u30d79\u3067\u8aac\u660e)\u3092\u30d5\u30c3\u30af\u3059\u308b\u306b\u306f\u3001\u5404\u95a2\u6570\u3078\u306e\u30dd\u30a4\u30f3\u30bf\u30fc\u3092\u898b\u3064\u3051\u308b\u5fc5\u8981\u304c\u3042\u308b\u306e\u3067\u3059\u3002\u3053\u308c\u3089\u306e\u95a2\u6570\u306f\u3044\u305a\u308c\u3082\u30e6\u30fc\u30b6\u30fc\u30e2\u30fc\u30c9 \u30b3\u30fc\u30eb\u30d0\u30c3\u30af\u3067\u3001Windows API\u5185\u3067\u306e\u5229\u7528\u306e\u305f\u3081\u306b\u30a8\u30af\u30b9\u30dd\u30fc\u30c8\u3055\u308c\u3066\u3044\u306a\u3044\u306e\u304c\u305d\u306e\u7406\u7531\u3067\u3059\u3002<\/a><\/p>\n

        \"\u753b\u50cf5\u306f\u3001PoC
        \u56f35. PoC 297\uff5e304\u884c\u76ee<\/figcaption><\/figure>\n

        \u30d7\u30ed\u30bb\u30b9\u74b0\u5883\u30d6\u30ed\u30c3\u30af(PEB)\u3092\u30d1\u30fc\u30b9\u3059\u308b\u3053\u3068\u306b\u3088\u308aKernelCallbackTable<\/span>\u306e\u5834\u6240\u304c\u7279\u5b9a\u3055\u308c\u307e\u3059\u3002\u3053\u306ePEB\u306e\u30aa\u30d5\u30bb\u30c3\u30c80x58<\/span>\u306e\u4f4d\u7f6e\u306bKernelCallbackTable<\/span>\u3078\u306e\u30dd\u30a4\u30f3\u30bf\u30fc\u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n

        \u6ce8<\/strong>: GS[0x60]<\/span>\u30ec\u30b8\u30b9\u30bf\u30fc\u306f\u3001Windows x64\u30b7\u30b9\u30c6\u30e0\u3067\u306fPEB\u3078\u306e\u30dd\u30a4\u30f3\u30bf\u30fc\u3092\u542b\u3093\u3067\u3044\u307e\u3059\u3002\u3053\u306e\u30b3\u30fc\u30c9\u304c__readgsqword(0x60u)<\/span>\u3092\u53c2\u7167\u3057\u3066\u3044\u308b\u306e\u306f\u305d\u306e\u305f\u3081\u3067\u3059\u3002KernelCallbackTable<\/span>\u306f\u3001Windows\u30ab\u30fc\u30cd\u30eb\u304c\u4f7f\u7528\u3059\u308b\u3059\u3079\u3066\u306e\u30ab\u30fc\u30cd\u30eb \u30b3\u30fc\u30eb\u30d0\u30c3\u30af\u95a2\u6570\u3078\u30de\u30c3\u30d4\u30f3\u30b0\u3059\u308b\u30dd\u30a4\u30f3\u30bf\u30fc\u3092\u542b\u3080\u30c6\u30fc\u30d6\u30eb\u3067\u3059\u3002\u3053\u306ePEB\u306eKernelCallbackTable<\/span>\u30a8\u30f3\u30c8\u30ea\u30fc\u306e\u8868\u793a\u306b\u306fWinDbg<\/span>\u3092\u4f7f\u3063\u3066\u3044\u307e\u3059(dt nt!_peb @$peb<\/span>\u30b3\u30de\u30f3\u30c9\u3092\u4f7f\u3063\u3066\u73fe\u5728\u306ePEB\u3092\u30c0\u30f3\u30d7\u3057\u305f)\u3002<\/p>\n

        \u56f36\u306b\u793a\u3057\u305fWinDbg<\/span>\u306e\u51fa\u529b\u306b\u3082\u3068\u3065\u304f\u3068\u3001PEB+0x58<\/span>\u306b KernelCallbackTable<\/span>\u30a2\u30c9\u30ec\u30b9\u3078\u306e\u30dd\u30a4\u30f3\u30bf\u30fc\u304c\u542b\u307e\u308c\u3066\u3044\u308b\u3053\u3068\u304c\u308f\u304b\u308a\u307e\u3059\u3002<\/a><\/p>\n

        \"\u753b\u50cf6\u306fWinDbg\u306e\u51fa\u529b\u306e\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3067\u3059\u3002KernelCallbackTable\u3078\u306e\u30dd\u30a4\u30f3\u30bf\u30fc\u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3059\u3002\"
        \u56f36. WinDbg<\/span>\u306b\u3088\u308bPEB\u306e\u51fa\u529b<\/figcaption><\/figure>\n

        \u30ab\u30fc\u30cd\u30eb \u30b3\u30fc\u30eb\u30d0\u30c3\u30af\u306e\u6700\u521d\u306e\u3044\u304f\u3064\u304b\u306e\u30a8\u30f3\u30c8\u30ea\u30fc\u3092\u56f37\u306b\u793a\u3057\u307e\u3059\u3002<\/a><\/p>\n

        \"\u753b\u50cf7\u306f\u3001KernelCallbackTable\u306e\u6700\u521d\u306e16\u500b\u306e\u30a8\u30f3\u30c8\u30ea\u30fc\u306e\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3067\u3059\u3002\"
        \u56f37 KernelCallbackTable<\/span>\u306e\u6700\u521d\u306e16\u500b\u306e\u30a8\u30f3\u30c8\u30ea\u30fc<\/figcaption><\/figure>\n

        \u3053\u306ePoC\u306fKernelCallbackTable<\/span>\u306eg_oldxxxClientAllocWindowClassExtraBytes<\/span>\u3068 g_oldxxxClientFreeWindowClassExtraBytes<\/span>\u306b\u30012\u3064\u306e\u30dd\u30a4\u30f3\u30bf\u30fc(\u30aa\u30d5\u30bb\u30c3\u30c80x3d8<\/span>\u30680x3e0<\/span>)\u3092\u305d\u308c\u305e\u308c\u4fdd\u5b58\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n

        KernelCallbackTable+0x3d8<\/span>\u306b\u306f xxxClientAllocWindowClassExtraBytes<\/span>\u3078\u306e\u30dd\u30a4\u30f3\u30bf\u30fc\u304c\u3001\u6b21\u306e\u30a8\u30f3\u30c8\u30ea\u30fc(0x3e0<\/span>)\u306b\u306fxxxClientFreeWindowClassExtraBytes<\/span>\u3078\u306e\u30dd\u30a4\u30f3\u30bf\u30fc\u304c\u4fdd\u5b58\u3055\u308c\u3066\u3044\u307e\u3059\u3002\u305d\u306e\u3088\u3046\u3059\u3092\u56f38\u306b\u793a\u3057\u307e\u3059\u3002<\/a><\/p>\n

        \"\u753b\u50cf8\u306f\u3001WinDbg\u3067KernelCallbackTable
        \u56f38. KernelCallbackTable + 0x3d0\u306eWinDbg\u306b\u3088\u308b\u30e1\u30e2\u30ea\u30fc \u30c0\u30f3\u30d7\u3002\u3053\u3053\u306b\u8208\u5473\u306e\u5bfe\u8c61\u3068\u306a\u308b2\u3064\u306e\u95a2\u6570\u304c\u914d\u7f6e\u3055\u308c\u3066\u3044\u308b<\/figcaption><\/figure>\n
        <\/a>4. \u30a6\u30a3\u30f3\u30c9\u30a6 \u30af\u30e9\u30b9\u3092\u3044\u304f\u3064\u304b\u5b9a\u7fa9\u3059\u308b<\/h5>\n

        \u56f39\u306e\u30b3\u30fc\u30c9(312\u301c325\u884c\u76ee)\u306b\u306f\u898b\u899a\u3048\u304c\u3042\u308b\u3067\u3057\u3087\u3046\u3002\u672c\u9023\u8f09\u306e\u7b2c1\u90e8<\/a>\u3067\u53d6\u308a\u4e0a\u3052\u305f\u3088\u3046\u306b\u30012\u3064\u306e\u30a6\u30a3\u30f3\u30c9\u30a6 \u30af\u30e9\u30b9\u3092\u5b9a\u7fa9\u3057\u3001\u305d\u306e\u3046\u30611\u3064(wndClass<\/span>)\u3092\u767b\u9332\u3057\u3066\u3044\u307e\u3059\u3002\u4e00\u65b9\u306b\u306fnormalClass<\/span>\u3068\u3044\u3046\u30af\u30e9\u30b9\u540d\u304c\u4e0e\u3048\u3089\u308c\u3001\u3082\u3046\u4e00\u65b9\u306b\u306fmagicClass<\/span>\u3068\u3044\u3046\u30af\u30e9\u30b9\u540d\u304c\u4e0e\u3048\u3089\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n

        \u307e\u305f\u3053\u306emagic<\/span>\u30a6\u30a3\u30f3\u30c9\u30a6 \u30af\u30e9\u30b9\u306b\u306f\u3001\u30e9\u30f3\u30c0\u30e0\u306acbWndExtra<\/span>\u5024\u304c\u4e0e\u3048\u3089\u308c\u3066\u3044\u308b\u3088\u3046\u306b\u898b\u3048\u307e\u3059\u3002\u3053\u306e\u5024\u306f\u3001\u5f8c\u3067\u30d5\u30c3\u30af\u3055\u308c\u305f\u95a2\u6570\u3092\u547c\u3073\u51fa\u3059\u3055\u3044\u306b\u30012\u3064\u306e\u30a6\u30a3\u30f3\u30c9\u30a6 \u30af\u30e9\u30b9\u3092\u533a\u5225\u3059\u308b\u305f\u3081\u306b\u4f7f\u7528\u3055\u308c\u307e\u3059(\u8a73\u7d30\u5206\u6790\u306f\u5f8c\u8ff0)\u3002<\/a><\/p>\n

        \"\u753b\u50cf9\u306fPoC
        \u56f39. PoC 312\uff5e325\u884c\u76ee<\/figcaption><\/figure>\n
        <\/a>5. \u30d2\u30fc\u30d7 \u30b0\u30eb\u30fc\u30df\u30f3\u30b0\u3092\u884c\u3046<\/h5>\n

        PoC 413\u301c467\u884c\u76ee\u307e\u3067\u306fnormalClass<\/span>\u3068\u3044\u3046\u30af\u30e9\u30b9 \u30bf\u30a4\u30d7\u306e\u30a6\u30a3\u30f3\u30c9\u30a6\u309210\u500b\u4f5c\u6210\u3059\u308bdo while\u30eb\u30fc\u30d7\u3092\u5b9a\u7fa9\u3057\u3066\u3044\u307e\u3059\u3002\u5404\u30a6\u30a3\u30f3\u30c9\u30a6\u306b\u306fsomewnd<\/span>\u3068\u3044\u3046\u30a6\u30a3\u30f3\u30c9\u30a6\u540d\u304c\u4e0e\u3048\u3089\u308c\u307e\u3059\u3002<\/p>\n

        \u3053\u306e\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u306e\u4f5c\u8005\u306f\u30010\u304b\u30899\u307e\u306710\u500b\u306e\u30a6\u30a3\u30f3\u30c9\u30a6\u3092\u4f5c\u6210\u3057\u305f\u5f8c\u30012\u304b\u30899\u307e\u3067\u306e\u30a6\u30a3\u30f3\u30c9\u30a6\u3092\u524a\u9664\u3057\u3066\u3044\u307e\u3059\u3002\u3053\u308c\u306f\u304a\u305d\u3089\u304f\u3001\u3053\u3053\u3067\u6b8b\u3057\u305f2\u3064\u306e\u30a6\u30a3\u30f3\u30c9\u30a6\u306e\u3059\u3050\u5f8c\u308d\u306b\u5f8c\u304b\u3089PoC\u306e\u3053\u306e\u90e8\u5206\u3067\u4f5c\u6210\u3059\u308b\u3053\u3068\u306b\u306a\u308bmagic\u30a6\u30a3\u30f3\u30c9\u30a6\u3092\u5272\u308a\u5f53\u3066\u308b\u305f\u3081\u306b\u30d2\u30fc\u30d7 \u30b0\u30eb\u30fc\u30df\u30f3\u30b0\u3092\u884c\u304a\u3046\u3068\u3057\u305f\u306e\u3060\u308d\u3046\u3068\u601d\u308f\u308c\u307e\u3059\u3002\u305f\u3060\u3057\u5f8c\u8ff0\u3059\u308b\u3088\u3046\u306b\u3001\u3053\u306e\u5b9f\u884c\u30b5\u30f3\u30d7\u30eb\u3067\u306f\u3001magic\u30a6\u30a3\u30f3\u30c9\u30a6\u306f\u6700\u521d\u306e2\u3064\u306e\u30a6\u30a3\u30f3\u30c9\u30a6\u306e\u771f\u3093\u4e2d\u306b\u5272\u308a\u5f53\u3066\u3089\u308c\u307e\u3059\u3002<\/p>\n

        \u5404\u30a6\u30a3\u30f3\u30c9\u30a6\u306e\u4f5c\u6210\u6642\u3001\u3053\u306e\u4f5c\u8005\u306f\u5404\u30a6\u30a3\u30f3\u30c9\u30a6\u3078\u306e\u30cf\u30f3\u30c9\u30eb\u3092arrhwndNoraml[]<\/span>\u3068\u3044\u3046\u540d\u524d\u306e\u914d\u5217\u306b\u683c\u7d0d\u3057\u307e\u3059\u3002\u6b21\u306b\u3001\u5404\u30a6\u30a3\u30f3\u30c9\u30a6\u306etagWND<\/span>\u69cb\u9020\u4f53\u3078\u306e\u30dd\u30a4\u30f3\u30bf\u30fc\u3092\u3001arrEntryDesktop[]<\/span>\u3068\u3044\u3046\u540d\u524d\u306e\u5225\u306e\u914d\u5217\u306b\u683c\u7d0d\u3057\u307e\u3059\u3002\u3053\u306e\u51e6\u7406\u306fHMValidateHandle<\/span>\u3092\u547c\u3073\u51fa\u3059\u3053\u3068\u3067\u884c\u308f\u308c\u307e\u3059\u3002\u3059\u3067\u306b\u8aac\u660e\u3057\u305f\u3088\u3046\u306b\u3053\u306e\u547c\u3073\u51fa\u3057\u3067\u30a6\u30a3\u30f3\u30c9\u30a6\u306e\u5404tagWND<\/span>\u69cb\u9020\u4f53\u306e\u30e6\u30fc\u30b6\u30fc\u30e2\u30fc\u30c9 \u30b3\u30d4\u30fc\u3078\u306e\u30dd\u30a4\u30f3\u30bf\u30fc\u304c\u8fd4\u3055\u308c\u307e\u3059\u3002<\/p>\n

        \u56f310\u306fHMValidateHandle<\/span>\u3092\u6700\u521d\u306b\u547c\u3073\u51fa\u3057\u305f\u5f8c(\u3064\u307e\u308a1\u3064\u3081\u306e\u30a6\u30a3\u30f3\u30c9\u30a6\u3092\u4f5c\u6210\u3057\u305f\u5f8c)\u306e\u623b\u308a\u5024(rax<\/span>)\u3067\u3059\u3002<\/a><\/p>\n

        \"\u753b\u50cf10\u306f\u3001\u6700\u521d\u306b\u4f5c\u6210\u3057\u305f\u30a6\u30a3\u30f3\u30c9\u30a6\u3067HMValidateHandle\u3092\u547c\u3073\u51fa\u3057\u305f\u3055\u3044\u306e\u623b\u308a\u5024\u306e\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3067\u3059\u3002\u623b\u308a\u5024\u306frax\u3067\u3059\u3002\"
        \u56f310. \u6700\u521d\u306b\u4f5c\u6210\u3055\u308c\u305f\u30a6\u30a3\u30f3\u30c9\u30a6\u3067HMValidateHandle<\/span>\u3092\u547c\u3073\u51fa\u3057\u305f\u3068\u304d\u306e\u623b\u308a\u5024<\/figcaption><\/figure>\n

        PoC\u5206\u6790\u3067\u91cd\u8981\u3068\u306a\u308b\u30e9\u30d9\u30eb\u3092tagWND<\/span>\u69cb\u9020\u4f53\u306b\u8ffd\u52a0\u3057\u3066\u3042\u308a\u307e\u3059\u3002tagWND.cbWNDExtra<\/span>\u306e\u5024\u304c32 (0x20<\/span>)\u3067\u3042\u308b\u3053\u3068\u306b\u7559\u610f\u3057\u3066\u304f\u3060\u3055\u3044\u3002\u3053\u306e\u5024\u306f\u4e0a\u8a18\u56f39\u306enormalClass<\/span>\u306e\u767b\u9332\u6642\u306b\u5ba3\u8a00\u3055\u308c\u305f\u5024\u3068\u540c\u3058\u3067\u3059\u3002<\/p>\n

        \u307e\u305ftagWND.dwExtraFlags<\/span>\u306b\u3082\u6ce8\u76ee\u3057\u3066\u304f\u3060\u3055\u3044\u3002\u3053\u306e\u5024\u304cNtUserConsoleControl<\/span>\u306e\u547c\u3073\u51fa\u3057\u4e2d\u306b\u5909\u5316\u3059\u308b\u5024\u3067\u3001tagWND.pExtraBytes<\/span>\u30d5\u30a3\u30fc\u30eb\u30c9\u306e\u5024\u306f\u3001\u30e6\u30fc\u30b6\u30fc\u30e2\u30fc\u30c9 \u30a2\u30c9\u30ec\u30b9\u3067\u306f\u306a\u304f\u3001\u30ab\u30fc\u30cd\u30eb\u306b\u5bfe\u3059\u308b\u30aa\u30d5\u30bb\u30c3\u30c8\u3092\u793a\u3059\u3088\u3046\u306b\u306a\u308a\u307e\u3059\u3002\u305f\u3060\u3057\u30a6\u30a3\u30f3\u30c9\u30a6\u306e\u4f5c\u6210\u76f4\u5f8c\u306f\u3001\u3053\u306e\u5024\u304c\u30e6\u30fc\u30b6\u30fc\u30e2\u30fc\u30c9 \u30a2\u30c9\u30ec\u30b9(0x0000015ba4b73fb0<\/span>)\u3067\u3042\u308b\u3053\u3068\u304c\u660e\u78ba\u306b\u308f\u304b\u308a\u307e\u3059\u3002<\/p>\n

        \u540c\u3058\u30a6\u30a3\u30f3\u30c9\u30a6\u306e\u30ab\u30fc\u30cd\u30eb\u30e2\u30fc\u30c9 \u30c7\u30b9\u30af\u30c8\u30c3\u30d7\u306etagWND<\/span>\u69cb\u9020\u4f53\u3092\u56f311\u306b\u793a\u3057\u307e\u3059\u3002\u3053\u306e\u69cb\u9020\u4f53\u3092\u898b\u3064\u3051\u308b\u305f\u3081\u3001CreateWindowExW<\/span>\u95a2\u6570\u3092\u9759\u7684\u306b\u89e3\u6790\u3057\u3066\u30e1\u30e2\u30ea\u30fc\u304c\u5272\u308a\u5f53\u3066\u3089\u308c\u305f\u5834\u6240\u3092\u7279\u5b9a\u3057\u3001\u5b9f\u884c\u4e2d\u305d\u306e\u5834\u6240\u306b\u30d6\u30ec\u30fc\u30af \u30dd\u30a4\u30f3\u30c8\u3092\u8a2d\u5b9a\u3057\u307e\u3057\u305f\u3002<\/p>\n

        \u30ab\u30fc\u30cd\u30eb\u5185\u306etagWND<\/span>\u69cb\u9020\u4f53\u304c\u5b9f\u969b\u306bHMValidateHandle<\/span>\u306e\u547c\u3073\u51fa\u3057\u5f8c\u306b\u30e6\u30fc\u30b6\u30fc\u30e2\u30fc\u30c9\u3067\u8fd4\u3055\u308c\u308b\u3082\u306e\u3068\u540c\u3058\u3067\u3042\u308b\u3053\u3068\u304c\u308f\u304b\u308a\u307e\u3059\u3002\u524d\u8ff0\u306e\u3088\u3046\u306b\u3001\u30e6\u30fc\u30b6\u30fc\u30e2\u30fc\u30c9 \u30c7\u30b9\u30af\u30c8\u30c3\u30d7 \u30d2\u30fc\u30d7\u306f\u30ab\u30fc\u30cd\u30eb\u30e2\u30fc\u30c9 \u30c7\u30b9\u30af\u30c8\u30c3\u30d7 \u30d2\u30fc\u30d7\u306e\u5358\u306a\u308b\u30b3\u30d4\u30fc\u3067\u3001Win32k\u306f\u5b9f\u969b\u306b\u306f\u3053\u306e\u30b3\u30d4\u30fc\u3092\u4f7f\u3063\u3066\u30a6\u30a3\u30f3\u30c9\u30a6\u3092\u7ba1\u7406\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n

        \u5f8c\u8ff0\u3057\u307e\u3059\u304c\u3001\u5b9f\u306f\u30ab\u30fc\u30cd\u30eb\u5185\u306b\u306f\u89aa\u306etagWND<\/span>\u69cb\u9020\u4f53\u304c\u914d\u7f6e\u3055\u308c\u3066\u3044\u307e\u3059\u3002\u3053\u306e\u89aa\u306e\u69cb\u9020\u4f53\u306b\u306f\u95a2\u9023\u3059\u308b\u30ab\u30fc\u30cd\u30eb \u30a2\u30c9\u30ec\u30b9\u304c\u3059\u3079\u3066\u683c\u7d0d\u3055\u308c\u3066\u3044\u3066\u3001Microsoft\u306f\u30a6\u30a3\u30f3\u30c9\u30a6\u69cb\u9020\u4f53\u3078\u306e\u30e6\u30fc\u30b6\u30fc\u30e2\u30fc\u30c9\u306e\u30a2\u30af\u30bb\u30b9\u306f\u3059\u3079\u3066\u3001\u30e6\u30fc\u30b6\u30fc\u30e2\u30fc\u30c9 \u30bb\u30fc\u30d5\u306atagWND<\/span>\u69cb\u9020\u4f53\u3092\u4ecb\u3057\u3066\u884c\u308f\u308c\u308b\u3088\u3046\u306b\u3057\u3066\u304d\u307e\u3057\u305f\u3002Microsoft\u306f\u30e6\u30fc\u30b6\u30fc\u30e2\u30fc\u30c9 \u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u304b\u3089\u306e\u30ab\u30fc\u30cd\u30eb \u30dd\u30a4\u30f3\u30bf\u30fc\u6f0f\u3048\u3044\u9632\u6b62\u306b\u3072\u3068\u304b\u305f\u306a\u3089\u306c\u52aa\u529b\u3092\u3057\u3066\u304a\u308a\u3001\u30e6\u30fc\u30b6\u30fc\u30e2\u30fc\u30c9\u304b\u3089\u306f\u30c7\u30b9\u30af\u30c8\u30c3\u30d7 \u30d2\u30fc\u30d7 \u30a2\u30c9\u30ec\u30b9\u306b\u3057\u304b\u30a2\u30af\u30bb\u30b9\u3067\u304d\u307e\u305b\u3093\u3002\u3053\u306e\u305f\u3081\u3001\u3053\u306e\u5236\u7d04\u3092\u56de\u907f\u3059\u308b\u65b9\u6cd5\u304c\u5c11\u3057\u5f8c\u3067\u5fc5\u8981\u306b\u306a\u308a\u307e\u3059\u3002<\/a><\/p>\n

        \"\u753b\u50cf11\u306f\u3001\u30e6\u30fc\u30b6\u30fc\u30e2\u30fc\u30c9\u3068\u30ab\u30fc\u30cd\u30eb\u30e2\u30fc\u30c9\u3067\u5171\u6709\u3055\u308c\u308btagWND\u69cb\u9020\u4f53\u306e\u30ab\u30fc\u30cd\u30eb\u30e2\u30fc\u30c9
        \u56f311 \u30e6\u30fc\u30b6\u30fc\u30e2\u30fc\u30c9\u3068\u30ab\u30fc\u30cd\u30eb\u30e2\u30fc\u30c9\u3067\u5171\u6709\u3055\u308c\u308btagWND\u69cb\u9020\u4f53\u306e\u30ab\u30fc\u30cd\u30eb\u30e2\u30fc\u30c9\u306e\u30b3\u30d4\u30fc<\/figcaption><\/figure>\n

        tagWND<\/span>\u69cb\u9020\u4f53\u304c\u5b58\u5728\u3059\u308b\u5b9f\u969b\u306e\u30a2\u30c9\u30ec\u30b9\u3092\u78ba\u8a8d\u3059\u308c\u3070\u3001\u3055\u3089\u306btagWND.OffsetToDesktopHeap<\/span>\u304c\u660e\u78ba\u306b\u306a\u308b\u70b9\u306b\u3082\u7559\u610f\u304c\u5fc5\u8981\u3067\u3059\u3002\u4e0a\u8a18\u306etagWND.OffsetToDesktopHeap<\/span>\u306e\u5024\u306f0x38390<\/span>\u3067\u3001\u30ab\u30fc\u30cd\u30eb\u306etagWND<\/span>\u306e\u30a2\u30c9\u30ec\u30b9\u306f0xffff8e8201038390<\/span>\u3067\u3059\u3002tagWND<\/span>\u306e\u30a2\u30c9\u30ec\u30b9\u304b\u3089tagWND.OffsetToDesktopHeap<\/span>\u306e\u5024\u3092\u5f15\u304f\u3068\u3001\u30ab\u30fc\u30cd\u30eb \u30c7\u30b9\u30af\u30c8\u30c3\u30d7 \u30d2\u30fc\u30d7\u306e\u30a2\u30c9\u30ec\u30b9\u3067\u3042\u308b0xffff8e8201000000<\/span>\u3092\u7279\u5b9a\u3067\u304d\u307e\u3059\u3002\u540c\u3058\u3053\u3068\u304c\u30e6\u30fc\u30b6\u30fc\u30e2\u30fc\u30c9 tagWND<\/span>\u69cb\u9020\u4f53\u306b\u3064\u3044\u3066\u3082\u5f53\u3066\u306f\u307e\u308a\u307e\u3059\u3002<\/p>\n

        \u5f8c\u3067\u4efb\u610f\u306ewrite\u30d7\u30ea\u30df\u30c6\u30a3\u30d6\u3092\u53d6\u5f97\u3059\u308c\u3070\u3001\u3053\u308c\u3089\u306e\u30aa\u30d5\u30bb\u30c3\u30c8\u304c\u30ab\u30fc\u30cd\u30eb \u30e1\u30e2\u30ea\u30fc\u7a7a\u9593\u5185\u306e\u30ca\u30d3\u30b2\u30fc\u30b7\u30e7\u30f3\u306b\u4f7f\u308f\u308c\u308b\u3053\u3068\u306b\u306a\u308a\u307e\u3059\u3002\u7d9a\u304f\u7b2c3\u90e8\u3067\u306f\u30b9\u30c6\u30c3\u30d76\uff5e9\u3092\u898b\u3066\u3044\u304d\u307e\u3059\u3002<\/p>\n

        \u7d9a\u304d\u3092\u8aad\u3080 \u27a0 \u30bb\u30af\u30b7\u30e7\u30f3 3 \u2013 \u8a73\u7d30\u5206\u6790\u30b9\u30c6\u30c3\u30d76-9<\/a><\/em><\/strong><\/p>\n

        \u30c8\u30c3\u30d7\u306b\u623b\u308b<\/a><\/em><\/strong><\/p>\n

        <\/p>\n

        <\/a>\u76ee\u6b21<\/h2>\n

        6. \u30a6\u30a3\u30f3\u30c9\u30a6\u9593\u306e\u30aa\u30d5\u30bb\u30c3\u30c8\u3092\u8a08\u7b97\u3059\u308b<\/a>
        \n        7. \u6700\u3082\u4e0b\u4f4d\u306e\u30a6\u30a3\u30f3\u30c9\u30a6\u306e\u30a2\u30c9\u30ec\u30b9\u3067NtUserConsoleControl\u3092\u547c\u3073\u51fa\u3059<\/a>
        \n        8. 3\u3064\u3081\u306e(magic)\u30a6\u30a3\u30f3\u30c9\u30a6\u3092\u4f5c\u6210\u3059\u308b<\/a>
        \n        9. NtUserConsoleControl\u3068NtCallbackReturn\u547c\u3073\u51fa\u3059\u60aa\u610f\u306e\u3042\u308b\u30d0\u30fc\u30b8\u30e7\u30f3\u3067xxxClientAllocWindowClassExtraBytes\u3092\u30d5\u30c3\u30af\u3057\u3066\u304b\u3089\u6b63\u898f\u306exxxClientAllocWindowClassExtraBytes\u306b\u623b\u308b<\/a><\/p>\n

        <\/a>\u56f3\u8868\u306e\u76ee\u6b21<\/h2>\n

        \u56f312. PoC 472\uff5e499\u884c\u76ee<\/a>
        \n        \u56f313. Wnd1\u306eHMValidateHandle\u306e\u623b\u308a\u5024(rax)\u3092WinDbg\u3067\u30c0\u30f3\u30d7\u3057\u305f\u3068\u3053\u308d<\/a>
        \n        \u56f314. Wnd0\u306eHMValidateHandle\u306e\u623b\u308a\u5024(rax)\u3092WinDbg\u3067\u30c0\u30f3\u30d7\u3057\u305f\u3068\u3053\u308d<\/a>
        \n        \u56f315. PoC 501\u884c\u76ee<\/a>
        \n        \u56f316. NtUserConsoleControl\u547c\u3073\u51fa\u3057\u524d\u5f8c\u306eWnd0\u306epExtraBytes\u306e\u5024<\/a>
        \n        \u56f317. WndMagic\u306e\u4f5c\u6210<\/a>
        \n        \u56f318. WndMagic\u4f5c\u6210\u76f4\u5f8c\u306e\u30e1\u30e2\u30ea\u30fc \u30ec\u30a4\u30a2\u30a6\u30c8<\/a>
        \n        \u56f319. PoC 522\uff5e530\u884c\u76ee<\/a>
        \n        \u56f320. \u30dd\u30a4\u30f3\u30bf\u30fc\u4e0a\u66f8\u304d\u524d\u306eKernelCallbackTable<\/a>
        \n        \u56f321. \u30dd\u30a4\u30f3\u30bf\u30fc\u4e0a\u66f8\u304d\u5f8c\u306eKernelCallbackTable<\/a>
        \n        \u56f322. PoC 170\uff5e190\u884c\u76ee<\/a>
        \n        \u56f323. PoC 496\u884c\u76ee<\/a>
        \n        \u56f324. PoC 151\uff5e164\u884c\u76ee<\/a><\/p>\n

        <\/a>6. \u30a6\u30a3\u30f3\u30c9\u30a6\u9593\u306e\u30aa\u30d5\u30bb\u30c3\u30c8\u3092\u8a08\u7b97\u3059\u308b<\/h5>\n

        472\u884c\u76ee\u304b\u3089499\u884c\u76ee(\u56f312)\u3067\u306f\u5358\u7d14\u306b\u3001\u6700\u521d\u306b\u4f5c\u6210\u3055\u308c\u305f2\u3064\u306e\u30a6\u30a3\u30f3\u30c9\u30a6\u306e\u3046\u3061\u3001\u30ab\u30fc\u30cd\u30eb \u30c7\u30b9\u30af\u30c8\u30c3\u30d7 \u30d2\u30fc\u30d7\u306e\u30d9\u30fc\u30b9\u306b\u5bfe\u3059\u308b\u30aa\u30d5\u30bb\u30c3\u30c8\u304c\u5c0f\u3055\u3044\u65b9\u3092\u6c7a\u5b9a\u3057\u3066\u3044\u307e\u3059\u3002\u305d\u306e\u5f8c\u3001tagWND<\/span>\u30dd\u30a4\u30f3\u30bf\u30fc\u3068tagWND.OffsetToDesktopHeap<\/span>\u3092\u3001\u30e1\u30e2\u30ea\u30fc\u5185\u3067\u306e\u30a6\u30a3\u30f3\u30c9\u30a6\u306e\u9806\u756a\u306b\u3082\u3068\u3065\u3044\u3066_min<\/span>\u307e\u305f\u306f_max<\/span>\u306e\u30bf\u30b0\u3092\u4ed8\u3051\u305f\u5909\u6570\u306b\u4ee3\u5165\u3057\u307e\u3059\u3002<\/a><\/p>\n

        \"\u753b\u50cf12\u306f\u3001PoC
        \u56f312. PoC 472\uff5e499\u884c\u76ee<\/figcaption><\/figure>\n

        \u4eca\u56de\u306e\u5834\u5408\u3001\u6700\u521d\u306b\u4f5c\u6210\u3055\u308c\u305f\u30a6\u30a3\u30f3\u30c9\u30a6\u306f\u3001\u5b9f\u306f\u30e1\u30e2\u30ea\u30fc\u4e0a\u3067\u6700\u3082\u4e0b\u4f4d\u306b\u306f\u306a\u304b\u3063\u305f\u306e\u3067\u3001Wnd1<\/span>\u3068\u547c\u3076\u3053\u3068\u306b\u3057\u307e\u3059\u30022\u3064\u3081\u306e\u30a6\u30a3\u30f3\u30c9\u30a6\u306f\u3001\u30e1\u30e2\u30ea\u30fc\u4e0a\u3067\u306f\u3088\u308a\u4e0b\u4f4d\u306b\u3042\u308b\u305f\u3081\u3001\u4eca\u5f8c\u306f\u3053\u3061\u3089\u3092Wnd0<\/span>\u3068\u547c\u3093\u3067\u3001\u30e1\u30e2\u30ea\u30fc\u4e0a\u3067\u306e\u4f4d\u7f6e\u3092\u53cd\u6620\u3059\u308b\u3053\u3068\u306b\u3057\u307e\u3059\u3002<\/p>\n

        \u56f313\u3067\u793a\u3057\u305f\u5185\u5bb9\u304b\u3089\u3001\u30e6\u30fc\u30b6\u30fc\u30e2\u30fc\u30c9 \u30c7\u30b9\u30af\u30c8\u30c3\u30d7 \u30d2\u30fc\u30d7\u306f0x15ba5028390 - 0x38390<\/span>\u3001\u3064\u307e\u308a0x15ba4ff0000<\/span>\u306b\u306a\u3051\u308c\u3070\u306a\u3089\u306a\u3044\u3053\u3068\u304c\u308f\u304b\u308a\u307e\u3059\u3002<\/a><\/p>\n

        \"\u753b\u50cf13\u306f\u3001WND1\u306eHMValidateHandle\u306e\u623b\u308a\u5024\u3092WinDbg\u3067\u30c0\u30f3\u30d7\u3057\u305f\u3088\u3046\u3059\u3092\u8868\u3059\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3067\u3059\u3002\"
        \u56f313. Wnd1<\/span>\u306eHMValidateHandle<\/span>\u306e\u623b\u308a\u5024(rax<\/span>)\u3092WinDbg<\/span>\u3067\u30c0\u30f3\u30d7\u3057\u305f\u3068\u3053\u308d<\/figcaption><\/figure>\n

        Wnd1<\/span>\u306etagWND.OffsetToDesktopHeap<\/span>\u3092\u53d6\u308a\u51fa\u3057\u3066\u4e0a\u8a18\u3067\u8a08\u7b97\u3057\u305f\u30c7\u30b9\u30af\u30c8\u30c3\u30d7 \u30d2\u30fc\u30d7 \u30a2\u30c9\u30ec\u30b9\u306b\u52a0\u7b97\u3059\u308b\u3068\u30010x15ba4ff0000 + 0x2ad30<\/span>\u3001\u3064\u307e\u308a0x15ba501ad30<\/span>\u304c\u5f97\u3089\u308c\u307e\u3059\u3002\u56f314\u306b\u793a\u3059\u3088\u3046\u306b\u3001\u3053\u308c\u304c\u307e\u3055\u306bWnd0<\/span>\u306etagWND<\/span>\u69cb\u9020\u4f53\u306b\u5bfe\u3057\u3066HMValidateHandle<\/span>\u304c\u8fd4\u3057\u305f\u5185\u5bb9\u3067\u3059\u3002<\/a><\/p>\n

        \"\u753b\u50cf14\u306fWND0\u306eHMValidateHandle\u306e\u623b\u308a\u5024\u3092WinDbg\u3067\u30c0\u30f3\u30d7\u3057\u305f\u3088\u3046\u3059\u3092\u8868\u3059\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3067\u3059\u3002\"
        \u56f314 Wnd0<\/span>\u306eHMValidateHandle<\/span>\u306e\u623b\u308a\u5024(rax<\/span>)\u3092WinDbg<\/span>\u3067\u30c0\u30f3\u30d7\u3057\u305f\u3068\u3053\u308d<\/figcaption><\/figure>\n

        PoC\u306e\u3053\u306e\u90e8\u5206\u3067\u306f\u3001\u5358\u306b\u3053\u306e\u8a08\u7b97\u3092\u884c\u3044\u3001tagWND<\/span>\u306e\u30dd\u30a4\u30f3\u30bf\u30fc\u3068\u30c7\u30b9\u30af\u30c8\u30c3\u30d7 \u30d2\u30fc\u30d7\u3078\u306e\u30aa\u30d5\u30bb\u30c3\u30c8\u3092\u4ee5\u4e0b\u306e\u30c8\u30e9\u30c3\u30ad\u30f3\u30b0\u7528\u306e\u5909\u6570\u306b\u4ee3\u5165\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n