Windows Kernel Offensive Toolset
KBlast is a small application I built while experimenting with Windows kernel offensive security techniques. It puts together almost all the techniques discussed in the Offensive Driver Development course from Zero Point Security, plus some extra techniques. I thought that building up this tool rather than writing down a cheatsheet was a better way to both put into practice the concepts learned and provide the community with a comprehensive learning resource.
__ __ ____ __ __
/ //_// __ )/ /___ ______/ /_ | KBlast client - OS Build #19045 - Major version #10
/ ,< / __ / / __ `/ ___/ __/ | Version : 0.1 ( first release ) - Architecture : x64
/ /| |/ /_/ / / /_/ (__ ) /_ | Website : http://www.github.com/lem0nSec/KBlast
/_/ |_/_____/_/\__,_/____/\__/ | Author : < lem0nSec_@world:~$ >
------------------------------------------------------->>>
[ KBlast ] --> help
Commands - ' generic ' ( generic commands. Do not initiate kernel interactions )
help: Show this help
quit: Quit KBlast
cls: Clear the screen
banner: Print KBlast banner
pid: Show current pid
time: Display system time
version: Display system version information
!{cmd}: Execute system command
Examples:
No example is available for ' generic ' commands
[ KBlast ] -->
This tool has two components. KBlaster.sys is the application's driver, the actual core where all central features reside. In contrast, KBlast.exe is the client application. KBlast.exe takes user commands, generate a specific input to be sent to KBlaster, and once the driver has finished its operation the client may or may not return the result of the operation depending on what was done.
KBlast commands can fall into four categories which must be prepended to the actual command (generic commands can be just typed and run right away). Categories can be:
- process (kernel-side process interactions)
- protection (protection PPL)
- token (token management)
- callback (kernel callbacks)
- blob (memory read/write)
- misc (misc functionalities)
The following screenshot shows the swapping of a high-integrity powershell token with a system-level token (System process pid 4).
The following screenshot shows the elevation of mimikatz PPL to LSA. Mimikatz is now granted read access to lsass.
Since KBlaster.sys is just a driver I built for my own learning, it does not come with signing. Enabling testsigning mode with the following command is required to play with this tool.
bcdedit /set testsigning on
Under specific conditions, KBlast may be able to zero out g_cioptions using KExecDD and load KBlaster even though testsigning is disabled. Bear in mind that an unsuccessful attempt likely means BSOD.
This tool is still at an early stage of development. KBlast is being actively tested on a Windows 10 Pro build 19045 x64 machine. Some functionalities support other Windows versions. Others don't. The following are the main issues you may encounter:
- Module : Callback : compatible only with Windows 10 Pro build 19045 x64
- Command : Token - revert : it works only if the process whose token is to be reverted is the last one whose token was modified
- Command : Misc - dse : I recently receplaced hardcoded offsets with more stable parser functions. There may still be problems under certain conditions.
To clarify, the following is the output of 'version' command on the system I am using to build the tool.
[ KBlast ] --> version
Microsoft Windows NT 10.0 OS Build 19045 ( Arch x64 )
KBlast v1.1 ( Arch x64 )
Since the Windows Kernel is mostly composed of 'opaque' data structures, this tool is likely to trigger bsods at this stage of development if a version other than the one mentioned is used. Development of these tools often requires months. I hope you understand and appreciate the project and the idea behind! Last but not least, I might consider adding new features such as process unlinking if the project will turn out a useful resource for learners.