SyscallProvider is a feature available from Windows 11 22H2, that allows for inline hooking of syscalls.
This unfinished research was done on Windows 11 22H2. The feature is fully undocumented at the moment and it looks like it's locked to Microsoft-signed drivers.
All of the information here was gathered by manual reverse engineering of securekernel.exe, skci.dll and ntoskrnl.exe.
The kernel exports three functions to work with the new feature: PsRegisterSyscallProvider, PsQuerySyscallProviderInformation, PsUnregisterSyscallProvider.
This writeup will explore how this feature is initialized, how it works internally, and how to interact with it and use it.
Cr4sh
/ SyscallProvider.md
Created
May 27, 2025 07:35
— forked from Kristal-g/SyscallProvider.md
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include "pch.h" | |
| #include <shlobj.h> | |
| #include <atlbase.h> | |
| #include <shellapi.h> | |
| #pragma comment(lib, "shell32.lib") | |
| const wchar_t* CLSID_CMSTPLUA = L"{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"; | |
| const wchar_t* IID_ICMLuaUtil = L"{6EDD6D74-C007-4E75-B76A-E5740995E24C}"; |
Cr4sh
/ guide-change-imei-snapdragon.md
Created
October 16, 2024 18:31
— forked from Proxy13/guide-change-imei-snapdragon.md
[GUIDE] How to change IMEI on Snapdragon devices
FOR EDUCATIONAL PURPOSE ONLY, CHANGING IMEI IS ILLEGAL IN MOST COUNTRIES, MAKE SURE YOU CONVINCE YOUR ACTIONS BEFORE DOING THIS.
I DON'T RESPONSIBLE IF YOUR DEVICE IS BROKEN OR THE IMEI IS NOT CHANGED CAUSED BY YOU DIDN'T FOLLOW THE STEPS CAREFULLY OR HAVING A DIFFERENT EFS PARTITION SCHEME.
This guide was tested on Google Pixel 3, different device may also have a different EFS partition scheme, please make sure you adjust it with this guide. Other Google Pixel devices may use this guide without adjusting.
Cr4sh
/ gist:0e04de6889ce9fc657f1ea0ccdb42119
Created
October 18, 2023 10:16
Windows Secure Kernel r/e hints and tips
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| To find SKPROCESS Policy offset: | |
| __int64 __fastcall SkpspFindPolicy(__int64 a1, __int64 a2, int a3, __int64 a4, __int64 a5) | |
| { | |
| v5 = a4; | |
| v6 = a3; | |
| v7 = a2; | |
| v8 = a1; | |
| v12 = 0i64; | |
| v9 = a1 + 0x1B8; // <-- |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdlib.h> | |
| #include <stdbool.h> | |
| #include <irq.h> | |
| #include <libbase/uart.h> | |
| #include <libbase/console.h> | |
| #include <generated/csr.h> | |
| #include "adder.h" |
Cr4sh
/ smm_backdoor_hyper_v.py
Created
June 16, 2021 19:37
Example program that uses SMM backdoor to deploy Hyper-V backdoor (see https://github.com/Cr4sh/s6_pcie_microblaze/tree/master/python/payloads/DmaBackdoorHv)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| import sys, os, time, platform, ctypes | |
| from struct import pack, unpack | |
| from optparse import OptionParser, make_option | |
| import smm_backdoor as bd | |
| # how many seconds to wait for VM exit occur | |
| VM_EXIT_WAIT = 3 |
Cr4sh
/ smm_backdoor_privesc_win.py
Created
June 16, 2021 19:34
Example program that uses SMM backdoor for local privileges escalation under the Windows
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| import sys, os, platform, ctypes, ctypes.wintypes | |
| from struct import pack, unpack | |
| import smm_backdoor as bd | |
| # MSR register used by swapgs | |
| IA32_KERNEL_GS_BASE = 0xc0000102 |
Cr4sh
/ smm_backdoor_privesc_linux.py
Last active
May 22, 2024 02:17
Example program that uses SMM backdoor for local privileges escalation under the Linux
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| import sys, os, platform, ctypes | |
| from struct import pack, unpack | |
| import smm_backdoor as bd | |
| try: | |
| import capstone |
Cr4sh
/ kforge.cpp
Created
May 15, 2021 03:22
Performing arbitrary kernel function calls on HVCI enabled systems with thread context hijacking
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include "stdafx.h" | |
| // vulnerable driver device name | |
| #define EXPL_DEVICE_PATH "\\\\.\\Global\\RTCore64" | |
| // vulnerable driver service and file name | |
| #define EXPL_DRIVER_NAME "RTCore64.sys" | |
| #define EXPL_SERVICE_NAME "RTCore64" | |
| // vulnerable driver IOCTL codes |
Cr4sh
/ output.txt
Last active
April 18, 2021 15:46
List of UEFI protocols, interfaces and loaded DXE drivers obtained with DMA attack tools
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ ./uefi.py | |
| [+] Scanning memory range 0x76000000:0xa0000000 | |
| [+] Waiting for PCI-E link... | |
| [+] PCI-E link with target is up | |
| [+] Looking for DXE driver PE image... | |
| [+] PE image is at 0x77866000 | |
| [+] PE image is at 0x77871000 | |
| [+] PROTOCOL_ENTRY address is 0x76bfaa98 | |
| [+] Registered UEFI protocols and interfaces: |
NewerOlder