This repository aims to provide functioning code that demonstrated usage of various different ways to gain access to Kernel Mode pointers in Windows from User Mode.
| Technique | Windows 7 | Windows 8 | Windows 8.1 Low Integrity | Windows 8.1 Medium Integrity | Windows 10 Low Integrity | Windows 10 Medium Integrity |
|---|---|---|---|---|---|---|
| NtQuerySystemInformation (SystemHandleInformation) |  |
|
 |
|
|
|
| NtQuerySystemInformation (SystemLockInformation) | |
|
|
|
|
|
| NtQuerySystemInformation (SystemModuleInformation) | |
|
|
|
|
|
| NtQuerySystemInformation (SystemProcessInformation) | |
|
|
|
|
|
| System Call Return Values | |
|
|
|
|
|
| Win32k Shared Info Handle Table | |
|
|
|
|
|
| Descriptor Tables | |
|
|
|
|
|
##Caveats
The Descriptor Table pointer leak will work on a standard Windows 10 machine but a Windows 10 Enterprise machine with HyperV enabled will trap on the sidt/sgdt instructions and return false values (see: https://www.blackhat.com/docs/us-16/materials/us-16-Weston-Windows-10-Mitigation-Improvements.pdf, Windows Kernel 64-bit ASLR Improvements).
##Attributions
I have referenced where I read about a technique and where specific structs etc have come from in the code, however these may not be the true original sources of the information :)
A lot of the function prototypes and struct definitions are taken from ReactOS.
Tick Icon By FatCow (http://www.fatcow.com/free-icons) [CC BY 3.0], via Wikimedia Commons
Cross Icon By Cäsium137 [Public domain], via Wikimedia Commons