search

hacksysteam / HackSysExtremeVulnerableDriver

HackSys Extreme Vulnerable Driver (HEVD) - Windows & Linux
https://hacksys.io
GNU General Public License v3.0
2.38k stars 524 forks source link

Documentation on compiling the exploits #60

Open 0xAtticus opened 1 month ago

0xAtticus commented 1 month ago

I see that the 3.00 version of the release does not contain compiled Exploit, so I wanted to compile them myself. I am running on Windows 10 x64, with Visual Studio Code 2022.

I ran the .bat file in C:\Users\user\Documents\HackSysExtremeVulnerableDriver-master\Builder\Build_HEVD_Exploit.bat.

However, when then running C:\Users\user\Documents\HackSysExtremeVulnerableDriver-master\compile\exploit\HackSysEVDExploit.exe, I get the following output (option was -a -c cmd)

[+] Starting Arbitrary Memory Overwrite Exploitation
        [+] Creating The Exploit Thread
                [+] Exploit Thread Handle: 0x190
        [+] Getting Device Driver Handle
                [+] Device Name: \\.\HackSysExtremeVulnerableDriver
                [+] Device Handle: 0x194
        [+] Setting Up Vulnerability Stage
                [+] Allocating Memory For WRITE_WHAT_WHERE Structure
                        [+] Memory Allocated: 0x013E55A8
                        [+] Allocation Size: 0x8
                [+] Gathering Information About Kernel
                        [+] Loaded Kernel: ntoskrnl.exe
                        [+] Kernel Base Address: 0x7CA00000
                        [-] Failed To Load Kernel: 0x7E

Looking the documentation, I see that 0x7E means ERROR_MOD_NOT_FOUND. However, I can see the file C:\Windows\System32\ntoskrnl.exe.

Edit: I feel like this is because the application is compiled in 32 bits, but try to load ntoskrnl.exe that is 64-bit. If I actually Load ntoskrnl.exe with LoadLibraryEx("C:\\Windows\\System32\\ntoskrnl.exe", NULL, LOAD_LIBRARY_AS_DATAFILE);, it loads successfully, but fails to find HalDispatchTable proc address afterwards.

However, I could not find a way to compile the exploit in 64 bits for now. Espececially Payloads.c, because it looks like inline assembly is not supported in 64 bits by Visual Studio ?

error C4235: nonstandard extension used: '__asm' keyword not supported on this architecture

What I am missing to get the exploits running ? (I am in a VirtualBox VM)

Thank you very much, Atticus

hacksysteam commented 2 weeks ago

Hi @0xAtticus the exploit for this is pretty old - Windows 7 x86 and it won't work on Windows 10 or later. There are tons of exploit that works on Windows 10 and 11 x64. It's really hard to keep the exploit working for each version as techniques get killed very often.

0xAtticus commented 1 week ago

Hi @hacksysteam thank you very much for your response. Of course, I understand that we cannot expect exploits to keep working when switching major versions of operating systems. However, the README states: The HackSys Extreme Vulnerable Driver and the respective exploits have been tested on Windows 7 SP1 x86 and Windows 10 x64.

This is why I expected the exploits to also work on Windows 10. Maybe we could change the phrasing to reflect the fact that some exploits will not work on Windows 10 x64 ?

Thank you very much, Atticus