This repository aims to provide working code that demonstrates several ways to obtain Kernel Mode pointers in Windows from User Mode.
Technique | Windows 7 | Windows 8 | Windows 8.1 Low Integrity | Windows 8.1 Medium Integrity | Windows 10 Low Integrity | Windows 10 Medium Integrity
---|---|---|---|---|---|---
NtQuerySystemInformation (SystemHandleInformation) | | | | | |
NtQuerySystemInformation (SystemLockInformation) | | | | | |
NtQuerySystemInformation (SystemModuleInformation) | | | | | |
NtQuerySystemInformation (SystemProcessInformation) | | | | | |
System Call Return Values | | | | | |
Win32k Shared Info Handle Table | | | | | |
Descriptor Tables | | | | | |
## Caveats
The Descriptor Table pointer leak works on a standard Windows 10 machine, but a Windows 10 Enterprise machine with Hyper-V enabled traps the `sidt`/`sgdt` instructions and returns false values (see the "Windows Kernel 64-bit ASLR Improvements" section of https://www.blackhat.com/docs/us-16/materials/us-16-Weston-Windows-10-Mitigation-Improvements.pdf).
## Attributions
I have referenced where I read about a technique and where specific structs, etc., have come from in the code; however, these may not be the true original sources of the information :)
A lot of the function prototypes and struct definitions are taken from ReactOS.
Tick Icon By FatCow (http://www.fatcow.com/free-icons) [CC BY 3.0], via Wikimedia Commons
Cross Icon By Cäsium137 [Public domain], via Wikimedia Commons