Exploit Development: Swimming In The (Kernel) Pool - Leveraging Pool Vulnerabilities From Low-Integrity Exploits, Part 1

ID: 1b71b2d5-f918-5cda-98e1-b9c1abe32afb

STIX ID: report--1b71b2d5-f918-5cda-98e1-b9c1abe32afb

Feed Name: Connor McGarr’s Blog

Threat Score: 30/100

Date Published: 2021-06-07

Date Updated: 2026-04-19

Author: Connor McGarr

This post analyzes Windows kernel pool internals (the segment heap and the kernel Low Fragmentation Heap, kLFH) and demonstrates exploiting an out-of-bounds read in the HackSys Extreme Vulnerable Driver (HEVD) to leak adjacent pool data and bypass kASLR from a low-integrity process. Through pool grooming with CreateEvent objects and targeted allocation of a 0x70-byte structure containing a function pointer, the author reliably discloses kernel addresses and derives the HEVD base without relying on APIs that are restricted at low integrity, providing detailed WinDbg traces and PoC code.