Ecosyste.ms: Awesome
https://github.com/kkent030315/evil-mhyprot-cli
A PoC for the vulnerable Mhyprot2.sys driver that allows reading and writing kernel and user memory from an unprivileged user-mode process.
- Host: GitHub
- URL: https://github.com/kkent030315/evil-mhyprot-cli
- Owner: kkent030315
- License: mit
- Created: 2020-10-15T04:35:39.000Z (over 4 years ago)
- Default Branch: main
- Last Pushed: 2021-07-03T20:07:19.000Z (over 3 years ago)
- Last Synced: 2025-01-14T12:12:58.553Z (9 days ago)
- Topics: driver, exploit, kernel, kernel-exploit, kernel-exploits, mhyprot, mhyprot2, windows
- Language: C++
- Homepage: https://www.godeye.club/2021/05/20/001-disclosure-mhyprot.html
- Size: 10.3 MB
- Stars: 321
- Watchers: 11
- Forks: 68
- Open Issues: 3
Metadata Files:
- Readme: README.md
- License: LICENSE
README
![IMAGE](images/image01.png)
![IMAGE](images/image04.png)
![IMAGE](images/image05.png)

# evil-mhyprot-cli
A PoC for the vulnerable Mhyprot2.sys driver that allows reading and writing kernel and user memory from an unprivileged user-mode process.
- [libmhyprot](https://github.com/kkent030315/libmhyprot)
- [Wiki](https://github.com/kkent030315/evil-mhyprot-cli/wiki)

# Overview
What we can do with this CLI is as follows:
- Read/Write any kernel memory with privilege of kernel from usermode
- Read/Write any user memory with privilege of kernel from usermode
- Enumerate a number of modules by specific process id
- Get system uptime
- Enumerate threads in a specific process; this also lets us read the `PETHREAD` structure in the kernel directly from the CLI.
- Terminate a specific process by process id with `ZwTerminateProcess`, which is called in the vulnerable driver's context (ring-0).
- All operations are executed with kernel-level privilege (ring-0) by the vulnerable driver.

Also:
- Administrator privilege is only needed if the service is not yet running.
- Therefore we can execute the commands above as a normal user (without administrator privilege).

# Requirements
- Any version of Windows x64 that the driver works on
- Administrator privilege **is not required** if the service is already running

Tested on:
- Windows10 x64 1903
- Windows7 x64 6.1
- Windows8.1 x64 6.3

# Usage
```
*.exe -
```

The following options are available as of now:
- `t`
- Perform Tests
- `d`
- Print debug infos
- `s`
- Print seedmap

# Latest
![IMAGE](images/image10.png)