内核攻防：任意读写驱动漏洞分析及Exp编写<\/h1>

1. HEVD驱动项目介绍<\/h2>
HEVD (HackSys Extreme Vulnerable Driver) 是一个专门设计用于内核漏洞研究和学习的驱动项目，包含多种类型的内核漏洞实现。<\/p>
项目地址：https:\/\/github.com\/hacksysteam\/HackSysExtremeVulnerableDriver<\/p>

2. 漏洞分析<\/h2>

2.1 漏洞点定位<\/h3>

通过IDA Pro逆向分析HEVD驱动，可以找到任意读写模块的漏洞点：<\/p>

关键结构体包含两个可控指针：where<\/code>和what<\/code><\/li>

这两个指针完全由用户控制，没有进行充分的验证<\/li>
<\/ul>
2.2 IOCTL计算<\/h3>
触发漏洞需要正确的IOCTL代码，但直接传入的0x802与逆向出来的IOCTL不同，因为Windows系统对IOCTL进行了规范计算。<\/p>
IOCTL计算宏展开式解析：<\/p>

(0x00000022) << 16<\/code>：设备类型FILE_DEVICE_UNKNOWN<\/code>为0x22，移位16位后变为0x2200000<\/li>
(0) << 14<\/code>：方法为METHOD_NEITHER<\/code>，移位后值为0<\/li>
(0x802) << 2<\/code>：功能代码0x802移位2位后变为0x2008<\/li>
3<\/code>：访问权限FILE_ANY_ACCESS<\/code>为3<\/li>
<\/ol>
2.3 IDA Pro辅助分析<\/h3>
可以使用IDA Pro插件DriverBuddyReloaded<\/code>(支持IDA 9.0)来解析IOCTL代码：<\/p>

在DispatchDeviceControl<\/code>函数下按CTRL+ALT+F<\/code><\/li>
插件会显示IOCTL代码信息<\/li>
<\/ol>
也可以使用Python脚本枚举0x800-0x900范围内的Function编号，找到目标函数的计算后哈希值。<\/p>
3. 提权原理<\/h2>
利用内核漏洞进行提权的核心思路：<\/p>

通过漏洞获取内核空间的读取权限<\/li>
定位PID 4(System进程)对应的_EPROCESS<\/code>结构体<\/li>
提取其中的Token(系统最高权限)<\/li>
利用写权限将该Token注入到当前进程<\/li>
启动一个以SYSTEM权限运行的命令行(cmd.exe)<\/li>
<\/ol>
4. 关键数据结构<\/h2>
4.1 _SYSTEM_HANDLE<\/h3>
表示系统中的句柄：<\/p>
typedef<\/span> struct<\/span> _SYSTEM_HANDLE {
<\/span><\/span>    ULONG ProcessId;           \/\/ 拥有该句柄的进程ID
<\/span><\/span><\/span><\/span>    UCHAR ObjectTypeNumber;    \/\/ 对象类型枚举值
<\/span><\/span><\/span><\/span>    UCHAR Flags;               \/\/ 句柄标志
<\/span><\/span><\/span><\/span>    USHORT Handle;             \/\/ 系统资源句柄值
<\/span><\/span><\/span><\/span>    PVOID Object;              \/\/ 关联对象的指针
<\/span><\/span><\/span><\/span>    ULONG GrantedAccess;       \/\/ 访问权限
<\/span><\/span><\/span><\/span>} SYSTEM_HANDLE, *<\/span>PSYSTEM_HANDLE;
<\/span><\/span><\/code><\/pre>4.2 _SYSTEM_HANDLE_INFORMATION<\/h3>
包含系统句柄信息：<\/p>
typedef<\/span> struct<\/span> _SYSTEM_HANDLE_INFORMATION {
<\/span><\/span>    ULONG HandleCount;         \/\/ 系统中句柄数量
<\/span><\/span><\/span><\/span>    SYSTEM_HANDLE Handles[1<\/span>];  \/\/ 句柄数组
<\/span><\/span><\/span><\/span>} SYSTEM_HANDLE_INFORMATION, *<\/span>PSYSTEM_HANDLE_INFORMATION;
<\/span><\/span><\/code><\/pre>4.3 _SYSTEM_INFORMATION_CLASS<\/h3>
定义查询系统信息的类别：<\/p>
typedef<\/span> enum<\/span> _SYSTEM_INFORMATION_CLASS {
<\/span><\/span>    SystemHandleInformation =<\/span> 16<\/span>  \/\/ 请求系统句柄信息
<\/span><\/span><\/span><\/span>} SYSTEM_INFORMATION_CLASS;
<\/span><\/span><\/code><\/pre>4.4 _WRITE_WHAT_WHERE<\/h3>
描述内存写入操作：<\/p>
typedef<\/span> struct<\/span> _WRITE_WHAT_WHERE {
<\/span><\/span>    PULONG_PTR What;  \/\/ 指向要写入数据的指针
<\/span><\/span><\/span><\/span>    PULONG_PTR Where; \/\/ 指向目标内存位置的指针
<\/span><\/span><\/span><\/span>} WRITE_WHAT_WHERE, *<\/span>PWRITE_WHAT_WHERE;
<\/span><\/span><\/code><\/pre>5. 任意读写函数实现<\/h2>
5.1 任意写函数<\/h3>
关键代码实现：<\/p>
payload-><\/span>What =<\/span> (PULONG_PTR)&<\/span>value;  \/\/ 要写入的数据地址
<\/span><\/span><\/span><\/span>payload-><\/span>Where =<\/span> (PULONG_PTR)addr;   \/\/ 目标地址
<\/span><\/span><\/span><\/code><\/pre>重要说明<\/strong>：<\/p>

必须传递value<\/code>的地址(&value<\/code>)而不是value<\/code>本身<\/li>
驱动中的TriggerArbitraryWrite<\/code>函数通过*Where = *What<\/code>执行写入操作<\/li>
<\/ul>
5.2 任意读函数<\/h3>
实现思路与写函数类似，只是方向相反。<\/p>
6. 获取进程信息<\/h2>
6.1 获取PID 4的Token<\/h3>

通过NtQuerySystemInformation<\/code>获取指定PID的基地址<\/li>
定位到_EPROCESS<\/code>结构体中的Token字段<\/li>
<\/ol>
6.2 获取当前进程Token<\/h3>
关键步骤：<\/p>

获取当前进程ID：GetCurrentProcessId()<\/code><\/li>
遍历进程链表查找当前进程<\/li>
返回当前进程结构体地址<\/li>
<\/ol>
进程链表遍历代码示例：<\/p>
do<\/span> {
<\/span><\/span>    \/\/ 读取下一个进程的地址
<\/span><\/span><\/span><\/span>    next =<\/span> arbitrary_read(driver, ((uint64_t<\/span>)current +<\/span> ActiveProcessLinks_off));
<\/span><\/span>    current =<\/span> (uint64_t<\/span>*<\/span>)(next -<\/span> ActiveProcessLinks_off);
<\/span><\/span>    
<\/span><\/span>    \/\/ 读取当前进程ID
<\/span><\/span><\/span><\/span>    curPid =<\/span> arbitrary_read(driver, ((uint64_t<\/span>)current +<\/span> UniqueProcessId_off));
<\/span><\/span>    
<\/span><\/span>    if<\/span> (curPid ==<\/span> pid) {
<\/span><\/span>        found =<\/span> 1<\/span>;
<\/span><\/span>        break<\/span>;
<\/span><\/span>    }
<\/span><\/span>} while<\/span> (current !=<\/span> SYSTEM);
<\/span><\/span><\/code><\/pre>7. 完整利用流程<\/h2>

开启HEVD驱动<\/li>
运行Exploit程序<\/li>
Exploit执行以下操作：

打开驱动设备获取句柄<\/li>
计算正确的IOCTL代码<\/li>
利用任意读功能查找System进程的Token<\/li>
利用任意写功能将Token复制到当前进程<\/li>
启动SYSTEM权限的cmd.exe<\/li>
<\/ul>
<\/li>
<\/ol>
8. 相关工具和资源<\/h2>

IDA Pro插件：https:\/\/github.com\/VoidSec\/DriverBuddyReloaded<\/li>
EPROCESS偏移量项目：https:\/\/github.com\/I3r1h0n\/eprocess_offsets<\/li>
HEVD驱动项目：https:\/\/github.com\/hacksysteam\/HackSysExtremeVulnerableDriver<\/li>
<\/ol>
9. 注意事项<\/h2>

内核漏洞利用具有高风险，可能导致系统崩溃<\/li>
在实际环境中使用需要充分考虑稳定性和兼容性<\/li>
不同Windows版本内核结构可能有所不同<\/li>
现代Windows系统有更多防护机制(如KASLR, SMEP等)需要考虑绕过<\/li>
<\/ol>

内核攻防：任意读写驱动漏洞分析及Exp编写<\/h1>

1. HEVD驱动项目介绍<\/h2> HEVD (HackSys Extreme Vulnerable Driver) 是一个专门设计用于内核漏洞研究和学习的驱动项目，包含多种类型的内核漏洞实现。<\/p> 项目地址：https:\/\/github.com\/hacksysteam\/HackSysExtremeVulnerableDriver<\/p>

2. 漏洞分析<\/h2>

4. 关键数据结构<\/h2>

5. 任意读写函数实现<\/h2>

5.2 任意读函数<\/h3> 实现思路与写函数类似，只是方向相反。<\/p>

6. 获取进程信息<\/h2>

1. HEVD驱动项目介绍<\/h2>
HEVD (HackSys Extreme Vulnerable Driver) 是一个专门设计用于内核漏洞研究和学习的驱动项目，包含多种类型的内核漏洞实现。<\/p>
项目地址：https:\/\/github.com\/hacksysteam\/HackSysExtremeVulnerableDriver<\/p>

5.2 任意读函数<\/h3>
实现思路与写函数类似，只是方向相反。<\/p>