[!] Bootstrap code size 0x1875 exceeds limit 0x794, abort #57

Closed
caiocinel opened this issue Mar 15, 2023 · 1 comment
Labels
help wanted Extra attention is needed

Comments

@caiocinel

C:\Users\caioc\Desktop>kdu -map driver.sys
[#] Kernel Driver Utility v1.2.8 (build 2212) started, (c)2020 - 2022 KDU Project
[#] Build at Fri Dec  9 01:44:47 2022, header checksum 0x7C8AA
[#] Supported x64 OS : Windows 7 and above
[*] Debug Mode Run
[*] CPU vendor string: AuthenticAMD
[*] Windows version: 10.0 build 22000
[*] SecureBoot is enabled on this machine
[*] WHQL enforcement ENABLED
[+] MSFT Driver block list is disabled
[*] Driver mapping using shellcode version: 1
[+] Input driver file "driver.sys" loaded at 0x00007FF6C77D0000
[+] Drivers database "drv64.dll" loaded at 0x00007FFCEAD50000
[+] Firmware type (FirmwareTypeUefi)
[+] Provider: "CVE-2015-2291", Name "NalDrv"
[+] Extracting vulnerable driver as "C:\Users\caioc\Desktop\NalDrv.sys"
[+] Vulnerable driver "NalDrv" loaded
[+] Driver device "NalDrv" has successfully opened
[+] Executing post-open callback for given provider
[+] Driver device security descriptor set successfully
[+] Victim "PROCEXP152" 1 acquire attempt of 3 (max)
[+] Processing victim "Process Explorer" driver
[+] Extracting victim driver "PROCEXP152" as "C:\Windows\system32\drivers\PROCEXP152.sys"
[+] Victim is accepted, handle 0x00000000000000D4
[+] Reading FILE_OBJECT at 0xFFFFC70BB8C872D0
[+] Reading DEVICE_OBJECT at 0xFFFFC70BB2CBCAF0
[+] Reading DRIVER_OBJECT at 0xFFFFC70BB3DB9BF0
[+] Victim IRP_MJ_DEVICE_CONTROL 0xFFFFF803448E2220
[+] Victim DriverUnload 0xFFFFF803448E3280
[+] Loaded ntoskrnl base 0xFFFFF80111C00000
[+] Ntoskrnl.exe mapped at 0x7FF612180000
[+] Resolving kernel import for input driver
[+] Resolving payload import
[!] Bootstrap code size 0x1875 exceeds limit 0x794, abort
[!] Unexpected shellcode procedure size, abort
[!] Error while building shellcode, abort
[+] Victim released
[+] Vulnerable driver "NalDrv" unloaded
[+] Vulnerable driver file removed
[+] Return value: 0. Bye-bye!

Do you have any idea what could be causing this problem?

@hfiref0x
Owner

The working binary must be built in Release configuration. Yours is debug.

hfiref0x added the "help wanted" label on Apr 23, 2023