Dive Into WDAG
TRANSCRIPT
Slide 1. Dive Into WDAG
Yunhai Zhang
Slide 2. Who am I
• Yunhai Zhang
• Twitter: @_f0rgetting_
• Researcher at NSFOCUS
• Winner of the Mitigation Bypass Bounty, 2014 ~ 2018
Slide 3. What is WDAG
• Windows Defender Application Guard
  • A security feature of Windows 10
  • Hardware isolation based on virtualization technology
  • Separates untrusted content from the host operating system
  • Keeps the host safe and removes potential malware
Slide 4. What is WDAG (diagram)
Slide 5. How to use WDAG
• WDAG is not installed by default
• System requirements
  • Support for SLAT and VT-x or AMD-V
  • More than 4 CPU cores
  • More than 8 GB of memory
  • More than 5 GB of disk space
Slide 6. How to use WDAG: new menu item in Microsoft Edge (screenshot)
Slide 7. How to use WDAG: starting WDAG (screenshot)
Slide 8. How to use WDAG: Microsoft Edge inside WDAG (screenshot)
Slide 9. WDAG Architecture (process diagram)
• Processes shown: MicrosoftEdge.exe, browser_broker.exe, hvsimgr.exe, hvsirpcd.exe, hvsirdpclient.exe, svchost.exe, vmcompute.exe, vmwp.exe
Slide 10. WDAG Architecture: the same diagram, annotated with browserbroker!CBrowserBrokerInstance::LaunchInHVSI
Slide 11. WDAG Architecture: the same diagram, annotated with hvsimgr!CHvsiSession::Launch
Slide 12. WDAG Architecture: hvsimgr.exe
• Classes shown: CHvsiSession, CHvsiNetRpcServer, CHvsiContainerRdpStateController
• Alongside hvsirpcd.exe, hvsirdpclient.exe, svchost.exe, vmcompute.exe, vmwp.exe
Slide 13. WDAG Architecture: svchost.exe (Application Guard Container Service)
• Classes shown: CHvsiContainerManager, CHvsiContainerServiceManager, CXenonContainer, CXenonManager
• Alongside vmcompute.exe, vmwp.exe
Slide 14. WDAG Architecture: vmcompute.exe and vmwp.exe
• Diagram labels: System Management, Process Management, Notification Management, Resource & Settings, Virtual Devices, Integration Components, vSMB Server
Slide 15. WDAG Internals: Terminology
• Image Name
  • Hex string of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\LastModified_UTC
  • 323031372f31312f30332f30363a33373a3539
Slide 16. WDAG Internals: Terminology, Image Name (screenshot)
Slides 17–21. WDAG Internals: Terminology
• Container ID
  • SHA256(Computer Name + User Sid), shown in GUID form
  • Computer Name: DESKTOP-7R43750
  • User Sid: S-1-5-21-2036491302-699820345-3847261429-1001
  • Hash input: DESKTOP-7R43750S-1-5-21-2036491302-699820345-3847261429-1001
  • SHA256 → c0f58700-29b1-30fc-174f-ed6b1868a978
Slide 22. WDAG Internals: Terminology
• Container Name
  • HVSIContainer_ + Container ID
  • HVSIContainer_c0f58700-29b1-30fc-174f-ed6b1868a978
Slide 23. WDAG Internals: Terminology, Container Name (screenshot)
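The identifier derivations on slides 15 to 22 (Image Name, Container ID, Container Name) carried through in Python, as an added example that is not code from the talk. On the defensive side this is what you need to find a container's base layer and sandbox directory on a host. The hex encoding of the Image Name is checked against the value on slide 15; for the Container ID the slides only state SHA256(Computer Name + User Sid) rendered as a GUID, so the string encoding and the digest-to-GUID layout used here are assumptions and the function is not guaranteed to reproduce the exact GUID shown on slide 21.

```python
import hashlib
import uuid

# Added example (not code from the talk): derive the WDAG identifiers the slides
# describe so that a container's on-disk artifacts can be located on a host.
# Sample values are the ones shown on the slides.

HVSI_ROOT = r"C:\ProgramData\Microsoft\HVSI"

# Value of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based
# Servicing\LastModified_UTC that the slide's Image Name encodes (decoded here
# from the hex string shown on slide 15).
SLIDE_LAST_MODIFIED_UTC = "2017/11/03/06:37:59"
SLIDE_IMAGE_NAME = "323031372f31312f30332f30363a33373a3539"
SLIDE_COMPUTER_NAME = "DESKTOP-7R43750"
SLIDE_USER_SID = "S-1-5-21-2036491302-699820345-3847261429-1001"


def image_name(last_modified_utc: str) -> str:
    """Image Name: the LastModified_UTC string as a lowercase hex string."""
    return last_modified_utc.encode("ascii").hex()


def decode_image_name(name: str) -> str:
    """Inverse of image_name(): recover the timestamp string from an Image Name."""
    return bytes.fromhex(name).decode("ascii")


def container_id(computer_name: str, user_sid: str) -> str:
    """Container ID: SHA256(Computer Name + User Sid) shown as a GUID.

    Assumption: the slides only state the hash and its GUID form, so this uses
    the UTF-8 bytes of the concatenation and lays out the first 16 digest bytes
    as a GUID string.  The byte order hvsimgr really uses may differ."""
    digest = hashlib.sha256((computer_name + user_sid).encode("utf-8")).digest()
    return str(uuid.UUID(bytes=digest[:16]))


def container_name(cid: str) -> str:
    """Container Name: 'HVSIContainer_' followed by the Container ID."""
    return "HVSIContainer_" + cid


def artifact_paths(cid: str, img: str) -> dict:
    """Host paths that the compute-system document on slide 37 builds from
    the Image Name (base layer) and the Container Name (sandbox directory)."""
    return {
        "base_layer": HVSI_ROOT + "\\" + img + r"\Base",
        "sandbox": HVSI_ROOT + "\\" + container_name(cid),
    }


if __name__ == "__main__":
    print("LastModified_UTC :", decode_image_name(SLIDE_IMAGE_NAME))
    cid = container_id(SLIDE_COMPUTER_NAME, SLIDE_USER_SID)
    print("Container ID     :", cid)
    print("Container Name   :", container_name(cid))
    for label, path in artifact_paths(cid, SLIDE_IMAGE_NAME).items():
        print(f"{label:<17}: {path}")
```

Run it directly to print the values for the slide's sample host; decode_image_name() shows that the Image Name on slide 15 is the timestamp 2017/11/03/06:37:59, which is why every host patched at a different time gets a different base-layer directory under C:\ProgramData\Microsoft\HVSI.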
Slide 24. WDAG Internals: Terminology
• Runtime ID
  • Dynamically generated GUID for the container instance
  • Generated each time the container is created
Slides 25–27. WDAG Internals: How is the container created
• Create Template Persistent Data Stores
  • 4GB NTFS, mapped to C:\WDAG\AuditLogs
  • 4GB NTFS, mapped to C:\WDAG\Persistence
Slides 28–35. WDAG Internals: How is the container created
• Create Base Image
  • Extract from C:\Windows\containers\serviced\WindowsDefenderApplicationGuard.wim
  • Extracted content: 396 files, 16804 folders, 36314 linked files, 5 linked folders, 121 reparse folders
  • Slide 32: create a new VHD, format it as NTFS, create directories, copy files from Files\Windows\, Files\Windows\System32\ and Files\Windows\System32\IME\, update the BCD store
  • Slide 33: create a diff VHD from SystemTemplateBase.vhdx, apply registry changes, create the compute system, update the system hive
  • Slide 34: create a diff VHD from SystemTemplatePrepared.vhdx
  • Slide 35, resulting layer chain: WindowsDefenderApplicationGuard.wim → Files → SystemTemplateBase.vhdx → SystemTemplatePrepared.vhdx → SystemTemplate.vhdx
Slide 36. WDAG Internals: How is the container created
• Create Container
  • Generate Runtime ID
  • Prepare HVSI NAT
  • Attach Persistent Data Stores
  • Create Container Settings
  • Create Sandbox Layer
  • Create Compute System
  • Create Container Credential
  • Start Compute System
  • Apply Settings to Container
  • Init RDP Logon
Slide 37. Compute system document for the container (JSON shown on the slide; the slide elides most of RegistryChanges with "...")

```json
{
  "SystemType": "Container",
  "Name": "HVSIContainer_c0f58700-29b1-30fc-174f-ed6b1868a978",
  "HvPartition": true,
  "Owner": "HVSI",
  "HvRuntime": {
    "RuntimeId": "3c810477-6845-43fd-aba0-c29d4d430998",
    "SkipTemplate": true,
    "EnableRdp": true,
    "RdpAccessSids": [
      "S-1-5-21-2036491302-699820345-3847261429-1001",
      "S-1-15-2-4241113689-1525372122-3928165819-2899915964-1654067008-1728629048-1671459956"
    ],
    "SynchronizeQPC": true,
    "BootFromLayers": true,
    "EnableMemoryHotHint": true,
    "EnableMemoryColdHint": true,
    "EnablePrivateMemoryCompressionStore": true,
    "EnableBattery": true,
    "BugcheckSavedStateFileName": "wdag.vmrs"
  },
  "HostName": "3c810477-6",
  "RegistryChanges": {
    "AddValues": [
      {
        "Key": { "Hive": "System", "Name": "ControlSet001\\Services\\EventLog\\Security" },
        "Name": "MaxSize",
        "Type": "DWord",
        "DWordValue": 20971520
      },
      ...
    ]
  },
  "MemoryMaximumInMB": 4000,
  "ProcessorCount": 4,
  "DirectFileMappingMB": 1024,
  "SharedMemoryMB": 1024,
  "SandboxPath": "C:\\ProgramData\\Microsoft\\HVSI\\HVSIContainer_c0f58700-29b1-30fc-174f-ed6b1868a978",
  "Layers": [
    {
      "Id": "1b3979c8-279b-42eb-b2b9-750767ee9e3f",
      "Path": "C:\\ProgramData\\Microsoft\\HVSI\\323031372f31312f30332f30363a33373a3539\\Base"
    }
  ],
  "MappedVirtualDisks": [
    { "HostPath": "C:\\Users\\test\\AppData\\Local\\Microsoft\\WDAG\\PersistentAuditLogs.vhdx", "ContainerPath": "C:\\WDAG\\AuditLogs", "OverwriteIfExists": true },
    { "HostPath": "C:\\Users\\test\\AppData\\Local\\Microsoft\\WDAG\\PersistentUserData.vhdx", "ContainerPath": "C:\\WDAG\\Persistence", "OverwriteIfExists": true }
  ],
  "NetworkEndpoints": [
    {
      "Id": "00000000-0000-0000-0000-000000000000",
      "EndpointName": "3c810477-6845-43fd-aba0-c29d4d430998",
      "StaticMacAddress": "02174FED6B18",
      "NetworkId": "161df6ed-7ce7-450f-8ddb-4603ff64edfc"
    }
  ],
  "VsockStdioPortRange": { "Min": 0, "Max": 0 },
  "EnableUtcRelay": true,
  "HvSocketConfig": {
    "ServiceTable": {
      "abd802e8-ffcc-40d2-a5f1-f04b1d12cbc8": {
        "BindSecurityDescriptor": "D:P(A;;FA;;;WD)(A;;FA;;;S-1-15-3-3)",
        "ConnectSecurityDescriptor": "D:P(D;;FA;;;WD)"
      }
    }
  }
}
```
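A defender's reading of the document on slide 37, as an added Python example that is not code from the talk: it parses the compute-system JSON, lists what the host hands to the container (mapped VHDX files, the base layer, the RDP access SIDs, the hvsocket service table) and decodes the SDDL strings far enough to tell an allow ACE from a deny ACE for Everyone. SAMPLE_DOC is constructed from the slide's excerpt with the part of RegistryChanges the slide elides left out; the field names are the ones on the slide, and the wording of findings() is mine.

```python
import json
import re

# Added example, not code from the talk: parse the compute-system document that
# WDAG creates for the container (slide 37) and report the settings that decide
# what the container can reach on the host.  SAMPLE_DOC is constructed from the
# slide's excerpt; the slide elides most of "RegistryChanges" with "...", so
# only the one entry it shows is kept.
SAMPLE_DOC = r'''{
 "SystemType":"Container", "Name":"HVSIContainer_c0f58700-29b1-30fc-174f-ed6b1868a978",
 "HvPartition":true, "Owner":"HVSI",
 "HvRuntime":{"RuntimeId":"3c810477-6845-43fd-aba0-c29d4d430998", "SkipTemplate":true, "EnableRdp":true,
  "RdpAccessSids":["S-1-5-21-2036491302-699820345-3847261429-1001",
   "S-1-15-2-4241113689-1525372122-3928165819-2899915964-1654067008-1728629048-1671459956"],
  "SynchronizeQPC":true, "BootFromLayers":true, "EnableMemoryHotHint":true, "EnableMemoryColdHint":true,
  "EnablePrivateMemoryCompressionStore":true, "EnableBattery":true, "BugcheckSavedStateFileName":"wdag.vmrs"},
 "HostName":"3c810477-6",
 "RegistryChanges":{"AddValues":[{"Key":{"Hive":"System","Name":"ControlSet001\\Services\\EventLog\\Security"},
   "Name":"MaxSize", "Type":"DWord", "DWordValue":20971520}]},
 "MemoryMaximumInMB":4000, "ProcessorCount":4, "DirectFileMappingMB":1024, "SharedMemoryMB":1024,
 "SandboxPath":"C:\\ProgramData\\Microsoft\\HVSI\\HVSIContainer_c0f58700-29b1-30fc-174f-ed6b1868a978",
 "Layers":[{"Id":"1b3979c8-279b-42eb-b2b9-750767ee9e3f",
   "Path":"C:\\ProgramData\\Microsoft\\HVSI\\323031372f31312f30332f30363a33373a3539\\Base"}],
 "MappedVirtualDisks":[
  {"HostPath":"C:\\Users\\test\\AppData\\Local\\Microsoft\\WDAG\\PersistentAuditLogs.vhdx",
   "ContainerPath":"C:\\WDAG\\AuditLogs", "OverwriteIfExists":true},
  {"HostPath":"C:\\Users\\test\\AppData\\Local\\Microsoft\\WDAG\\PersistentUserData.vhdx",
   "ContainerPath":"C:\\WDAG\\Persistence", "OverwriteIfExists":true}],
 "NetworkEndpoints":[{"Id":"00000000-0000-0000-0000-000000000000", "EndpointName":"3c810477-6845-43fd-aba0-c29d4d430998",
   "StaticMacAddress":"02174FED6B18", "NetworkId":"161df6ed-7ce7-450f-8ddb-4603ff64edfc"}],
 "VsockStdioPortRange":{"Min":0,"Max":0}, "EnableUtcRelay":true,
 "HvSocketConfig":{"ServiceTable":{"abd802e8-ffcc-40d2-a5f1-f04b1d12cbc8":{
   "BindSecurityDescriptor":"D:P(A;;FA;;;WD)(A;;FA;;;S-1-15-3-3)", "ConnectSecurityDescriptor":"D:P(D;;FA;;;WD)"}}}
}'''

ACE_RE = re.compile(r"\(([^)]*)\)")

def parse_sddl_aces(sddl):
    """Split the DACL of an SDDL string into (type, flags, rights, sid) tuples;
    ACE type 'A' is access-allowed and 'D' is access-denied."""
    if "D:" not in sddl:
        return []
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]  # drop any SACL that follows
    aces = []
    for ace in ACE_RE.findall(dacl):
        f = ace.split(";")
        if len(f) >= 6:
            aces.append((f[0], f[1], f[2], f[5]))
    return aces

def everyone_allowed(sddl):
    """True when the DACL grants Everyone (WD) access and no ACE denies it."""
    aces = parse_sddl_aces(sddl)
    allowed = any(t == "A" and sid == "WD" for t, _, _, sid in aces)
    denied = any(t == "D" and sid == "WD" for t, _, _, sid in aces)
    return allowed and not denied

def audit_container_doc(text):
    """Pull the host-exposure settings out of a compute-system document."""
    doc = json.loads(text)
    rt = doc.get("HvRuntime", {})
    report = {
        "name": doc["Name"],
        "hv_partition": bool(doc.get("HvPartition")),  # false would mean no VM isolation
        "runtime_id": rt.get("RuntimeId"),
        "rdp_access_sids": list(rt.get("RdpAccessSids", [])),
        "cpu": doc.get("ProcessorCount"),
        "memory_mb": doc.get("MemoryMaximumInMB"),
        "layers": [layer["Path"] for layer in doc.get("Layers", [])],
        "host_mounts": {d["HostPath"]: d["ContainerPath"] for d in doc.get("MappedVirtualDisks", [])},
        "hvsocket": {},
    }
    for svc, sds in doc.get("HvSocketConfig", {}).get("ServiceTable", {}).items():
        report["hvsocket"][svc] = {
            "bind_everyone": everyone_allowed(sds.get("BindSecurityDescriptor", "")),
            "connect_everyone": everyone_allowed(sds.get("ConnectSecurityDescriptor", "")),
        }
    return report

def findings(report):
    """Review notes a defender would want from the report."""
    notes = []
    if not report["hv_partition"]:
        notes.append("container is not a Hyper-V partition: no hardware isolation")
    for host, inside in report["host_mounts"].items():
        notes.append(f"host file {host} is mapped into the container at {inside}")
    for sid in report["rdp_access_sids"]:
        notes.append(f"RDP access to the container granted to {sid}")
    for svc, sd in report["hvsocket"].items():
        if sd["connect_everyone"]:
            notes.append(f"hvsocket service {svc} accepts connections from Everyone")
    return notes

if __name__ == "__main__":
    for note in findings(audit_container_doc(SAMPLE_DOC)):
        print("-", note)
```

For the slide's document the two persistent VHDX files under the user's profile are the only host files mapped in, the base layer comes from the Image Name directory, RDP access is limited to the user SID and one package SID, and the single hvsocket service lets Everyone bind but denies Everyone connect.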
Slide 38. Reform WDAG for Research: Step 1, Launch File Explorer in WDAG
Slide 39. (screenshot)
Slide 40. Reform WDAG for Research: Step 2, Modify Device Guard Rule
• WDAG deploys a very strict rule inside the container
  • UMCI is enabled
  • Only Microsoft signers are allowed
  • 171 files are explicitly denied, including cmd.Exe, CONTROL.EXE, mmc.exe, netsh.exe, regedit.exe, windbg.Exe, wmic.exe, wscript.exe, ...
Slide 41. (screenshot)
Slide 42. Reform WDAG for Research: Step 2, Modify Device Guard Rule
• The policy file can be modified outside the container
Slide 43. (screenshot)
Slide 44. Reform WDAG for Research: Step 3, Install WinDbg
Slide 45. (screenshot)
Slide 46. Reform WDAG for Research: Step 3, Install WinDbg
• We do not have sufficient privileges to install programs
  • The logged-on user is a normal user
  • The administrator account is disabled
Slide 47. Reform WDAG for Research: Step 3, Install WinDbg
• Exploit an EoP vulnerability, or
• Copy an installed version into the container
Slide 48. (screenshot)
Slide 49. Reform WDAG for Research: Step 4, Setting Up Kernel Debugging
• Edit the BCD store of the container
Slide 50. Reform WDAG for Research: Step 4, Setting Up Kernel Debugging
• Currently only local debugging is possible
  • No COM port, USB or 1394
  • Network connection is restricted
Slide 51. Reform WDAG for Research: Step 4, Setting Up Kernel Debugging (screenshot)
Slide 52. WDAG Attack Surface (diagram; the same diagram is repeated on slides 53–62)
• Labels in the diagram: hvsirpcd.exe, hvsirdpclient.exe, vmwp.exe, hvsimgr.exe, MicrosoftEdgeCP.exe, Windows Kernel (host and container), Hypervisor, User Mode, DNS Client, RDP Server, RDP Client, RDP Relay, LSASS, StorVSP, StorVSC, netVSC, VMSwitch, VMBus, vSMB, RCP Proxy, vPCI, VID, Hypercall, MSR, APIC, Address Management
Slide 63. Q&A
Slide 64. Thanks!