Predictable kernel thread start address #43
Description
Currently the kernel thread's start address will always be pointing to the gadget mov rdx, qword ptr [rcx + 0x50]; mov rbp, qword ptr [rcx + 0x18]; mov rsp, qword ptr [rcx + 0x10]; jmp rdx; as specified in RopThreadManager::SpawnThread().
This gadget is located at KernelBase + 0x69ce00 so any defense software can easily sig this.
For this reason I have implemented the function Utils::FindRandomValidThreadAddress(). What it does is look through different start addresses present in already existing kernel threads, looks for those used more that once already in other system threads, and randomly chooses one to return.
However currently this value is not set as the thread address, this is because dynamic offsets are required for that to work across different Windows versions. But currently there exist the function StackManager::ModifyThreadStartAddress(const std::uint64_t NewStartAddress) which takes a start address and sets the EThread.StartAddress and EThread.Win32StartAddress to it.
Their offsets can be found here.
Basically, all that needs to be done is having StackManager::ModifyThreadStartAddress() support dynamic offsets and calling it with the value returned from Utils::FindRandomValidThreadAddress().