Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/kkent030315/anycall
x64 Windows kernel code execution via user-mode, arbitrary syscall, vulnerable IOCTLs demonstration
cli code-execution device-driver driver drivers kernel kernel-exploit kernel-exploitation kernel-exploits memory-hacking smep smep-bypass windows windows-10
- Host: GitHub
- URL: https://github.com/kkent030315/anycall
- Owner: kkent030315
- License: mit
- Created: 2021-05-14T02:22:54.000Z (over 3 years ago)
- Default Branch: main
- Last Pushed: 2022-07-06T17:17:52.000Z (over 2 years ago)
- Last Synced: 2025-01-16T08:11:42.772Z (8 days ago)
- Topics: cli, code-execution, device-driver, driver, drivers, kernel, kernel-exploit, kernel-exploitation, kernel-exploits, memory-hacking, smep, smep-bypass, windows, windows-10
- Language: C++
- Homepage: https://www.godeye.club/2021/05/14/001-x64-windows-kernel-code-execution-via-user.html
- Size: 873 KB
- Stars: 252
- Watchers: 8
- Forks: 61
- Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# anycall
x64 Windows kernel code execution via user-mode, arbitrary syscall, vulnerable IOCTLs demonstration
Read: https://www.godeye.club/2021/05/14/001-x64-windows-kernel-code-execution-via-user.html
## How it works
1. Map physical memory into user virtual memory
- Allows the user process to manipulate arbitrary physical memory without calling APIs
2. Search the entire physical memory of `ntoskrnl.exe` until we find a function stub to hook
3. Once the stub is found, place an inline hook on it
- Simply `jmp rax`; the detour address can be anything we want to invoke
4. `syscall` it
5. Wow, we are in `user-mode` but able to call kernel APIs

## Goal of this project
This project demonstrates how drivers that allow a user process to map physical memory work, and why that capability is a critical vulnerability.
Related CVEs:
- [CVE-2020-12446](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12446)
## libanycall
`libanycall` is a C++ static library that makes running the `anycall` exploit easier.
### Usage
1. Link it (e.g., `#pragma comment( lib, "libanycall64" )`)
2. Include it (e.g., `#include "libanycall.h"`)

For example:
```cpp
#include <Windows.h>
#include <cstdio>
#include <cstdlib>
#include <cstdint>
#include "libanycall.h"
#pragma comment( lib, "libanycall64" )

// Function-pointer type matching the kernel export we want to invoke
using PsGetCurrentProcessId = HANDLE( __fastcall* )( void );

int main( const int argc, const char** argv, const char** envp )
{
    // Set up libanycall using the NtTraceControl syscall stub exported by ntdll.dll
    if ( !libanycall::init( "ntdll.dll", "NtTraceControl" ) )
    {
        printf( "[!] failed to init libanycall\n" );
        return EXIT_FAILURE;
    }

    // invoke NT kernel APIs from usermode
    const uint32_t process_id =
        ( uint32_t )( uintptr_t )ANYCALL_INVOKE( PsGetCurrentProcessId );
    printf( "PsGetCurrentProcessId returns %u\n", process_id );

    return EXIT_SUCCESS;
}
```

## License
MIT