yardenshafir/IoRingReadWritePrimitive yardenshafir/IoRingReadWritePrimitive

  • Stars
    star
    221
  • Rank 179,773 (Top 4 %)
  • Language
    C++
  • License
    MIT License
  • Created over 2 years ago
  • Updated over 2 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
yardenshafir/IoRingReadWritePrimitive
github

yardenshafir

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Post exploitation technique to turn arbitrary kernel write / increment into full read/write primitive on Windows 11 22H2

IoRingReadWritePrimitive

Post exploitation technique to turn arbitrary kernel write / increment into full read/write primitive on Windows 11 22H2+ This PoC is using the HackSysExtremeVulnerableDriver. The PoC supports both arbitrary write and arbitrary increment, controlled through a flag passed into the function from main(). For arbitrary increment, compile the latest HEVD driver from source.

Writeup: https://windows-internals.com/one-i-o-ring-to-rule-them-all-a-full-read-write-exploit-primitive-on-windows-11/

This PoC uses an arbitrary overwrite of the RegBuffers field of an I/O ring to point to a fake array of preregistered buffers that can be manipulated by an attacker. The fake buffers can point to kernel addresses, so the attacker can queue read and write operations that generate arbitrary reads and writes. By using named pipes instead of a file we can avoid leaving any traces for security tools to recognize. Current implementation reads a page from the NTOS data section and prints it out. This is done using a hard-coded offset so it might break inthe future.

More Repositories

1

WinDbg_Scripts

Useful scripts for WinDbg using the debugger data model
JavaScript
382
star
2

PoolViewer

An application to view and filter pool allocations from a dmp file on Windows 10 RS5+.
C++
121
star
3

CVE-2020-1034

PoC demonstrating the use of cve-2020-1034 for privilege escalation
C++
114
star
4

SymlinkCallback

A driver that hooks C: volume using symbolic link callback to track all FS access to the volume
C++
98
star
5

cet-research

A collection of tools, source code, and papers researching Windows' implementation of CET.
C
72
star
6

KernelDataStructureFinder

Driver and WinDBG scripts to dump information about all resources and lookaside lists
C++
63
star
7

InformationClasses

Documenting system information classes and their uses
48
star
8

DpcWait

Driver demonstrating how to register a DPC to asynchronously wait on an object
C++
45
star
9

MitigationFlagsCliTool

Command like tool to print mitigation flags for running processes in a memory dump
C++
41
star
10

IoRing_Demos

A repository for I/O ring demos, use cases and performance testing on Windows
C++
38
star
11

conference_talks

Slides from various conference talks
36
star
12

CallbackObjectAnalyzer

Dumps information about all the callback objects found in a dump file and the functions registered for them
C++
32
star
13

s1dbg

windbg extension that does stuff
C++
5
star