hacksysteam / HackSysExtremeVulnerableDriver

HackSys Extreme Vulnerable Driver (HEVD) - Windows & Linux
https://hacksys.io
GNU General Public License v3.0

Windows 10 UafNonPagedPool exploitation question #57

Closed Dominopl closed 1 year ago

Dominopl commented 1 year ago

Hello, I have a question. I am on a Windows 10 (22H2) machine and I am trying to perform the UaF exploit on the NonPagedPool. After following some tutorials unsuccessfully, I checked and learned that Windows only supports NonPagedPoolExecute (NonPagedPool) for backwards compatibility so that old drivers still work. I suspect that Windows has adapted all internal functions such as CreatePipe to use the NonPagedPoolNx, because every time I've tried to apply some "heap feng shui" I've been unable to find the "spray" objects in the NonPagedPool, which would make sense with DEP. Is it still possible to allocate objects in the NonPagedPool using functions similar to CreatePipe? Or do I need to load ExAllocatePoolWithTag from ntdll.dll and try it with that? Thank you in advance :)

hacksysteam commented 1 year ago

Hi @Dominopl, as you have noticed, Windows has moved its objects from NonPagedPool to NonPagedPoolNx. So no matter what you try to groom NonPagedPool using Windows objects, it will not work, as they are no longer allocated in NonPagedPool.

For successful grooming of NonPagedPool you need to find those drivers that still use this pool type to store data. Then using those drivers you might be able to groom NonPagedPool.
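The following is an added illustration of the point made in the answer above; it is not code from this issue thread or from the HEVD project. It is a user-mode C model, not kernel code: each pool type gets its own simple LIFO free-list allocator (the way a lookaside list hands back the most recently freed chunk), HEVD's UaF object is modelled as an allocation in NonPagedPool, and two spray primitives are compared. The "CreatePipe-style" spray lands in NonPagedPoolNx and can never reclaim the hole; a hypothetical driver that still calls ExAllocatePoolWithTag(NonPagedPool, ...) reclaims it on its first allocation. The pool-type constants are the public wdm.h values (NonPagedPool = 0, NonPagedPoolNx = 0x200); everything else (slot counts, spray count, the helper-driver primitive) is an assumption of the model.

```c
/* Added example: user-mode model of the NonPagedPool vs NonPagedPoolNx mismatch.
 * Not HEVD code and not a kernel driver; pool sizes and primitives are assumed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NON_PAGED_POOL     0x000u  /* NonPagedPool == NonPagedPoolExecute (wdm.h) */
#define NON_PAGED_POOL_NX  0x200u  /* NonPagedPoolNx (wdm.h) */
#define SLOTS_PER_POOL     64      /* assumed size of the model pool */
#define SPRAY_COUNT        16      /* assumed number of spray objects */

/* One simulated pool of fixed-size slots with a LIFO free list. */
typedef struct {
    uint32_t pool_type;
    size_t   next_fresh;                  /* first never-used slot */
    int      free_stack[SLOTS_PER_POOL];  /* freed slots, most recent on top */
    size_t   free_top;
} pool_t;

/* A chunk is identified by its pool type and slot (the slot stands in for an address). */
typedef struct { uint32_t pool_type; int slot; } chunk_t;

/* The two pools the thread is about. */
typedef struct { pool_t np; pool_t npnx; } kernel_t;

static void pool_init(pool_t *p, uint32_t type) {
    memset(p, 0, sizeof *p);
    p->pool_type = type;
}

static pool_t *pool_for(kernel_t *k, uint32_t type) {
    return type == NON_PAGED_POOL_NX ? &k->npnx : &k->np;
}

/* Reuse the most recently freed slot first, otherwise hand out a fresh one; -1 when full. */
static int pool_alloc(pool_t *p) {
    if (p->free_top > 0)
        return p->free_stack[--p->free_top];
    if (p->next_fresh < SLOTS_PER_POOL)
        return (int)p->next_fresh++;
    return -1;
}

static void pool_free(pool_t *p, int slot) {
    p->free_stack[p->free_top++] = slot;
}

/* HEVD allocates its UaF object with ExAllocatePoolWithTag(NonPagedPool, ...). */
static chunk_t hevd_allocate_uaf_object(kernel_t *k) {
    chunk_t c = { NON_PAGED_POOL, pool_alloc(&k->np) };
    return c;
}

/* Spray SPRAY_COUNT objects into the pool of the given type; true if one of them
 * lands exactly on the dangling chunk, i.e. the groom succeeded. */
static bool spray_reclaims(kernel_t *k, uint32_t spray_type, chunk_t dangling) {
    pool_t *p = pool_for(k, spray_type);
    bool hit = false;
    for (int i = 0; i < SPRAY_COUNT; i++) {
        int slot = pool_alloc(p);
        if (slot < 0)
            break;
        /* Slot indices overlap between pools, so the pool type must match too. */
        if (spray_type == dangling.pool_type && slot == dangling.slot)
            hit = true;
    }
    return hit;
}

/* Setup shared by both scenarios: some unrelated NonPagedPool allocations,
 * then allocate and free the UaF object so a hole exists in NonPagedPool. */
static chunk_t prepare_hole(kernel_t *k) {
    pool_init(&k->np, NON_PAGED_POOL);
    pool_init(&k->npnx, NON_PAGED_POOL_NX);
    for (int i = 0; i < 3; i++)
        pool_alloc(&k->np);
    chunk_t uaf = hevd_allocate_uaf_object(k);
    pool_free(&k->np, uaf.slot);          /* the driver keeps a dangling pointer */
    return uaf;
}

/* The question's scenario: spray objects Windows now places in NonPagedPoolNx. */
bool groom_with_nx_objects(void) {
    kernel_t k;
    chunk_t uaf = prepare_hole(&k);
    return spray_reclaims(&k, NON_PAGED_POOL_NX, uaf);   /* never reclaims */
}

/* The answer's scenario: a hypothetical driver still allocating in NonPagedPool. */
bool groom_with_legacy_pool_driver(void) {
    kernel_t k;
    chunk_t uaf = prepare_hole(&k);
    return spray_reclaims(&k, NON_PAGED_POOL, uaf);      /* LIFO reuse hits the hole */
}

int main(void) {
    printf("spray via NonPagedPoolNx objects reclaims hole: %s\n",
           groom_with_nx_objects() ? "yes" : "no");
    printf("spray via NonPagedPool driver reclaims hole:    %s\n",
           groom_with_legacy_pool_driver() ? "yes" : "no");
    return 0;
}
```

The model deliberately leaves out size classes, pool headers and the real allocator's free-list policy; the only property it exercises is the one the answer relies on: a freed chunk can only be reused by an allocation made in the same pool type, so the search for a grooming primitive has to start from drivers that still request NonPagedPool.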

Dominopl commented 1 year ago

So, my assumption wasn't wrong. I just wanted to make sure that I haven't missed something. Thank you for answering my question :))

hacksysteam commented 1 year ago

@Dominopl can we close this issue ticket?

Dominopl commented 1 year ago

Yes, you can close it.