Examples of leaking Kernel Mode information from User Mode on Windows
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.


Windows Kernel Address Leaks

This repository aims to provide functioning code that demonstrated usage of various different ways to gain access to Kernel Mode pointers in Windows from User Mode. A green ticket indicates a leak which works from a low integrity process and a blue tick indicates a leak which requires a medium integrity process.

Technique 7 8 8.1 10 - 1511 10 - 1607 10 - 1703 10 - 1703 + VBS
System Call Return Values
Win32k Shared Info User Handle Table
Descriptor Tables

The following techniques requiring non-standard permissions.

Technique Permission Needed 7 8 8.1 10 - 1511 10 - 1607 10 - 1703 10 - 1703 + VBS

Further Details

Some more details on techniques which no longer work and what was changed:

NtQuerySystemInformation/System Call Return Values:


Win32k Shared Info User Handle Table

notes/gSharedInfo.md - A brief look at the changes made in the Creators Update/1703. Not very concrete or detailed, I might revisit it and create something more detailed or maybe someone else will.

GdiSharedHandleTable / Desktop Heap



notes/NPIEP.md - A very brief "it's a thing" write up, more details pending on me getting a test laptop back when the summer interns are gone...


I have referenced where I read about a technique and where specific structs etc have come from in the code, however these may not be the true original sources of the information :)
A lot of the function prototypes and struct definitions are taken from ReactOS.
Green Tick Icon By FatCow (http://www.fatcow.com/free-icons) [CC BY 3.0], via Wikimedia Commons
Cross Icon By Cäsium137 [Public domain], via Wikimedia Commons
Blue Tick By Gregory Maxwell, User:David Levy, Wart Dark (en:Image:Blue check.png) [GFDL 1.2 (http://www.gnu.org/licenses/old-licenses/fdl-1.2.html)], via Wikimedia Commons