Windows kernel information leakage POCs on Windows 10 RS1+

Overview

This repository collects the techniques and proof-of-concept code I write while researching infoleaks. They leak various Windows kernel addresses on Windows 10 1607, 1703, 1809, and 1909.

Accompanying blog post: https://fullpwnops.com/Windows-10-kaslr-infoleak/

Windows 10 1607 - (Anniversary Update)

  • DesktopHeap (TEB.Win32ClientInfo) kernel information leakage

The following information leakage proof-of-concept works on Windows versions from Windows 7 through Windows 10 1603; it was mitigated in 2016 by the 1703 update.

This Windows kernel address leakage proof-of-concept demonstrates how the user-mode mapping of the DesktopHeap on Windows 1607 x64 can be used to leak various kernel addresses through undocumented kernel data structures and their undocumented members.

[screenshot: desktop heap leakage]

Resources


Windows 10 1703 - (Creators Update)

With the Windows 10 1703 update in 2016, ulClientDelta was removed from Win32ClientInfo, mitigating the information leak demonstrated above.

Windows 10 (all/most versions)

  • EnumDeviceDrivers kernel information leakage

This is the classic and easiest technique for bypassing KASLR: the EnumDeviceDrivers WinAPI function returns the base address of ntoskrnl. It works on pretty much every Windows version, but it requires at least medium-integrity execution.

[screenshot: desktop heap leakage]
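As an added example (not code from this repository), the PowerShell snippet below calls the same documented EnumDeviceDrivers API through P/Invoke and resolves each returned base to a module name, so a defender can confirm on a test host which integrity levels still expose kernel addresses. The Psapi wrapper class name is an assumption.

```powershell
# Added example: list loaded kernel module bases via psapi!EnumDeviceDrivers.
# The first entry is normally ntoskrnl.exe. Zeroed bases mean the OS withheld
# the addresses, which is what a low-integrity / AppContainer caller sees.
$src = @"
using System;
using System.Runtime.InteropServices;
using System.Text;
public static class Psapi {   // hypothetical wrapper class name
    [DllImport("psapi.dll", SetLastError = true)]
    public static extern bool EnumDeviceDrivers(
        [Out] IntPtr[] lpImageBase, uint cb, out uint lpcbNeeded);
    [DllImport("psapi.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern uint GetDeviceDriverBaseName(
        IntPtr ImageBase, StringBuilder lpBaseName, uint nSize);
}
"@
Add-Type -TypeDefinition $src

# First call with an empty buffer to learn the required size in bytes.
$needed = [uint32]0
[void][Psapi]::EnumDeviceDrivers($null, 0, [ref]$needed)
$count = [int]($needed / [IntPtr]::Size)
$bases = New-Object IntPtr[] $count
if (-not [Psapi]::EnumDeviceDrivers($bases, $needed, [ref]$needed)) {
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    throw "EnumDeviceDrivers failed, Win32 error $err"
}

# Resolve and print each module; a base of 0 shows the address was withheld.
$name = New-Object System.Text.StringBuilder 260
$withheld = 0
foreach ($base in $bases) {
    [void]$name.Clear()
    [void][Psapi]::GetDeviceDriverBaseName($base, $name, $name.Capacity)
    if ($base -eq [IntPtr]::Zero) { $withheld++ }
    "{0:X16}  {1}" -f $base.ToInt64(), $name.ToString()
}
"Modules: $count, bases withheld by the OS: $withheld"
```

Run it once from a normal (medium-integrity) console and once from a low-integrity process to see the difference the text describes.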
