This repository aims to provide functioning code that demonstrated usage of various different ways to gain access to Kernel Mode pointers in Windows from User Mode. A green ticket indicates a leak which works from a low integrity process and a blue tick indicates a leak which requires a medium integrity process.
| Technique | 7 | 8 | 8.1 | 10 - 1511 | 10 - 1607 | 10 - 1703 | 10 - 1703 + VBS |
|---|---|---|---|---|---|---|---|
| NtQuerySystemInformation: SystemHandleInformation SystemLockInformation SystemModuleInformation SystemProcessInformation SystemBigPoolInformation |
 |
|
 |
|
|
|
|
| System Call Return Values | |
 |
|
|
|
|
|
| Win32k Shared Info User Handle Table | |
|
|
|
|
|
|
| Descriptor Tables | |
|
|
|
|
|
|
| HMValidateHandle | |
|
|
|
|
|
|
| GdiSharedHandleTable | |
|
|
|
|
|
|
| DesktopHeap | |
|
|
|
|
|
|
The following techniques requiring non-standard permissions.
| Technique | Permission Needed | 7 | 8 | 8.1 | 10 - 1511 | 10 - 1607 | 10 - 1703 | 10 - 1703 + VBS |
|---|---|---|---|---|---|---|---|---|
| NtSystemDebugControl: SysDbgGetTriageDump |
SeDebugPrivilege | |
|
|
|
|
|
 |
| SeSystemProfilePrivilege |
Some more details on techniques which no longer work and what was changed:
https://samdb.xyz/revisiting-windows-security-hardening-through-kernel-address-protection/
notes/gSharedInfo.md - A brief look at the changes made in the Creators Update/1703. Not very concrete or detailed, I might revisit it and create something more detailed or maybe someone else will.
Pending
notes/NPIEP.md - A very brief "it's a thing" write up, more details pending on me getting a test laptop back when the summer interns are gone...
I have referenced where I read about a technique and where specific structs etc have come from in the code, however these may not be the true original sources of the information :)
A lot of the function prototypes and struct definitions are taken from ReactOS.
Green Tick Icon By FatCow (http://www.fatcow.com/free-icons) [CC BY 3.0], via Wikimedia Commons
Cross Icon By Cäsium137 [Public domain], via Wikimedia Commons
Blue Tick By Gregory Maxwell, User:David Levy, Wart Dark (en:Image:Blue check.png) [GFDL 1.2 (http://www.gnu.org/licenses/old-licenses/fdl-1.2.html)], via Wikimedia Commons