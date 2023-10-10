FSStreamReg::PublishRx decompilation snippet

In the decompilation above, bPagesUnmapped is a boolean variable that gets set if FSFrameMdl::UnmapPages is called. If so, then offset 0x1a8 of the stream object is retrieved and if not null, KeSetEvent is called on it.

This offset corresponds to out of bounds memory and points within a POOL_HEADER, the data structure that separates buffer allocations in the pool. In particular it points to the ProcessBilled field, which is used to store a pointer to the _EPROCESS object for process that is “charged” with the allocation. This is used to account for how many pool allocations a particular process can have. Not all pool allocations are “charged” against a process, and those that don’t have the ProcessBilled field set to NULL in the POOL_HEADER. In addition, the EPROCESS pointer stored in ProcessBilled is actually XOR’d with a random cookie, so ProcessBilled doesn’t contain a valid pointer.

This presents a difficulty, because NpFr buffers are charged to the calling process, and thus ProcessBilled is set. When triggering the needed exploit primitive, bPagesUnmapped will be set to TRUE. If an invalid pointer is passed to KeSetEvent, the system will crash. Therefore, it’s necessary to ensure that the POOL_HEADER is for a non-charged allocation. At this point, I noticed that the context registration (Creg) object itself is not charged. However, this object does not allow control over memory contents at the FSFrameMdl offset. So, both NpFr and Creg objects need to be sprayed they also need to be sequenced correctly.