Antonio Cocomazzi
splintercode.bsky.social
offensive security - windows internals - reverse engineering | X: https://x.com/splinter_code | Mastodon: https://infosec.exchange/@splinter_code | GitHub: https://github.com/antonioCoco | Blog: https://splintercod3.blogspot.com/
Also kudos to my friend @decoder-it.bsky.social, who was the first to spot those as Admin Protection bypasses
January 29, 2025 at 11:39 AM
There is also another check later in IopQueryRegistryKeySystemPath that ensures the ImagePath is under the "System" key
December 13, 2024 at 4:11 PM
In older ntoskrnl (e.g. Win2016 1607) the function IopQueryRegistryKeySystemPath doesn't exist and the "ImagePath" value is retrieved without checks through IopGetRegistryValue(..., "ImagePath",...) in IopBuildFullDriverPath
December 13, 2024 at 4:11 PM
In newer ntoskrnl.exe there is a check in IopLoadDriver->IopBuildFullDriverPath->IopQueryRegistryKeySystemPath that ensures the "ImagePath" value is under a regkey prefixed with \REGISTRY\MACHINE and, if not, returns 0xC00000E5
December 13, 2024 at 4:11 PM
Insane work 🔥
November 25, 2024 at 6:28 PM