Skip to content

sam-b/windows_kernel_address_leaks

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

69 Commits

DescriptorTables

DescriptorTables

 
 

DesktopHeap

DesktopHeap

 
 

GdiSharedHandleTable

GdiSharedHandleTable

 
 

HMValidateHandle

HMValidateHandle

 
 

NtQuerySysInfo_SystemBigPoolInformation

NtQuerySysInfo_SystemBigPoolInformation

 
 

NtQuerySysInfo_SystemFirmwareTableInfo

NtQuerySysInfo_SystemFirmwareTableInfo

 
 

NtQuerySysInfo_SystemHandleInformation

NtQuerySysInfo_SystemHandleInformation

 
 

NtQuerySysInfo_SystemLockInformation

NtQuerySysInfo_SystemLockInformation

 
 

NtQuerySysInfo_SystemModuleInformation

NtQuerySysInfo_SystemModuleInformation

 
 

NtQuerySysInfo_SystemProcessInformation

NtQuerySysInfo_SystemProcessInformation

 
 

NtSystemDebugControl_SysDbgGetTriageDump

NtSystemDebugControl_SysDbgGetTriageDump

 
 

SharedInfoHandleTable

SharedInfoHandleTable

 
 

Syscalls

Syscalls

 
 

icons

icons

 
 

notes

notes

 
 

screenshots

screenshots

 
 

.gitignore

.gitignore

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

pointer_hunt.py

pointer_hunt.py

 
 

Repository files navigation

Windows Kernel Address Leaks

This repository aims to provide functioning code that demonstrated usage of various different ways to gain access to Kernel Mode pointers in Windows from User Mode. A green ticket indicates a leak which works from a low integrity process and a blue tick indicates a leak which requires a medium integrity process.

Technique 7 8 8.1 10 - 1511 10 - 1607 10 - 1703 10 - 1703 + VBS
NtQuerySystemInformation:
    SystemHandleInformation
    SystemLockInformation
    SystemModuleInformation
    SystemProcessInformation
    SystemBigPoolInformation
System Call Return Values
Win32k Shared Info User Handle Table
Descriptor Tables
HMValidateHandle
GdiSharedHandleTable
DesktopHeap

The following techniques requiring non-standard permissions.

Technique Permission Needed 7 8 8.1 10 - 1511 10 - 1607 10 - 1703 10 - 1703 + VBS
NtSystemDebugControl:
    SysDbgGetTriageDump		 SeDebugPrivilege
SeSystemProfilePrivilege

Further Details

Some more details on techniques which no longer work and what was changed:

NtQuerySystemInformation/System Call Return Values:

https://samdb.xyz/revisiting-windows-security-hardening-through-kernel-address-protection/

Win32k Shared Info User Handle Table

notes/gSharedInfo.md - A brief look at the changes made in the Creators Update/1703. Not very concrete or detailed, I might revisit it and create something more detailed or maybe someone else will.

GdiSharedHandleTable / Desktop Heap

Pending

NPIEP

notes/NPIEP.md - A very brief "it's a thing" write up, more details pending on me getting a test laptop back when the summer interns are gone...

Attributions

I have referenced where I read about a technique and where specific structs etc have come from in the code, however these may not be the true original sources of the information :)
A lot of the function prototypes and struct definitions are taken from ReactOS.
Green Tick Icon By FatCow (http://www.fatcow.com/free-icons) [CC BY 3.0], via Wikimedia Commons
Cross Icon By Cäsium137 [Public domain], via Wikimedia Commons
Blue Tick By Gregory Maxwell, User:David Levy, Wart Dark (en:Image:Blue check.png) [GFDL 1.2 (http://www.gnu.org/licenses/old-licenses/fdl-1.2.html)], via Wikimedia Commons

About

Examples of leaking Kernel Mode information from User Mode on Windows

samdb.xyz/revisiting-windows-security-hardening-through-kernel-address-protection/

Resources

Readme

License

Unlicense license
Activity

Stars

550 stars

Watchers

33 watching

Forks

154 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages