Windows Kernel Address Leaks
This repository aims to provide functioning code that demonstrates various ways to gain access to Kernel Mode pointers in Windows from User Mode. A green tick indicates a leak which works from a low integrity process and a blue tick indicates a leak which requires a medium integrity process.
| Technique | 7 | 8 | 8.1 | 10 - 1511 | 10 - 1607 | 10 - 1703 | 10 - 1703 + VBS |
|---|---|---|---|---|---|---|---|
| System Call Return Values | | | | | | | |
| Win32k Shared Info User Handle Table | | | | | | | |
The following techniques require non-standard permissions.
| Technique | Permission Needed | 7 | 8 | 8.1 | 10 - 1511 | 10 - 1607 | 10 - 1703 | 10 - 1703 + VBS |
|---|---|---|---|---|---|---|---|---|
Some more details on techniques which no longer work and what was changed:

- NtQuerySystemInformation/System Call Return Values:
- Win32k Shared Info User Handle Table: notes/gSharedInfo.md - A brief look at the changes made in the Creators Update/1703. Not very concrete or detailed; I might revisit it and create something more detailed, or maybe someone else will.
- GdiSharedHandleTable / Desktop Heap: notes/NPIEP.md - A very brief "it's a thing" write-up, more details pending on me getting a test laptop back when the summer interns are gone...
I have referenced where I read about a technique and where specific structs etc. have come from in the code; however, these may not be the true original sources of the information :)
A lot of the function prototypes and struct definitions are taken from ReactOS.
Green Tick Icon By FatCow (http://www.fatcow.com/free-icons) [CC BY 3.0], via Wikimedia Commons
Cross Icon By Cäsium137 [Public domain], via Wikimedia Commons
Blue Tick By Gregory Maxwell, User:David Levy, Wart Dark (en:Image:Blue check.png) [GFDL 1.2 (http://www.gnu.org/licenses/old-licenses/fdl-1.2.html)], via Wikimedia Commons