Skip to content

sam-b/windows_kernel_address_leaks

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

69 Commits
DescriptorTables
DescriptorTables
 
 
DesktopHeap
DesktopHeap
 
 
GdiSharedHandleTable
GdiSharedHandleTable
 
 
HMValidateHandle
HMValidateHandle
 
 
NtQuerySysInfo_SystemBigPoolInformation
NtQuerySysInfo_SystemBigPoolInformation
 
 
NtQuerySysInfo_SystemFirmwareTableInfo
NtQuerySysInfo_SystemFirmwareTableInfo
 
 
NtQuerySysInfo_SystemHandleInformation
NtQuerySysInfo_SystemHandleInformation
 
 
NtQuerySysInfo_SystemLockInformation
NtQuerySysInfo_SystemLockInformation
 
 
NtQuerySysInfo_SystemModuleInformation
NtQuerySysInfo_SystemModuleInformation
 
 
NtQuerySysInfo_SystemProcessInformation
NtQuerySysInfo_SystemProcessInformation
 
 
NtSystemDebugControl_SysDbgGetTriageDump
NtSystemDebugControl_SysDbgGetTriageDump
 
 
SharedInfoHandleTable
SharedInfoHandleTable
 
 
Syscalls
Syscalls
 
 
icons
icons
 
 
notes
notes
 
 
screenshots
screenshots
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
pointer_hunt.py
pointer_hunt.py
 
 

Repository files navigation

Windows Kernel Address Leaks

This repository aims to provide functioning code that demonstrated usage of various different ways to gain access to Kernel Mode pointers in Windows from User Mode. A green ticket indicates a leak which works from a low integrity process and a blue tick indicates a leak which requires a medium integrity process.

Technique 7 8 8.1 10 - 1511 10 - 1607 10 - 1703 10 - 1703 + VBS
NtQuerySystemInformation:
    SystemHandleInformation
    SystemLockInformation
    SystemModuleInformation
    SystemProcessInformation
    SystemBigPoolInformation
System Call Return Values
Win32k Shared Info User Handle Table
Descriptor Tables
HMValidateHandle
GdiSharedHandleTable
DesktopHeap

The following techniques requiring non-standard permissions.

Technique Permission Needed 7 8 8.1 10 - 1511 10 - 1607 10 - 1703 10 - 1703 + VBS
NtSystemDebugControl:
    SysDbgGetTriageDump		 SeDebugPrivilege
SeSystemProfilePrivilege

Further Details

Some more details on techniques which no longer work and what was changed:

NtQuerySystemInformation/System Call Return Values:

https://samdb.xyz/revisiting-windows-security-hardening-through-kernel-address-protection/

Win32k Shared Info User Handle Table

notes/gSharedInfo.md - A brief look at the changes made in the Creators Update/1703. Not very concrete or detailed, I might revisit it and create something more detailed or maybe someone else will.

GdiSharedHandleTable / Desktop Heap

Pending

NPIEP

notes/NPIEP.md - A very brief "it's a thing" write up, more details pending on me getting a test laptop back when the summer interns are gone...

Attributions

I have referenced where I read about a technique and where specific structs etc have come from in the code, however these may not be the true original sources of the information :)
A lot of the function prototypes and struct definitions are taken from ReactOS.
Green Tick Icon By FatCow (http://www.fatcow.com/free-icons) [CC BY 3.0], via Wikimedia Commons
Cross Icon By Cäsium137 [Public domain], via Wikimedia Commons
Blue Tick By Gregory Maxwell, User:David Levy, Wart Dark (en:Image:Blue check.png) [GFDL 1.2 (http://www.gnu.org/licenses/old-licenses/fdl-1.2.html)], via Wikimedia Commons

About

Examples of leaking Kernel Mode information from User Mode on Windows

samdb.xyz/revisiting-windows-security-hardening-through-kernel-address-protection/

Resources

Readme

License

Unlicense license
Activity

Stars

581 stars

Watchers

33 watching

Forks

160 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages