m0rethan3
commented
3 years ago oh and you can just patch vulnerable driver itself to not mess with windows kernel images and probably PatchGuard cases
Open m0rethan3 opened 3 years ago
m0rethan3
commented
3 years ago oh and you can just patch vulnerable driver itself to not mess with windows kernel images and probably PatchGuard cases
m0rethan3
commented
3 years ago and forgot to say, according to this blog post https://blog.can.ac/2018/04/28/escape-smep-exploiting-capcom-safely/ actually you don’t need to disable interrupts because some NT kernel routines may not work at all
kkent030315
commented
3 years ago We do not need such a nanosecond-level performance.
m0rethan3
commented
3 years ago ye i know but you anyway can patch that vulnerable driver (just need to find some ioctl that you don’t use) instead of ntoskrnl syscall and replace all physmem scanning with virtual to physical address translation of that ioctl handler address to patch it one time
kkent030315
commented
3 years ago That's the good point. Also bruteforcing system's CR3 is the good one than scanning entire physical memory. I will bring the implementation when I get time to do so! :)
serby2000
commented
2 years ago Also bruteforcing system's CR3 is the good one than scanning entire physical memory.
What would you achieve by bruteforcing CR3 when Kernel Structs including Page Tables are protected from mapping with ZwMapViewOfSection?
estimated1337
commented
2 years ago Also bruteforcing system's CR3 is the good one than scanning entire physical memory.
What would you achieve by bruteforcing CR3 when Kernel Structs including Page Tables are protected from mapping with ZwMapViewOfSection?
protected from MmMapIoSpace mapping but not from ZwMapViewOfSection, with last you can map actually entire physical memory
thx for taking attention on my previous issue also you can just look at NtUserCreateWindowStation function kernel implementation for example (or any other that match rule i described next) and you probably notice that actually to hook it you need to swap just one pointer i think that this hook should be PatchGuard free as well cuz pointer resides in .data RW section and to not make multiple syscall calls in usermode e.g. to disable smep or KeSetSystemAffinityThread call you can craft shellcode one time and patch it to function addresses or data that you need to make capcom-like execution faster and physmem loaded driver free
and also last advice: easy virtual to physical address translation example using physmem vulnerable driver - https://github.com/zx0CF1/physmem_drivers/blob/master/huawei_PoC/phymem.cpp#L66