Windows Heap-backed Pool: The Good, the Bad, and the Encoded

Conference:  BlackHat USA 2021



The presentation discusses the Windows kernel pool and how it is exploited, including new techniques and tools for analyzing the pool.
  • The Windows pool is the memory management system used by the operating system kernel.
  • Exploiting the pool can turn memory corruption bugs into security vulnerabilities.
  • New research has shown specific techniques for exploiting the pool.
  • Tools such as Windbg, Bank Pool, and Pool Viewer can be used to analyze the pool.
  • The presenter offers to answer questions and provide further information.
The presenter demonstrates the existence of an executable non-paged pool on their system using a Windbg command.


For decades, the Windows kernel pool remained the same, using simple structures that were easy to read, parse and search for, but recently this all changed, with a new and complex design that breaks assumptions and exploits, and of course, tools and debugger extensions.

This new design modernizes the kernel pool and makes it significantly more efficient. Additionally, it has significant security implications - both good and bad. Major code changes break a lot of existing code and might make future pool-related exploits more difficult, or in some cases nearly impossible to write.

But could this open up a whole new attack surface as well?


