Update README.md

This commit is contained in:
dpcpointer
2025-05-28 19:34:32 -06:00
committed by GitHub
parent 3c347086eb
commit 20b85cec2b

@@ -1,15 +1,22 @@
simple method.
# pdfwkrnl-exploit
## prologue
I saw this driver on loldrivers.io and thought nothing of it at first but then i realized all we need is vulnerable memcpy to copy kernel to call kernel functions.
__int64 NtCompareSigningLevels()
{
int v0; // eax
After remembering how a basic data pointer swap hook work's i found one in ntoskrnl.exe called "**NtCompareSigningLevels**" and this was perfect for exploiting.
v0 = 0;
if ( function_pointer )
v0 = ((__int64 (*)(void))function_pointer)();
return v0 == 0 ? 0xC0000428 : 0;
}
sub rsp, 28h
mov r8, cs:function_pointer
boom! that's the big ol bug, it loads a pointer from a variable inside ntoskrnl's **.data** section which can be easily modified to any kernel function which is a big no no.
this loads a qword into r9 from a var.
.data:0000000140C1DA00 function_pointer // ntoskrnl.exe
## exploiting the pointer
I wrote a simple library for pdfwkrnl.sys after taking a little code from another project (https://github.com/Legcsnaec/driverMapper) *"Originally forked from ia-32-Sudo's project, his account is deleted or terminated".* Then the exploit time i decided to use an offset for the **function_pointer** then i used **EnumDeviceDrivers** to get ntoskrnl's base then used the driver to walk the ntoskrnl's pe headers for exports then we got our export address then wrote over the **function_pointer** to our selected export then called the user-mode component **NtCompareSigningLevels** (exported by ntdll.dll) while passing our custom then after execution we swapped back the old pointer as nothing had happened.
we use pdfwkrnl's memcpy vulnerable function to swap this pointer to our kernel function.
![exploit working](https://github.com/dpcpointer/pdfwkrnl-exploit/blob/main/image.png?raw=true)
## final notes
This was cool as i racked my brain for this cool little project it took around 5 hours.
all i ask for is credits for my idea, thanks for the small read feel free to leave a follow or fork to show your support.
good bye and have a great day (:
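Review bot: the prose and the disassembly in this hunk disagree on the register: the line `mov r8, cs:function_pointer` loads into r8, but the sentence right after it says "this loads a qword into r9 from a var"; check the ntoskrnl build you disassembled and fix whichever one is wrong. A few documentation gaps in the same hunk: the `.data:0000000140C1DA00 function_pointer` address and the offset the exploit hard-codes for `function_pointer` are specific to one ntoskrnl build, so state which version they were taken from, or say that the reader has to resolve the offset per build before running the exploit; the sentence "while passing our custom then after execution" is missing its object (custom argument? custom buffer?); and the opening line "all we need is vulnerable memcpy to copy kernel to call kernel functions" should read something like "all we need is a vulnerable kernel memcpy to overwrite a pointer and call kernel functions". Also the stray "simple method." at the top of the hunk looks like a leftover from the previous version rather than part of the new README. Finally, since `function_pointer` is a global read by every caller of NtCompareSigningLevels, any other thread that hits that syscall between the overwrite and the restore will call your chosen export too; a warning about that window belongs next to the "swapped back the old pointer as nothing had happened" sentence.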