Skip to content

kkent030315/evil-mhyprot-cli

main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Code

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
IDA
 
 
 
 
src
 
 
 
 
 
 
 
 
 
 
 
 
 
 

IMAGE IMAGE IMAGE

evil-mhyprot-cli

A PoC for Mhyprot2.sys vulnerable driver that allowing read/write memory in kernel/user via unprivileged user process.

Overview

What we can do with this CLI is as follows:

  • Read/Write any kernel memory with privilege of kernel from usermode
  • Read/Write any user memory with privilege of kernel from usermode
  • Enumerate a number of modules by specific process id
  • Get system uptime
  • Enumerate threads in specific process, result in allows us to reading PETHREAD structure in the kernel directly from CLI as well.
  • Terminate specific process by process id with ZwTerminateProcess which called in the vulnerable driver context (ring-0).
  • All operations are executed as kernel level privilege (ring-0) by the vulnerable driver

Also:

  • Administrator privilege only needed if the service is not yet running
  • Therefore we can execute commands above as the normal user (w/o administrator privilege)

Requirements

  • Any version of Windows x64 that the driver works on
  • Administrator privilege does not required if the service already running

Tested on:

  • Windows10 x64 1903
  • Windows7 x64 6.1
  • Windows8.1 x64 6.3

Usage

*.exe <target_process_name> -<options>

following options are available as of now:

  • t
    • Perform Tests
  • d
    • Print debug infos
  • s
    • Print seedmap

Latest

IMAGE

About

A PoC for Mhyprot2.sys vulnerable driver that allowing read/write memory in kernel/user via unprivileged user process.

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages