Abstract

Windows 7 introduced the concept of Extension Hosts through an internal, exported API that is now used by more than 15 components in Windows 10. These components can expose and consume internal operating-system functionality, and can add new capabilities to the OS, without going through the usual import/export table mechanism that everyone knows and loves. This opens an interesting new hooking attack surface and a persistence mechanism, and it relies on data structures and registration paths that PatchGuard does not yet protect. This talk showcases the extension hosts built into Windows today, the APIs used for custom registrations and how that interface can be abused, and how defenders can monitor for and detect attacks that use it. We will release WinDbg scripts and tools for analyzing extension hosts, to strengthen defenders' memory-forensics toolkits, and demonstrate some interesting post-exploitation capabilities for red teams.