evil-mhyprot-cli

A PoC for Mhyprot2.sys vulnerable driver that allowing read/write memory in kernel/user via unprivileged user process.

• libmhyprot
• Wiki

Overview

What we can do with this CLI is as follows:

• Read/Write any kernel memory with privilege of kernel from usermode
• Read/Write any user memory with privilege of kernel from usermode
• Enumerate a number of modules by specific process id
• Get system uptime
• Enumerate threads in specific process, result in allows us to reading PETHREAD structure in the kernel directly from CLI as well.
• Terminate specific process by process id with ZwTerminateProcess which called in the vulnerable driver context (ring-0).
• All operations are executed as kernel level privilege (ring-0) by the vulnerable driver

Also:

• Administrator privilege only needed if the service is not yet running
• Therefore we can execute commands above as the normal user (w/o administrator privilege)

Requirements

• Any version of Windows x64 that the driver works on
• Administrator privilege does not required if the service already running

Tested on:

• Windows10 x64 1903
• Windows7 x64 6.1
• Windows8.1 x64 6.3

Usage

*.exe <target_process_name> -<options>

following options are available as of now:

• t
  • Perform Tests
• d
  • Print debug infos
• s
  • Print seedmap

Latest