Tuts 4 You

Ntdll/RtlGetNativeSystemInformation


JMC31337


Messing around with some code done by H0mbre at https://h0mbre.github.io/HEVD_Stackoverflow_SMEP_Bypass_64bit/

Thought I'd put this on the tuts4you walls to obtain the ntoskrnl location using the undocumented RtlGetNativeSystemInformation.

#include <windows.h>
#include <iostream>
using namespace std;

// Undocumented ntdll export; on x64 it takes the same four arguments as NtQuerySystemInformation.
typedef LONG (NTAPI *RtlGetNativeSystemInformation_t)(ULONG SystemInformationClass,
    PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength);

#define SystemModuleInformation     0x0b                 // the 0x0b the original asm loaded into rcx
#define STATUS_INFO_LENGTH_MISMATCH ((LONG)0xC0000004L)

// One entry of the list returned for SystemModuleInformation (x64 layout).
typedef struct _RTL_PROCESS_MODULE_INFORMATION {
    HANDLE Section;
    HANDLE MappedBase;
    PVOID  ImageBase;          // kernel base of the module
    ULONG  ImageSize;
    ULONG  Flags;
    USHORT LoadOrderIndex;
    USHORT InitOrderIndex;
    USHORT LoadCount;
    USHORT OffsetToFileName;   // index of the file name inside FullPathName
    UCHAR  FullPathName[256];
} RTL_PROCESS_MODULE_INFORMATION;

typedef struct _RTL_PROCESS_MODULES {
    ULONG NumberOfModules;
    RTL_PROCESS_MODULE_INFORMATION Modules[1];   // Modules[0] is ntoskrnl; its ImageBase sits at offset 0x18
} RTL_PROCESS_MODULES;

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd)
{
    HMODULE hdll = LoadLibraryA("ntdll");
    RtlGetNativeSystemInformation_t proc =
        (RtlGetNativeSystemInformation_t)GetProcAddress(hdll, "RtlGetNativeSystemInformation");
    if (!proc) return 1;

    // 0x1000 bytes is far too small for the module list; ask for the required size first.
    ULONG len = 0;
    LONG status = proc(SystemModuleInformation, NULL, 0, &len);
    if (status != STATUS_INFO_LENGTH_MISMATCH || len == 0) return 1;

    RTL_PROCESS_MODULES* mods = (RTL_PROCESS_MODULES*)VirtualAlloc(NULL, len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (!mods) return 1;
    status = proc(SystemModuleInformation, mods, len, &len);
    if (status != 0) { VirtualFree(mods, 0, MEM_RELEASE); return 1; }

    PVOID ntos = mods->Modules[0].ImageBase;   // the same field the original read via [rax+0x18]
    cout << (const char*)(mods->Modules[0].FullPathName + mods->Modules[0].OffsetToFileName)
         << " @ " << ntos << endl;
    getchar();
    VirtualFree(mods, 0, MEM_RELEASE);
    return 0;
}
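An added example, not part of the post or of H0mbre's write-up, that spells out the buffer layout behind the post's `[rax+0x18]` and walks the whole module list with bounds checks instead of reading entry 0 blindly. The struct field names are assumed from the undocumented RTL_PROCESS_MODULES layout, and a constructed sample buffer with made-up addresses stands in for the live call so it compiles and runs on any host.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

// x64 layout of one SystemModuleInformation (class 0x0b) entry; fixed-width integers
// replace HANDLE/PVOID so the layout is identical on any host compiler (assumed names).
struct ModuleEntryX64 {
    uint64_t Section, MappedBase, ImageBase;   // ImageBase: kernel base of the module
    uint32_t ImageSize, Flags;
    uint16_t LoadOrderIndex, InitOrderIndex, LoadCount, OffsetToFileName;
    uint8_t  FullPathName[256];                // NUL-terminated; file name starts at OffsetToFileName
};
struct ModulesX64 { uint32_t NumberOfModules; ModuleEntryX64 Modules[1]; };
// The count is 4 bytes + 4 bytes padding, so Modules[0].ImageBase lands at 0x18: the [rax+0x18] the post reads.
static_assert(sizeof(ModuleEntryX64) == 296, "entry layout");
static_assert(offsetof(ModulesX64, Modules) + offsetof(ModuleEntryX64, ImageBase) == 0x18, "offset 0x18");
struct KernelModule { std::string name; uint64_t base; uint32_t size; };

// Walks every entry (not just entry 0), bounds-checked against the length the call
// actually returned. A base of 0 means the kernel withheld the address from this caller.
std::vector<KernelModule> parse_modules(const uint8_t* buf, size_t len) {
    std::vector<KernelModule> out;
    if (!buf || len < offsetof(ModulesX64, Modules)) return out;
    uint32_t n; std::memcpy(&n, buf, sizeof n);
    for (uint32_t i = 0; i < n; ++i) {
        size_t off = offsetof(ModulesX64, Modules) + (size_t)i * sizeof(ModuleEntryX64);
        if (off + sizeof(ModuleEntryX64) > len) break;       // truncated buffer: never over-read
        ModuleEntryX64 e; std::memcpy(&e, buf + off, sizeof e);
        size_t nameOff = e.OffsetToFileName < sizeof e.FullPathName ? e.OffsetToFileName : 0;
        const char* p = reinterpret_cast<const char*>(e.FullPathName) + nameOff; size_t l = 0;
        while (nameOff + l < sizeof e.FullPathName && p[l] != '\0') ++l;
        out.push_back({std::string(p, l), e.ImageBase, e.ImageSize});
    }
    return out;
}

// Constructed two-entry buffer with made-up addresses, so the parser runs offline.
std::vector<uint8_t> sample_buffer() {
    const char* paths[2] = {"\\SystemRoot\\system32\\ntoskrnl.exe", "\\SystemRoot\\System32\\drivers\\example.sys"};
    const uint16_t nameOff[2] = {21, 29};
    const uint64_t bases[2] = {0xFFFFF80012345000ULL, 0xFFFFF80098765000ULL};
    std::vector<uint8_t> buf(offsetof(ModulesX64, Modules) + 2 * sizeof(ModuleEntryX64), 0);
    uint32_t n = 2; std::memcpy(buf.data(), &n, sizeof n);
    for (int i = 0; i < 2; ++i) {
        ModuleEntryX64 e{}; e.ImageBase = bases[i]; e.ImageSize = 0x100000u * (i + 1); e.OffsetToFileName = nameOff[i];
        std::strcpy(reinterpret_cast<char*>(e.FullPathName), paths[i]);
        std::memcpy(buf.data() + offsetof(ModulesX64, Modules) + i * sizeof e, &e, sizeof e);
    }
    return buf;
}
```

On a real system, pass the buffer and length returned by the call in the post to parse_modules and compare the list against the drivers you expect to be loaded.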
