
KBlast


Windows Kernel Offensive Toolset


KBlast is a small application I built while experimenting with Windows kernel offensive security techniques. It puts together almost all the techniques discussed in the Offensive Driver Development course from Zero Point Security, plus some extra techniques. I thought that building up this tool rather than writing down a cheatsheet was a better way to both put into practice the concepts learned and provide the community with a comprehensive learning resource.

    __ __ ____  __           __
   / //_// __ )/ /___ ______/ /_        | KBlast client - OS Build #19045 - Major version #10
  / ,<  / __  / / __ `/ ___/ __/        | Version : 1.1 ( first release ) - Architecture : x64
 / /| |/ /_/ / / /_/ (__  ) /_          | Website : http://www.github.com/lem0nSec/KBlast
/_/ |_/_____/_/\__,_/____/\__/          | Author  : < lem0nSec_@world:~$ >
------------------------------------------------------->>>

[ KBlast ] --> help

Commands - ' generic ' ( generic commands. Do not initiate kernel interactions )
              help:     Show this help
              quit:     Quit KBlast
               cls:     Clear the screen
            banner:     Print KBlast banner
               pid:     Show current pid
              time:     Display system time
           version:     Display system version information
            !{cmd}:     Execute system command

Examples:
No example is available for ' generic ' commands


[ KBlast ] -->

How it works

This tool has two components. KBlaster.sys is the application's driver, the actual core where all central features reside. KBlast.exe, in contrast, is the client application: it takes user commands, generates the specific input to be sent to KBlaster, and once the driver has finished its operation the client may or may not return the result, depending on what was done.

Commands and Features

KBlast commands fall into the following categories, which must be prepended to the actual command (generic commands can be just typed and run right away). The categories are:

  • process (kernel-side process interactions)
  • protection (Protected Process Light / PPL manipulation)
  • token (token management)
  • callback (kernel callbacks)
  • blob (memory read/write)
  • misc (misc functionalities)

Examples

The following screenshot shows the swapping of a high-integrity PowerShell token with a system-level token (the System process, PID 4).

The following screenshot shows the elevation of Mimikatz's PPL level to LSA. Mimikatz is now granted read access to lsass.

Installation Notes

Since KBlaster.sys is just a driver I built for my own learning, it is not signed. Enabling test-signing mode with the following command is required to play with this tool.

  • bcdedit /set testsigning on
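Test-signing mode is exactly the setting a defender should be watching for, because it lets any unsigned driver (a learning driver like KBlaster.sys included) load into the kernel. The following audit script is an added example and is not part of KBlast; it assumes an elevated PowerShell on Windows 10, and the function names Test-TestSigningEnabled and Get-UnsignedRunningDrivers are my own.

```powershell
# Added example (not part of KBlast): report whether the host boots in
# test-signing mode and list running kernel drivers whose Authenticode
# signature does not verify.
# Assumes: elevated PowerShell on Windows; bcdedit, Get-CimInstance and
# Get-AuthenticodeSignature available. Function names are assumptions.

function Test-TestSigningEnabled {
    # bcdedit prints a "testsigning  Yes" line for the current boot entry when it is on
    $out = & bcdedit /enum "{current}" 2>$null
    return [bool]($out | Where-Object { $_ -match '^\s*testsigning\s+Yes' })
}

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver reports NT-style or relative paths for some drivers
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not [System.IO.Path]::IsPathRooted($p)) {
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

function Get-UnsignedRunningDrivers {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            if (Test-Path -LiteralPath $path) {
                $sig = Get-AuthenticodeSignature -LiteralPath $path
                [pscustomobject]@{
                    Name   = $_.Name
                    Path   = $path
                    Status = $sig.Status
                }
            }
        } | Where-Object { $_.Status -ne 'Valid' }
}

if (Test-TestSigningEnabled) {
    Write-Warning 'Test-signing mode is ON: unsigned kernel drivers can be loaded on this host.'
} else {
    Write-Output 'Test-signing mode is off.'
}

# Drivers whose signature does not verify; review each one rather than treating the list as a verdict
Get-UnsignedRunningDrivers | Format-Table -AutoSize
```

Treat the driver list as triage input: on older PowerShell builds Get-AuthenticodeSignature may report catalog-signed Microsoft drivers as NotSigned, so confirm a hit against the driver's catalog or vendor before acting on it. The test-signing check itself is unambiguous and is the cheaper thing to alert on.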

Important note ⚠️

This tool is still at an early stage of development. KBlast is being actively tested on a Windows 10 Pro build 19045 x64 machine. Some functionalities support other Windows versions. Others don't. The following are the main issues you may encounter:

  • Module : Callback : compatible only with Windows 10 Pro build 19045 x64
  • Command : Token - revert : it works only if the process whose token is to be reverted is the last one whose token was modified
  • Command : Misc - dse : still under testing on Windows 10 Pro build 19045 x64 (you should not rely on this command at this stage of development).

To clarify, the following is the output of the 'version' command on the system I am using to build the tool.

[ KBlast ] --> version
Microsoft Windows NT 10.0 OS Build 19045 ( Arch x64 )
KBlast v1.1 ( Arch x64 )

Since the Windows kernel is mostly composed of 'opaque' data structures, this tool is likely to trigger BSODs at this stage of development if a version other than the one mentioned is used. Development of these tools often requires months. I hope you understand and appreciate the project and the idea behind it! Last but not least, I might consider adding new features such as process unlinking if the project turns out to be a useful resource for learners.

Contributors

lem0nsec
