theyluvEnething/fortnite-chair

Fortnite External Chair and Kernel Driver Framework

Overview

This repository hosts a Proof-of-Concept (PoC) research project demonstrating advanced techniques in Windows kernel manipulation, driver manual mapping, and stealthy user-mode-to-kernel-mode communication.

The project was developed to explore the boundaries of the Windows Object Manager and the Kernel API, specifically focusing on bypassing standard handle acquisition restrictions through direct kernel object manipulation and function pointer hooking.

Note: This project is for educational and research purposes only. It demonstrates historical techniques used to analyze protected processes.

Technical Architecture

The architecture consists of two main components: a User-Mode Client and a Manually Mapped Kernel Driver.

1. Driver Manual Mapping (KDMapping)

Instead of loading the driver through the standard Windows Service Control Manager (SCM), which requires the driver to carry a valid digital signature from a trusted certificate authority, this project manually maps the driver into kernel memory, using the vulnerable iqvw64e.sys driver as the loading vehicle.

  • Vulnerable Driver Exploitation: The loader leverages a known vulnerability in the Intel LAN driver to gain arbitrary physical memory read/write primitives.
  • MmMapIoSpace: Using that physical-memory access, the loader places the custom driver image into kernel memory (NonPagedPool) and starts its execution.
  • Relocation & Imports: The loader manually resolves relocations and kernel imports (e.g., ntoskrnl.exe exports) for the mapped image, effectively "linking" the driver in memory without OS awareness.
  • Cleanup: Traces of the vulnerable driver (PiDDBCacheTable, MmUnloadedDrivers) are scrubbed to minimize the forensic footprint.
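The loading step above is the point where this technique is visible to a defender: the manually mapped driver never passes through the Windows loader and produces no load event, but the signed vulnerable driver that precedes it must be loaded normally. The script below is an added example (not code from the fortnite-chair repository) that triages constructed Sysmon Event ID 6 (DriverLoad) style records and flags loads of a known-vulnerable driver by file name (iqvw64e.sys, taken from this README), loads with a missing or invalid signature, and loads from user-writable directories. The pipe-delimited record format, the denylist and all paths and signer names are constructed for the example.

```python
"""Triage kernel driver-load records for BYOVD-style activity.

Added example, not part of the fortnite-chair project. The records mimic the
fields of Sysmon Event ID 6 (ImageLoaded, Signed, Signature, SignatureStatus)
in a constructed key=value|key=value line format.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption: a local denylist keyed by lowercase file name. A production check
# would key on the file hash against a vulnerable-driver blocklist instead,
# because a renamed copy of the driver keeps its (valid) signature.
KNOWN_VULNERABLE_DRIVERS = {"iqvw64e.sys"}

# Directories from which a legitimate kernel driver is rarely loaded.
UNUSUAL_DIRS = re.compile(r"\\(users|temp|tmp|appdata|downloads)\\", re.IGNORECASE)


@dataclass
class DriverLoad:
    image: str
    signed: bool
    signature_status: str
    signer: str


def parse_event(line: str) -> DriverLoad:
    """Parse one constructed 'Key=Value|Key=Value' driver-load record."""
    fields = dict(kv.split("=", 1) for kv in line.split("|"))
    return DriverLoad(
        image=fields["ImageLoaded"],
        signed=fields["Signed"].lower() == "true",
        signature_status=fields["SignatureStatus"],
        signer=fields["Signature"],
    )


def assess(load: DriverLoad) -> list[str]:
    """Return the list of findings for one driver load (empty when benign)."""
    findings: list[str] = []
    file_name = load.image.rsplit("\\", 1)[-1].lower()
    if file_name in KNOWN_VULNERABLE_DRIVERS:
        # Note: the vulnerable driver is usually *validly* signed; that is
        # exactly why it can be loaded through the SCM. Do not rely on the
        # signature check alone to catch it.
        findings.append("known-vulnerable-driver")
    if not load.signed or load.signature_status.lower() != "valid":
        findings.append("unsigned-or-invalid-signature")
    if UNUSUAL_DIRS.search(load.image):
        findings.append("unusual-load-path")
    return findings


# Constructed sample records: a normal Microsoft driver, the vulnerable Intel
# driver dropped into a user temp directory, and a driver whose signature has
# expired.
SAMPLE_EVENTS = [
    r"ImageLoaded=C:\Windows\System32\drivers\ndis.sys|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid",
    r"ImageLoaded=C:\Users\demo\AppData\Local\Temp\iqvw64e.sys|Signed=true|Signature=Intel Corporation|SignatureStatus=Valid",
    r"ImageLoaded=C:\Windows\System32\drivers\olddrv.sys|Signed=true|Signature=Example Vendor|SignatureStatus=Expired",
]


def triage(lines: list[str]) -> dict[str, list[str]]:
    """Map each loaded image path to its findings."""
    return {ev.image: assess(ev) for ev in map(parse_event, lines)}


if __name__ == "__main__":
    for image, findings in triage(SAMPLE_EVENTS).items():
        print(f"{image}: {', '.join(findings) or 'ok'}")
```

Because the project's cleanup step scrubs PiDDBCacheTable and MmUnloadedDrivers after the fact, the load event captured at the moment of loading (ETW, Sysmon or EDR telemetry shipped off the host) is the artifact that survives; querying those kernel structures later will not show the vulnerable driver. Enforcing the Microsoft vulnerable driver blocklist (HVCI / App Control) prevents the load outright rather than merely detecting it.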

2. Stealth Communication Protocol (Function Hooking)

Standard communication via DeviceIoControl requires opening a handle to the driver object, which creates a traceable link and can be easily stripped or monitored by anti-tamper solutions. This project implements a Trampoline Hook mechanism to establish a covert communication channel.

The Hooking Mechanism

The driver picks an infrequently used system routine in win32k or the kernel (for example NtUserGetCurrentDpiInfoForWindow or NtFlipObjectEnablePresentStatisticsType).

  1. Pointer Swap: The driver locates the kernel-mode address of the target function's handler (often residing in .data sections or dispatch tables).
  2. Atomic Exchange: It atomically swaps the original function pointer with the address of the mapped driver's entry point.
  3. The "Trampoline":
  • When the User-Mode Client wishes to execute a command (Read/Write Memory), it simply calls the standard Windows API for the hooked function (e.g., NtUserGetCurrentDpiInfoForWindow), passing a custom struct via the arguments.
  • The OS transitions to kernel mode and attempts to execute the registered handler.
  • Interception: Execution is redirected to the custom driver logic.
  • Dispatch: The driver inspects the arguments. If a specific "magic code" is present, it processes the memory request (copying memory via MmCopyVirtualMemory or physical addressing).
  • Restoration: If the arguments do not match the protocol, the driver invokes the original function pointer, ensuring system stability and transparency for normal OS operations.
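Because the hook passes every non-matching call through to the original handler, the channel is invisible to callers and to behavioral monitoring of the hooked routine. What the pointer swap cannot hide is the table entry itself: after the swap, the entry points at memory that belongs to no loaded module image (the manually mapped driver), or, in a subtler variant, at an address inside a different legitimate module than before. The script below is an added example (not code from the fortnite-chair project) that models this integrity check over a constructed loaded-module list and a constructed dispatch table; the two entry names come from this README, the third entry name and all addresses are placeholders.

```python
"""Integrity check for a kernel function-pointer (dispatch) table.

Added example, not part of the fortnite-chair project. Models the README's
"pointer swap": a table entry that should point into win32k or ntoskrnl is
replaced by an address in a manually mapped image. All module ranges,
addresses and the third entry name are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class ModuleRange:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


# Constructed loaded-module list. A real check would take this from the
# kernel's loaded module list (e.g. SystemModuleInformation) at scan time.
MODULES = (
    ModuleRange("ntoskrnl.exe", 0xFFFFF80000000000, 0x1000000),
    ModuleRange("win32kfull.sys", 0xFFFFA00000000000, 0x400000),
)

# Constructed baseline snapshot of the table, taken on a known-good boot.
BASELINE_TABLE = {
    "NtUserGetCurrentDpiInfoForWindow": 0xFFFFA00000123450,
    "NtFlipObjectEnablePresentStatisticsType": 0xFFFFA00000234560,
    "ExamplePlaceholderEntry": 0xFFFFA00000045670,
}

# The same table after a swap: the first entry now points outside every loaded
# module (a manually mapped image); the placeholder entry was redirected into
# a different legitimate module, which only the baseline comparison catches.
HOOKED_TABLE = {
    "NtUserGetCurrentDpiInfoForWindow": 0xFFFFC00011223344,
    "NtFlipObjectEnablePresentStatisticsType": 0xFFFFA00000234560,
    "ExamplePlaceholderEntry": 0xFFFFF80000500000,
}


def owner(addr: int, modules: Iterable[ModuleRange] = MODULES) -> Optional[ModuleRange]:
    """Return the loaded module whose image contains addr, or None."""
    for module in modules:
        if module.contains(addr):
            return module
    return None


def check_table(
    table: dict[str, int],
    modules: Iterable[ModuleRange] = MODULES,
    baseline: Optional[dict[str, int]] = None,
) -> list[dict]:
    """Flag entries pointing outside any loaded module or differing from baseline."""
    modules = tuple(modules)
    findings: list[dict] = []
    for entry, ptr in table.items():
        module = owner(ptr, modules)
        if module is None:
            findings.append({"entry": entry, "ptr": ptr, "reason": "outside-loaded-modules"})
            continue
        if baseline is not None:
            expected = baseline.get(entry)
            if expected is None:
                findings.append({"entry": entry, "ptr": ptr, "reason": "entry-not-in-baseline"})
            elif expected != ptr:
                findings.append({
                    "entry": entry, "ptr": ptr, "module": module.name,
                    "reason": "changed-since-baseline",
                })
    return findings


if __name__ == "__main__":
    for finding in check_table(HOOKED_TABLE, MODULES, BASELINE_TABLE):
        print(f"{finding['entry']}: {finding['reason']} (0x{finding['ptr']:X})")
```

The "outside every loaded module" test needs no baseline and is the cheap first pass; the baseline comparison is what catches an entry moved to a jump stub inside a legitimate image. Both tests assume the loaded-module list itself is trustworthy, which is why such checks are normally paired with kernel-level protections (HVCI, PatchGuard-protected tables) rather than run from user mode alone.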

Key Capabilities

  • Process Identification: Locates process EPROCESS structures via kernel API traversal rather than OpenProcess handles.
  • Base Address Retrieval: Accesses the PEB (Process Environment Block) from kernel context to identify module base addresses.
  • Memory Operations: Implements ReadProcessMemory and WriteProcessMemory equivalents that operate with Ring 0 privileges, bypassing user-mode permissions and handle stripping protections.

Build & Usage

  • Language: C++ (C++17 Standard)
  • Platform: Windows x64 (Kernel & User Mode)
  • Dependencies: Windows Driver Kit (WDK) headers and libraries for the kernel type and function definitions the driver references.

Disclaimer

This software is provided for educational purposes to demonstrate kernel programming and reverse engineering concepts. It was developed to study Windows internal structures and bypass techniques. The author does not condone the use of this software for malicious activities or integrity violations in online games.

About

Simple function hook fortnite chair.
