2025-06-28, Grand Salon
Which forensic enthusiast has never used Volatility or Velociraptor? Typically, these are the first tools deployed on an infected machine to recover everything held in memory for subsequent analysis. Under the hood, they rely on a driver called WinPmem to capture the relevant information.
The problem? This driver, used by many experts, is obsolete and has some serious vulnerabilities. For example, CVE-2024-10972 allows an attacker to trigger a BSOD on the target machine effortlessly, effectively stopping any forensic procedure: a perfect illustration of a time-of-check-to-time-of-use (TOCTOU) bug. But there is more: CVE-2024-12668 allows malware resident in memory to erase itself from that memory! A paradox, considering that a forensic tool offers sufficient capabilities to escape that same forensic tool. As an additional bonus specific to WinPmem, the driver allows malware to load any unsigned driver of its choice. Not only does this undermine any forensic analysis, but it also provides an elegant means of privilege escalation, letting an administrator execute unsigned drivers. In fact, WinPmem can easily be added to the “bring your own vulnerable driver” (BYOVD) list.
This talk explains in detail the two CVEs we found in this driver. More than that, we provide concise and illustrated explanations of how a driver works in Windows and of the main steps involved in finding vulnerabilities in one. Enough to enrich the “loldrivers” list for everyone in the room. More generally, the talk aims to present the difficulties of kernel development (as observed with CrowdStrike’s BSOD), discuss the future of third-party access to the kernel (spoiler: yes, the access should be kept), the possibility of preventing BSODs or exploits, and the complexity of fixing vulnerable drivers. From code quality to specific driver designs, the subject of driver development will be covered with several examples, accessible to anyone.
Finally, the talk discusses security tools that rely on drivers: used by everyone in cybersecurity, yet some of them implemented with a serious lack of quality and with dangerous features. In the end, WinPmem is just the tip of the iceberg of highly privileged security products that are not secure.
The talk begins by presenting the context of memory forensic drivers and, more generally, how this type of software works. Then, we give an overview of the various security features present in a driver and how they have been implemented in WinPmem. Thereafter, we show the first vulnerability and how to trigger it, with a demo. A short reminder of how a Windows BSOD works (reverse engineering and internals), and why it is useful, follows. Subsequently, we present the second vulnerability, with the associated demo. In the end, we talk about the difficulty of correcting drivers, but also about the special case of an open source driver. The conclusion is general, and refers to other software with similar characteristics.
Dr. Baptiste David is an IT security specialist at ERNW, specializing in the Windows operating system. His research is mainly focused on reverse engineering, the security of the Windows operating system platform, kernel drivers and vulnerability research. He has also worked for a couple of antivirus companies. He has given special courses and trainings at different universities in Europe. He also regularly gives talks at conferences including Black Hat USA, Defcon, TROOPERS, Zero Night, C0c0n, NullCon, EICAR, ECCWS…