### Microsoft Kernel Memory Leak

***Please note that this is only a minor code bug. It is not a security problem and will not cause any security problems.***

There are memory leaks in two Microsoft APIs:

```
win32kbase!NtDCompositionCommitSynchronizationObject
win32kbase!NtGdiGetCertificate
```

### win32kbase!NtGdiGetCertificate

The `win32kbase!NtGdiGetCertificate` memory leak was patched in Windows 20H1, but it still reproduces on Windows 1803.

`NtGdiGetCertificate` calls a function named `GetCertificateLengthAndMonitorPDO`:

![](1.png)

`GetCertificateLengthAndMonitorPDO` eventually reaches `dxgkrnl!DpiDispatchInternalIoctl` through `IofCallDriver`. The full call stack:

![](2.png)

#### dxgkrnl!DpiDispatchInternalIoctl

![](3.png)

##### dxgkrnl!FnDpiGdoDispatchInternalIoctl

It allocates pool memory with the tag "trpD" (WinDbg shows it as "Dprt"), but this pool memory ***is never freed***:

![](4.png)

The `v49` variable:

![](5.png)

###### PoC

```c
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

typedef void(__stdcall* fnNtGdiGetCertificate) (unsigned __int64 a1, unsigned __int64 a2, unsigned __int64* a3, unsigned __int64 a4);

int main()
{
    printf("NtGdiGetCertificate Memory Leak Tester 2021-10-14 by huoji \n");
    printf("press any btn to test\n");
    system("pause");
    // win32u.dll carries the user-mode stubs for the win32k system calls
    PVOID win32u = LoadLibrary(TEXT("win32u.dll"));
    if (win32u == NULL) {
        printf("load win32u.dll error\n");
        system("pause");
        return 0;
    }
    fnNtGdiGetCertificate NtGdiGetCertificate = (fnNtGdiGetCertificate)GetProcAddress((HMODULE)win32u, "NtGdiGetCertificate");

    if (NtGdiGetCertificate) {
        printf("testing NtGdiGetCertificate...\n");
        // every call leaves one "trpD" pool allocation behind; 65536 calls make the growth visible in WinDbg
        for (size_t i = 0; i < 65536; i++)
        {
            NtGdiGetCertificate(0xFFFF080000000000, 0xFFFFF80000000000, (unsigned __int64*)0x000000000000FFFE, 0xFFFF800000000000);
        }
    }
    printf("finished \n");
    system("pause");
    return 0;
}
```

###### Result

![](6.png)

### win32kbase!NtDCompositionCommitSynchronizationObject

This leak is still not patched in Windows 21H1.

The full call stack:

```
3: kd> k
 # Child-SP          RetAddr           Call Site
00 ffffef85`756fed10 fffff802`441b51c4 nt!ExAllocateHeapPool+0x1b1381
01 ffffef85`756fee50 fffff802`43e9502c nt!ExAllocatePoolWithTag+0x64
02 ffffef85`756feea0 fffff802`43d83204 nt!SeQueryInformationToken+0xdc
03 ffffef85`756fefd0 fffff802`44112a29 nt!RtlCheckTokenCapability+0x194
04 ffffef85`756ff2e0 ffffaa93`883d46f9 nt!RtlCapabilityCheck+0x329
05 ffffef85`756ff450 ffffaa93`8877ea62 win32kbase!NtDCompositionCommitSynchronizationObject+0x59
06 ffffef85`756ff490 fffff802`43c0a8b5 win32k!NtDCompositionCommitSynchronizationObject+0x16
07 ffffef85`756ff4c0 00007ff7`f8f94299 nt!KiSystemServiceCopyEnd+0x25
08 000000de`7e1ff288 00007ff7`f8f915ed NtCall64+0x4299
09 000000de`7e1ff290 00007ff7`f8f919ab NtCall64+0x15ed
0a 000000de`7e1ffbe0 00007ffd`f2767034 NtCall64+0x19ab
0b 000000de`7e1ffc10 00007ffd`f3022651 KERNEL32!BaseThreadInitThunk+0x14
0c 000000de`7e1ffc40 00000000`00000000 ntdll!RtlUserThreadStart+0x21
```

#### RtlCheckTokenCapability

![](7.png)

From the MSDN documentation for `SeQueryInformationToken`:

![](8.png)

Well, the buffer does not seem to be freed.

### PoC

Pool memory in WinDbg:

![](9.png)

No more code for lack of time, but you can reproduce it with the NtCall64 fuzz tool listed under Credit.

Test time: 2021/10/14

![](10.png)

### Credit

@[hfiref0x](https://github.com/hfiref0x) and [Windows NtCall Fuzz Tools](https://github.com/hfiref0x/NtCall64)

@[huoji](https://github.com/huoji120)

@[heromantf](https://github.com/heromantf)
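Both leaks above share one shape: a routine hands a pool buffer to its caller, and the caller (`RtlCheckTokenCapability` in the `NtDCompositionCommitSynchronizationObject` stack, the "trpD" allocation in the `NtGdiGetCertificate` path) returns without freeing it. The following user-mode model in C is an added example, not code from this repository: the `Mock_*` functions, `CheckCapability_Leaky`, `CheckCapability_Fixed` and `LeakedAfter` are hypothetical stand-ins for `SeQueryInformationToken`, `ExFreePool` and `RtlCheckTokenCapability`, with a counter playing the role of a pool tag's allocation count.

```c
#include <stdio.h>
#include <stdlib.h>
/* Outstanding buffers: user-mode stand-in for a pool tag's count in !poolused/poolmon. */
static long g_outstanding = 0;

/* Mock of SeQueryInformationToken (hypothetical): it allocates the result
 * buffer itself and hands ownership to the caller, as the real routine does. */
static int Mock_SeQueryInformationToken(size_t cap_index, void **out)
{
    unsigned char *buf = calloc(64, 1);
    if (buf == NULL) return 0;
    buf[cap_index % 64] = 1;   /* constructed data: capability "granted" */
    g_outstanding++;
    *out = buf;
    return 1;
}

/* Mock of ExFreePool: releases the buffer and lowers the count. */
static void Mock_ExFreePool(void *p) { free(p); g_outstanding--; }

/* Leaky pattern, as in the call stack above: read the answer, return, never free. */
static int CheckCapability_Leaky(size_t cap_index)
{
    void *info;
    if (!Mock_SeQueryInformationToken(cap_index, &info)) return 0;
    return ((unsigned char *)info)[cap_index % 64] == 1;   /* info is lost */
}

/* Fixed pattern: copy the answer out, then free the buffer on every path. */
static int CheckCapability_Fixed(size_t cap_index)
{
    void *info; int granted;
    if (!Mock_SeQueryInformationToken(cap_index, &info)) return 0;
    granted = ((unsigned char *)info)[cap_index % 64] == 1;
    Mock_ExFreePool(info);
    return granted;
}

/* Drive a routine n times; a delta that grows with n is the leak signature. */
static long LeakedAfter(int (*check)(size_t), size_t n)
{
    long before = g_outstanding;
    for (size_t i = 0; i < n; i++) check(i);
    return g_outstanding - before;
}

int main(void) {
    printf("leaky: %ld buffers left\n", LeakedAfter(CheckCapability_Leaky, 1000));
    printf("fixed: %ld buffers left\n", LeakedAfter(CheckCapability_Fixed, 1000));
    return 0;
}
```

On a real system the same delta is what `!poolused` or poolmon shows for the affected tag before and after running the tester.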