Dump ntoskrnl.exe important offsets for building your navigation system in the Windows Kernel, using Radare2 and Rust

vtorres/ntoskrnl-offsets-dumper

NtoskrnlOffsetDumper

Ntoskrnl.exe Offsets Dumper

📕 Prerequisites

  • Radare2 - make sure the radare2 binary is on your PATH and that the Radare2 version is >= 5.0.0

  • Rust

📖 Usage

To dump the offsets of those structures, the tool extracts them from the ntoskrnl.exe file of the system, normally located at C:/Windows/System32/ntoskrnl.exe

The script downloads the ntoskrnl PDB that matches that binary, fetches a handful of crucial offsets from it and outputs the information needed to build a user-mode navigation system for the kernel with the Bring Your Own Vulnerable Driver (a.k.a. BYOVD) method, for purposes such as token stealing, handle elevation, thread hijacking and more. At present, the structure members of interest are the following:

_LIST_ENTRY ActiveProcessLinks
void * UniqueProcessId
_LIST_ENTRY ThreadListHead
_PS_PROTECTION Protection
_EX_FAST_REF Token
_HANDLE_TABLE* ObjectTable
_KTRAP_FRAME* TrapFrame
uint64_t Rip
_LIST_ENTRY ThreadListEntry
_CLIENT_ID Cid
EtwThreatIntProvRegHandle
_ETW_GUID_ENTRY* GuidEntry
_TRACE_ENABLE_INFO ProviderEnableInfo
_GUID Guid
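The first step the Usage section describes, downloading the PDB that matches the local ntoskrnl.exe, depends on the CodeView "RSDS" record in the binary's debug directory: its GUID, age and PDB name form the path on the Microsoft symbol server. The Rust program below is an added example and is not code from the ntoskrnl-offsets-dumper project; it parses a constructed RSDS record (the GUID and age are made up for the example) and builds the symbol-server URL. Reading the record out of the PE's IMAGE_DEBUG_DIRECTORY and performing the download are left out.

```rust
// Added example, not part of the ntoskrnl-offsets-dumper project.
// Parses a CodeView RSDS record and derives the Microsoft symbol server path
// from which the matching PDB is fetched. The record bytes are constructed
// here; a real tool reads them from the PE's IMAGE_DEBUG_DIRECTORY.

/// Parsed CodeView RSDS record.
#[derive(Debug, PartialEq)]
pub struct RsdsInfo {
    pub guid: [u8; 16],
    pub age: u32,
    pub pdb_name: String,
}

/// Layout: "RSDS" | GUID (16 bytes) | age (u32 little-endian) | NUL-terminated PDB path.
pub fn parse_rsds(data: &[u8]) -> Result<RsdsInfo, String> {
    if data.len() < 24 || &data[..4] != b"RSDS" {
        return Err("not an RSDS CodeView record".into());
    }
    let mut guid = [0u8; 16];
    guid.copy_from_slice(&data[4..20]);
    let age = u32::from_le_bytes([data[20], data[21], data[22], data[23]]);
    let path = &data[24..];
    let end = path
        .iter()
        .position(|&b| b == 0)
        .ok_or("PDB path is not NUL-terminated")?;
    let pdb_path = std::str::from_utf8(&path[..end]).map_err(|e| e.to_string())?;
    // The symbol server only uses the file name; the build machine's path is discarded.
    let pdb_name = pdb_path
        .rsplit(|c: char| c == '\\' || c == '/')
        .next()
        .unwrap_or(pdb_path)
        .to_string();
    if pdb_name.is_empty() {
        return Err("empty PDB name".into());
    }
    Ok(RsdsInfo { guid, age, pdb_name })
}

/// Symbol server identifier: the GUID printed as 32 uppercase hex digits
/// (Data1/Data2/Data3 are little-endian in the file and printed big-endian,
/// Data4 is printed byte by byte), immediately followed by the age in uppercase hex.
pub fn symbol_server_id(info: &RsdsInfo) -> String {
    let g = &info.guid;
    let data1 = u32::from_le_bytes([g[0], g[1], g[2], g[3]]);
    let data2 = u16::from_le_bytes([g[4], g[5]]);
    let data3 = u16::from_le_bytes([g[6], g[7]]);
    let mut id = format!("{:08X}{:04X}{:04X}", data1, data2, data3);
    for b in &g[8..16] {
        id.push_str(&format!("{:02X}", b));
    }
    id.push_str(&format!("{:X}", info.age));
    id
}

/// Full download URL on the public Microsoft symbol server.
pub fn symbol_server_url(info: &RsdsInfo) -> String {
    format!(
        "https://msdl.microsoft.com/download/symbols/{}/{}/{}",
        info.pdb_name,
        symbol_server_id(info),
        info.pdb_name
    )
}

/// Constructed RSDS record for the example (GUID and age are made up).
pub fn sample_rsds() -> Vec<u8> {
    let mut v = Vec::new();
    v.extend_from_slice(b"RSDS");
    // GUID {01234567-89AB-CDEF-0123-456789ABCDEF} in its on-disk mixed-endian form.
    v.extend_from_slice(&[
        0x67, 0x45, 0x23, 0x01, 0xAB, 0x89, 0xEF, 0xCD,
        0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF,
    ]);
    v.extend_from_slice(&1u32.to_le_bytes());
    v.extend_from_slice(b"ntoskrnl.pdb\0");
    v
}

fn main() {
    match parse_rsds(&sample_rsds()) {
        Ok(info) => println!("{}", symbol_server_url(&info)),
        Err(e) => eprintln!("error: {}", e),
    }
}
```

For the constructed record the program prints a URL ending in `ntoskrnl.pdb/0123456789ABCDEF0123456789ABCDEF1/ntoskrnl.pdb`. Binaries built with the older NB10 CodeView format, or a record whose path lacks its terminator, are rejected instead of producing a bogus path.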

🖥️ Development

cargo run

or

cargo build --release

🏴‍☠️ Credits

After reading Kernel Cactus' latest blog post on a boring Sunday, I decided I would go through a coding session to do it.
