{"id":16551785,"url":"https://github.com/kkent030315/evil-mhyprot-cli","last_synced_at":"2025-04-09T07:10:02.600Z","repository":{"id":39604217,"uuid":"304210990","full_name":"kkent030315/evil-mhyprot-cli","owner":"kkent030315","description":"A PoC for the vulnerable Mhyprot2.sys driver that allows reading/writing kernel/user memory from an unprivileged user process.","archived":false,"fork":false,"pushed_at":"2021-07-03T20:07:19.000Z","size":10765,"stargazers_count":331,"open_issues_count":3,"forks_count":69,"subscribers_count":11,"default_branch":"main","last_synced_at":"2025-04-05T01:05:01.746Z","etag":null,"topics":["driver","exploit","kernel","kernel-exploit","kernel-exploits","mhyprot","mhyprot2","windows"],"latest_commit_sha":null,"homepage":"https://www.godeye.club/2021/05/20/001-disclosure-mhyprot.html","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kkent030315.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-10-15T04:35:39.000Z","updated_at":"2025-03-25T10:35:27.000Z","dependencies_parsed_at":"2022-09-18T20:53:22.904Z","dependency_job_id":null,"html_url":"https://github.com/kkent030315/evil-mhyprot-cli","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kkent030315%2Fevil-mhyprot-cli","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kkent030315%2Fevil-mhyprot-cli/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kkent030315%2Fevil-mhyprot-cli/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kkent030315%2Fevil-mhyprot-cli/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kkent030315","download_url":"https://codeload.github.com/kkent030315/evil-mhyprot-cli/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247994122,"owners_count":21030050,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["driver","exploit","kernel","kernel-exploit","kernel-exploits","mhyprot","mhyprot2","windows"],"created_at":"2024-10-11T19:43:09.177Z","updated_at":"2025-04-09T07:10:02.579Z","avatar_url":"https://github.com/kkent030315.png","language":"C++","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\u003cimg src=\"images/logo_min.png\"\u003e\u003c/p\u003e\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"https://img.shields.io/github/license/kkent030315/evil-mhyprot-cli?style=for-the-badge\"\u003e\n  \u003cimg src=\"https://img.shields.io/github/last-commit/kkent030315/evil-mhyprot-cli?style=for-the-badge\"\u003e\n  \u003cimg src=\"https://img.shields.io/codefactor/grade/github/kkent030315/evil-mhyprot-cli?style=for-the-badge\"\u003e\n\u003c/p\u003e\n\n![IMAGE](images/image01.png)\n![IMAGE](images/image04.png)\n![IMAGE](images/image05.png)\n\n# evil-mhyprot-cli\n\nA PoC for the vulnerable Mhyprot2.sys driver that allows reading/writing kernel/user memory from an unprivileged user process.\n\n- [libmhyprot](https://github.com/kkent030315/libmhyprot)\n- [Wiki](https://github.com/kkent030315/evil-mhyprot-cli/wiki)\n\n# Overview\n\nWhat we can do with this CLI is as follows:\n\n- Read/Write any kernel memory with kernel privilege from usermode\n- Read/Write any user memory with kernel privilege from usermode\n- Enumerate the modules of a specific process by process id\n- Get system uptime\n- Enumerate threads in a specific process, which also allows reading the `PETHREAD` structure in the kernel directly from the CLI.\n- Terminate a specific process by process id with `ZwTerminateProcess`, which is called in the vulnerable driver's context (ring-0).\n- All operations are executed with kernel-level privilege (ring-0) by the vulnerable driver\n\nAlso:\n\n- Administrator privilege is only needed if the service is not yet running\n- Therefore the commands above can be executed as a normal user (w/o administrator privilege)\n\n# Requirements\n\n- Any version of Windows x64 that the driver works on\n- Administrator privilege **is not required** if the service is already running\n\nTested on:\n\n- Windows10 x64 1903\n- Windows7 x64 6.1\n- Windows8.1 x64 6.3\n\n# Usage\n\n```\n*.exe \u003ctarget_process_name\u003e -\u003coptions\u003e\n```\n\nThe following options are available as of now:\n\n- `t`\n  - Perform tests\n- `d`\n  - Print debug info\n- `s`\n  - Print seedmap\n\n# Latest\n\n![IMAGE](images/image10.png)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkkent030315%2Fevil-mhyprot-cli","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkkent030315%2Fevil-mhyprot-cli","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkkent030315%2Fevil-mhyprot-cli/lists"}