Skip to content
/ ShellcodeDriver Public
forked from Trietptm-on-Security/ShellcodeDriver

Windows driver to execute arbitrary usermode code (essentially same vulnerability as capcom.sys)

License

Apache-2.0 license
1 star 37 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

online-9/ShellcodeDriver

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
shellcodedriver
shellcodedriver
 
 
shellcoderun
shellcoderun
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
shellcodedriver.sln
shellcodedriver.sln
 
 

Repository files navigation

ShellcodeDriver

Windows driver to execute arbitrary usermode code (essentially same vulnerability as capcom.sys)

Functionality

The driver takes an ioctl with a pointer to a user-land function (or shellcode). It disables SMEP, calls the function and passes a pointer to the MmGetSystemRoutineAddress as an argument.

https://github.com/zerosum0x0/ShellcodeDriver/blob/master/shellcodedriver/shellcodedriver.c#L80

Exploitation

If you want to get SYSTEM, you can use the following functions to copy a system processes token to your current process. The whole point of MmGetSystemRoutineAddress is these function pointers are simple to obtain.

  • PsGetCurrentProcessId
  • PsLookupProcessByProcessId
  • ObDereferenceObject
  • PsReferencePrimaryToken
  • PsDereferencePrimaryToken

About

Windows driver to execute arbitrary usermode code (essentially same vulnerability as capcom.sys)

Topics

windows code driver execute arbitrary

Resources

Readme

License

Apache-2.0 license
Activity

Stars

1 star

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • C 87.6%
  • C++ 12.4%