Windows Kernel Exploitation 練習

WinDBG 基本操作 - 練習手動把 VA 轉成 PA#

Virtual Address的組成:

PML4 Index	PDPT Index	PD Index	PT Index	Page Offset
Bits 47-39	Bits 38-30	Bits 29-21	Bits 20-12	Bits 11-0
9 bits	9 bits	9 bits	9 bits	12 bits

隨便拿一個位址做轉換的目標:

1
2: kd> lm m nt
2
Browse full module list
3
start             end                 module name
4
fffff806`77e00000 fffff806`79250000   nt         (pdb symbols)          c:\symbols\ntkrnlmp.pdb\0385A3E51169BA7F84716B1C792977F71\ntkrnlmp.pdb

讀取 CR3#

1
2: kd> r cr3
2
cr3=00000000001ae002

分別拿四個 Index#

1
2: kd> ? (fffff806`77e00000 >> c) & 1ff
2
Evaluate expression: 0 = 00000000`00000000
3
2: kd> ? (fffff806`77e00000 >> 15) & 1ff
4
Evaluate expression: 447 = 00000000`000001bf
5
2: kd> ? (fffff806`77e00000 >> 1e) & 1ff
6
Evaluate expression: 25 = 00000000`00000019
7
2: kd> ? (fffff806`77e00000 >> 27) & 1ff
8
Evaluate expression: 496 = 00000000`000001f0

PT Index: 0
PD Index: 0x1bf
PDPT Index: 0x19
PML4 Index: 0x1f0

爬Page Table#

先爬 PML4:

CR3 + PML4_Index * 8
!dq 抓 PML4 的內容
爬出來的 & 0ffffffffff000 清掉最低三位

1
2: kd> ? 00000000001ae002 + (00000000`000001f0 * 8)
2
Evaluate expression: 1765250 = 00000000`001aef82
3
2: kd> !dq 00000000`001aef82 L1
4
#  1aef80 00000000`001d0063
5
2: kd> ? 00000000`001d0063 & 0ffffffffff000
6
Evaluate expression: 1900544 = 00000000`001d0000

再用抓出來的結果當作 base 去爬 PDPT:

1
2: kd> ? 00000000`001d0000 + (00000000`00000019 * 8)
2
Evaluate expression: 1900744 = 00000000`001d00c8
3
2: kd> !dq 00000000`001d00c8 L1
4
#  1d00c8 00000000`0025a063
5
2: kd> ? 00000000`0025a063 & 0ffffffffff000
6
Evaluate expression: 2465792 = 00000000`0025a000

再用相同的步驟爬 PD:

1
2: kd> ? 00000000`0025a000 + (00000000`000001bf * 8)
2
Evaluate expression: 2469368 = 00000000`0025adf8
3
2: kd> !dq 00000000`0025adf8 L1
4
#  25adf8 8a000001`004000a1

注意到 PD 的內容, a1 為 1010 0001, bit7為1, 因此為 Large Page, 用 Large Page 的轉換方法:

({PTE} \&\quad {0ffffffffff000}) + (VA \&\quad {1fffff})

1
2: kd> ? (8a000001`004000a1 & 0fffffffffe00000) + (fffff806`77e00000 & 1fffff)
2
Evaluate expression: 720575944678440960 = 0a000001`00400000

最後可以用記憶體內容檢查轉換結果:

1
2: kd> db fffff806`77e00000
2
fffff806`77e00000  4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00  MZ..............
3
fffff806`77e00010  b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00  ........@.......
4
fffff806`77e00020  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
5
fffff806`77e00030  00 00 00 00 00 00 00 00-00 00 00 00 18 01 00 00  ................
6
fffff806`77e00040  0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68  ........!..L.!Th
7
fffff806`77e00050  69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f  is program canno
8
fffff806`77e00060  74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20  t be run in DOS
9
fffff806`77e00070  6d 6f 64 65 2e 0d 0d 0a-24 00 00 00 00 00 00 00  mode....$.......
10
2: kd> !db 000001`00400000
11
#100400000 4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00 MZ..............
12
#100400010 b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00 ........@.......
13
#100400020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
14
#100400030 00 00 00 00 00 00 00 00-00 00 00 00 18 01 00 00 ................
15
#100400040 0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68 ........!..L.!Th
16
#100400050 69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f is program canno
17
#100400060 74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20 t be run in DOS
18
#100400070 6d 6f 64 65 2e 0d 0d 0a-24 00 00 00 00 00 00 00 mode....$.......

Windows Programming 練習 - 列舉 User 可使用的所有 Device#

使用 Claude 生成, 各家 LLM 生出來的結果應該不會相差太大, 都是使用 pNtOpenDirectoryObject 去開 \\Device 然後用 pNtQueryDirectoryObject 配合 TryOpenDevice 去戳對應的 Device:

1
bool EnumerateDevices(DeviceStats& stats) {
2
    HANDLE hDirectory = NULL;
3
    NTSTATUS status;
4

5
    // Open \Device directory
6
    UNICODE_STRING dirName;
7
    pRtlInitUnicodeString(&dirName, L"\\Device");
8

9
    OBJECT_ATTRIBUTES objAttr;
10
    InitializeObjectAttributes(&objAttr, &dirName, OBJ_CASE_INSENSITIVE, NULL, NULL);
11

12
    status = pNtOpenDirectoryObject(&hDirectory, DIRECTORY_QUERY | DIRECTORY_TRAVERSE, &objAttr);
13
    if (!NT_SUCCESS(status)) {
14
        printf("[-] Failed to open \\Device directory. NTSTATUS: 0x%08X\n", status);
15
        return false;
16
    }
17

18
    printf("[+] Successfully opened \\Device directory\n");
19
    printf("[*] Enumerating devices...\n\n");
20

21
    // Buffer for directory query
22
    const ULONG bufferSize = 0x10000;
23
    BYTE* buffer = new BYTE[bufferSize];
24
    ULONG context = 0;
25
    ULONG returnLength = 0;
26
    BOOLEAN restartScan = TRUE;
27

28
    while (true) {
29
        status = pNtQueryDirectoryObject(
30
            hDirectory,
31
            buffer,
32
            bufferSize,
33
            FALSE,  // Return multiple entries
34
            restartScan,
35
            &context,
36
            &returnLength
37
        );
38

39
        restartScan = FALSE;
40

41
        if (!NT_SUCCESS(status)) {
42
            if (status == STATUS_NO_MORE_ENTRIES) {
43
                break;
44
            }
45
            printf("[-] NtQueryDirectoryObject failed: 0x%08X\n", status);
46
            break;
47
        }
48

49
        // Process entries
50
        POBJECT_DIRECTORY_INFORMATION info = (POBJECT_DIRECTORY_INFORMATION)buffer;
51

52
        while (info->Name.Buffer != nullptr) {
53
            std::wstring name = UnicodeToWString(info->Name);
54
            std::wstring type = UnicodeToWString(info->TypeName);
55

56
            // Only process Device objects
57
            if (type == L"Device") {
58
                stats.totalDevices++;
59

60
                DWORD error = TryOpenDevice(name);
61
                stats.errorCounts[error]++;
62

63
                // Print each device with result
64
                wprintf(L"[%4d] \\Device\\%-40s ", stats.totalDevices, name.c_str());
65

66
                switch (error) {
67
                    case 0:
68
                        stats.successCount++;
69
                        printf("[OK]\n");
70
                        break;
71
                    case ERROR_ACCESS_DENIED:
72
                        stats.accessDeniedCount++;
73
                        printf("[ACCESS_DENIED]\n");
74
                        break;
75
                    case ERROR_SHARING_VIOLATION:
76
                        stats.sharingViolationCount++;
77
                        printf("[SHARING_VIOLATION]\n");
78
                        break;
79
                    case ERROR_FILE_NOT_FOUND:
80
                    case ERROR_PATH_NOT_FOUND:
81
                        stats.notFoundCount++;
82
                        printf("[NOT_FOUND]\n");
83
                        break;
84
                    case ERROR_INVALID_NAME:
85
                        stats.invalidNameCount++;
86
                        printf("[INVALID_NAME]\n");
87
                        break;
88
                    default:
89
                        stats.otherErrorCount++;
90
                        printf("[ERROR: %lu]\n", error);
91
                        break;
92
                }
93
            }
94

95
            info++;
96
        }
97
    }
98

99
    delete[] buffer;
100
    CloseHandle(hDirectory);
101
    return true;
102
}

Windows Programming 練習 - 與 Driver 互動#

安裝 Driver#

開啟 Test Mode 之後先安裝 Lab 的 Driver:

1
C:\Windows\System32>sc create vul binPath=C:\VulDriver.sys type=kernel
2
[SC] CreateService SUCCESS
3

4
C:\Windows\System32>sc start vul
5

6
SERVICE_NAME: vul
7
        TYPE               : 1  KERNEL_DRIVER
8
        STATE              : 4  RUNNING
9
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
10
        WIN32_EXIT_CODE    : 0  (0x0)
11
        SERVICE_EXIT_CODE  : 0  (0x0)
12
        CHECKPOINT         : 0x0
13
        WAIT_HINT          : 0x0
14
        PID                : 0
15
        FLAGS              :
16

17
C:\Windows\System32>

安裝 Debug Symbol#

先在 Host 上隨便開一個資料夾, 把 VulDriver.pdb 拷進去之後加到 WinDbg 的 symbol path:

1
0: kd> .sympath srv*C:\Symbols*https://msdl.microsoft.com/download/symbols;C:\LocalSymbols
2
Symbol search path is: srv*C:\Symbols*https://msdl.microsoft.com/download/symbols;C:\LocalSymbols
3
Expanded Symbol search path is: srv*c:\symbols*https://msdl.microsoft.com/download/symbols;c:\localsymbols
4

5
************* Path validation summary **************
6
Response                         Time (ms)     Location
7
Deferred                                       srv*C:\Symbols*https://msdl.microsoft.com/download/symbols
8
OK                                             C:\LocalSymbols
9
0: kd> .reload /f VulDriver.sys

可以 lm 或是直接 x VulDriver!* 看是不是有抓到 symbol:

1
0: kd> lm vm VulDriver
2
Browse full module list
3
start             end                 module name
4
fffff805`30240000 fffff805`30248000   VulDriver   (private pdb symbols)  c:\localsymbols\VulDriver.pdb
5
    Loaded symbol image file: VulDriver.sys
6
    Image path: \??\C:\VulDriver.sys
7
    Image name: VulDriver.sys
8
    Browse all global symbols  functions  data  Symbol Reload
9
    Timestamp:        Fri Dec 19 20:40:23 2025 (694547B7)
10
    CheckSum:         0000DCD0
11
    ImageSize:        00008000
12
    Mapping Form:     Loaded
13
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
14
    Information from resource tables:

利用 DeviceIoControl 與 driver 互動#

先觀察 IOCTL_VUL_TEST , 發現需滿足以下條件:

輸入 magic: 0x13371337
Output buffer 大小 >= 0x1337 bytes

1
    case IOCTL_VUL_TEST:
2
    {
3
        if (irpSp->Parameters.DeviceIoControl.InputBufferLength < 4) {
4
            status = STATUS_BUFFER_TOO_SMALL;
5
            break;
6
        }
7
        magic = *(ULONG*)Irp->AssociatedIrp.SystemBuffer;
8
        if (magic != 0x13371337) {
9
            status = STATUS_INVALID_PARAMETER;
10
            break;
11
        }
12
        const wchar_t* msg = L"HelloWorld";
13
        ULONG bytes = (ULONG)((wcslen(msg) + 1) * sizeof(wchar_t));
14

15
        if (irpSp->Parameters.DeviceIoControl.OutputBufferLength < 0x1337) {
16
            status = STATUS_BUFFER_TOO_SMALL;
17
            break;
18
        }
19
        RtlCopyMemory(Irp->AssociatedIrp.SystemBuffer, msg, bytes);
20
        info = bytes;
21
        status = STATUS_SUCCESS;
22
        break;
23
    }

送出對應的 IOCTL 就能收到 Driver回傳的字串了

1
    DWORD inputBuffer = VUL_MAGIC;
2

3
    const DWORD outputBufferSize = 0x1337;
4
    BYTE* outputBuffer = new BYTE[outputBufferSize];
5
    ZeroMemory(outputBuffer, outputBufferSize);
6

7
    DWORD bytesReturned = 0;
8

9
    printf("\n[*] Calling DeviceIoControl...\n");
10

11
    BOOL success = DeviceIoControl(
12
        hDevice,
13
        IOCTL_VUL_TEST,
14
        &inputBuffer,           // Input buffer (magic value)
15
        sizeof(inputBuffer),    // Input buffer size (4 bytes)
16
        outputBuffer,           // Output buffer
17
        outputBufferSize,       // Output buffer size (0x1337)
18
        &bytesReturned,         // Bytes returned
19
        NULL                    // Not overlapped
20
    );

在 VulDriver!VulDeviceControl 上設定 breakpoint, 觀察 IRP 內容:

1
1: kd> bp VulDriver!VulDeviceControl
2
1: kd> g
3
Breakpoint 0 hit
4
VulDriver!VulDeviceControl:
5
fffff805`30241370 4889542410      mov     qword ptr [rsp+10h],rdx
6
1: kd> dt nt!_IRP @rdx
7
   +0x000 Type             : 0n6
8
   +0x002 Size             : 0x118
9
   +0x004 AllocationProcessorNumber : 1
10
   +0x006 Reserved1        : 0
11
   +0x008 MdlAddress       : (null)
12
   +0x010 Flags            : 0x60070
13
   +0x014 Reserved2        : 0
14
   +0x018 AssociatedIrp    : <unnamed-tag>
15
   +0x020 ThreadListEntry  : _LIST_ENTRY [ 0xffffa28c`a1c0b5c0 - 0xffffa28c`a1c0b5c0 ]
16
   +0x030 IoStatus         : _IO_STATUS_BLOCK
17
   +0x040 RequestorMode    : 1 ''
18
   +0x041 PendingReturned  : 0 ''
19
   +0x042 StackCount       : 1 ''
20
   +0x043 CurrentLocation  : 1 ''
21
   +0x044 Cancel           : 0 ''
22
   +0x045 CancelIrql       : 0 ''
23
   +0x046 ApcEnvironment   : 0 ''
24
   +0x047 AllocationFlags  : 0x6 ''
25
   +0x048 UserIosb         : 0x0000002b`e6b5f470 _IO_STATUS_BLOCK
26
   +0x048 IoRingContext    : 0x0000002b`e6b5f470 Void
27
   +0x050 UserEvent        : (null)
28
   +0x058 Overlay          : <unnamed-tag>
29
   +0x068 CancelRoutine    : (null)
30
   +0x070 UserBuffer       : 0x000001d7`5ee21060 Void
31
   +0x078 Tail             : <unnamed-tag>
32
1: kd> dd poi(@rdx+18) L1
33
ffffa28c`a739e000  13371337

Systembuffer 的內容對應到 Magic 0x13371337

Token Stealing 練習#

TBD

Blog

紅櫻落盡君不見，輕繪梨花淚沾衣