SentinelOne's KeRnel Exploits Advanced Mitigations
This kit contains the following mitigations:

- Preallocate 0xbad0b0b0: This mitigation will block exploits using TypeIndex overwrite techniques on Windows 7 and 8 (this specific technique was mitigated by Microsoft in Windows 8.1).
- PoolSlider and PoolBloater: Both of these mitigations randomize pool allocations to break pool overflow exploits. PoolSlider uses the extra padding added to allocations whose size doesn't match the pool granularity to randomize the base address returned to the caller. PoolBloater adds a random number of pool blocks to each pool allocation to randomize its size.
The mitigations included in SKREAM are explained in detail in these blog posts:
https://www.sentinelone.com/blog/skream-kernel-mode-exploits-mitigations-rest-us/
https://www.sentinelone.com/blog/skream-reloaded-randomizing-kernel-pool-allocations/
The configuration of the driver can be controlled through the config.h file, where you can enable/disable each mitigation and change default values for some of the mitigations.
Notice:
- You can't enable both PoolBloater and PoolSlider at the same time.
- If PoolSlider is enabled, the driver can't be loaded early in the boot (start_type=system), since it will conflict with some system drivers and crash the system.
- Use SKREAM at your own risk!
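The following user-mode model is an added example, not SKREAM's own driver code, and it illustrates both the PoolSlider/PoolBloater description above and the configuration constraints in the Notice. It assumes a 16-byte pool block granularity, takes the random value as a parameter so results are reproducible, and uses hypothetical function names (pool_slider, pool_bloater, skream_config_valid) that do not exist in the project.

```c
/* Added example: a user-mode model of the two pool randomization ideas
 * described in the SKREAM README. Not SKREAM's own code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: pool allocations are carved in 16-byte blocks (x64 granularity). */
#define POOL_GRANULARITY 16u

/* Padding the allocator adds to round a request up to a whole block. */
static size_t pool_padding(size_t requested) {
    size_t rem = requested % POOL_GRANULARITY;
    return rem ? POOL_GRANULARITY - rem : 0;
}

/* PoolSlider model: shift the pointer handed to the caller forward by a
 * random amount that fits inside the padding, so the requested bytes still
 * end within the block. Allocations with no padding cannot be slid. */
static uint8_t *pool_slider(uint8_t *block, size_t requested, unsigned rnd) {
    size_t pad = pool_padding(requested);
    size_t slide = pad ? (rnd % (pad + 1)) : 0; /* 0..pad inclusive */
    return block + slide;
}

/* PoolBloater model: grow the allocation by a random number of whole
 * pool blocks (1..max_extra), so the distance to the next chunk header
 * differs from one allocation to the next. Result stays block-aligned. */
static size_t pool_bloater(size_t requested, unsigned max_extra, unsigned rnd) {
    size_t extra_blocks = 1 + (rnd % max_extra);
    return requested + pool_padding(requested) + extra_blocks * POOL_GRANULARITY;
}

/* Model of the README's configuration rules: the two pool mitigations are
 * mutually exclusive, and PoolSlider cannot run as a boot-start driver. */
static int skream_config_valid(int slider, int bloater, int boot_start) {
    if (slider && bloater) return 0;
    if (slider && boot_start) return 0;
    return 1;
}

int main(void) {
    uint8_t block[64];  /* constructed stand-in for a pool block */
    size_t req = 100;   /* 100 % 16 == 4, so the allocator pads by 12 */

    printf("padding for %zu bytes: %zu\n", req, pool_padding(req));
    printf("slider offset (rnd=5): %td\n", pool_slider(block, req, 5) - block);
    printf("bloated size (rnd=7, max 4 extra): %zu\n", pool_bloater(req, 4, 7));
    printf("slider+bloater valid: %d\n", skream_config_valid(1, 1, 0));
    printf("slider at boot valid: %d\n", skream_config_valid(1, 0, 1));
    return 0;
}
```

The model is deliberately simple: the real driver must also honour the alignment the caller expects from the pool pointer, so a production slide would be limited to offsets that keep that alignment, which is why PoolSlider only helps for requests whose size leaves padding in the block.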