Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/sam-b/windows_kernel_address_leaks
Examples of leaking Kernel Mode information from User Mode on Windows
https://github.com/sam-b/windows_kernel_address_leaks
Last synced: 4 days ago
JSON representation
Examples of leaking Kernel Mode information from User Mode on Windows
- Host: GitHub
- URL: https://github.com/sam-b/windows_kernel_address_leaks
- Owner: sam-b
- License: unlicense
- Created: 2017-01-30T23:06:11.000Z (almost 8 years ago)
- Default Branch: master
- Last Pushed: 2017-07-07T10:05:39.000Z (over 7 years ago)
- Last Synced: 2024-06-11T02:03:06.287Z (5 months ago)
- Language: C++
- Homepage: https://samdb.xyz/revisiting-windows-security-hardening-through-kernel-address-protection/
- Size: 1.01 MB
- Stars: 554
- Watchers: 33
- Forks: 155
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# Windows Kernel Address Leaks
This repository aims to provide functioning code that demonstrated usage of various different ways to gain access to Kernel Mode pointers in Windows from User Mode. A green ticket indicates a leak which works from a low integrity process and a blue tick indicates a leak which requires a medium integrity process.
| Technique | 7 | 8 | 8.1 | 10 - 1511 | 10 - 1607 | 10 - 1703 | 10 - 1703 + VBS |
|---------------------------------------------------|-----------|-----------|--------------|----------------|----------------|----------------|----------------|
| NtQuerySystemInformation:
[SystemHandleInformation](https://github.com/sam-b/windows_kernel_address_leaks/blob/master/NtQuerySysInfo_SystemHandleInformation/NtQuerySysInfo_SystemHandleInformation/NtQuerySysInfo_SystemHandleInformation.cpp)
[SystemLockInformation](https://github.com/sam-b/windows_kernel_address_leaks/blob/master/NtQuerySysInfo_SystemLockInformation/NtQuerySysInfo_SystemLockInformation/NtQuerySysInfo_SystemLockInformation.cpp)
[SystemModuleInformation](https://github.com/sam-b/windows_kernel_address_leaks/blob/master/NtQuerySysInfo_SystemModuleInformation/NtQuerySysInfo_SystemModuleInformation/NtQuerySysInfo_SystemModuleInformation.cpp)
[SystemProcessInformation](https://github.com/sam-b/windows_kernel_address_leaks/blob/master/NtQuerySysInfo_SystemProcessInformation/NtQuerySysInfo_SystemProcessInformation/NtQuerySysInfo_SystemProcessInformation.cpp)
[SystemBigPoolInformation](https://github.com/sam-b/windows_kernel_address_leaks/blob/master/NtQuerySysInfo_SystemBigPoolInformation/NtQuerySysInfo_SystemBigPoolInformation/NtQuerySysInfo_SystemBigPoolInformation.cpp)|  | ||||||
|[System Call Return Values](https://github.com/sam-b/windows_kernel_address_leaks/blob/master/Syscalls/Syscalls/Syscalls.cpp) | | ||||||
|[Win32k Shared Info User Handle Table](https://github.com/sam-b/windows_kernel_address_leaks/blob/master/SharedInfoHandleTable/SharedInfoHandleTable/SharedInfoHandleTable.cpp) | | ||||||
|[Descriptor Tables](https://github.com/sam-b/windows_kernel_address_leaks/blob/master/DescriptorTables/DescriptorTables/DescriptorTables.cpp) | | ||||||
|[HMValidateHandle](https://github.com/sam-b/windows_kernel_address_leaks/blob/master/HMValidateHandle/HMValidateHandle/HMValidateHandle.cpp) ||||||||
|[GdiSharedHandleTable](https://github.com/sam-b/windows_kernel_address_leaks/blob/master/GdiSharedHandleTable/GdiSharedHandleTable/GdiSharedHandleTable.cpp)||||||||
|[DesktopHeap](https://github.com/sam-b/windows_kernel_address_leaks/blob/master/DesktopHeap/DesktopHeap/DesktopHeap.cpp)||||||||
The following techniques requiring non-standard permissions.
| Technique | Permission Needed | 7 | 8 | 8.1 | 10 - 1511 | 10 - 1607 | 10 - 1703 | 10 - 1703 + VBS |
|---------------------------------------------------|-------------------|-----------|-----------|--------------|----------------|----------------|----------------|----------------|
| NtSystemDebugControl:
[SysDbgGetTriageDump](https://github.com/sam-b/windows_kernel_address_leaks/blob/master/NtSystemDebugControl_SysDbgGetTriageDump/NtSystemDebugControl_SysDbgGetTriageDump/NtSystemDebugControl_SysDbgGetTriageDump.cpp) | [SeDebugPrivilege](https://blogs.msdn.microsoft.com/oldnewthing/20080314-00/?p=23113) ||||||||
| | SeSystemProfilePrivilege |
## Further Details
Some more details on techniques which no longer work and what was changed:
### NtQuerySystemInformation/System Call Return Values:
[https://samdb.xyz/revisiting-windows-security-hardening-through-kernel-address-protection/](https://samdb.xyz/revisiting-windows-security-hardening-through-kernel-address-protection/)
### Win32k Shared Info User Handle Table
[notes/gSharedInfo.md](notes/gSharedInfo.md) - A brief look at the changes made in the Creators Update/1703. Not very concrete or detailed, I might revisit it and create something more detailed or maybe someone else will.
### GdiSharedHandleTable / Desktop Heap
Pending
### NPIEP
[notes/NPIEP.md](notes/NPIEP.md) - A very brief "it's a thing" write up, more details pending on me getting a test laptop back when the summer interns are gone...
## Attributions
I have referenced where I read about a technique and where specific structs etc have come from in the code, however these may not be the true original sources of the information :)
A lot of the function prototypes and struct definitions are taken from [ReactOS](https://www.reactos.org/).
Green Tick Icon By FatCow (http://www.fatcow.com/free-icons) [[CC BY 3.0](http://creativecommons.org/licenses/by/3.0)], via Wikimedia Commons
Cross Icon By Cäsium137 [Public domain], via Wikimedia Commons
Blue Tick By Gregory Maxwell, User:David Levy, Wart Dark (en:Image:Blue check.png) [GFDL 1.2 (http://www.gnu.org/licenses/old-licenses/fdl-1.2.html)], via Wikimedia Commons